Why Multi-Factor Authentication for Workloads is a Critical Security Control

Evan Gilman

With details emerging about the recent string of breaches across Snowflake customers, the importance of robust security measures for data and infrastructure access has never been clearer. These incidents have starkly highlighted a critical gap in our security practices: while multi-factor authentication (MFA) is a baseline standard for user authentication, it remains ominously absent from most workload authentication. This oversight leaves workload credentials vulnerable to trivial theft and reuse, opening the door for lateral movement within networks.

Not only are workload credentials typically lacking the multi-factor controls we require of human credentials, but they also frequently take the form of over-privileged shared secrets with static credentials that seldom change. If this sounds familiar, that’s because it should. Long-lived shared passwords have been with us for ages, and the weaknesses in this approach have led us to adopt phishing-resistant multi-factor authentication as a way to address these risks.

According to Snowflake’s joint statement with CrowdStrike and Mandiant over the weekend, threat actors targeted accounts with single-factor authentication and leveraged credentials obtained through infostealing malware. This incident underscores the vulnerability of static, over-privileged credentials and the necessity of moving towards more secure authentication methods. Implementing MFA for workloads and service accounts can mitigate these risks, ensuring that even if credentials are stolen, they cannot be used without the second factor of authentication.

The reality is that deploying multi-factor authentication for users is much more difficult than deploying their equivalent solution (hardware/software attestation) for workloads and machines. This is especially important considering the rise of malware specifically targeting machine and workload authentication credentials. For example, the SolarWinds SUNBURST attackers leveraged single-factor credentials issued to SolarWinds software to move laterally through victim infrastructure, allowing them to impersonate legitimate workloads and access critical systems and data. Similarly, the Okta HAR breach started with stolen service account credentials, granting unauthorized access to internal support systems and subsequently customer environments.

These examples, together with the recent Snowflake breaches, underscore the urgent need for improved authentication mechanisms for machines and workloads. By adopting hardware and software attestation, together with short-lived and automatically rotated credentials, organizations can better protect against these threats and reduce the risk associated with static, over-privileged credentials. Just as we are moving away from long-lived passwords and password managers to more secure methods like Passkeys, we must apply similar principles to machine and workload authentication.

As the White House National Security Strategy emphasizes, "the pace of technological change is accelerating, and our adversaries are not standing still." The strategy calls for adopting Zero Trust principles for protecting critical infrastructure. Machine and workload authentication is a critical part of this effort, and is a core component of the NIST Zero Trust Architecture, ensuring that our infrastructure is resilient and secure. By connecting the lessons from the recent Snowflake incident to the broader context of improving machine and workload authentication, we highlight the urgency and necessity of adopting advanced security practices to protect against evolving threats. Solutions like SPIRL simplify the adoption of these practices, making it easier for organizations to implement and benefit from these robust security measures.