Cloud-based attacks linked to Snowflake are challenging the conventional shared responsibility stance in cloud security.
In the rapidly evolving landscape of cybersecurity, several technology companies have taken a significant step forward by publicly committing to the Cybersecurity and Infrastructure Security Agency (CISA)'s Secure by Design Pledge. This initiative, launched in April 2023, emphasises the importance of embedding security early in product development and operations.
Omnissa, a leading player in the tech industry, was among the first to sign the pledge in early July 2025. The company has emphasised its commitment to best practices such as multi-factor authentication (MFA), vulnerability disclosure policies, and accelerated security patch adoption. They are using the pledge's framework to measure and improve their security standards.
Rewind, a SaaS data protection company, followed suit by mid-July 2025. Aligning with major companies like AWS, GitHub, and Okta, Rewind has committed to seven key goals designed to strengthen cybersecurity and make security the default in their products.
Zyxel Networks, focused on SMB networking products, also adopted the pledge and reported significant progress in implementing Secure by Design principles. They have made strides in areas such as MFA for administrative and VPN access, unique default passwords, and transparent vulnerability reporting. Zyxel claims to be a leader in integrating these measures globally for SMB networking.
However, Snowflake's participation in the CISA Secure by Design Pledge remains unclear. As of July 2025, no public information or announcement has been made regarding Snowflake's involvement in this initiative.
Recent incidents in which dozens of Snowflake customers' databases were attacked have highlighted the importance of security measures such as MFA. Snowflake has stated that the attacks were caused by an attacker's use of stolen credentials for customer systems unprotected by MFA.
The fact that Snowflake neither enforces MFA by default nor requires it of its customers raises concerns about the company's approach to security, especially given attackers' increasing use of compromised legitimate credentials in ransomware attacks.
Cybersecurity experts advocate for MFA as a baseline control to enhance enterprise infrastructure security. As we move further away from 2006, the need for a speed bump such as MFA in front of stores of sensitive information becomes increasingly apparent.
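As an added illustration of the gap described above (example queries written for this page, not code from Snowflake or from the article), the following Snowflake SQL finds password-capable users with no MFA enrolled, lists recent successful password-only logins, and then makes MFA enrollment mandatory through an account-level authentication policy. It assumes the ACCOUNTADMIN role, access to the SNOWFLAKE.ACCOUNT_USAGE share, and Snowflake's authentication-policy syntax as documented in 2024; adjust the object names to your account.

```sql
-- Constructed example: audit and enforce MFA in a Snowflake account.
-- Assumes ACCOUNTADMIN and the SNOWFLAKE.ACCOUNT_USAGE views (which lag by up to ~2 hours).

-- 1. Active users who can log in with a password but have no MFA enrolled.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used only a password
--    (no second factor recorded): the exposure that stolen credentials exploit.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 3. Make MFA the default rather than an opt-in: require enrollment account-wide.
--    Policy name "require_mfa" is an assumed, arbitrary choice.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Require MFA enrollment for all password-based logins';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the two audit queries before applying the policy so that service accounts that authenticate with key pairs rather than passwords are identified and handled separately.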
In a world where security is no longer an optional extra, it is crucial for technology companies to prioritise security measures over convenience, especially in risky scenarios. It remains to be seen whether Snowflake will follow the lead of its peers and commit to the CISA Secure by Design Pledge.
- Omnissa, in alignment with the CISA's Secure by Design Pledge, has emphasized its commitment to cybersecurity best practices, including multi-factor authentication, vulnerability disclosure policies, and accelerated security patch adoption.
- Rewind, following companies like AWS, GitHub, and Okta, has also pledged to strengthen cybersecurity by adhering to seven key goals to make security the default in their products.
- Zyxel Networks has made significant progress in implementing Secure by Design principles, with a focus on areas such as multi-factor authentication, unique default passwords, and transparent vulnerability reporting.
- The absence of Snowflake's participation in the CISA Secure by Design Pledge has been notable, particularly in light of recent incidents involving Snowflake customers' databases being attacked due to the lack of multi-factor authentication.
- Cybersecurity experts stress the importance of multi-factor authentication as a critical security measure to enhance enterprise infrastructure security, especially in a landscape of increasing ransomware threats and compromised legitimate credentials.