Securing Trust in the Data Cloud: Snowflake’s Journey With Chainguard
Introduction: Building trust at the core of Snowflake’s data cloud
Trust is the cornerstone of any relationship, including the one between businesses and their cloud platforms. Data now drives not only decisions but innovation, and the security of that data in the cloud matters more than ever. Snowflake stands at the forefront of this reality with a Data Cloud platform built on the principles of security and trust.
Challenge: Tackling CVEs and compliance
Snowflake’s journey in cloud computing went beyond the usual technological hurdles and became a steadfast commitment to earning customer trust, with security built into Snowflake’s products and services rather than bolted on. That commitment is ongoing, and tackling Common Vulnerabilities and Exposures (CVEs) became central to delivering secure-by-default solutions. For a cloud-native company, container security, and in particular vulnerability management for the container images it ships, became a top priority for the Snowflake team.
“When you think about customer data, it's all about trust. And so our philosophy has always been to build security into the product in a way that the customer can focus on grabbing insight from the data and not having to worry about the security of the platform.”
The path to FedRAMP High authorization highlighted the importance of streamlining the team’s vulnerability management to meet the program’s stringent requirements for container vulnerability scanning and remediation. This compliance effort was a cornerstone of the trust Snowflake’s customers place in the platform, especially customers in highly regulated sectors such as government and public services like education, who stand to benefit from Snowflake’s modern technologies and innovations.
For Snowflake, CVEs in the container images that power its products and services had to be assessed, triaged, and remediated to sustain the foundational trust in its platform. Anoosh Saboori, Head of Product Security, emphasized the dual focus driving the security team’s CVE remediation efforts: 1) reducing risk to Snowflake and its customers while 2) enhancing engineering productivity.
This balance was pivotal as the team navigated the complexities of security and compliance while striving to uphold the highest standards of vulnerability management. “It goes back to shifting left as the key to address scalability,” Anoosh explained, advocating a proactive approach that starts from a solid baseline, such as a hardened base image with few known CVEs, so that far less patching is needed downstream and engineers can concentrate on innovation rather than remediation.
The journey toward FedRAMP High authorization was a testament to Snowflake’s dedication to bringing the most secure solutions to regulated industries and sectors. As the team worked to strengthen software supply chain security overall, the need for a strategic shift that optimized developer velocity while reducing risk became evident. “Software supply chain is only going to become more important as we go forward,” remarked Brandon Sterne, Senior Manager of Product Security, highlighting the growing significance of a provably secure software supply chain in meeting and surpassing compliance standards.
“For us, it was really about enabling more insights. Imagine law enforcement officers, health sectors, and education sectors. There are so many insights that could help them do their job better. And by achieving FedRAMP High, it allows us to provide the benefits of Snowflake to these customers such that they can pass those benefits on to our citizens.”
This realization marked a pivotal moment: Snowflake acknowledged that its existing manual vulnerability-management methods were no longer sufficient in the face of escalating threats.
Solution: Embracing Chainguard’s innovations
Facing the challenge of streamlining vulnerability management for container images, Snowflake sought a solution that could not only enhance their existing security processes, but also reinforce the foundation of trust with their customers. The answer came in the form of a strategic partnership with Chainguard, a collaboration that promised to help revolutionize Snowflake’s approach to software security.
Streamlining vulnerability management
The first order of business was the overwhelming task of managing vulnerabilities, which consumes valuable resources and takes time away from business and customer innovation. Chainguard’s approach, hardened images designed to ship with few or no known CVEs by default, offered a different starting point.
According to Brandon, “Chainguard Images allowed us to get the best of both worlds — we're able to go faster and build on top of really powerful open source platforms, but we also get the security assurance that Chainguard is able to provide us by giving us hardened, secure images.”
Anoosh highlighted the synergy, stating, “Chainguard was founded by people who’ve lived our challenges… their focus on preempting security issues aligns perfectly with our mission.” The adoption of Chainguard Images marked a significant shift, markedly improving the efficiency of Snowflake’s vulnerability management.
Achieving FedRAMP High authorization also underscored the need for a solution capable of meeting stringent security standards. Chainguard Images gave Snowflake a pathway to meet, and in places exceed, those standards within months, so that the team was operational and audit-ready in time.
“It's a remarkable thing when you introduce Chainguard Images and see the vulnerability count plummet. Watching various applications go from hundreds or even thousands of vulnerabilities down to zero overnight is a really powerful testament to what Chainguard Images can do. And we would not have been able to get [to FedRAMP High] in time without their support.”
Building trust through enhanced security
Beyond the technical benefits, the partnership with Chainguard was instrumental in upholding the trust of Snowflake’s customers. By sharply reducing the number of known CVEs in its container images, Snowflake could give its users stronger assurance of the platform’s security, an essential factor for customers in highly regulated industries.
“Chainguard is able to give us a really solid story, a really solid picture of what we are building on top of and making sure those building blocks are trustworthy and aren't going to create a problem for us in production. It all comes down to customer trust.”
Conclusion: A trusted platform and partnership
The collaboration with Chainguard was more than a technical solution for Snowflake; it was a partnership founded on a shared commitment to security and trust. By integrating Chainguard Images into its software development processes, Snowflake could focus on solving security challenges at scale while reinforcing its promise of a secure, trustworthy data cloud platform for its customers.
Looking ahead to the future of software supply chain security, Brandon remains optimistic: “As more industry and government regulation come into the picture and our obligation to having a provably secure software supply chain becomes more and more important for us, the direction that companies like Chainguard have charted … I think that sets the tone for the entire industry, frankly.”