Data ocean security

As data moves to the cloud, the security moves from my computers to someone else’s. That’s fine. Even with “MY” computers, I don’t have full control over everything, so rather than trusting my coworkers to do the right thing, I’m trusting others. My clients operate in an ecosystem. At my start here, we were highly selective and the technical administrators had the power to push back against insecure, poorly designed integrations. Even back then, when clients heard our security concerns, they were rightly concerned, and bad ones never happened.

Snowflake decided (FINALLY) to implement stronger security after getting burned. BUT, it’s not mandatory MFA. Admins can make it mandatory, but they don’t have to. So, not that much stronger.

But, here’s the deal. Your phone provider, AT&T for instance, put your data, including your PII, in Snowflake. That includes who you called or texted at other providers. If a scammer wanted to target you, they could use this information about you to make the people you called or texted think you were in trouble and needed $5,000 wired to the scammer. So, it’s important to have strong security, right? Oops.

As we also plan to move to the cloud, this kind of stuff weighs on me. It feels so much more complicated than what we run now, which is so much more complicated than it was a decade ago. That’s my expectation, but I get the feeling top-level management expects things to get easier.

