SAS Token Compromised

I have a storage account (sa01) with a container (con01) that contains very important sensitive data. I'm ingesting this data into a Databricks cluster (data01) and two apps (app1, app2). I have generated three SAS tokens, one per use. I've also got some users who access the data using their accounts. I've had some files accessed from the container, which were not the apps or the Databricks cluster or the users. I've checked the logs on the storage account and I can see the files being accessed, but the SAS token comes up as "sig=XXXXX". Literally 5 Xs. I'm not masking the SAS token; in the log it comes up as 5 Xs. How do I tell which SAS token was compromised and was used to access the data?

Is this the correct way to set up this solution? From what I can see, Databricks does not have the ability to take a managed identity. My apps are running on premise as well. What should I do to fix this?

0 Replies
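One way to approach the attribution question above, as an added example that is not part of the original post: the logged URL masks only `sig`, so the remaining SAS query parameters (`sv`, `sr`, `sp`, `st`, `se`, and so on) can be compared against the tokens that were issued. It assumes the logged request URL keeps those parameters and that the three tokens were issued with at least one differing field; the blob name, token values and the `sas_fingerprint` and `attribute` helpers are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Non-secret SAS fields; "sig" is deliberately excluded because the log masks it.
FINGERPRINT_FIELDS = ("sv", "sr", "sp", "st", "se", "sip", "spr", "si")

def sas_fingerprint(url_or_token):
    """Return the non-secret SAS parameters as a hashable tuple.

    Accepts a full URL or a bare token with or without a leading "?".
    parse_qsl percent-decodes values, so "%3A" and ":" compare equal.
    """
    query = dict(parse_qsl(url_or_token.split("?", 1)[-1]))
    return tuple((k, query[k]) for k in FINGERPRINT_FIELDS if k in query)

def attribute(log_urls, issued):
    """For each logged URL, list the issued-token names whose fields match.

    An empty list means no SAS token matched (for example user-account
    access); more than one name means the tokens cannot be told apart.
    """
    by_fp = {}
    for name, token in issued.items():
        by_fp.setdefault(sas_fingerprint(token), []).append(name)
    results = []
    for url in log_urls:
        fp = sas_fingerprint(url)
        results.append((url, sorted(by_fp.get(fp, [])) if fp else []))
    return results

# Constructed sample data: one token per consumer, differing in sp and se.
ISSUED = {
    "data01": "?sv=2019-02-02&sr=c&sp=rl&se=2020-06-30T00%3A00%3A00Z&sig=CONSTRUCTED1",
    "app1": "?sv=2019-02-02&sr=c&sp=r&se=2020-04-15T00%3A00%3A00Z&sig=CONSTRUCTED2",
    "app2": "?sv=2019-02-02&sr=c&sp=r&se=2020-05-01T00%3A00%3A00Z&sig=CONSTRUCTED3",
}
BASE = "https://sa01.blob.core.windows.net/con01/report.csv"
LOG_URLS = [
    BASE + "?sv=2019-02-02&sr=c&sp=r&se=2020-04-15T00:00:00Z&sig=XXXXX",
    BASE,  # no SAS parameters at all
]

if __name__ == "__main__":
    for url, names in attribute(LOG_URLS, ISSUED):
        print(names or "no matching SAS token", "<-", url)
```

If two tokens share every non-secret field, the result lists both names and the log alone cannot separate them.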