What Changed

Refactored Commvault Security IQ data connector to implement managed identity authentication and enforce secure HTTPS requests by removing SSL verification bypass.

Security Impact (Visibility & Fidelity)

Authentication Security Enhanced: Replaced the DefaultAzureCredential fallback with an explicit ManagedIdentityCredential, eliminating potential credential exposure in multi-tenant environments and ensuring a consistent authentication mechanism.

SSL/TLS Security Restored: Removed the 'verify=False' parameter from all HTTP requests, re-enabling SSL certificate validation for API calls to the Commvault Security IQ platform. The previous implementation bypassed certificate verification, creating a man-in-the-middle vulnerability.

Dual Authentication Support: Added both authtoken and Authorization Bearer header support to accommodate both SaaS and on-premises authentication flows, ensuring compatibility across deployment models.

Token Management Improved: Enhanced token refresh logic with proper Authorization header updates, ensuring secure token lifecycle management throughout connector operation.
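The pattern the four points above describe, written out as an added illustration (this is not the connector's main.py and none of the names below are from the PR): one session object that sets both the 'authtoken' and 'Authorization: Bearer' headers, refreshes them together, refuses a verify=False bypass, and a regression check that flags the bypass if it reappears in source.

```python
"""Constructed example of the header/TLS handling summarised in the PR
description. Class and method names are hypothetical."""
import re
from dataclasses import dataclass, field
from typing import Dict, Union


@dataclass
class CommvaultSession:
    """HTTP state reused across API calls (hypothetical shape)."""
    base_url: str
    headers: Dict[str, str] = field(default_factory=dict)
    verify: Union[bool, str] = True   # default CA bundle or a CA file path; never False

    def set_token(self, token: str) -> Dict[str, str]:
        """Apply a token in both forms: 'authtoken' for the on-premises flow
        and 'Authorization: Bearer' for the SaaS flow."""
        if not token:
            raise ValueError("empty token")
        self.headers["authtoken"] = token
        self.headers["Authorization"] = f"Bearer {token}"
        return self.headers

    def refresh_token(self, new_token: str) -> Dict[str, str]:
        """Refresh must rewrite both headers; updating only 'authtoken' would
        keep sending a stale Authorization value."""
        return self.set_token(new_token)

    def request_kwargs(self, path: str) -> dict:
        """Keyword arguments for requests.get/post. Certificate verification is
        always left on, and a plain-HTTP base URL is rejected."""
        if not self.base_url.startswith("https://"):
            raise ValueError("Commvault API must be reached over HTTPS")
        if self.verify is False:
            raise ValueError("SSL verification bypass is not allowed")
        return {"url": f"{self.base_url}{path}", "headers": dict(self.headers),
                "verify": self.verify, "timeout": 30}


_BYPASS = re.compile(r"verify\s*=\s*False")


def has_ssl_bypass(source: str) -> bool:
    """Regression check: True if the source text re-introduces verify=False."""
    return bool(_BYPASS.search(source))
```

Running has_ssl_bypass over main.py in CI keeps the bypass from silently returning in a later change.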

Affected Files

Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py

Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQDataConnector.zip (packaging artefacts: etc.)