How to Control TLS Cipher suites in Azure Databricks
Cipher suites:
A cipher suite is a set of cryptographic algorithms used when negotiating a secure communication channel. Read more about SSL cipher suites in "What Are SSL Cipher Suites? | Venafi". By default, most web calls in Azure already support TLS 1.2 for transport layer security, with a number of cipher suites to negotiate from, ordered by their security strength.
For example, this is one of the cipher suites: ECDHE-ECDSA-AES128-GCM-SHA256. Let's see what each portion represents.
Why organizations want to control them:
Because a cloud service provider offers a list of ciphers for customers to negotiate from, client-side applications can connect using the weaker ciphers on that list. Customers in highly regulated industries prefer to control the cipher suites offered by cloud services, but unfortunately not all services offer the flexibility to control them. In fact, a customer may have a list of approved ciphers that they would like to enforce at the cloud PaaS service level.
How to deal with this in Azure Databricks
With Databricks, there is always a possibility to control the ciphers for intra-Spark-cluster communication. For the complete security baseline for Azure Databricks, read "Azure security baseline for Azure Databricks | Microsoft Docs".
Databricks maintains Java-level security parameters at /databricks/spark/dbconf/java/extra.security. The contents of this file should always be the default JVM configuration plus GCM (see "Enable GCM cipher suites - Azure Databricks | Microsoft Docs").
So any control over cipher suites needs to be applied on top of the default Java security settings. Here is a small dbc archive file that will help you do this programmatically in a Scala notebook for any Databricks cluster.
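One way to layer a deny list over the default Java settings, as an added shell example that is not the dbc archive from this post. It assumes the override is expressed through the standard Java `jdk.tls.disabledAlgorithms` security property; the function names, the sample default list and the deny list are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the post's dbc archive. The default list and deny list
# below are constructed samples: use the default value from your cluster's JVM.

# Constructed sample of a JVM default for jdk.tls.disabledAlgorithms.
DEFAULT_DISABLED='SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL'
# Constructed deny list. Java expects IANA/JSSE names (TLS_..._WITH_...),
# not OpenSSL-style names such as ECDHE-ECDSA-AES128-GCM-SHA256.
DENY_SUITES='TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, RC4'

# Merge two comma-separated lists: trim entries, drop blanks and duplicates,
# and keep the default entries first so the result only adds restrictions.
merge_disabled_algorithms() {
  printf '%s,%s\n' "$1" "$2" | tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk 'NF && !seen[$0]++' | paste -sd, - | sed 's/,/, /g'
}

# Replace (or append) the jdk.tls.disabledAlgorithms property in a security
# override file, dropping backslash-continued lines of the old value and
# leaving every other property untouched.
set_disabled_algorithms() {
  file="$1"; value="$2"; tmp="$(mktemp)"
  if [ -f "$file" ]; then
    awk 'skip { skip = ($0 ~ /\\$/); next }
         /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { skip = ($0 ~ /\\$/); next }
         { print }' "$file" > "$tmp"
  fi
  printf 'jdk.tls.disabledAlgorithms=%s\n' "$value" >> "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# On a cluster (for example from an init script) run with --apply.
if [ "${1:-}" = "--apply" ]; then
  set_disabled_algorithms /databricks/spark/dbconf/java/extra.security \
    "$(merge_disabled_algorithms "$DEFAULT_DISABLED" "$DENY_SUITES")"
fi
```

The JVM reads security properties at startup, so the file has to be in place before the Spark JVMs launch; verify the result afterwards by checking which suites a test client can still negotiate.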