TITAN AI · CONDUIT Agent
CONDUIT TICKET REPORT
TICKET
Azure
Critical
Assigned
Opened by TITAN AI · CONDUIT · Scanner found the finding, CONDUIT forwarded this ticket via CONDUIT generic-API layer, assigned identity_and_access, populated every ticket field, The ticket is routed and awaiting team approval — CONDUIT will update it after TITAN FORGE applies the fix.
Finding Summary
- Short description
- [TITAN] Critical — access_control on adf-banking-reg-reports
- Severity
- Critical
- Priority
- 1 - Critical
- Resource
- adf-banking-reg-reports
- Resource type
- Microsoft.DataFactory/factories
- Cloud
- Azure
- Subscription / Account
- 4f29d094-1079-44c9-acb0-4d73a7a2dd34
- Resource group / Project
- rg-banking-prod
The Security Finding
Azure Data Factory for regulatory reporting has pipeline with hardcoded service-principal secret in linked-service JSON. Credential rotation is blocked; SOX §404 failure and secret-sprawl exposure.
ITIL Change Management Fields
Justification
Critical: Azure Data Factory for regulatory reporting has pipeline with hardcoded service-principal secret in linked-service JSON. Credential rotation is blocked; SOX §404 failure and secret-sprawl exposure.
Implementation Plan
1. Pre-change snapshot captured by TITAN (auto-rollback available).
2. Execute fix command:
az datafactory linked-service update --resource-group rg-banking-reporting --factory-name adf-banking-reg-reports --name ls-sql-core --properties @linked-service-keyvault-ref.json
3. TITAN FORGE verifies the fix was applied.
4. Post-change rescan by TITAN SCOUT — finding must no longer appear.
5. Close ticket with Successful close_code.
Risk & Impact Analysis
Risk level: HIGH business risk — active exposure; fix required immediately.
Business impact if unremediated: Potential data exfil, privilege escalation, or compliance breach.
Scope: single resource (adf-banking-reg-reports).
Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails.
Finding detail: Azure Data Factory for regulatory reporting has pipeline with hardcoded service-principal secret in linked-service JSON. Credential rotation is blocked; SOX §404 failure and secret-sprawl exposure.
Backout / Rollback Plan
1. TITAN auto-captured snapshot of adf-banking-reg-reports before change (baseline: titan-banking-demo-20260422T201922Z).
2. If post-change rescan still shows the finding OR a new issue appears within 15 min:
a. TITAN FORGE fires rollback automatically using stored snapshot.
b. Incident reopens and escalates to on-call.
3. Manual rollback command path (human override) is documented in close notes.
Test Plan
1. TITAN SCOUT rescans adf-banking-reg-reports immediately after FORGE applies the change.
2. PASS criteria: the specific finding no longer appears in SCOUT results.
3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change.
4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated.
5. If any check fails, backout plan fires automatically.
Recommended Fix
az datafactory linked-service update --resource-group rg-banking-reporting --factory-name adf-banking-reg-reports --name ls-sql-core --properties @linked-service-keyvault-ref.json
Compliance Mapping
CIS 1.x IAMNIST AC-2SOC 2 CC6.1CIS Azure 6.2
Routing Metadata
- Assignment group
- identity_and_access
- Change type
- Emergency
- Approval required
- Yes
- Planned start
- 2026-04-22 19:09:22
- Planned end
- 2026-04-22 21:09:22
- Scan ID
- titan-banking-demo-20260422T201922Z
- Generated at
- 2026-04-22T18:55:22+00:00
- Opened
- 2026-04-22 18:55:22
- Closed
- 2026-04-22 18:55:22
- Close code
- —
Attached Security Ticket
SERVICENOW · TICKET
SEC-5761 · [TITAN] Critical — access_control on adf-banking-reg-reports
Priority: Critical
TICKET
Azure
Ticket Description
Azure Data Factory for regulatory reporting has pipeline with hardcoded service-principal secret in linked-service JSON. Credential rotation is blocked; SOX §404 failure and secret-sprawl exposure.
Recommended Fix: az datafactory linked-service update --resource-group rg-banking-reporting --factory-name adf-banking-reg-reports --name ls-sql-core --properties @linked-service-keyvault-ref.json
AI Close Notes
TITAN CONDUIT opened this critical access_control ticket and assigned it to the banking_compliance group for review. STATE: ASSIGNED — awaiting human action. Per TITAN AI policy, configuration changes are NEVER auto-applied and tickets are NEVER auto-closed by TITAN. The assigned group reviews the recommended fix, schedules an approved maintenance window, applies the fix manually, validates via SCOUT rescan, and closes this ticket themselves. TITAN documents and routes — the human owns the change from here.