Security considerations: SAS URI
1. Is there a reliable way to audit or detect if such publicly shared SAS URIs have been abused? Can you trace who accessed the file, from what IP, and when — especially once the link is out there?
2. Even if the odds are low, how serious is the risk if a SAS URI containing PII is accidentally exposed (e.g., in logs, emails, chat, or browser history)?
3. Could a bot or unintended user realistically access data via a SAS URI if no IP restrictions are set? How would you mitigate this risk?
4. Are IP address restrictions reliable for protecting PII when using SAS URIs? Are there other effective mitigations?
If a SAS URI is not really secure for PII, is there a different way I can use the SKY API to pull data from Raiser's Edge?
Answers
Assuming you are talking about the Query API:
sas_uri is available for 15 minutes only, after the query output has been successfully generated. See the documentation on sas_uri here:
That said, it is no more safe or unsafe than the "magic link" used on various platforms nowadays; if you are not sure what a "magic link" is, it's worth looking it up.
- I am not aware of a client-side way to trace/audit the link. I can't speak to whether Blackbaud can internally.
- As mentioned above, it's just about as safe as a "magic link" used to log in to a user account rather than using a password.
- A job id is provided to the user who executed the query (ad hoc or by query id). This job id is then used to check whether the query has finished executing, and if it has, the SAS URI is provided to this user to download the result. This user must be an internal user who has rights to execute queries and is logged in. I cannot imagine a case where a bot or unintended user would get hold of this SAS URI without the user (who ran the query) explicitly providing it to them. This would be no more dangerous than this user logging into RE NXT, running the query manually, downloading the CSV and sending it to a bot/unintended user.
- I do not believe Blackbaud blocks the SAS URI from being used by IP; not sure where you read this.
As a programmer who cares deeply about security and data exposure, I do not think the use of a SAS URI via the Query API is insecure. But if you do not wish to use the Query API, you can stick to the standard SKY API list endpoints to get the constituent list, gift list, etc. You do have to keep in mind that the Query API makes far more data available programmatically than these standard SKY API list endpoints.
Hope that helps.