As the first and only company to provide true end-to-end enterprise security on top of Apache Spark in the cloud, Databricks has been partnering with enterprises and government agencies to securely process mission-critical workloads with Spark. Today we are excited to announce that Databricks has successfully completed SOC 2 Type 1 certification. The audit was done by Coalfire, a leading third-party cyber risk management and compliance audit firm. The report assures that Databricks’ controls were designed and implemented to meet the criteria for:
- Security. The system is protected against unauthorized access.
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.[1]
This achievement is an important milestone in rolling out Databricks Enterprise Security (DBES). As the team who created Apache Spark, we architected DBES to address enterprise data security needs by building all the facets of security — encryption, identity management, role-based access control, data governance, and compliance standards — natively into a single data platform on top of Spark.
What is SOC 2?
As companies increasingly shift their workloads into cloud-based data platforms, they need objective assurance that their confidential data, which often includes Personally Identifiable Information (PII) and intellectual property, is adequately protected. SOC 2 is a standardized audit performed by a trusted third party that provides that assurance. Issued by an independent auditor, the SOC 2 report includes a detailed description of the system architecture, data flows, processes, and controls, together with the auditor's opinion.
What this audit demonstrates
The audit completed at this time is SOC 2 Type 1. It is an independent validation of Databricks’ commitment to meeting customers’ requirements and to implementing a robust compliance program. Specifically, the auditors determined that Databricks has been architected according to security best practices from the ground up. Achieving SOC 2 Type 1 requires meticulous documentation of the controls that were already in place, such as:
- Secure product development lifecycle.
- Stringent access control based on the principle of least privilege.
- Robust logging, monitoring, event correlation, and alerting.
- Comprehensive vulnerability management with internal and external scans, penetration testing, and code reviews.
- Extensive employee security awareness training.
The SOC 2 Type 1 report provides the auditors' opinion on the design of controls. In the coming months they will further validate the operating effectiveness of these controls with a Type 2 report, which is based on an assessment of the controls in operation over a period after the issuance of the Type 1 report. With the achievement of these compliance standards, Databricks is on track to execute an aggressive roadmap to realize the full vision of DBES, which includes a multitude of additional compliance standards, including HIPAA, FedRAMP, and PCI, as well as many cutting-edge security features.
[1] American Institute of CPAs, Trust Services and Information Integrity