What’s new in security and compliance at Data + AI Summit 2025

Serverless Egress Control GA, comprehensive Private Link coverage, Multi-Key Protection, compliance expansion, and more

Summary

  • Serverless Egress Control is now Generally Available on AWS and Azure, enabling a deny-by-default posture and centralized network policy management for serverless workloads
  • Databricks Multi-Key Protection delivers advanced encryption with customer-managed keys and file-level isolation for data at rest
  • Expanded compliance offerings with the new Enhanced Security and Compliance on GCP, AWS GovCloud support, and broader regional coverage for Model Serving and serverless

Over the past year, we’ve continued to expand our security and compliance offerings to meet the evolving needs of regulated industries, privately connect to external resources, support your zero trust initiatives, and help you stay ahead of emerging threats. Today, we’re excited to introduce a new wave of capabilities that make secure, serverless, multicloud data and AI a reality:

  • New platform security features:
    • Serverless Egress Control: GA on AWS and Azure, Private Preview on GCP
    • Serverless Private Link support to resources in your virtual private clouds and S3: Now in Public Preview
    • Databricks Multi-Key Protection: Now in Private Preview
  • New compliance availability:
    • Enhanced Security and Compliance (ESC): Now in Public Preview on GCP
    • Expanded Model Serving Compliance: HIPAA, PCI-DSS, more
    • AWS GovCloud: GA with FedRAMP High and DoD IL5 authorizations
    • New PayGo Pricing Model for ESC on AWS

Read on for a closer look at each announcement!

New platform security features to unlock AI and serverless potential

We’re delivering security that’s easy to adopt and built for modern multicloud environments. These new capabilities help protect sensitive data assets and simplify secure connectivity across the lakehouse.

Strengthening network security with Serverless Egress Control and Private Link

As more organizations adopt serverless for its scalability and simplicity, secure connectivity and network perimeter controls are critical to keep your environment private and mitigate data exfiltration risks. To help platform teams lock down network paths without compromising agility, we’re introducing new capabilities that deliver stronger, more flexible network controls across serverless workloads:

  1. Serverless Egress Control is now Generally Available on AWS and Azure and in Private Preview on GCP. It lets you enforce a deny-by-default network posture for all serverless workloads, permitting outbound connections only to explicitly approved destinations (such as specific domains or cloud storage resources) or Unity Catalog-governed storage locations. Serverless Egress Control also provides centralized policy management and a dry-run mode to test policies safely before enforcement.
  2. Serverless Private Link allows you to connect your serverless workloads to internal resources in your virtual private clouds (VPCs) on AWS and virtual networks (VNets) on Azure. On AWS, we’re also introducing Private Link connectivity to S3 buckets for private access to your object storage. These capabilities are now available in Public Preview. As a reminder, customers using this feature may incur data transfer costs.

These features complement each other and strengthen your security posture. Imagine your platform team needs to deploy a Python notebook to production. Because of strict internal policies, public internet access is not allowed, and all packages must be scanned before they are deployed to production. With Serverless Egress Control, the team enforces a deny-by-default policy that blocks all external outbound traffic, including traffic to public package repositories. The team then configures Serverless Private Link to reach the private artifact repository on its own network. Together, the two features let the team deploy the notebook in accordance with its security policies.

These network policy and connectivity features apply consistently across all serverless data and AI products.

At the National Australia Bank, security, governance, privacy and ethics are at the forefront of everything we do. In a heavily regulated environment, it is critical to ensure all of the controls are enforced when it comes to accessing and using data. By utilizing Mosaic AI Gateway in combination with Model Serving Endpoints, Serverless Egress Control, and Private Link, we are able to centralize our security and governance controls, allowing us to provide safe and secure GenAI capabilities within the organization.
— Daniel Antoinette, Distinguished Engineer, Data Platforms, National Australia Bank

Introducing Databricks Multi-Key Protection

Databricks Multi-Key Protection is a new encryption capability designed to help you safeguard highly sensitive data, such as PII, PHI, and employee records, by ensuring it remains private even from infrastructure or platform administrators. With Multi-Key Protection, data is encrypted with a combination of a key managed in your key management service and a set of keys managed by Databricks. Storage administrators accessing files at the cloud storage layer can only see encrypted data. Data is accessible only through Unity Catalog-governed paths and is subject to fine-grained controls. You can configure a separate customer-managed key (CMK) for each catalog for further isolation at rest, and you can deny all access to that catalog's data at any time by revoking access to its CMK.
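The following Go model is an added illustration, not Databricks' code or its actual key hierarchy; it shows the property the paragraph describes: a fresh per-file data key is wrapped under both a customer-managed key and a platform-held key, so the object-storage layer only ever holds ciphertext, and revoking the CMK denies every file in that catalog. The layering order (CMK inside, platform key outside), AES-256-GCM, and the use of a nil key to stand for a revoked CMK are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds AES-256-GCM; every key in this model is 32 bytes, so this cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal encrypts with a fresh random 12-byte nonce prepended to the ciphertext.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // lack of entropy is not recoverable
	}
	return aead(key).Seal(nonce, nonce, pt, nil)
}
// open reverses seal; a nil key models a revoked CMK, and a wrong key or tampered bytes fail GCM authentication.
func open(key, ct []byte) ([]byte, error) {
	if key == nil || len(ct) < 12 {
		return nil, errors.New("key unavailable or ciphertext too short")
	}
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}
// EncryptFile is the write path: a fresh per-file DEK encrypts the data; the DEK is wrapped under
// the catalog's CMK, then under the platform key. These two blobs are all a storage admin can see.
func EncryptFile(cmk, platformKey, data []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(platformKey, seal(cmk, dek)), seal(dek, data)
}
// DecryptFile is the governed read path: peel the platform layer, then the CMK layer, then the data.
// A revoked CMK (nil) denies every file in that catalog; the platform key alone yields only the inner wrap.
func DecryptFile(cmk, platformKey, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := wrappedDEK, error(nil)
	for _, k := range [][]byte{platformKey, cmk} {
		if dek, err = open(k, dek); err != nil {
			return nil, err
		}
	}
	return open(dek, ciphertext)
}
```

Per-catalog isolation falls out of the key lookup: each catalog's files are wrapped under its own CMK, so removing one catalog's key from the key service leaves the others readable.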

Databricks Multi-Key Protection will soon be available in Public Preview on Default Storage for customers using Express Setup on AWS. See our webpage for more information, and contact your account team if you’re interested in trying it out.

Expanded compliance offerings to meet regulatory demands at scale

Databricks continues to expand its comprehensive compliance portfolio across all major cloud platforms. Whether you're managing regulated healthcare data, processing financial transactions, or deploying AI solutions in the public sector, our enhanced capabilities are designed to help you confidently meet regulatory requirements.

Compliance Everywhere for Serverless and Model Serving

We’re rolling out wider support for compliance standards across all regions globally. Beginning with Azure in July, we will start adding support for all compliance standards across all serverless regions, with AWS and Google Cloud to follow later this year. Additionally, Databricks on AWS GovCloud will introduce serverless services this summer.

In parallel, we are extending Model Serving capabilities across all regions and all available compliance standards on Azure and AWS, with availability on AWS GovCloud expected later this year. These advancements also lay the groundwork for the rollout of our latest Mosaic AI features, scheduled to begin later this year.

Enhanced Security and Compliance Add-On for GCP is now in Public Preview

Already available on AWS and Azure, the Enhanced Security and Compliance Add-On is now in Public Preview for GCP, supporting HIPAA workloads today and PCI-DSS by the end of June. This advanced security offering simplifies compliance with features like hardened CIS Level 1 images, malware detection, vulnerability reporting, and enriched audit logs. It also enforces compliance-specific security baselines with FIPS 140 encryption and automatic cluster updates to help customers meet the applicable requirements for compliance standards.

Check the Databricks Trust Center for updated regional availability and compliance mappings.

AWS GovCloud is Generally Available with FedRAMP High and DoD IL5 authorization

We recently announced the General Availability of Databricks on AWS GovCloud, which now supports FedRAMP® High and DoD IL5 (Provisional Authorization) and is ready to meet your ITAR and HIPAA requirements. Expanded product coverage, including serverless and model serving-based features, will be available in the coming months. See our documentation and announcement blog for complete details.

Updated AWS pricing model for the Enhanced Security and Compliance add-on

We are simplifying access to the Enhanced Security and Compliance Add-On, making it available to every customer without the need to sign a contract or modify an existing one.

To that end, we are:

  • Introducing Pay-as-you-go (PayGo) ESC Add-On availability for AWS Commercial.
  • Transitioning from contract-level to workspace-level pricing to align AWS with Azure’s model.

See our pricing page for more details.

Stay up to date with Databricks security

Security is never “done.” We constantly evolve the platform based on your feedback, industry shifts, and emerging threats.

To stay ahead:

Whether you're a CISO, a platform team, or a data scientist working with sensitive workloads, Databricks is your trusted partner for securing data and AI at scale.