Protect Your Data With Enhanced Security and Compliance
At Databricks, we recognize that maintaining data security and compliance is a top priority for our customers. That is why Databricks is introducing Enhanced Security and Compliance (ESC) to help simplify the complexity of meeting security and regulatory requirements for our customers.
What is Enhanced Security and Compliance?
ESC is made up of two halves:
With Enhanced Security Monitoring (ESM), we enable the use of enhanced hardened images, add additional security tools for behavioral-based malware monitoring and provide vulnerability reports for our images. ESM is currently available on AWS. The Compliance Security Profile (CSP) builds on top of ESM and provides features required for compliance, like FIPS 140-2 encryption and cluster update enforcement.
The benefits of using Enhanced Security Monitoring
On top of Databricks’ existing security features, Enhanced Security Monitoring provides customers with increased visibility, threat protection and security hardening for their workloads. Benefits of ESM include:
An AMI with enhanced CIS Level 1 hardening
Behavior-based malware monitoring and file integrity monitoring (Capsule8)
Malware and antivirus detection (ClamAV)
Qualys vulnerability reports of the host OS [1]
With ESM, security event logs from Capsule8 and ClamAV are automatically delivered along with your regular Databricks audit logs, providing comprehensive security monitoring in your organization’s SIEM or Databricks platform. These logs come with contextual information that assists analysts in quickly determining the origin of suspicious activity without requiring a lengthy investigation.
Figure 1: Audit logging of security features in the ESM host image
[1] Vulnerability scans are performed on a representative host image in the Databricks environment, and reports are provided to customers on a biweekly basis.
Benefits of Compliance Security Profile
Compliance Security Profile (CSP) provides customers the means to run cloud-ready HIPAA, PCI-DSS and FedRAMP Moderate workloads. CSP is our most secure baseline for the data plane — and includes all of the benefits of ESM — making it easier to meet and manage compliance control requirements. Key benefits of CSP include:
The ESM security enhancements listed above
FIPS 140-2 Level 1 validated encryption modules (where available)
AWS Nitro VM enforcement for data at rest and in transit encryption
Cluster update enforcement (auto-restart after 25 days)
HIPAA, PCI-DSS, FedRAMP Moderate compliant features and controls
How to get started
Customers can choose to enable Compliance Security Profile (CSP) at the account or workspace level and Enhanced Security Monitoring (ESM) at the workspace level, depending on their organization’s security risk profile and compliance requirements. To enable ESM or CSP:
Prepare any existing workspaces that will use ESM or CSP
Contact your account team to request that Databricks enable ESM or CSP for your account or workspace
Wait for confirmation that the profile is now enabled
If any clusters or SQL warehouses were running, restart them