Canada Protected B compliance controls
Canada Protected B compliance controls provide enhancements that help you with Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance for your workspace. Canada Protected B compliance controls are for sensitive government information.
Canada Protected B compliance controls require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and more. For technical details, see Compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled and confirm that Canada Protected B is added as a compliance program.
Canada Protected B compliance controls are only available in the ca-central-1 region.
Which compute resources get enhanced security
The compliance security profile enhancements apply to compute resources in the classic compute plane in the ca-central-1 region.
Canada Protected B compliance controls do not support serverless compute resources. See Compliance security profile compliance standards with serverless compute availability.
For more information on the classic and serverless compute planes, see Databricks architecture overview.
Requirements
- Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.
- Your Databricks workspace must be on the Enterprise pricing tier.
- Your Databricks workspace must be in the ca-central-1 AWS region.
- Single sign-on (SSO) authentication is configured for the workspace.
- Your workspace must enable the compliance security profile and include the Canada Protected B compliance standard as part of the compliance security profile configuration.
- You must use the following VM instance types:
  - General purpose: M-fleet, Md-fleet, M5dn, M5n, M5zn, M6i, M7i, M6id, M6in, M6idn
  - Compute optimized: C-fleet, C5a, C5ad, C5n, C6i, C6id, C7i, C6in
  - Memory optimized: R-fleet, Rd-fleet, R6i, R7i, R7iz, R6id, R6in, R6idn
  - Storage optimized: D3, D3en, P3dn, R5dn, R5n, I4i, I3en
  - Accelerated computing: G4dn, G5, P4d, P4de, P5
- Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, and job names.
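One way to check existing cluster definitions against the instance type requirement above is sketched below. This is an added example, not Databricks code: it assumes each cluster spec is a dict using the `node_type_id`, `driver_node_type_id` and `instance_pool_id` fields, and the sample specs are constructed.

```python
"""Added example: audit cluster specs against the instance types listed above."""
ALLOWED_FAMILIES = {
    # General purpose
    "m-fleet", "md-fleet", "m5dn", "m5n", "m5zn", "m6i", "m7i", "m6id", "m6in", "m6idn",
    # Compute optimized
    "c-fleet", "c5a", "c5ad", "c5n", "c6i", "c6id", "c7i", "c6in",
    # Memory optimized
    "r-fleet", "rd-fleet", "r6i", "r7i", "r7iz", "r6id", "r6in", "r6idn",
    # Storage optimized
    "d3", "d3en", "p3dn", "r5dn", "r5n", "i4i", "i3en",
    # Accelerated computing
    "g4dn", "g5", "p4d", "p4de", "p5",
}

def family(node_type_id):
    """'m5dn.xlarge' -> 'm5dn'. Matching is exact, so 'm5' does not pass as 'm5dn'."""
    return node_type_id.strip().lower().split(".", 1)[0]

def audit_cluster(spec):
    """Return findings for one cluster spec; an empty list means no violation found."""
    worker = spec.get("node_type_id")
    if worker is None and spec.get("instance_pool_id"):
        # Pool-backed clusters carry no node type; the pool must be checked instead.
        return ["node type is set by the instance pool; audit the pool definition"]
    driver = spec.get("driver_node_type_id") or worker  # driver defaults to worker type
    findings = []
    for role, node in (("worker", worker), ("driver", driver)):
        if not node:
            findings.append(f"{role}: no node type in spec")
        elif family(node) not in ALLOWED_FAMILIES:
            findings.append(f"{role}: {node} is not an allowed instance type")
    return findings

# Constructed sample specs (names and pool id are made up for illustration).
SAMPLE_CLUSTERS = [
    {"cluster_name": "etl-nightly", "node_type_id": "m6i.2xlarge"},
    {"cluster_name": "adhoc", "node_type_id": "r6id.xlarge", "driver_node_type_id": "m5.large"},
    {"cluster_name": "legacy", "node_type_id": "i3.xlarge"},
    {"cluster_name": "fleet", "node_type_id": "rd-fleet.xlarge"},
    {"cluster_name": "pooled", "instance_pool_id": "pool-placeholder"},
]

def audit_all(clusters):
    return {c["cluster_name"]: audit_cluster(c) for c in clusters}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CLUSTERS).items():
        print(name, "OK" if not findings else findings)
```

The driver is checked separately because a compliant worker type paired with a non-listed driver type still violates the requirement.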
Enable Canada Protected B compliance controls on a workspace
To configure your workspace to support processing data regulated by the Canada Protected B standard, the workspace must have the compliance security profile enabled. You can enable the compliance security profile and add the Canada Protected B compliance standard across all workspaces or on select workspaces. See Configure enhanced security and compliance settings.
- Enabling a compliance standard for a workspace is permanent.
- You are solely responsible for ensuring your own compliance with all applicable laws and regulations.
Preview features that are supported for processing of data regulated under the Canada Protected B standard
The following preview features are supported for processing data regulated under the Canada Protected B standard:
Public Preview:
- Workspace-level SCIM provisioning
  Workspace-level SCIM provisioning is a legacy feature. Databricks recommends using account-level SCIM provisioning instead.
- Credential passthrough is deprecated starting with Databricks Runtime 15.0 and will be removed in future Databricks Runtime versions. Databricks recommends that you upgrade to Unity Catalog. Unity Catalog simplifies security and governance of your data by providing a central place to administer and audit data access across multiple workspaces in your account. See What is Unity Catalog?.
Private Preview:
- Unity Catalog attribute-based access control (ABAC)
- DLT Hive metastore to Unity Catalog clone API
- Tag policies
- DBFS disablement
- Document parsing
Does Databricks permit the processing of data regulated under the Canada Protected B standard on Databricks?
Yes, if you comply with the requirements, enable the compliance security profile, and add the Canada Protected B compliance standard as part of the compliance security profile configuration.