Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance controls

Preview

The ability for admins to add Enhanced Security and Compliance features is a feature in Public Preview. The compliance security profile and support for compliance standards are generally available (GA).

Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance controls provide enhancements that help you with Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance for your workspace. CCCS Medium (Protected B) compliance controls are for sensitive government information.

Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance controls require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and more. For technical details, see Compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled and confirm that CCCS Medium (Protected B) is added as a compliance program.

Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance controls are only available in the ca-central-1 region.

Which compute resources get enhanced security

The compliance security profile enhancements apply to compute resources in the classic compute plane in all supported regions.

Support for serverless SQL warehouses for the compliance security profile varies by region. See Serverless SQL warehouses support the compliance security profile in some regions.

Requirements

  • Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.

  • Your Databricks workspace must be on the Enterprise pricing tier.

  • Your Databricks workspace must be in the ca-central-1 AWS region.

  • Single sign-on (SSO) authentication must be configured for the workspace.

  • Your workspace must enable the compliance security profile and include the CCCS Medium (Protected B) compliance standard as part of the compliance security profile configuration.

  • You must use the following VM instance types:

    • General purpose: M-fleet, Md-fleet, M5dn, M5n, M5zn, M6i, M7i, M6id, M6in, M6idn

    • Compute optimized: C5a, C5ad, C5n, C6i, C6id, C7i, C6in

    • Memory optimized: R-fleet, Rd-fleet, R6i, R7i, R7iz, R6id, R6in, R6idn

    • Storage optimized: D3, D3en, P3dn, R5dn, R5n, I4i, I3en

    • Accelerated computing: G4dn, G5, P4d, P4de, P5

  • Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, and job names.
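
A pre-deployment check for the instance-type and region requirements listed above, as an added example (not Databricks code). It assumes node type IDs use the AWS `family.size` form (for example `m6i.xlarge` or `rd-fleet.xlarge`); the function names and the sample cluster specs are constructed for illustration.

```python
# Added example (not Databricks code): audit cluster specs against the
# instance families and region listed in the Requirements section.
REQUIRED_REGION = "ca-central-1"
ALLOWED_FAMILIES = {
    f.lower()
    for f in (
        "M-fleet Md-fleet M5dn M5n M5zn M6i M7i M6id M6in M6idn "  # general purpose
        "C5a C5ad C5n C6i C6id C7i C6in "                          # compute optimized
        "R-fleet Rd-fleet R6i R7i R7iz R6id R6in R6idn "           # memory optimized
        "D3 D3en P3dn R5dn R5n I4i I3en "                          # storage optimized
        "G4dn G5 P4d P4de P5"                                      # accelerated computing
    ).split()
}

def family_of(node_type_id):
    """Return the family part of an ID such as 'm6i.xlarge' -> 'm6i'."""
    return node_type_id.strip().lower().partition(".")[0]

def audit(region, clusters):
    """Return (cluster_name, field, value) for every requirement violation."""
    findings = []
    if region != REQUIRED_REGION:
        findings.append(("<workspace>", "region", region))
    for cluster in clusters:
        for field in ("node_type_id", "driver_node_type_id"):
            value = cluster.get(field)
            if value is None:  # assumption: unset fields are reviewed separately
                continue
            # Exact family match: 'm5' must not pass just because 'm5n' is listed.
            if family_of(value) not in ALLOWED_FAMILIES:
                findings.append((cluster.get("cluster_name", "?"), field, value))
    return findings

# Constructed sample specs, not taken from a real workspace.
SAMPLE_CLUSTERS = [
    {"cluster_name": "etl-nightly", "node_type_id": "m6i.xlarge",
     "driver_node_type_id": "m6i.2xlarge"},
    {"cluster_name": "adhoc", "node_type_id": "m5.large"},
    {"cluster_name": "gpu-train", "node_type_id": "g5.4xlarge",
     "driver_node_type_id": "r5.xlarge"},
    {"cluster_name": "fleet", "node_type_id": "rd-fleet.xlarge"},
]

if __name__ == "__main__":
    for name, field, value in audit("ca-central-1", SAMPLE_CLUSTERS):
        print(f"NON-COMPLIANT {name}: {field}={value}")
```

The check compares the whole family name rather than a prefix, so `m5.large` and `r5.xlarge` are reported even though `M5n` and `R5n` are on the list.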

Enable Canadian Centre for Cybersecurity (CCCS) Medium (Protected B) compliance controls on a workspace

To configure your workspace to support processing data regulated by the CCCS Medium (Protected B) standard, the workspace must have the compliance security profile enabled. You can enable the compliance security profile and add the CCCS Medium (Protected B) compliance standard across all workspaces or on select workspaces.

To enable the compliance security profile and add the CCCS Medium (Protected B) compliance standard for an existing workspace, see Enable enhanced security and compliance features on an existing workspace.

To set an account-level setting to enable the compliance security profile and CCCS Medium (Protected B) for new workspaces, see Set account-level defaults for all new workspaces.

Preview features that are supported for processing of data regulated under the CCCS Medium (Protected B) standard

The following preview features are supported for processing data regulated under the CCCS Medium (Protected B) standard:

  • IAM credential passthrough

    Credential passthrough is deprecated starting with Databricks Runtime 15.0 and will be removed in future Databricks Runtime versions. Databricks recommends that you upgrade to Unity Catalog. Unity Catalog simplifies security and governance of your data by providing a central place to administer and audit data access across multiple workspaces in your account. See What is Unity Catalog?.

Does Databricks permit the processing of data regulated under the CCCS Medium (Protected B) standard on Databricks?

Yes, if you comply with the requirements, enable the compliance security profile, and add the CCCS Medium (Protected B) compliance standard as part of the compliance security profile configuration.