IRAP compliance controls

IRAP compliance controls provide enhancements that help you with Infosec Registered Assessors Program (IRAP) compliance for your workspace.

IRAP provides high-quality information and communications technology (ICT) security assessment services to the Australian government. IRAP provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements. Databricks is IRAP certified.

IRAP compliance controls require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and other features. For technical details, see Enable the compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled if it’s needed.

IRAP compliance controls are only available in the ap-southeast-2 region.

Which compute resources get enhanced security

The compliance security profile enhancements apply to compute resources in the classic compute plane, such as clusters and non-serverless SQL warehouses. This applies in all regions.

Serverless SQL warehouse support for the compliance security profile varies by region. See Serverless SQL warehouses support the compliance security profile in some regions.

Requirements

• Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.

• Your Databricks workspace is in the ap-southeast-2 region.

• Your Databricks workspace is on the E2 version of the platform.

• Your Databricks workspace is on the Enterprise tier.

• Single sign-on (SSO) authentication is configured for the workspace.

• Enabling the compliance security profile at the account level or for specific workspaces. Note that the instance types are limited to ones that enforce inter-node encryption in transit: C5a, C5ad, C5n, C6i, C6id, C6in, D3, D3en, G4dn, G5, I3en, I4i, M5dn, M5n, M5zn, M6i, M6id, M6idn, M6in, P3dn, R-fleet, R5dn, R5n, R6i, R6id, R6idn, R6in, and Databricks fleet instance types M-fleet, MD-fleet, and RD-fleet..

Enable IRAP compliance controls

To configure your account or workspace to support processing of data regulated by the IRAP Protected standard standard, enable the compliance security profile. One of those steps includes contacting your Databricks account team, at which point also request the IRAP compliance controls. When ordering, you have the option to enable this functionality across all workspaces on an account, or only on individual workspaces.

If you’ve already enabled the security profile, contact your Databricks account team to request the IRAP compliance controls.

You are solely responsible for ensuring your own compliance with all applicable laws and regulations.

Preview features that are supported for processing data under the IRAP Protected standard

The following preview features are supported for processing of processing data regulated under IRAP Protected standard:

• SCIM provisioning

• IAM passthrough

• Secret paths in environment variables

• Automatic cluster update

• System tables

• Serverless SQL warehouse usage when compliance security profile is enabled, with support in some regions

• Filtering sensitive table data with row filters and column masks

• Unified login

• Lakehouse Federation to Redshift

Does Databricks permit the processing of data regulated under IRAP Protected standard?

Databricks permits the processing of data regulated under IRAP Protected standard if you have enrolled your account in the IRAP compliance controls. Contact your Databricks account team for more information.