Configure enhanced security and compliance settings
This feature is in Public Preview.
This page describes how to configure enhanced security and compliance settings on your Databricks workspace.
- Enabling the compliance security profile or adding compliance standards to a workspace is intended to be a permanent change.
- You cannot remove the compliance profile or individual standards from a workspace if it has ever processed regulated data. To revert, you must delete the workspace and create a new one without the profile or with a different standard. For help, contact Databricks support.
- Before processing PHI, make sure you have a BAA agreement in place with Databricks.
Requirements
- Your Databricks workspace is on the Premium pricing tier.
- Your Databricks account must include the Enhanced Security and Compliance add-on.
- Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, tags, and job names.
Databricks Assistant is disabled by default on workspaces that have enabled the compliance security profile. Workspace admins can enable it by following the instructions For an account: Disable or enable partner-powered AI features.
Enable on an existing workspace
Account admins can enable the compliance security profile, add compliance standards, enable enhanced security monitoring, and enable automatic cluster update on a workspace.
-
Before enabling the compliance security profile, check your workspace for any long-running compute. Enabling the profile causes clusters to restart automatically based on the configured update schedule.
-
As an account admin, go to the account console.
-
Click Workspaces.
-
Click on your workspace's name.
-
Click Security and compliance.
-
To enable the compliance security profile, next to Compliance security profile, click Enable.
In the Compliance security profile dialog, optionally select compliance standards and click Save.
importantYou must have a BAA agreement with Databricks before processing any PHI data. Enabling HIPAA in the compliance security profile does not replace this requirement.
-
To enable enhanced security monitoring, select the checkbox Enhanced security monitoring.
If you enable the compliance security profile, enhanced security monitoring is automatically enabled.
-
To enable automatic cluster update, select or unselect the checkbox Automatic cluster update.
If you enable the compliance security profile, automatic cluster update is automatically enabled.
Set account-level defaults for all new workspaces
Account admins can configure settings for security profile (with compliance standards) or enhanced security monitoring at an account level to apply to all new workspaces. When you enable the compliance security profile as a default for new workspaces, enhanced security monitoring and automatic cluster update are also enabled for new workspaces.
-
As an account admin, go to the account console.
-
In the sidebar, click Settings.
-
Click the Security and compliance tab.
-
In the sidebar, click Enhanced Security and Compliance Settings.
-
To enable the compliance security profile, next to Compliance security profile, click Configure.
In the Compliance security profile for new workspaces dialog, select Enabled, select one or compliance standards or select None and click Save.
-
To enable enhanced security monitoring, select the checkbox Enhanced security monitoring for new workspaces.
Create a new workspace
Account admins can enable the compliance security profile, add compliance standards, and enable enhanced security monitoring during workspace creation. New workspaces must adhere to configured account-level defaults.
- Follow the instructions to create a workspace in Create a workspace using the account console. Ensure you choose a region that supports your compliance standard.
- Click Advanced configurations.
- To enable the compliance security profile, select the checkbox Compliance security profile.
- To enable enhanced security monitoring, select the checkbox Enhanced security monitoring.
- In Compliance standard, select one or more compliance standards or select None.
- Click Next and Create workspace.
Confirm that the compliance security profile is enabled for a workspace
You can confirm a workspace is using the compliance security profile in the Security and compliance tab on the workspace page in the account console.
The workspace also has a shield logo displayed in the workspace UI. A shield logo appears in the top-right of the page, to the right of the workspace name. Click the workspace name to see a list of the workspaces that you have access to. The workspaces that enable the compliance security profile have a shield icon.
If the shield icons are missing for a workspace with the compliance security profile enabled, contact your Databricks account team.