
Compliance security profile

This article describes the compliance security profile and its compliance controls.

Preview

This feature is in Private Preview. To join this preview, contact your Databricks account team and enable it in the Previews page.

Compliance security profile overview

The compliance security profile enables additional monitoring, a hardened compute image, and other features and controls on Databricks workspaces. The compliance security profile includes controls that help meet the applicable security requirements of some compliance standards.

Enabling the compliance security profile is required to use Databricks to process data that is regulated under HIPAA compliance.

Important

If your workspace enabled HIPAA compliance prior to the release of the compliance security profile, you must enable the compliance security profile for your workspace.

You can also choose to enable the compliance security profile for its enhanced security features without conforming to a compliance standard.

Important

You are solely responsible for ensuring your own compliance with all applicable laws and regulations.

If you enable this feature on any workspace, you are charged for the Enhanced Security and Compliance add-on as described on the pricing page.

Which compute resources get enhanced security

The compliance security profile enhancements apply to classic and serverless compute resources in all regions.

For more information on compute plane architecture, see Databricks architecture overview.

Compliance security profile features and technical controls

Security enhancements include:

  • An enhanced hardened operating system image based on Ubuntu Advantage.

    Ubuntu Advantage is a package of enterprise security and support for open source infrastructure and applications that includes the following:

  • Automatic cluster update is automatically enabled.

    Clusters are restarted to get the latest updates periodically during a maintenance window that you can configure. See Automatic cluster update.

  • Enhanced security monitoring is automatically enabled.

    Security monitoring agents generate logs that you can review. For more information on the monitoring agents, see Monitoring agents in Databricks compute plane images.

  • Communications within the cluster and for egress use TLS 1.2 encryption or higher, including connecting to the metastore.

Requirements

Step 1: Prepare a workspace for the compliance security profile

  1. Check your workspace for long-running clusters before you enable the compliance security profile. When you enable the compliance security profile, long-running clusters are automatically restarted according to the configured frequency and window of automatic cluster update. See Automatic cluster update.
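
One way to carry out the check in step 1, as an added example that is not Databricks' own code: it filters the `clusters` array returned by the Clusters API list endpoint for clusters that have been up longer than a threshold. The 24-hour threshold, the helper names, and the sample data are assumptions; this page does not define "long-running".

```python
import json
import urllib.request

# States treated here as "cluster is up" (an assumption of this example).
ACTIVE_STATES = {"RUNNING", "RESIZING"}
HOUR_MS = 3_600_000

def fetch_clusters(host, token):
    """Call GET /api/2.1/clusters/list on a workspace (pagination not handled here)."""
    url = f"{host.rstrip('/')}/api/2.1/clusters/list"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("clusters", [])

def long_running_clusters(clusters, now_ms, max_uptime_hours=24):
    """Return (cluster_id, cluster_name, uptime_hours) for active clusters over the threshold."""
    flagged = []
    for c in clusters:
        if c.get("state") not in ACTIVE_STATES:
            continue
        # Uptime counts from the last restart if there was one, else from start.
        since_ms = c.get("last_restarted_time") or c.get("start_time")
        if since_ms is None:
            # Unknown uptime: surface it for manual review instead of skipping.
            flagged.append((c.get("cluster_id"), c.get("cluster_name"), None))
        elif (now_ms - since_ms) / HOUR_MS > max_uptime_hours:
            hours = round((now_ms - since_ms) / HOUR_MS, 1)
            flagged.append((c.get("cluster_id"), c.get("cluster_name"), hours))
    # Unknown uptime first, then longest-running first.
    return sorted(flagged, key=lambda r: -(r[2] if r[2] is not None else float("inf")))

# Constructed sample data (not real clusters), shaped like the "clusters" array.
SAMPLE_NOW_MS = 1_700_000_000_000
SAMPLE_CLUSTERS = [
    {"cluster_id": "constructed-0001", "cluster_name": "etl", "state": "RUNNING",
     "start_time": SAMPLE_NOW_MS - 720 * HOUR_MS,
     "last_restarted_time": SAMPLE_NOW_MS - 240 * HOUR_MS},
    {"cluster_id": "constructed-0002", "cluster_name": "adhoc", "state": "RUNNING",
     "start_time": SAMPLE_NOW_MS - 2 * HOUR_MS},
    {"cluster_id": "constructed-0003", "cluster_name": "old", "state": "TERMINATED",
     "start_time": SAMPLE_NOW_MS - 2160 * HOUR_MS},
    {"cluster_id": "constructed-0004", "cluster_name": "unknown", "state": "RUNNING"},
]

if __name__ == "__main__":
    for row in long_running_clusters(SAMPLE_CLUSTERS, SAMPLE_NOW_MS):
        print(row)
```

Against a live workspace, pass the result of `fetch_clusters(host, token)` and the current time in milliseconds instead of the sample values.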

Step 2: Enable the compliance security profile on a workspace

Note

Databricks Assistant is disabled by default on workspaces that have enabled the compliance security profile. Workspace admins can enable it by following the instructions in For an account: Disable or enable Databricks Assistant features.

  1. Enable the compliance security profile.

    To enable the compliance security profile on a workspace and optionally add compliance standards, see Enable enhanced security and compliance features on an existing workspace.

    To create a new workspace with the compliance security profile and optionally add compliance standards, see Create a new workspace with enhanced security and compliance features.

    You can also configure account-level settings to enable the security profile (with compliance standards) on all new workspaces. See Set account-level defaults for all new workspaces.

    Updates might take up to six hours to propagate to all environments. Workloads that are actively running continue with the settings that were active at the time of starting the compute resource, and new settings apply the next time these workloads are started.

  2. Restart all running compute.

Step 3: Confirm that the compliance security profile is enabled for a workspace

You can confirm a workspace is using the compliance security profile in the Security and compliance tab on the workspace page in the account console.


The workspace also has a shield logo displayed in the workspace UI. A shield logo appears in the top-right of the page, to the right of the workspace name. Click the workspace name to see a list of the workspaces that you have access to. The workspaces that enable the compliance security profile have a shield icon.


If the shield icons are missing for a workspace with the compliance security profile enabled, contact your Databricks account team.