Configure enhanced security and compliance settings
This article describes the enhanced security and compliance settings available on your SAP Databricks workspace or account.
The compliance security profile provides enhanced security and controls for your compliance needs. Enabling the compliance security profile is required to use SAP Databricks to process data that is regulated under the following compliance standards:
Regional support for compliance standards
The compliance security profile is supported in all regions. Specific compliance standards have the following regional support:
Compliance standard | SAP Databricks regional support |
---|---|
HIPAA | All regions |
PCI-DSS | us-east-1, ap-southeast-2 |
FedRAMP Moderate | us-east-1 |
IRAP | ap-southeast-2 |
Enable compliance features on an existing workspace
- Neither the compliance security profile nor individual compliance standards can be removed from a workspace if regulated data was previously processed in that workspace. You can delete the workspace and create a new workspace without the compliance security profile or with a different compliance standard.
Account admins can enable the compliance security profile and add compliance standards on a workspace.
- As an account admin, go to the account console.
- Click Workspaces.
- Click your workspace's name.
- Click Security and compliance.
- Next to Compliance security profile, click Enable.
- In the Compliance security profile dialog, select any compliance standards you would like to enforce, then click Save.
Set account-level compliance defaults for all new workspaces
Account admins can configure compliance settings to apply to all new workspaces in their account.
- As an account admin, go to the account console.
- In the sidebar, click Settings.
- Click the Security and compliance tab.
- In the sidebar, click Enhanced Security and Compliance Settings.
- Next to Compliance security profile, click Enable.
- In the Compliance security profile for new workspaces dialog, select Enabled, select one or more compliance standards, or select None and click Save.
HIPAA
Before you process PHI data, it is your responsibility to check that you have a BAA agreement with SAP Databricks.
HIPAA compliance controls are supported for workspaces in all regions.
HIPAA applies to covered entities and business associates that create, receive, maintain, transmit, or access PHI. When a covered entity or business associate engages the services of a cloud service provider (CSP), such as SAP Databricks, the CSP becomes a business associate under HIPAA.
HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates will protect PHI adequately. Among other things, a BAA establishes the permitted uses and required disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.
PCI DSS v4.0
Workspaces in us-east-1 and ap-southeast-2 can enable PCI DSS v4.0 compliance controls to provide enhancements that help with Payment Card Industry Data Security Standard (PCI DSS) v4.0 compliance for your workspace.
FedRAMP Moderate
Workspaces in us-east-1 can enable FedRAMP Moderate compliance controls to provide enhancements that help you with FedRAMP Moderate compliance for your workspace.
- Databricks is a FedRAMP® Authorized Cloud Service Offering (CSO) at the moderate impact level in the AWS US East-1 regions.
- US Government agencies can access the Databricks on AWS FedRAMP® package on OMB Max by submitting a Package Access Request Form to package-access@fedramp.gov.
- Additional information regarding Databricks and FedRAMP® compliance is located on the Databricks Security and Trust Center.
IRAP
Workspaces in ap-southeast-2 can enable IRAP compliance controls to provide enhancements that help you with Infosec Registered Assessors Program (IRAP) compliance for your workspace.
IRAP provides high-quality information and communications technology (ICT) security assessment services to the Australian government. IRAP provides a framework for assessing the implementation and effectiveness of an organization's security controls against the Australian government's security requirements. Databricks is IRAP certified.