IRAP compliance controls

Preview

The ability for admins to add Enhanced Security and Compliance features is a feature in Public Preview. The compliance security profile and support for compliance standards are generally available (GA).

IRAP compliance controls provide enhancements that help you with Infosec Registered Assessors Program (IRAP) compliance for your workspace.

IRAP provides high-quality information and communications technology (ICT) security assessment services to the Australian government. IRAP provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements. Databricks is IRAP certified.

IRAP compliance controls require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and other features. For technical details, see Compliance security profile. It is your responsibility to confirm that each affected workspace has the compliance security profile enabled and confirm that IRAP is added as a compliance program.

IRAP compliance controls are only available in the ap-southeast-2 region.

Which compute resources get enhanced security

The compliance security profile enhancements apply to compute resources in the classic compute plane in all regions.

Support for serverless SQL warehouses for the compliance security profile varies by region and it is supported in the ap-southeast-2 region. See Serverless SQL warehouses support the compliance security profile in some regions.

Requirements

  • Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.

  • Your Databricks workspace is in the ap-southeast-2 region.

  • Your Databricks workspace is on the Enterprise tier.

  • Single sign-on (SSO) authentication is configured for the workspace.

  • Your workspace enables the compliance security profile and adds the IRAP compliance standard as part of the compliance security profile configuration.

  • You must use the following VM instance types:

    • General purpose: M-fleet, Md-fleet, M5dn, M5n, M5zn, M6i, M7i, M6id, M6in, M6idn, M6a, M7a

    • Compute optimized: C5a, C5ad, C5n, C6i, C6id, C7i, C6in, C6a, C7a

    • Memory optimized: R-fleet, Rd-fleet, R6i, R7i, R7iz, R6id, R6in, R6idn, R6a, R7a

    • Storage optimized: D3, D3en, P3dn, R5dn, R5n, I4i, I3en

    • Accelerated computing: G4dn, G5, P4d, P4de, P5

  • Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, and job names.

Enable IRAP compliance controls

To configure your workspace to support processing of data regulated by the IRAP standard, the workspace must have the compliance security profile enabled. You can enable the compliance security profile and add the PCI-DSS compliance standard across all workspaces or only on some workspaces.

To enable the compliance security profile and add the IRAP compliance standard for an existing workspace, see Enable enhanced security and compliance features on a workspace. To set an account-level setting to enable the compliance security profile and IRAP for new workspaces, see Set account-level defaults for new workspaces.

Preview features that are supported for processing data under the IRAP Protected standard

The following preview features are supported for processing of processing data regulated under IRAP Protected standard:

Does Databricks permit the processing of data regulated under IRAP Protected standard?

Yes, if you comply with the requirements, enable the compliance security profile, and add the IRAP compliance standard as part of the compliance security profile configuration.