Built on industry-leading infrastructure, designed with best-in-class security features, and rigorously audited, Databricks takes an innovative and holistic approach to addressing enterprise security for Apache Spark™ natively within Databricks’ Unified Analytics Platform.
Databricks’ security program is based on the following guiding principles:
Databricks has a dedicated security team that is responsible for infrastructure security, application security, security operations, and compliance. The Security Team partners with engineering and is involved in all phases of the development process including security design reviews, code testing, security testing of new features, penetration testing, and it provides secure coding training. All members of the team have technical degrees and hold a variety of security certifications including CISSP, CISM, CISA, and CEH.
Databricks employs a multi-layered approach to security and data protection — providing the most advanced level of defense for your data and Apache Spark™-based systems from malicious attacks.
Databricks designs and implements its Defense in Depth strategy based on AWS- and Azure- shared responsibility models and security best practices.
Databricks takes a holistic approach to solving the enterprise security challenge by building all the facets of security — encryption, identity management, role-based access control, data governance, and compliance standards — natively into the Unified Analytics platform.
Databricks engages with independent CPA firms to perform annual and semi-annual audits. Both firms are registered with Public Company Accounting Oversight Board (PCAOB) and subject to strict auditing standards, inspections, and enforcement.
Below are our certifications and compliance attestations:
The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls. Each of the principles have defined criteria (controls) which must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during your audit). The great thing about the trust principles is that the criteria businesses must meet are predefined, which makes it easier for business owners to know what compliance needs are required and for users of the report to read and assess the adequacy. Details about the Trust Service principles that Databricks is audited against are as follows:
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.
Databricks is architected in compliance with HIPAA’s Security Rule technical safeguards including end-to-end encryption, access and authentication, and comprehensive logging and monitoring controls.
Databricks will sign a business associate agreement (BAA) with customers upon request.
ISO 27001 is a compliance framework that establishes Information Security Management System (ISMS) standards to identify and manage information risks through a comprehensive set of company-wide processes and controls. Additionally, ISMS embodies principles of continuous improvement to keep abreast with changes in the threats landscape to address them proactively.
Expected in Q2 2018.
ISO 27018 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set.
Databricks is actively taking steps to provide our customers with the capabilities and support they need to achieve GDPR compliance by May 25, 2018 and is on track to be compliant by the May deadline. Data security and privacy has always been at the heart of what we do and complying with GDPR is a natural extension of this focus.
Planned for 2018/2019.
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.