Platform Security

Security that unblocks the true potential of your Data Lake

Ensure end-to-end security that protects your data while providing private, isolated, compliant workspaces for your data engineers, business analysts, and data scientists

  • *

Benefits for Security Teams


Using Platform-as-a-Service (PaaS) often means losing control over your sensitive data. With Databricks, keep your data in your cloud account and encrypt it with your keys. All access to data is granted through a system of least privileged access based on individual user identity.



Create compliant and private analytics workspaces for your platform users within isolated networks (VNETs / VPCs) with no public IPs and IP access lists to limit attack surface.


Use your existing corporate directory (AD, Okta) to decide who gets to access what data using cloud native controls.




Your Data, in Your Account: Leave your data and infrastructure in your cloud account with different data and control planes. The Databricks control plane runs and controls clusters within an isolated VNET/VPC inside your cloud account (data plane) using your compute to process the data in your cloud storage. Learn More About Platform Security.

Data-Centric Security: Use your existing identity provider to define access policies for data in your data lake as well as data in your tables using your metastore.

Customer managed keys for Notebooks: You have full control over your keys used to encrypt your data as well as the metadata. Key hierarchy enables the use of different keys for different notebooks. Revoking a key severs access to your data.

Encrypted Clusters: Ensure that data stored anywhere by Databricks clusters is always encrypted without having to worry about key and cert management.

Identity Federation: Federate identity between your identity provider, access management and Databricks to ensure seamless and secure access to data in Azure Data Lake and AWS S3.


Single Sign-On (SSO): Use cloud-native Identity Providers that support SAML protocol to authenticate your users.
SCIM: Native support for System for Cross-domain Identity Management (SCIM) allows customers to automatically on-board and off-board users by syncing user management with your SSO identity provider such as Azure Active Directory, Okta, Ping Identity etc.


Customer managed VPC/VNET: Create your own custom VPC/VNET with your custom network configurations to comply with internal cloud and data governance policies as well as adhere to external regulations.

Access Control Lists / IP Whitelisting: Use strict IP access lists to specify what connections can or cannot be made in and out of your workspace thus minimizing the attack surface. All incoming access to the Web application and REST APIs requires the user connect from an authorized IP address or VPN.

Code Isolation: Different users can run data analytics on the same cluster while ensuring that each user has access only to data they are authorized to access.

Private Network between Data and Control Planes: All communications between control and data planes happen through the cloud providers private network and are not sent over the public network.


Compliance: Databricks has put in place a number of controls to meet the unique compliance needs of highly regulated industries. Learn more about the Databricks Compliance and Assurance Program.

*Availability of certification differs based on the cloud service provider used. Please check with support ensure availability on your deployment