Security & Trust Center

What is the Enhanced Security and Compliance Add-On?

The Enhanced Security and Compliance Add-On is made up of two features:

With Enhanced Security Monitoring, we enable the use of enhanced hardened images, add additional security tools for behavioral-based malware monitoring and provide vulnerability reports for our images. Enhanced Security Monitoring is currently available on the AWS and Azure classic compute planes. The Compliance Security Profile builds on top of Enhanced Security Monitoring and provides features required for compliance, like FIPS 140 encryption and cluster update enforcement. The Compliance Security Profile is currently available on the AWS and Azure classic compute planes as well as the AWS us-east-1 region for AWS Databricks SQL Serverless workloads.

The benefits of using Enhanced Security Monitoring

On top of Databricks' existing security features, Enhanced Security Monitoring provides customers with increased visibility, threat protection and security hardening for their workloads. Benefits of this offering include:

• A Canonical Ubuntu Advantage with enhanced CIS Level 1 hardening

• Behavior-based malware monitoring and file integrity monitoring

• Malware and antivirus detection

• Vulnerability reports of the host OS¹

With Enhanced Security Monitoring, security event logs are delivered along with your regular Databricks audit logs, providing comprehensive security monitoring in your organization's SIEM or Databricks platform. These logs come with contextual information that assists analysts in quickly determining the origin of suspicious activity without requiring a lengthy investigation.

Figure 1: Audit logging of security features in the Enhanced Security Monitoring host image

¹ Databricks classic compute plane only. Vulnerability scans are performed on a representative host image in the Databricks environment and reports are provided to customers on a biweekly basis.

Benefits of Compliance Security Profile

Compliance Security Profile (CSP) provides customers the means to run cloud-ready HIPAA, PCI-DSS and FedRAMP Moderate workloads. Compliance Security Profile is our most secure baseline for the data plane — and includes all of the benefits of Enhanced Security Monitoring — making it easier to meet and manage compliance control requirements. Key benefits of this offering include:

• The ESM security enhancements listed above

• FIPS 140 Level 1 validated encryption modules (where available)

• AWS Nitro VM enforcement for data at rest and in transit encryption

• Automatic Cluster Update with customizable maintenance window

How to get started

Customers can choose to enable Compliance Security Profile (AWS | Azure) at the account or workspace level and Enhanced Security Monitoring (AWS | Azure) at the workspace level, depending on your organization’s security risk profile and compliance requirements. To enable these offerings:

• Prepare any existing workspaces that will use Enhanced Security Monitoring or the Compliance Security Profile

• Contact your account team to request that Databricks enable these offerings for your account or workspace

• Wait for confirmation that the profile is now enabled

• If any clusters or SQL warehouses were running, restart them

Once you enable Compliance Security Profile or Enhanced Security Monitoring on your account or workspace, all compute resources load with the Enhanced Security Monitoring AMI, and Databricks takes care of the rest.