Databricks Security Overview: Defence-in-Depth Approach
Who this is for:
Architecture / Concept Overview
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
Perimeter[Perimeter: IP Access Lists] --> Network[Network: Private Link / VPC]
Network --> Identity[Identity: SSO / MFA / SCIM]
Identity --> Platform[Platform: Compute Policies / ACLs]
Platform --> Data[Data: Unity Catalog / Encryption]
Data --> App[Application: Secret Mgmt / Token Control]
App --> Compliance[Compliance: Audit / Monitoring]
Perimeter:::source
Network:::ingestion
Identity:::processing
Platform:::storage
Data:::serving
App:::governance
Compliance:::source
```
*Seven security layers in the Databricks defence-in-depth model, from perimeter controls inward to application-level secret and token handling. The Compliance layer (audit logging and monitoring) is drawn last but observes all of the others rather than sitting behind them; a control in any single layer is expected to fail without exposing data on its own.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
Request[User Request] --> IPCheck[IP Access List]
IPCheck --> TLS[TLS 1.2+ Encryption]
TLS --> Auth[Authentication]
Auth --> Authz[Authorization]
Authz --> Compute[Compute Isolation]
Compute --> DataAccess[Data Access Grant]
Request:::source
IPCheck:::ingestion
TLS:::processing
Auth:::storage
Authz:::serving
Compute:::governance
DataAccess:::serving
```
*Request lifecycle: every API call and workspace interaction traverses multiple security checkpoints before reaching data.*
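The IP Access List checkpoint at the front of this lifecycle has precedence rules that are easy to get backwards: disabled lists are ignored, an address in any enabled block list is denied even if an allow list also covers it, with no enabled allow list everything not blocked gets through, and once any allow list is enabled the address must match one of them. The Python below is an added example, not Databricks code; it models those rules over constructed sample lists (the `IpAccessList` class, the `is_allowed` and `safe_to_apply` functions, and the RFC 5737 addresses are this example's own) and includes the lockout check you want to run locally before calling the real API, which Databricks documents as refusing a change that would block the caller's own address.

```python
"""Databricks-style IP access list evaluation (added example, not Databricks code).

Rules modelled, as documented for workspace IP access lists:
  * disabled lists are ignored;
  * an address in any enabled block list is denied, even if also allowed;
  * with no enabled allow list, everything not blocked is permitted;
  * once any allow list is enabled, the address must match one of them.
Sample lists and addresses are constructed for this example (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IpAccessList:
    """Mirrors the fields of the REST object: label, list_type (ALLOW or BLOCK),
    ip_addresses (single IPs or CIDR blocks) and enabled."""
    label: str
    list_type: str
    ip_addresses: List[str] = field(default_factory=list)
    enabled: bool = True


def _matches(ip, entries) -> bool:
    """True if ip falls inside any entry; a bare address is treated as /32 (or /128).
    A v4 address never matches a v6 network and vice versa."""
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def is_allowed(source_ip: str, lists: List[IpAccessList]) -> Tuple[bool, str]:
    """Decide whether a request from source_ip passes the perimeter check."""
    ip = ipaddress.ip_address(source_ip)
    enabled = [acl for acl in lists if acl.enabled]
    # Block lists are evaluated first and take precedence over allow lists.
    for acl in enabled:
        if acl.list_type == "BLOCK" and _matches(ip, acl.ip_addresses):
            return False, f"blocked by {acl.label}"
    allow_lists = [acl for acl in enabled if acl.list_type == "ALLOW"]
    if not allow_lists:
        return True, "no allow list enabled; default allow"
    for acl in allow_lists:
        if _matches(ip, acl.ip_addresses):
            return True, f"allowed by {acl.label}"
    return False, "not in any enabled allow list"


def safe_to_apply(admin_ip: str, proposed: List[IpAccessList]) -> bool:
    """Lockout guard: the address you administer from must survive the change."""
    return is_allowed(admin_ip, proposed)[0]


# Constructed sample configuration: a corporate allow list, a blocked sub-range
# inside it, and a retired office list that is disabled and therefore ignored.
SAMPLE_LISTS = [
    IpAccessList("corp-vpn", "ALLOW", ["203.0.113.0/24", "198.51.100.7"]),
    IpAccessList("contractor-subnet-blocked", "BLOCK", ["203.0.113.128/25"]),
    IpAccessList("old-office", "ALLOW", ["192.0.2.0/24"], enabled=False),
]

if __name__ == "__main__":
    for probe in ("203.0.113.10", "203.0.113.200", "192.0.2.5", "198.51.100.7"):
        print(probe, is_allowed(probe, SAMPLE_LISTS))
    print("safe to apply from 203.0.113.10:", safe_to_apply("203.0.113.10", SAMPLE_LISTS))
```

Run `safe_to_apply` with the address of every automation host that manages the workspace, not only your own: a Terraform runner or CI agent that falls outside the new allow list is locked out just as silently as an administrator.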
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
ControlPlane[Control Plane] --> |"Managed by Databricks"| API[API Gateway]
ControlPlane --> WebApp[Web Application]
ControlPlane --> Repos[Repos Service]
DataPlane[Data Plane] --> |"Customer VPC/VNet"| Clusters[Clusters]
DataPlane --> Storage[Cloud Storage]
DataPlane --> Network[Network Config]
API --> DataPlane
ControlPlane:::processing
API:::serving
WebApp:::serving
Repos:::serving
DataPlane:::storage
Clusters:::ingestion
Storage:::source
Network:::governance
```
*Control plane vs. data (compute) plane separation: Databricks manages the control plane, while with classic compute the clusters run in the customer's VPC/VNet and data stays in customer-owned cloud storage. Serverless compute is the exception: it runs in a Databricks-managed compute plane, so the network controls in the Network row of the table below apply to it differently.*
Key Terms
Prerequisites and Setup
- Databricks Premium or Enterprise tier account
- Understanding of your organization's shared responsibility boundaries
- Cloud provider admin access for VPC/VNet configuration
- Network architecture diagrams for your current environment
- Inventory of sensitive data classifications and applicable regulations
Step-by-Step Implementation
Configuration Reference
| Layer | Control | Configuration Method | Tier Required |
|---|---|---|---|
| Perimeter | IP Access Lists | IP Access Lists REST API / workspace admin settings | Premium |
| Network | Private Link | Account API / Cloud Console | Enterprise on AWS; Premium on Azure |
| Identity | SSO/MFA (MFA is enforced by the identity provider) | Account Console | Premium |
| Platform | Compute Policies | Cluster Policies API / workspace UI | Premium |
| Data | Unity Catalog Grants | SQL `GRANT` / Unity Catalog API | Premium |
| Application | Secret Scopes | Secrets API / CLI | All tiers (secret scope ACLs require Premium) |
| Compliance | Enhanced Security Monitoring (Enhanced Security and Compliance add-on) | Account Console, per workspace | Enterprise |
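The Platform row (compute policies) is where most misconfigured clusters are stopped before they exist. A policy is a JSON map from attribute path to rule, and the documented rule types are fixed, forbidden, allowlist, blocklist, regex, range and unlimited. The evaluator below is an added example, not Databricks code: it applies those rule types to a cluster spec locally so a policy can be reviewed and unit-tested before it is uploaded through the Cluster Policies API. The policy, the two cluster specs and the node types are constructed for this example, and its treatment of a missing attribute (satisfied when the rule is unlimited, optional, or carries a defaultValue that the policy would inject; otherwise a violation) is this example's own simplification of the platform's behaviour.

```python
"""Local evaluator for Databricks cluster policy rules (added example, not Databricks code).

Rule types implemented as documented for cluster policies: fixed, forbidden,
allowlist, blocklist, regex, range, unlimited. A missing attribute is treated
as satisfied when the rule is unlimited, optional, or carries a defaultValue
(the policy would fill it in); otherwise it is a violation. That rule, and the
policy and cluster specs below, are this example's own constructions.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Map-valued attributes: the rest of the policy path is a key inside the map and
# may itself contain dots (e.g. spark_conf.spark.databricks.passthrough.enabled).
MAP_ATTRIBUTES = ("spark_conf", "custom_tags", "spark_env_vars")


def resolve(cluster: Dict[str, Any], path: str) -> Tuple[bool, Any]:
    """Return (present, value) for a policy attribute path in a cluster spec."""
    head, _, rest = path.partition(".")
    if head in MAP_ATTRIBUTES:
        mapping = cluster.get(head) or {}
        return rest in mapping, mapping.get(rest)
    return path in cluster, cluster.get(path)


def check_rule(path: str, rule: Dict[str, Any], present: bool, value: Any) -> Optional[str]:
    """Return a violation message, or None when the attribute satisfies the rule."""
    kind = rule["type"]
    if kind == "forbidden":
        return f"{path}: must not be set" if present else None
    if not present:
        if kind == "unlimited" or rule.get("isOptional") or "defaultValue" in rule:
            return None
        return f"{path}: required by policy but missing"
    if kind == "unlimited":
        return None
    if kind == "fixed":
        return None if value == rule["value"] else f"{path}: must be {rule['value']!r}, got {value!r}"
    if kind == "allowlist":
        return None if value in rule["values"] else f"{path}: {value!r} not in allowlist"
    if kind == "blocklist":
        return f"{path}: {value!r} is blocklisted" if value in rule["values"] else None
    if kind == "regex":
        # Whole-value match, so a pattern cannot be satisfied by a substring.
        return None if re.fullmatch(rule["pattern"], str(value)) else f"{path}: {value!r} does not match {rule['pattern']!r}"
    if kind == "range":
        lo, hi = rule.get("minValue", float("-inf")), rule.get("maxValue", float("inf"))
        try:
            number = float(value)
        except (TypeError, ValueError):
            return f"{path}: {value!r} is not numeric"
        return None if lo <= number <= hi else f"{path}: {value!r} outside [{lo}, {hi}]"
    return f"{path}: unknown rule type {kind!r}"


def evaluate(policy: Dict[str, Dict[str, Any]], cluster: Dict[str, Any]) -> List[str]:
    """All violations of `policy` by `cluster`; an empty list means compliant."""
    violations = []
    for path, rule in policy.items():
        present, value = resolve(cluster, path)
        problem = check_rule(path, rule, present, value)
        if problem:
            violations.append(problem)
    return violations


# Constructed hardened policy: Unity Catalog user isolation, a supported runtime
# line, bounded size and lifetime, approved node types, no credential
# passthrough, and a mandatory chargeback tag.
HARDENED_POLICY = {
    "data_security_mode": {"type": "fixed", "value": "USER_ISOLATION", "hidden": True},
    "spark_version": {"type": "regex", "pattern": r"1[3-9]\.[0-9]+\.x-.*"},
    "autotermination_minutes": {"type": "range", "minValue": 10, "maxValue": 120, "defaultValue": 60},
    "num_workers": {"type": "range", "minValue": 1, "maxValue": 8},
    "node_type_id": {"type": "allowlist", "values": ["i3.xlarge", "m5.xlarge", "m5.2xlarge"]},
    "spark_conf.spark.databricks.passthrough.enabled": {"type": "forbidden", "hidden": True},
    "custom_tags.cost-center": {"type": "regex", "pattern": r"CC-[0-9]{4}"},
}

# Constructed cluster specs: one as a careless user would submit it, one compliant.
WEAK_CLUSTER = {
    "spark_version": "11.3.x-scala2.12",
    "node_type_id": "i3.16xlarge",
    "num_workers": 50,
    "data_security_mode": "NONE",
    "autotermination_minutes": 0,
    "spark_conf": {"spark.databricks.passthrough.enabled": "true"},
    "custom_tags": {},
}
COMPLIANT_CLUSTER = {
    "spark_version": "14.3.x-scala2.12",
    "node_type_id": "m5.xlarge",
    "num_workers": 4,
    "data_security_mode": "USER_ISOLATION",
    "autotermination_minutes": 30,
    "spark_conf": {"spark.sql.shuffle.partitions": "64"},
    "custom_tags": {"cost-center": "CC-1234"},
}

if __name__ == "__main__":
    for name, spec in (("weak", WEAK_CLUSTER), ("compliant", COMPLIANT_CLUSTER)):
        print(name, evaluate(HARDENED_POLICY, spec) or "OK")
```

Two of the rules carry `"hidden": True`; in a real policy that removes the field from the cluster-creation UI, which is what stops a user from noticing, and then arguing about, the `data_security_mode` and passthrough settings. Policies only bind clusters created with a `policy_id`, so pair this with a workspace setting or ACLs that deny unrestricted cluster creation, otherwise the evaluator has nothing to protect.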