Security and Compliance
Who this is for:
Architecture / Concept Overview: Security and Compliance
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
A[Identity Layer] -->|authenticates| B[Network Layer]
B -->|secures transit| C[Platform Layer]
C -->|enforces policies| D[Data Layer]
D -->|encrypts| E[Storage Layer]
E -->|audits access| F[Compliance Layer]
A:::source
B:::ingestion
C:::processing
D:::storage
E:::serving
F:::governance
```
*Defence-in-depth: each security layer protects the next, creating multiple barriers against unauthorized access.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
IDP[Identity Provider] --> SSO[SSO/MFA]
SSO --> RBAC[Role-Based Access]
RBAC --> ACL[Object ACLs]
ACL --> UC[Unity Catalog]
UC --> Encryption[Encryption CMK]
Encryption --> Audit[Audit Logs]
IDP:::source
SSO:::ingestion
RBAC:::processing
ACL:::storage
UC:::serving
Encryption:::governance
Audit:::source
```
*Security controls flow from identity verification through data governance, with each stage adding granular enforcement.*
Key Terms
Prerequisites and Setup
- A Databricks account on the Premium or Enterprise tier (the security features described here require Premium or above)
- Account-level admin access for configuring identity, network, and compliance settings
- An identity provider (Entra ID, Okta, or OneLogin) configured for SAML/OIDC
- Cloud provider admin access for VPC/VNet peering and Private Link setup
- Unity Catalog metastore attached to target workspaces
Step-by-Step Implementation
Configuration Reference
| Setting | Scope | Values | Default |
|---|---|---|---|
| SSO Enforcement | Account | Enabled / Disabled | Disabled |
| MFA Requirement | Account | Enforced / Optional | Optional |
| Public Access | Workspace | Enabled / Disabled | Enabled |
| Private Link | Workspace | Enabled / Disabled | Disabled |
| CMK Encryption | Workspace | MANAGED_SERVICES, STORAGE | Platform-managed |
| IP Access Lists | Workspace | Allow / Block CIDR ranges | No restriction |
| Token Lifetime | Workspace | 1-730 days | 90 days |
| Audit Log Delivery | Account | JSON / CSV | Not configured |
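Most rows in the table default to the weakest value, so a useful first step is a baseline check that reads a snapshot of these settings and reports every one still at its default. The checker below is an added example, not code from the page or from Databricks: the snapshot layout, its field names, the 30-day token baseline and the sample CIDR are assumptions, and the two snapshots are constructed to mirror the table's Default column and a hardened configuration.

```python
import ipaddress

# Constructed snapshots keyed by the setting names in the Configuration Reference.
# Field names and snapshot shape are assumptions, not the Databricks API format.
WEAK = {"SSO Enforcement": "Disabled", "MFA Requirement": "Optional",
        "Public Access": "Enabled", "Private Link": "Disabled",
        "CMK Encryption": "Platform-managed", "IP Access Lists": [],
        "Token Lifetime": 90, "Audit Log Delivery": None}
HARDENED = {"SSO Enforcement": "Enabled", "MFA Requirement": "Enforced",
            "Public Access": "Disabled", "Private Link": "Enabled",
            "CMK Encryption": ["MANAGED_SERVICES", "STORAGE"],
            "IP Access Lists": ["203.0.113.0/24"],  # RFC 5737 documentation range
            "Token Lifetime": 30, "Audit Log Delivery": "JSON"}

EXPECTED = {"SSO Enforcement": "Enabled", "MFA Requirement": "Enforced",
            "Public Access": "Disabled", "Private Link": "Enabled"}
CMK_SCOPES = {"MANAGED_SERVICES", "STORAGE"}


def check_ip_access_lists(cidrs):
    """An empty list leaves the workspace reachable from any address; a /0 entry
    (IPv4 or IPv6) nullifies the list even though something is configured."""
    if not cidrs:
        return ["IP Access Lists: no restriction (default)"]
    return [f"IP Access Lists: {c} admits every address"
            for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def evaluate(snapshot, max_token_days=30):
    """Return one finding per setting still at (or weaker than) the table's
    default; an empty list means the snapshot meets the baseline."""
    findings = [f"{k}: {snapshot.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED.items() if snapshot.get(k) != v]
    cmk = snapshot.get("CMK Encryption")
    missing = CMK_SCOPES - set(cmk if isinstance(cmk, list) else [])
    if missing:  # "Platform-managed" (the default) covers no customer-managed scope
        findings.append(f"CMK Encryption: not customer-managed for {sorted(missing)}")
    findings += check_ip_access_lists(snapshot.get("IP Access Lists") or [])
    days = snapshot.get("Token Lifetime")
    if not isinstance(days, int) or not 1 <= days <= 730:
        findings.append(f"Token Lifetime: {days!r} outside the 1-730 day range")
    elif days > max_token_days:
        findings.append(f"Token Lifetime: {days} days exceeds baseline {max_token_days}")
    if not snapshot.get("Audit Log Delivery"):
        findings.append("Audit Log Delivery: not configured; no audit trail")
    return findings


if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, *evaluate(snap), sep="\n  ")
```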