Databricks Security

Securing a Databricks deployment is a layered exercise: each layer covers a different threat surface — the network around the workspace, the identities that access it, the data within it, the detection signals that record activity, and the governance metadata that ties privilege to business intent. This landing page links the Databricks-specific deep dives that follow that same layering.

1. Layered Security Architecture

The diagram below shows the five layers of a Databricks security posture. Each layer maps to one or more dedicated pages.

┌────────────────────────────────────────────────────────────────────┐
│                           NETWORK LAYER                            │
│  PrivateLink  |  Secure Cluster Connectivity  |  IP Access Lists   │
└────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌────────────────────────────────────────────────────────────────────┐
│                           IDENTITY LAYER                           │
│         SCIM  |  SSO / OIDC / SAML  |  Service Principals          │
└────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌────────────────────────────────────────────────────────────────────┐
│                             DATA LAYER                             │
│         CMK  |  Encryption at Rest  |  UC Object Security          │
└────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌────────────────────────────────────────────────────────────────────┐
│                          DETECTION LAYER                           │
│      Audit Logs  |  System Tables  |  Verbose  |  SIEM Export      │
└────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌────────────────────────────────────────────────────────────────────┐
│                          GOVERNANCE LAYER                          │
│       UC Lineage  |  Tags  |  ABAC  |  Compliance Frameworks       │
└────────────────────────────────────────────────────────────────────┘

2. Network Hardening

Lock down inbound and outbound paths so workspace traffic never crosses the public internet. Customer-managed VPC injection, AWS PrivateLink for both front-end and back-end, and IP access lists keep the workspace reachable only from trusted networks.

• Workspace Isolation & PrivateLink — secure cluster connectivity (SCC / NPIP), front-end and back-end PrivateLink, customer-managed VPC, IP access lists.

3. Identity & Access

Federate human identities with your IdP and use service principals for automation. Unity Catalog grants are issued to groups; SCIM keeps membership in sync.

• SSO via SAML or OIDC, MFA enforced at the IdP layer.
• SCIM provisioning from Okta, Entra ID, or Google Workspace.
• Service principals (and their OAuth M2M tokens) replace personal access tokens for jobs.

4. Data Encryption

Every byte at rest is encrypted; CMKs let you own the key material and revoke access independently of Databricks.

• Customer-Managed Keys & Encryption — CMKs for managed services, workspace storage, and cluster EBS volumes; KMS rotation; revocation impact.
• Row Filters & Column Masks — Unity Catalog SQL UDFs that filter rows or mask columns dynamically based on the caller's group membership.

5. Detection & Audit

Capture every privileged action, ship it to a tamper-evident store, and write detection queries against the system tables.

• Audit Logs & Compliance — verbose audit, account-level diagnostic logs, system tables (system.access.audit, lineage), HIPAA / FedRAMP / PCI-DSS posture.

6. Unity Catalog Governance

Unity Catalog is the policy plane: it owns the privilege model, the securable hierarchy, lineage, and the tags that drive attribute-based access control.

• Unity Catalog Security — securable hierarchy, external locations & storage credentials, ABAC with governed tags, owner privileges, three-level namespace.