This guide provides an overview of security features and capabilities that an enterprise data team can use to harden their Azure Databricks environment according to their risk profile and governance policy.
This guide does not cover information about securing your data. For that information, see Data governance best practices.
Authentication and access control
In Azure Databricks, a workspace is an Azure Databricks deployment in the cloud that functions as the unified environment that a specified set of users use for accessing all of their Azure Databricks assets. Your organization can choose to have multiple workspaces or just one, depending on your needs. An Azure Databricks account represents a single entity for purposes of billing, user management, and support. An account can include multiple workspaces and Unity Catalog metastores.
Account admins handle general account management, and workspace admins manage the settings and features of individual workspaces in the account. Both account and workspace admins manage Azure Databricks users, service principals, and groups, as well as authentication settings and access control.
Azure Databricks provides security features to configure strong authentication. Admins can configure these settings to help prevent account takeovers, in which credentials belonging to a user are compromised using methods like phishing or brute force, giving an attacker access to all of the data accessible from the environment.
Access control lists determine who can view and perform operations on objects in Azure Databricks workspaces, such as notebooks and SQL warehouses.
To learn more about authentication and access control in Azure Databricks, see Authentication and access control.
Network access
Azure Databricks provides network protections that help you secure Azure Databricks workspaces and prevent users from exfiltrating sensitive data. You can use IP access lists to restrict the network locations from which users can connect to Azure Databricks. By deploying a workspace in your own Azure virtual network (VNet), you can lock down outbound network access. To learn more, see Network access.
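As a rough illustration of the IP access list idea, the sketch below validates a set of addresses and builds the JSON body for an allow list. It assumes the request shape of the Databricks REST endpoint `/api/2.0/ip-access-lists` (fields `label`, `list_type`, `ip_addresses`); confirm the endpoint and field names against the current API reference before relying on them. The function name `build_ip_access_list` and the sample label are hypothetical. The code only builds the payload and does not send it.

```python
import ipaddress
from typing import Dict, List


def build_ip_access_list(label: str, cidrs: List[str], list_type: str = "ALLOW") -> Dict[str, object]:
    """Validate addresses and build a request body for an IP access list.

    Assumption: the body mirrors the fields accepted by
    POST /api/2.0/ip-access-lists (label, list_type, ip_addresses).
    """
    if list_type not in ("ALLOW", "BLOCK"):
        raise ValueError(f"unsupported list_type: {list_type!r}")
    for cidr in cidrs:
        # ip_network raises ValueError for malformed addresses or CIDR ranges.
        ipaddress.ip_network(cidr)
    return {"label": label, "list_type": list_type, "ip_addresses": list(cidrs)}


# Hypothetical example: allow the office range and one VPN egress address.
payload = build_ip_access_list("office-vpn", ["203.0.113.0/24", "198.51.100.10"])
```

Validating the addresses locally before calling the API catches typos early, which matters because a wrong allow list can lock legitimate users out of the workspace.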
Data security and encryption
Security-minded customers sometimes voice a concern that Databricks itself might be compromised, which could result in the compromise of their environment. Azure Databricks has an extremely strong security program that manages the risk of such an incident. See the Security and Trust Center for an overview of the program. That said, no company can completely eliminate all risk, and Azure Databricks provides encryption features for additional control of your data. See Data security and encryption.
Sometimes accessing data requires that you authenticate to external data sources. Azure Databricks recommends that you use Azure Databricks secrets to store your credentials instead of entering them directly into a notebook. For more information, see Secret management.
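A minimal sketch of this recommendation follows. In a notebook, the `dbutils.secrets.get(scope=..., key=...)` utility reads a stored secret; the helper below takes any object with that `get` method, so the same code can be exercised outside a notebook. The helper name `jdbc_properties` and the key names `jdbc-username` and `jdbc-password` are hypothetical.

```python
from typing import Dict, Protocol


class SecretReader(Protocol):
    """Anything exposing get(scope, key), such as dbutils.secrets in a notebook."""

    def get(self, scope: str, key: str) -> str: ...


def jdbc_properties(secrets: SecretReader, scope: str) -> Dict[str, str]:
    """Build JDBC connection properties without hard-coding credentials.

    The key names are illustrative; use whatever keys exist in your scope.
    """
    return {
        "user": secrets.get(scope=scope, key="jdbc-username"),
        "password": secrets.get(scope=scope, key="jdbc-password"),
    }
```

In a notebook this might be called as `jdbc_properties(dbutils.secrets, "my-scope")`, where `my-scope` stands in for a secret scope you have created. The credentials never appear in the notebook source.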
Auditing, privacy, and compliance
Azure Databricks provides auditing features that enable admins to monitor user activities and detect security anomalies. For example, you can monitor for account takeovers by alerting on logins at unusual times or on simultaneous remote logins.
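The two alerting ideas above can be sketched as simple checks over login events. This is an illustration under stated assumptions, not the product's detection logic: the `Login` record and its fields are hypothetical and would need to be mapped from your actual audit log schema, and the business-hours range and five-minute window are arbitrary defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Login:
    """Hypothetical login event extracted from audit logs."""
    user: str
    time: datetime
    source_ip: str


def off_hours_logins(logins: List[Login], start_hour: int = 7, end_hour: int = 19) -> List[Login]:
    """Return logins whose hour falls outside [start_hour, end_hour)."""
    return [l for l in logins if not (start_hour <= l.time.hour < end_hour)]


def concurrent_remote_logins(
    logins: List[Login], window: timedelta = timedelta(minutes=5)
) -> List[Tuple[Login, Login]]:
    """Return pairs of logins by one user from different IPs within the window."""
    pairs = []
    ordered = sorted(logins, key=lambda l: (l.user, l.time))
    for i, first in enumerate(ordered):
        for second in ordered[i + 1:]:
            # Events are sorted by user, then time, so stop at the first
            # event for another user or outside the time window.
            if second.user != first.user or second.time - first.time > window:
                break
            if second.source_ip != first.source_ip:
                pairs.append((first, second))
    return pairs
```

In practice, checks like these would run over exported audit logs on a schedule and feed an alerting system; the thresholds should reflect your organization's working patterns.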
For more information, see Auditing, privacy, and compliance.
Here are some resources to help you build a comprehensive security solution that meets your organization’s needs:
- The Databricks Security and Trust Center, which provides information about the ways in which security is built into every layer of the Databricks Lakehouse Platform.
- Security Best Practices, which provides a checklist of security practices, considerations, and patterns that you can apply to your deployment, learned from our enterprise engagements.
- Data governance best practices to implement data governance controls for your organization.