Security and Trust Center

Your data security is our priority


We know that data is one of your most valuable assets and always has to be protected, which is why security is built into every layer of the Databricks Lakehouse Platform. Our transparency enables you to meet your regulatory needs while taking advantage of our platform.

Security Features

We provide comprehensive security capabilities to protect your data and workloads, such as encryption, network controls, auditing, identity integration, access controls and data governance.

Compliance

Customers all over the world and across industries rely on the Databricks Lakehouse platform. We hold certifications and attestations that meet the unique compliance needs of highly regulated industries.

Privacy

We value your data privacy and understand that it is important to both your organization and your customers. Databricks can help you comply with privacy laws and meet regulatory requirements.


Perform your own self-service security review of Databricks using our due diligence package, which includes documentation and compliance materials.

“With simplified administration and governance, the Databricks platform has allowed us to bring data-based decision-making to teams across our organization. The ease of adding users, native security integrations with cloud providers and APIs for everything has enabled us to bring the data and tools we need to every employee in Wehkamp.”

— Tom Mulder, Lead Data Scientist at Wehkamp

“The nearly dozen solutions we have developed are all built on Azure Databricks as a core foundation. This has allowed us to leverage a rapid lab-to-operations deployment pattern while maintaining data security and computational scalability.”

— Jeff Feldman, CTO of Arden Street Labs

"Despite the increasing embrace of big data and AI, most financial services companies still experience significant challenges around data types, privacy and scale. Credit Suisse is overcoming these obstacles by standardizing on open, cloud-based platforms, including Azure Databricks, to increase the speed and scale of operations and ML across the organization."

- Credit Suisse customer story


Trust

Our trusted platform is built by embedding security throughout the software development and delivery lifecycle. We follow rigorous operational security practices such as penetration testing, vulnerability assessments and strong internal access controls. We believe transparency is the key to winning trust, so we publicly share how we operate and work closely with our customers and partners to address their security needs.

Contractual commitment

In addition to the documentation and best practices you will find in our Security & Trust Center, we also provide a contractual commitment to security to all our customers. This commitment is captured in the Security Addendum, which is part of our customer agreement. The Security Addendum describes in clear language the security measures and practices we follow to keep your data safe.

Vulnerability management

Detecting and quickly fixing vulnerable software is among the most important responsibilities of any software or service provider, whether the vulnerability exists in your own code or in the software you depend on. We take this responsibility very seriously and provide information about our remediation timelines in our Security Addendum.

Internally, we use several well-known security scanning tools to identify vulnerabilities in the platform. Databricks also uses third-party services to analyze our public-facing internet sites and identify potential risks. Severity-0 vulnerabilities, such as zero days that are known to be actively exploited, are treated with the highest urgency, and their fix is prioritized above all other rollouts.

Penetration testing and bug bounty

We perform penetration testing through a combination of an in-house offensive security team, qualified third-party penetration testers and a year-round public bug bounty program. We typically perform 8-10 external third-party penetration tests and 15-20 internal penetration tests per year. We publicly share platform-wide third-party test reports as part of our due diligence package.

We are committed to helping customers gain confidence in the workloads they run on Databricks. If your team would like to run a pen test against Databricks, we encourage you to:

  • Run vulnerability scans within the data plane systems located in your cloud service provider account.
  • Run tests against your own code, provided those tests are entirely contained within the data plane (or other systems) located in your cloud service provider account and are evaluating your own controls.
  • Participate in the bug bounty program.

Join the Databricks Bug Bounty program, facilitated via HackerOne, and get access to a deployment of Databricks that is not used by live customers.

Internal access

We apply strict policies and controls to internal employee access to our production systems, customer environments and customer data.

We require multifactor authentication to access core infrastructure consoles such as the cloud service provider consoles (AWS, GCP and Azure). Databricks has policies and procedures to avoid the use of explicit credentials, such as passwords or API keys, wherever possible. For example, only appointed security members can process exception requests for new AWS IAM principals or policies.

Databricks employees can access a production system under very specific circumstances. Any access requires authentication via a Databricks-built system that validates access and performs policy checks. Access requires that employees be on our VPN, and our single sign-on solution requires multifactor authentication.

Our internal security standards implement separation of duties wherever possible. For example, we centralize our cloud identity authentication and authorization process to separate authorizing access (Mary should have access to a system) from granting access (Mary now has access to a system).

We prioritize least privileged access, both in internal systems and in our access to production systems. Least privilege is explicitly built into our internal policies and reflected in our procedures. For example, most customers can control Databricks employee access to their workspace, and we automatically apply numerous checks before access can be granted and automatically revoke access after a limited time.

Secure software development lifecycle

Databricks has a software development lifecycle (SDLC) that builds security into all steps, from feature requests to production monitoring, supported by tooling that tracks a feature through its entire lifecycle. We have automatic security scanning of systems, libraries and code, and automated vulnerability tracking.

Databricks leverages an Ideas Portal that tracks feature requests and allows voting by both customers and employees. Our feature design process includes privacy and security by design. After an initial assessment, high-impact features are subject to Security Design Review from a security expert in engineering, along with threat modeling and other security-specific checks.

We use an agile development methodology and break up new features into multiple sprints. Databricks does not outsource the development of the platform, and all developers are required to go through secure software development training, including the OWASP Top 10 at hire and annually thereafter. Production data and environments are separated from the development, QA and staging environments. All code is checked into a source control system that requires single sign-on with multifactor authentication, with granular permissions. Code merge requires approval from the functional engineering owners of each area impacted, and all code is peer reviewed.

We run quality checks (such as unit tests and end-to-end tests) at multiple stages of the SDLC process, including at code merge, after code merge, at release and in production. Our testing includes positive tests, regression tests and negative tests. Once deployed, we have extensive monitoring to identify faults, and users can get alerts about system availability via the Status Page. In the event of any P0 or P1 issue, Databricks automation triggers a "5 whys" root cause analysis methodology that selects a member of the postmortem team to oversee the review, and follow-ups are tracked.

We use best-of-breed tools to identify vulnerable packages or code. Automation in a pre-production environment runs authenticated host and container vulnerability scans of the operating system and installed packages, along with dynamic and static code analysis scans. Engineering tickets are created automatically for any vulnerabilities and assigned to relevant teams. The product security team also triages critical vulnerabilities to assess their severity in the Databricks architecture.

Databricks has a formal release management process that includes a formal go/no-go decision before releasing code. Changes go through testing designed to avoid regressions and to validate that new functionality has been tested on realistic workloads. Additionally, there is a staged rollout with monitoring to identify issues at early stages. To implement separation of duties, only our deployment management system can release changes to production, and multi-person approval is required for all deployments.

We follow the immutable infrastructure model, where systems are replaced rather than patched, which improves reliability and security by avoiding the risk of configuration drift. When new system images or application code is launched, we transfer workloads to new instances with the new code. This is true for both the control plane and the data plane (see the Security Features section for more on the Databricks architecture). Once code is in production, a verification process confirms that artifacts are not added, removed or changed.

The last phase of the SDLC process is creating customer-facing documentation. Databricks docs are managed similarly to code, and the docs are stored in the same source control system. Significant changes require technical review as well as review by the docs team before merging and publishing.

Network access (feature and supported clouds)

  • Option to deploy into a VPC/VNet that you manage and secure; no inbound network connectivity to the data plane by default (Cloud: AWS, Azure)
  • Private access (or private link) from users or clients to the Databricks control plane UI and APIs (Cloud: AWS, Azure)
  • Private access (or private link) from the classic data plane to the Databricks control plane (Cloud: AWS, Azure)
  • Private access (or private link) from the classic data plane to data on the cloud platform (Cloud: AWS, Azure)
  • IP access lists to control access to the Databricks control plane UI and APIs over the internet (Cloud: AWS, Azure, GCP)
  • Automatic host-based firewalls that restrict communication (Cloud: AWS, Azure, GCP)

User and group administration (feature and supported clouds)

  • Use the cloud service provider identity management for seamless integration with cloud resources (Cloud: AWS, Azure, GCP)
  • Support for Azure Active Directory conditional access policies (Cloud: Azure; AWS / GCP not applicable)
  • SCIM provisioning to manage user identities and groups (Cloud: AWS, Azure, GCP)
  • Single Sign-On with identity provider integration (you can enable MFA via the identity provider) (Cloud: AWS; Azure / GCP not applicable*)
  • Service principals or service accounts to manage application identities for automation (Cloud: AWS, Azure, GCP)
  • User account locking to temporarily disable a user's access to Databricks (Cloud: AWS; Azure / GCP not applicable*)
  • Disable local passwords with password permission (Cloud: AWS; Azure / GCP not applicable*)

Access management (feature and supported clouds)

  • Fine-grained permission-based access control to all Databricks objects including workspaces, jobs, notebooks, SQL (Cloud: AWS, Azure, GCP)
  • Secure API access with personal access tokens with permission management (Cloud: AWS, Azure, GCP)
  • OAuth token support (Cloud: Azure, GCP)
  • Segment users, workloads and data with different security profiles in multiple workspaces (Cloud: AWS, Azure, GCP)

Data security (feature and supported clouds)

  • Encryption of control plane data at rest (Cloud: AWS, Azure, GCP)
  • Customer-managed keys encryption available (Cloud: AWS, Azure)
  • Encryption in transit of all communications between the control plane and data plane (Cloud: AWS, Azure, GCP)
  • Intra-cluster Spark encryption in transit or platform-optimized encryption in transit (Cloud: AWS, Azure)
  • Fine-grained data security and masking with dynamic views (Cloud: AWS, Azure, GCP)
  • Fine-grained data governance with Unity Catalog (Coming soon)
  • Admin controls to limit risk of data exfiltration (Cloud: AWS, Azure, GCP)

Workload security (feature and supported clouds)

  • Manage code versions effectively with repos (Cloud: AWS, Azure, GCP)
  • Built-in secrets management to avoid hardcoding credentials in code (Cloud: AWS, Azure, GCP)
  • Managed data plane machine image regularly updated with patches, security scans and basic hardening (Cloud: AWS, Azure; GCP not applicable)
  • Control cost, enforce security and validation needs with cluster policies (Cloud: AWS, Azure, GCP)
  • Immutable short-lived infrastructure to avoid configuration drift (Cloud: AWS, Azure, GCP)

Auditing and logging (feature and supported clouds)

  • Comprehensive and configurable audit logging of the activities of Databricks users (Cloud: AWS, Azure, GCP)
  • Databricks SQL command history logging (Cloud: AWS, Azure)
  • Databricks cluster logging (Cloud: AWS, Azure)

Security validations (compliance) (feature and supported clouds)

  • ISO 27001, 27017, 27018 compliance (Cloud: AWS, Azure, GCP)
  • SOC 2 Type 2 report available (Cloud: AWS, Azure, GCP)
  • GDPR and CCPA compliance (Cloud: AWS, Azure, GCP)
  • PCI DSS-compliant deployments (Cloud: AWS, Single Tenant only)
  • FedRAMP Moderate compliance (Cloud: AWS coming soon, Azure)
  • FedRAMP High compliance (Cloud: Azure)
  • HIPAA-compliant deployments (Cloud: AWS, Azure)
  • HITRUST (Cloud: Azure)

* Azure Databricks is integrated with Azure Active Directory, and Databricks on GCP is integrated with Google Identity. You can’t configure these in Databricks itself, but you can configure Azure Active Directory or Google Identity as needed.

Platform Architecture

The Databricks Lakehouse architecture is split into two separate planes to simplify your permissions, avoid data duplication and reduce risk. The control plane is the management plane where Databricks runs the workspace application and manages notebooks, configuration and clusters. Unless you choose to use serverless compute, the data plane runs inside your cloud service provider account, processing your data without taking it out of your account. You can embed Databricks in your data exfiltration protection architecture using features like customer-managed VPCs/VNets and admin console options that disable export.

While certain data, such as your notebooks, configurations, logs and user information, is present within the control plane, that information is encrypted within the control plane, and communication to and from the control plane is encrypted in transit. You also have choices for where certain data lives: you can host your own store of metadata about your data tables (Hive metastore), store query results in your cloud service provider account, and decide whether to use the Databricks Secrets API.

Suppose you have a data engineer who signs in to Databricks and writes a notebook that transforms raw data in Kafka into a normalized data set sent to storage such as Amazon S3 or Azure Data Lake Storage. Six steps make that happen:

  1. The data engineer seamlessly authenticates, via your single sign-on if desired, to the Databricks web UI in the control plane, hosted in the Databricks account.
  2. As the data engineer writes code, their web browser sends it to the control plane. JDBC/ODBC requests follow the same path, authenticating with a token.
  3. When ready, the control plane uses Cloud Service Provider APIs to create a Databricks cluster, made of new instances in the data plane, in your CSP account. Administrators can apply cluster policies to enforce security profiles.
  4. Once the instances launch, the cluster manager sends the data engineer’s code to the cluster.
  5. The cluster pulls from Kafka in your account, transforms the data in your account and writes it to storage in your account.
  6. The cluster reports status and any outputs back to the cluster manager.

The data engineer doesn’t need to worry about many of the details; they simply write the code and Databricks runs it.

Compliance

Customers all over the world trust us with their most sensitive data. Databricks has put in place controls to meet the unique compliance needs of highly regulated industries.

Due diligence package

For self-service security reviews, you can download our due diligence package. It includes common compliance documents such as our ISO certifications and our annual pen test confirmation letter. You can also reach out to your Databricks account team for copies of our Enterprise Security Guide and SOC 2 Type II report.

Certifications and standards


Overview

Databricks takes privacy seriously. We understand that the data you analyze using Databricks is important both to your organization and to your customers, and may be subject to a variety of privacy laws and regulations.

To help you understand how Databricks fits into regulatory frameworks that may apply to you, we’ve prepared Privacy FAQs and documents that transparently set forth how Databricks approaches privacy.


Help investigate a security incident in your Databricks workspace

If you suspect your workspace data may have been compromised, or you have noticed inconsistencies or inaccuracies in your data, please report it to Databricks ASAP.

Report spam or suspicious communications from Databricks

If you receive spam or any communications that you believe to be fraudulent, or that have inappropriate or improper content or malware, please contact Databricks ASAP.

Understand an internal vulnerability scanner report against a Databricks product

For help analyzing a vulnerability scan report, please raise a support request through your Databricks support channel, submitting the product version, any specific configuration, the specific report output and how the scan was conducted.

Understand how a CVE impacts a Databricks workspace or runtime

If you need information on the impact of a third-party CVE, or a Databricks CVE, please raise a support request through your Databricks support channel, and provide the CVE description, severity and references found on the National Vulnerability Database.

Report a bug in Databricks products or services

If you have found a reproducible vulnerability in any of our products, we want to know so that we can resolve it. Please join our public bug bounty program facilitated by HackerOne.


HIPAA

HIPAA is a US regulation which includes a variety of protections for protected health information. Databricks has HIPAA-compliant deployment options.

Supported clouds and regions

  • Azure Multi-Tenant: all regions
  • AWS Single Tenant: all regions
  • AWS Multi-Tenant: us-east-1, us-east-2, ca-central-1, us-west-2