Slide 1: Databricks Oslo User Group MeetUp #5
March 16th 2022
©2019 Avanade Inc. All Rights Reserved
Slide 2: Databricks Oslo User Group - DOUG
• This is a group for anyone interested in Databricks. All skill levels are welcome.
• Established in June 2019
• We are about 220 members
• The user group aims to arrange 3-5 physical meetings per year in the Oslo area.
• Avanade Norway started this group to meet other people excited about the possibilities in Databricks and to exchange knowledge and experiences.
• This MeetUp group is not sponsored by (or affiliated with) Databricks. It is an unofficial community group.
• The MeetUp group is part of Azure Tech Communities and sponsored by Microsoft
Slide 3: Agenda
17:00 – Doors open / mingling / coffee
17:30 – Welcome
17:40 – Databricks Enterprise Security
  • Databricks secure deployments and security baselines
  • Azure Data Factory and Databricks interaction - with security focus
  • Vacuum of delta tables for GDPR compliance
  Antonio Abalos Castillo and Marino Grønseth (Avanade)
18:25 – Break – 15 minutes
18:40 – Experiences building an enterprise Data Lakehouse using Azure Databricks
  Halvar Trøyel Nerbø & Sindre Grindheim (Glitni)
19:25 – Wrap up / mingling
Slide 4: Databricks secure deployments and security baselines
DOUG, March 2022
Antonio Abalos Castillo, @antonioabalos
Slide 5: Travelling at light-speed
The perfectly secure deployment is like travelling at light-speed: the more secure we want to be, the more energy it requires.
Slide 6: What kind of questions can we expect?
• Where is data stored?
• Is data protected while in-transit?
• Is data encrypted at-rest?
• What region is data stored in?
• Can data be transferred to another region?
Slide 7: Goals for secure deployments
1. Databricks resources deployed to a pre-provisioned VNET
2. Databricks traffic isolated from regular network traffic
   • Prevent data exfiltration
3. Traffic between cluster nodes kept internal and encrypted
4. Access to the Databricks control plane limited and controlled
Slide 8: Databricks (architecture diagram)
Slide 9: Databricks (architecture diagram)
Slide 9 diagram labels – Databricks + Azure: User subscription; Isolated VNET; At-rest encryption; Access control; Service endpoint / private link
Deploy Azure Databricks in your Azure virtual network (VNet injection)
Slide 10: Databricks pricing plan
Most security features require the Premium plan (*):
• Single sign-on
• Role-based access control
• Credentials passthrough
• VNET injection
• Secure cluster connectivity
• IP access list
• Customer-managed keys for control plane data encryption
• Customer-managed keys for DBFS (data plane) data encryption
(*) All but SSO require the Premium plan.
Price for 1 VM x 1 DBU x 1 hour:
  Standard: kr6,97
  Premium: kr8,31 (+19%)
Enterprise security for Azure Databricks - Azure Databricks
Slide 11: Other price considerations
- Service Endpoints
  - No extra cost
- Private Link
  - Inbound traffic: kr0,0909/GB
  - Outbound traffic: kr0,0909/GB
Pricing - Azure Private Link | Microsoft Azure
Azure virtual network service endpoints | Microsoft Docs
Slide 12: VNET injection
Default Azure Databricks deployment:
- VNET created by Databricks
- Resources created in a locked resource group
- Subnets created and managed by Databricks
VNET injection:
- VNET managed by the user
- Subnets created and managed by the user
- Custom DNS settings
- Custom route tables
- On-premises data connection available
(*) You cannot replace the VNet for an existing workspace
Deploy Azure Databricks in your Azure virtual network (VNet injection)
Slide 13: VNET injection requirements
- Workspace and VNET must reside in the same region
- Workspace and VNET must reside in the same subscription
- Address space for VNET: between CIDR /16 and /24 (65k and 256 addresses respectively)
- Several workspaces can share the same VNET
- 2 dedicated subnets exclusive for each workspace:
  - Public/host subnet
  - Private/container subnet
- 5 IP addresses reserved for Azure in each subnet
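The requirements on the slide are easy to get wrong when an address plan is handed over from a network team, so here is an added example (not from the slides, not Databricks or Azure code) that checks a proposed plan against them: same region and subscription, VNET prefix between /16 and /24, both subnets inside the VNET, not overlapping each other or subnets already dedicated to other workspaces, and Azure's five reserved addresses deducted. The node-capacity helper assumes, per the Databricks VNet-injection docs rather than the slide, that each cluster node takes one IP in each of the two subnets. All names and the sample plan are constructed.

```python
"""Validate a proposed Azure Databricks VNET-injection address plan.

Added example, not the presenters' or Databricks' code. Sample plans are constructed.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # slide: 5 IP addresses reserved for Azure in each subnet
MIN_VNET_PREFIX = 16            # slide: VNET address space between /16 and /24
MAX_VNET_PREFIX = 24


def check_vnet_plan(vnet_cidr, host_subnet, container_subnet,
                    workspace_region, vnet_region,
                    workspace_subscription, vnet_subscription,
                    subnets_in_use=()):
    """Return a list of findings; an empty list means the plan meets the requirements.

    subnets_in_use: CIDRs already dedicated to other workspaces sharing this VNET.
    The two subnets of a workspace must be exclusive, so they may not overlap those.
    """
    findings = []
    if workspace_region != vnet_region:
        findings.append("workspace and VNET must reside in the same region")
    if workspace_subscription != vnet_subscription:
        findings.append("workspace and VNET must reside in the same subscription")

    # strict=True rejects a CIDR with host bits set (e.g. 10.10.0.1/16)
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if not MIN_VNET_PREFIX <= vnet.prefixlen <= MAX_VNET_PREFIX:
        findings.append(f"VNET prefix /{vnet.prefixlen} is outside the allowed /16../24 range")

    host = ipaddress.ip_network(host_subnet, strict=True)
    cont = ipaddress.ip_network(container_subnet, strict=True)
    for name, net in (("host/public", host), ("container/private", cont)):
        if not net.subnet_of(vnet):
            findings.append(f"{name} subnet {net} is not inside VNET {vnet}")
        if net.num_addresses - AZURE_RESERVED_PER_SUBNET < 1:
            findings.append(f"{name} subnet {net} has no usable addresses once Azure's "
                            f"{AZURE_RESERVED_PER_SUBNET} reserved addresses are deducted")
        for other in subnets_in_use:
            if net.overlaps(ipaddress.ip_network(other)):
                findings.append(f"{name} subnet {net} overlaps {other}, "
                                "which is dedicated to another workspace")
    if host.overlaps(cont):
        findings.append("host and container subnets must not overlap")
    return findings


def max_cluster_nodes(host_subnet, container_subnet):
    """Upper bound on cluster VMs: each node needs one IP in each subnet (assumption
    taken from the Databricks docs), so the smaller subnet minus the reserved
    addresses is the limit."""
    sizes = [ipaddress.ip_network(c).num_addresses - AZURE_RESERVED_PER_SUBNET
             for c in (host_subnet, container_subnet)]
    return max(min(sizes), 0)


if __name__ == "__main__":
    # Constructed sample plan: a /16 VNET with two /24 subnets for one workspace.
    problems = check_vnet_plan("10.10.0.0/16", "10.10.0.0/24", "10.10.1.0/24",
                               "norwayeast", "norwayeast", "sub-a", "sub-a")
    print("plan OK" if not problems else "\n".join(problems))
    print("max nodes:", max_cluster_nodes("10.10.0.0/24", "10.10.1.0/24"))
```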
Slide 14: VNET injection example (architecture diagram)
Diagram labels: VNET Databricks; Container/private subnet; Host/public subnet; Cluster VMs; TLS inter-node communications; VNET Hub; Azure Firewall; Route tables; VNET peering; Service connections; Credentials passthrough; Service Principal; Storage Blob; ADLS; Key Vault; Enterprise App VNET; VMs
How to Deploy Databricks Clusters in Your Own Custom VNET
Deploy Azure Databricks in your Azure virtual network (VNet injection)
Slide 15: Service connections – Azure virtual network service endpoints
No additional price.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network backbone.
Azure virtual network service endpoints
Securely Accessing Azure Data Sources from Azure Databricks
Slide 16: Data exfiltration protection – Private endpoints
Extends your private network address space to Azure Data services, i.e. the Azure data service effectively gets a private IP in one of your VNETs and can be treated as part of your larger private network.
Securely Accessing Azure Data Sources from Azure Databricks
Pricing - Azure Private Link | Microsoft Azure
Slide 17: Secure cluster connectivity (No Public IP / NPIP)
* You cannot add secure cluster connectivity to an existing workspace
* Using secure cluster connectivity with the default (managed) VNET creates a NAT gateway, incurring extra costs
Slide 18: Data exfiltration full overview (architecture diagram)
How to protect Data Exfiltration with Azure Databricks to help ensure Cloud Security
Slide 19: Other secure characteristics
Slide 20: Azure AD Conditional Access
Restrict access to the Azure Databricks control plane by using Conditional Access: authenticated connections are allowed only from pre-defined IP addresses.
- Requires Azure AD Premium P1
What is Conditional Access in Azure Active Directory?
Slide 21: Databricks Access Control
• Workspace object access control: folder and notebook access
• Cluster access control: permissions on clusters (attach, restart, manage)
• Pool access control: permissions on pools (attach, manage)
• Jobs access control: permissions on jobs and job results (view, manage run, owner, manage)
• Table access control (Premium): table access (deny)
• Secret access control: create, view, delete
Security guide - Azure Databricks | Microsoft Docs
Slide 22: DBFS encryption – Configure customer-managed keys for DBFS root
- The Key Vault must be in the same region and the same Azure Active Directory (Azure AD) tenant as your Azure Databricks workspace. They can be in different subscriptions.
- Keys can be rotated without re-encrypting storage account content.
- The Databricks workspace needs key permissions in Key Vault to perform wrap and unwrap key operations.
(Diagram labels: Key identifier; Encryption)
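Why rotation needs no re-encryption and why the workspace needs only wrap and unwrap permissions both follow from the envelope-encryption pattern, shown here as an added example in Python (a model written for this page, not Databricks' or Azure Key Vault's implementation). Storage content is encrypted under a data encryption key (DEK); the DEK is stored wrapped under the Key Vault key (KEK), which never leaves the vault; rotating the KEK only re-wraps the DEK. The cipher is a SHA-256 counter-mode stream with an HMAC tag, a stdlib-only stand-in for AES; the vault and storage classes are constructed for illustration.

```python
"""Envelope-encryption model of customer-managed keys for DBFS root.

Added example, not Databricks or Azure code. The stream cipher is a toy stand-in
for AES (SHA-256 counter mode + HMAC-SHA256 tag) so the block runs on the stdlib.
"""
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    """Toy AES-CTR stand-in: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)


class KeyVault:
    """Model of the Key Vault side: versioned KEKs that never leave the object.
    Only wrap and unwrap are exposed, the two permissions the slide names."""

    def __init__(self):
        self._versions = {}
        self.current = None
        self.rotate()

    def rotate(self):
        version = f"v{len(self._versions) + 1}"
        self._versions[version] = secrets.token_bytes(32)
        self.current = version
        return version

    def wrap(self, dek):
        return self.current, encrypt(self._versions[self.current], dek)

    def unwrap(self, version, wrapped):
        return decrypt(self._versions[version], wrapped)


class EncryptedStorage:
    """Model of the storage account: blobs encrypted under one DEK, DEK kept wrapped."""

    def __init__(self, vault):
        self.vault = vault
        self.key_version, self.wrapped_dek = vault.wrap(secrets.token_bytes(32))
        self.blobs = {}

    def _dek(self):
        # Every data operation goes through the vault's unwrap, never a raw KEK.
        return self.vault.unwrap(self.key_version, self.wrapped_dek)

    def put(self, name, data):
        self.blobs[name] = encrypt(self._dek(), data)

    def get(self, name):
        return decrypt(self._dek(), self.blobs[name])

    def rotate_kek(self):
        """Rotate the vault key and re-wrap the DEK under the new version.
        Returns True if every stored blob is byte-for-byte unchanged."""
        before = dict(self.blobs)
        dek = self._dek()
        self.vault.rotate()
        self.key_version, self.wrapped_dek = self.vault.wrap(dek)
        return self.blobs == before


if __name__ == "__main__":
    store = EncryptedStorage(KeyVault())
    store.put("table/part-0000.parquet", b"constructed sample content")
    print("unchanged after rotation:", store.rotate_kek(), "now under", store.key_version)
    print(store.get("table/part-0000.parquet"))
```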
Slide 23: Azure Databricks security baseline (34 pages)
1. Network Security
2. Logging and Monitoring
3. Identity and Access Control
4. Data Protection
5. Vulnerability Management
6. Inventory and Asset Management
7. Secure Configuration
8. Malware Defense
9. Data Recovery
10. Incident Response
11. Penetration Tests and Red Team Exercises
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/databricks-security-baseline
Slide 24: Vacuum of delta tables for GDPR compliance - Demo
DOUG, March 2022
Marino Bråthen Grønseth, LinkedIn
Slide 25: We hope to see you next time!
The DOUG crew
Henrik Brattlie, LinkedIn

More Related Content

What's hot

Data Mesh
Data MeshData Mesh
Time to Talk about Data Mesh
Time to Talk about Data MeshTime to Talk about Data Mesh
Time to Talk about Data Mesh
LibbySchulze
 
Data mesh
Data meshData mesh
Data mesh
ManojKumarR41
 
Modernizing to a Cloud Data Architecture
Modernizing to a Cloud Data ArchitectureModernizing to a Cloud Data Architecture
Modernizing to a Cloud Data Architecture
Databricks
 
Azure Databricks is Easier Than You Think
Azure Databricks is Easier Than You ThinkAzure Databricks is Easier Than You Think
Azure Databricks is Easier Than You Think
Ike Ellis
 
Data Lake Overview
Data Lake OverviewData Lake Overview
Data Lake Overview
James Serra
 
Building a modern data warehouse
Building a modern data warehouseBuilding a modern data warehouse
Building a modern data warehouse
James Serra
 
Introducing Confluent Cloud: Apache Kafka as a Service
Introducing Confluent Cloud: Apache Kafka as a Service Introducing Confluent Cloud: Apache Kafka as a Service
Introducing Confluent Cloud: Apache Kafka as a Service
confluent
 
The ABCs of Treating Data as Product
The ABCs of Treating Data as ProductThe ABCs of Treating Data as Product
The ABCs of Treating Data as Product
DATAVERSITY
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...
[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...
[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...
DataScienceConferenc1
 
Delta lake and the delta architecture
Delta lake and the delta architectureDelta lake and the delta architecture
Delta lake and the delta architecture
Adam Doyle
 
Databricks Delta Lake and Its Benefits
Databricks Delta Lake and Its BenefitsDatabricks Delta Lake and Its Benefits
Databricks Delta Lake and Its Benefits
Databricks
 
Microsoft Purview
Microsoft PurviewMicrosoft Purview
Microsoft Purview
Mohammed Chaaraoui
 
Building the Data Lake with Azure Data Factory and Data Lake Analytics
Building the Data Lake with Azure Data Factory and Data Lake AnalyticsBuilding the Data Lake with Azure Data Factory and Data Lake Analytics
Building the Data Lake with Azure Data Factory and Data Lake Analytics
Khalid Salama
 
Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?
Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?
Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?
Kai Wähner
 
Webinar Data Mesh - Part 3
Webinar Data Mesh - Part 3Webinar Data Mesh - Part 3
Webinar Data Mesh - Part 3
Jeffrey T. Pollock
 
What’s New with Databricks Machine Learning
What’s New with Databricks Machine LearningWhat’s New with Databricks Machine Learning
What’s New with Databricks Machine Learning
Databricks
 
Modern data warehouse
Modern data warehouseModern data warehouse
Modern data warehouse
Rakesh Jayaram
 
Serverless Kafka and Spark in a Multi-Cloud Lakehouse Architecture
Serverless Kafka and Spark in a Multi-Cloud Lakehouse ArchitectureServerless Kafka and Spark in a Multi-Cloud Lakehouse Architecture
Serverless Kafka and Spark in a Multi-Cloud Lakehouse Architecture
Kai Wähner
 

What's hot (20)

Data Mesh
Data MeshData Mesh
Data Mesh
 
Time to Talk about Data Mesh
Time to Talk about Data MeshTime to Talk about Data Mesh
Time to Talk about Data Mesh
 
Data mesh
Data meshData mesh
Data mesh
 
Modernizing to a Cloud Data Architecture
Modernizing to a Cloud Data ArchitectureModernizing to a Cloud Data Architecture
Modernizing to a Cloud Data Architecture
 
Azure Databricks is Easier Than You Think
Azure Databricks is Easier Than You ThinkAzure Databricks is Easier Than You Think
Azure Databricks is Easier Than You Think
 
Data Lake Overview
Data Lake OverviewData Lake Overview
Data Lake Overview
 
Building a modern data warehouse
Building a modern data warehouseBuilding a modern data warehouse
Building a modern data warehouse
 
Introducing Confluent Cloud: Apache Kafka as a Service
Introducing Confluent Cloud: Apache Kafka as a Service Introducing Confluent Cloud: Apache Kafka as a Service
Introducing Confluent Cloud: Apache Kafka as a Service
 
The ABCs of Treating Data as Product
The ABCs of Treating Data as ProductThe ABCs of Treating Data as Product
The ABCs of Treating Data as Product
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh Architecture
 
[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...
[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...
[DSC Europe 22] Lakehouse architecture with Delta Lake and Databricks - Draga...
 
Delta lake and the delta architecture
Delta lake and the delta architectureDelta lake and the delta architecture
Delta lake and the delta architecture
 
Databricks Delta Lake and Its Benefits
Databricks Delta Lake and Its BenefitsDatabricks Delta Lake and Its Benefits
Databricks Delta Lake and Its Benefits
 
Microsoft Purview
Microsoft PurviewMicrosoft Purview
Microsoft Purview
 
Building the Data Lake with Azure Data Factory and Data Lake Analytics
Building the Data Lake with Azure Data Factory and Data Lake AnalyticsBuilding the Data Lake with Azure Data Factory and Data Lake Analytics
Building the Data Lake with Azure Data Factory and Data Lake Analytics
 
Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?
Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?
Data Warehouse vs. Data Lake vs. Data Streaming – Friends, Enemies, Frenemies?
 
Webinar Data Mesh - Part 3
Webinar Data Mesh - Part 3Webinar Data Mesh - Part 3
Webinar Data Mesh - Part 3
 
What’s New with Databricks Machine Learning
What’s New with Databricks Machine LearningWhat’s New with Databricks Machine Learning
What’s New with Databricks Machine Learning
 
Modern data warehouse
Modern data warehouseModern data warehouse
Modern data warehouse
 
Serverless Kafka and Spark in a Multi-Cloud Lakehouse Architecture
Serverless Kafka and Spark in a Multi-Cloud Lakehouse ArchitectureServerless Kafka and Spark in a Multi-Cloud Lakehouse Architecture
Serverless Kafka and Spark in a Multi-Cloud Lakehouse Architecture
 

Similar to Databricks secure deployments and security baselines, doug march 2022

Multiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on KubernetesMultiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on Kubernetes
Janos Matyas
 
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoringAz 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
AzureEzy1
 
Big data journey to the cloud 5.30.18 asher bartch
Big data journey to the cloud 5.30.18   asher bartchBig data journey to the cloud 5.30.18   asher bartch
Big data journey to the cloud 5.30.18 asher bartch
Cloudera, Inc.
 
Securing APIs for ultimate security and privacy with Azure | Codit Webinar
Securing APIs for ultimate security and privacy with Azure | Codit WebinarSecuring APIs for ultimate security and privacy with Azure | Codit Webinar
Securing APIs for ultimate security and privacy with Azure | Codit Webinar
Codit
 
Preparing for Multi-Cloud
Preparing for Multi-CloudPreparing for Multi-Cloud
Preparing for Multi-Cloud
Konstantin Tjuterev
 
Az 104 session 2 implement and manage azure webapps and container
Az 104 session 2 implement and manage azure webapps and containerAz 104 session 2 implement and manage azure webapps and container
Az 104 session 2 implement and manage azure webapps and container
AzureEzy1
 
Azure privatelink
Azure privatelinkAzure privatelink
Azure privatelink
Udaiappa Ramachandran
 
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesSecurely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Khash Nakhostin
 
ENT208 Transform your Business with VMware Cloud on AWS
ENT208 Transform your Business with VMware Cloud on AWSENT208 Transform your Business with VMware Cloud on AWS
ENT208 Transform your Business with VMware Cloud on AWS
Amazon Web Services
 
Presentation building and running your private cloud
Presentation   building and running your private cloudPresentation   building and running your private cloud
Presentation building and running your private cloudsolarisyourep
 
Presentation building and running your private cloud
Presentation   building and running your private cloudPresentation   building and running your private cloud
Presentation building and running your private cloud
xKinAnx
 
VMware vCloud Air: Networking
VMware vCloud Air: NetworkingVMware vCloud Air: Networking
VMware vCloud Air: Networking
VMware
 
AZ-204: Monitor, Troubleshoot & Optimize Azure Solutions
AZ-204: Monitor, Troubleshoot & Optimize Azure SolutionsAZ-204: Monitor, Troubleshoot & Optimize Azure Solutions
AZ-204: Monitor, Troubleshoot & Optimize Azure Solutions
AzureEzy1
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfData & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Chris Bingham
 
Data platform modernization with Databricks.pptx
Data platform modernization with Databricks.pptxData platform modernization with Databricks.pptx
Data platform modernization with Databricks.pptx
CalvinSim10
 
Az 104 session 5: Azure networking
Az 104 session 5: Azure networkingAz 104 session 5: Azure networking
Az 104 session 5: Azure networking
AzureEzy1
 
Private cloud 201 cr
Private cloud 201   crPrivate cloud 201   cr
Private cloud 201 crChris Avis
 
Infoblox Cloud Solutions - Cisco Mid-Atlantic User Group
Infoblox Cloud Solutions - Cisco Mid-Atlantic User GroupInfoblox Cloud Solutions - Cisco Mid-Atlantic User Group
Infoblox Cloud Solutions - Cisco Mid-Atlantic User Group
NetCraftsmen
 
Private cloud 201 how to build a private cloud
Private cloud 201 how to build a private cloud Private cloud 201 how to build a private cloud
Private cloud 201 how to build a private cloud
Harold Wong
 
Five Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNetsFive Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNets
Khash Nakhostin
 

Similar to Databricks secure deployments and security baselines, doug march 2022 (20)

Multiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on KubernetesMultiple ways of building hybrid clouds on Kubernetes
Multiple ways of building hybrid clouds on Kubernetes
 
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoringAz 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
 
Big data journey to the cloud 5.30.18 asher bartch
Big data journey to the cloud 5.30.18   asher bartchBig data journey to the cloud 5.30.18   asher bartch
Big data journey to the cloud 5.30.18 asher bartch
 
Securing APIs for ultimate security and privacy with Azure | Codit Webinar
Securing APIs for ultimate security and privacy with Azure | Codit WebinarSecuring APIs for ultimate security and privacy with Azure | Codit Webinar
Securing APIs for ultimate security and privacy with Azure | Codit Webinar
 
Preparing for Multi-Cloud
Preparing for Multi-CloudPreparing for Multi-Cloud
Preparing for Multi-Cloud
 
Az 104 session 2 implement and manage azure webapps and container
Az 104 session 2 implement and manage azure webapps and containerAz 104 session 2 implement and manage azure webapps and container
Az 104 session 2 implement and manage azure webapps and container
 
Azure privatelink
Azure privatelinkAzure privatelink
Azure privatelink
 
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In MinutesSecurely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
 
ENT208 Transform your Business with VMware Cloud on AWS
ENT208 Transform your Business with VMware Cloud on AWSENT208 Transform your Business with VMware Cloud on AWS
ENT208 Transform your Business with VMware Cloud on AWS
 
Presentation building and running your private cloud
Presentation   building and running your private cloudPresentation   building and running your private cloud
Presentation building and running your private cloud
 
Presentation building and running your private cloud
Presentation   building and running your private cloudPresentation   building and running your private cloud
Presentation building and running your private cloud
 
VMware vCloud Air: Networking
VMware vCloud Air: NetworkingVMware vCloud Air: Networking
VMware vCloud Air: Networking
 
AZ-204: Monitor, Troubleshoot & Optimize Azure Solutions
AZ-204: Monitor, Troubleshoot & Optimize Azure SolutionsAZ-204: Monitor, Troubleshoot & Optimize Azure Solutions
AZ-204: Monitor, Troubleshoot & Optimize Azure Solutions
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfData & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
 
Data platform modernization with Databricks.pptx
Data platform modernization with Databricks.pptxData platform modernization with Databricks.pptx
Data platform modernization with Databricks.pptx
 
Az 104 session 5: Azure networking
Az 104 session 5: Azure networkingAz 104 session 5: Azure networking
Az 104 session 5: Azure networking
 
Private cloud 201 cr
Private cloud 201   crPrivate cloud 201   cr
Private cloud 201 cr
 
Infoblox Cloud Solutions - Cisco Mid-Atlantic User Group
Infoblox Cloud Solutions - Cisco Mid-Atlantic User GroupInfoblox Cloud Solutions - Cisco Mid-Atlantic User Group
Infoblox Cloud Solutions - Cisco Mid-Atlantic User Group
 
Private cloud 201 how to build a private cloud
Private cloud 201 how to build a private cloud Private cloud 201 how to build a private cloud
Private cloud 201 how to build a private cloud
 
Five Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNetsFive Connectivity and Security Use Cases for Azure VNets
Five Connectivity and Security Use Cases for Azure VNets
 

Recently uploaded

Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdfUnleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Enterprise Wired
 
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
mbawufebxi
 
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptxData_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
AnirbanRoy608946
 
Influence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business PlanInfluence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business Plan
jerlynmaetalle
 
Learn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queriesLearn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queries
manishkhaire30
 
Global Situational Awareness of A.I. and where its headed
Global Situational Awareness of A.I. and where its headedGlobal Situational Awareness of A.I. and where its headed
Global Situational Awareness of A.I. and where its headed
vikram sood
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
TravisMalana
 
The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...
jerlynmaetalle
 
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
Walaa Eldin Moustafa
 
Machine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptxMachine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptx
balafet
 
Nanandann Nilekani's ppt On India's .pdf
Nanandann Nilekani's ppt On India's .pdfNanandann Nilekani's ppt On India's .pdf
Nanandann Nilekani's ppt On India's .pdf
eddie19851
 
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
u86oixdj
 
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
mzpolocfi
 
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdfEnhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
Enhanced Enterprise Intelligence with your personal AI Data Copilot.pdf
GetInData
 
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
Timothy Spann
 
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
slg6lamcq
 
My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.
rwarrenll
 
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
74nqk8xf
 
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Dat...
Timothy Spann
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
g4dpvqap0
 

Recently uploaded (20)

Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdfUnleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
Unleashing the Power of Data_ Choosing a Trusted Analytics Platform.pdf
 
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
一比一原版(Bradford毕业证书)布拉德福德大学毕业证如何办理
 
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptxData_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
 
Influence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business PlanInfluence of Marketing Strategy and Market Competition on Business Plan
Influence of Marketing Strategy and Market Competition on Business Plan
 
Learn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queriesLearn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queries
 
Global Situational Awareness of A.I. and where its headed
Global Situational Awareness of A.I. and where its headedGlobal Situational Awareness of A.I. and where its headed
Global Situational Awareness of A.I. and where its headed
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
 
The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...
 
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
 

Databricks secure deployments and security baselines, DOUG, March 2022

  • 7. Goals for secure deployments
    1. Databricks resources deployed to a pre-provisioned VNET
    2. Databricks traffic isolated from regular network traffic (prevents data exfiltration)
    3. Internal traffic between cluster nodes kept internal and encrypted
    4. Access to the Databricks control plane limited and controlled
  • 8. Databricks (architecture diagram)
  • 9. Databricks + Azure (diagram labels: user subscription, isolated VNET, at-rest encryption, access control, service endpoint / private link)
    Reference: Deploy Azure Databricks in your Azure virtual network (VNet injection)
  • 10. Databricks pricing plan
    Most security features require Premium (*):
    • Single sign-on
    • Role-based access control
    • Credentials passthrough
    • VNET injection
    • Secure cluster connectivity
    • IP access list
    • Customer-managed keys for control plane data encryption
    • Customer-managed keys for DBFS (data plane) data encryption
    (*) All but SSO require the Premium plan.
    Price for 1 VM x 1 DBU x 1 hour: Standard kr6,97; Premium kr8,31 (+19%)
    Reference: Enterprise security for Azure Databricks - Azure Databricks
  • 11. Other price considerations
    - Service Endpoints: no extra cost
    - Private Link: inbound traffic kr0,0909/GB; outbound traffic kr0,0909/GB
    References: Pricing - Azure Private Link | Microsoft Azure; Azure virtual network service endpoints | Microsoft Docs
  • 12. VNET injection
    Default Azure Databricks deployment:
    - VNET created by Databricks
    - Resources created in a locked resource group
    - Subnets created and managed by Databricks
    VNET injection:
    - VNET managed by the user
    - Subnets created and managed by the user
    - Custom DNS settings
    - Custom route tables
    - On-premises data connection available
    (*) You cannot replace the VNet for an existing workspace
    Reference: Deploy Azure Databricks in your Azure virtual network (VNet injection)
  • 13. VNET injection requirements
    - Workspace and VNET must reside in the same region
    - Workspace and VNET must reside in the same subscription
    - Address space for the VNET: between CIDR /16 and /24 (65k and 256 addresses respectively)
    - Several workspaces can share the same VNET
    - 2 dedicated subnets, exclusive to each workspace:
      - Public/host subnet
      - Private/container subnet
    - 5 IP addresses reserved for Azure in each subnet
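The requirements on slide 13 are easy to get wrong when several workspaces share one VNET, and a workspace's VNET cannot be replaced afterwards (slide 12). The following planning check is an added example, not code from the talk or from Databricks: it validates a proposed layout against the slide's rules (VNET between /16 and /24, two dedicated non-overlapping subnets per workspace inside the VNET, 5 addresses reserved per subnet) and reports how many cluster nodes each workspace can hold. The `WorkspaceSubnets` record and the sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constraints stated on the "VNET injection requirements" slide.
VNET_MIN_PREFIX = 16            # /16 = 65k addresses
VNET_MAX_PREFIX = 24            # /24 = 256 addresses
AZURE_RESERVED_PER_SUBNET = 5   # Azure reserves 5 addresses in every subnet


@dataclass
class WorkspaceSubnets:
    """One workspace's two dedicated subnets (hypothetical planning record, IPv4 CIDRs)."""
    name: str
    host: str       # public/host subnet
    container: str  # private/container subnet


def plan_vnet_injection(vnet_cidr: str, workspaces: List[WorkspaceSubnets]) -> Dict[str, object]:
    """Check a layout against the slide's rules.

    Returns {"violations": [...], "capacity": {workspace: nodes}}. Capacity is the usable
    address count of the smaller subnet, since every cluster node needs one address in each.
    """
    violations: List[str] = []
    capacity: Dict[str, int] = {}
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if not VNET_MIN_PREFIX <= vnet.prefixlen <= VNET_MAX_PREFIX:
        violations.append(f"VNET {vnet} must be between /{VNET_MIN_PREFIX} and /{VNET_MAX_PREFIX}")
    placed: List[Tuple[str, ipaddress.IPv4Network]] = []
    for ws in workspaces:
        subnets = {"host": ipaddress.ip_network(ws.host, strict=True),
                   "container": ipaddress.ip_network(ws.container, strict=True)}
        for role, net in subnets.items():
            if not net.subnet_of(vnet):
                violations.append(f"{ws.name}: {role} subnet {net} lies outside {vnet}")
            # Subnets are exclusive to one workspace: no overlap with anything placed so far,
            # including this workspace's own other subnet.
            for owner, other in placed:
                if net.overlaps(other):
                    violations.append(f"{ws.name}: {net} overlaps {other} ({owner})")
            placed.append((ws.name, net))
        capacity[ws.name] = min(n.num_addresses - AZURE_RESERVED_PER_SUBNET for n in subnets.values())
    return {"violations": violations, "capacity": capacity}


if __name__ == "__main__":
    # Constructed sample layout: two workspaces sharing one /16.
    print(plan_vnet_injection("10.10.0.0/16", [
        WorkspaceSubnets("ws-a", "10.10.0.0/24", "10.10.1.0/24"),
        WorkspaceSubnets("ws-b", "10.10.2.0/26", "10.10.3.0/26"),
    ]))
```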
  • 14. VNET injection example (diagram: Databricks VNET with a container/private subnet and a host/public subnet holding the cluster VMs; TLS inter-node communications; route tables; VNET peering to a hub VNET with Azure Firewall; service connections to Storage Blob, ADLS and Key Vault; credentials passthrough via a Service Principal / Enterprise App; VNET VMs)
    References: How to Deploy Databricks Clusters in Your Own Custom VNET; Deploy Azure Databricks in your Azure virtual network (VNet injection)
  • 15. Service connections: Azure virtual network service endpoints
    No additional price.
    Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network backbone.
    Reference: Securely Accessing Azure Data Sources from Azure Databricks
  • 16. Data exfiltration protection: private endpoints
    Extends your private network address space to Azure data services, i.e. the Azure data service effectively gets a private IP in one of your VNETs and can be treated as part of your larger private network.
    References: Securely Accessing Azure Data Sources from Azure Databricks; Pricing - Azure Private Link | Microsoft Azure
  • 17. Secure cluster connectivity (No Public IP / NPIP)
    * You cannot add secure cluster connectivity to an existing workspace
    * Using secure cluster connectivity with the default (managed) VNET creates a NAT gateway, incurring extra costs
  • 18. Data exfiltration full overview
    Reference: How to protect Data Exfiltration with Azure Databricks to help ensure Cloud Security
  • 19. Other secure characteristics
  • 20. Azure AD Conditional Access
    Restrict access to the Azure Databricks control plane by using Conditional Access: authenticated connections are allowed only from pre-defined IP addresses.
    - Requires Azure AD Premium P1
    Reference: What is Conditional Access in Azure Active Directory?
  • 21. Databricks access control
    • Workspace object access control: folder and notebook access
    • Cluster access control: who may change clusters (attach, restart, manage)
    • Pool access control: who may change pools (attach, manage)
    • Jobs access control: job results (view, manage run, owner, manage)
    • Table access control (Premium): table access (deny)
    • Secret access control: create, view, delete
    Reference: Security guide - Azure Databricks | Microsoft Docs
  • 22. DBFS encryption: configure customer-managed keys for DBFS root
    - The Key Vault must be in the same region and the same Azure Active Directory (Azure AD) tenant as your Azure Databricks workspace; they can be in different subscriptions.
    - Encryption keys can be rotated without re-encrypting storage account content (diagram labels: key identifier, encryption).
    - The Databricks workspace needs key permissions in Key Vault to perform wrap and unwrap key operations.
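Slide 22 gives three things to verify before pointing DBFS root encryption at a Key Vault: same region, same tenant, and only the wrap/unwrap key permissions the workspace actually needs. The review function below is an added example, not code from the talk or from Databricks; it reads a vault description in the shape returned by `az keyvault show` (that shape is an assumption, not stated on the slide), checks the workspace identity's access policy, and flags both missing and excess key permissions, since a broader grant would let a compromised workspace identity delete or purge the key. The `get` permission is assumed as the usual companion to wrap/unwrap, and every identifier in the sample is a constructed placeholder.

```python
import json
from typing import Dict, List

# Wrap and unwrap come from the slide; "get" is an assumption (metadata read that goes with them).
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}


def review_cmk_key_vault(vault_json: str, workspace_object_id: str,
                         workspace_tenant_id: str, workspace_region: str) -> Dict[str, object]:
    """Compare a Key Vault description (assumed `az keyvault show` shape) with the slide's rules."""
    vault = json.loads(vault_json)
    props = vault["properties"]
    findings: Dict[str, object] = {
        "same_region": vault["location"].lower() == workspace_region.lower(),
        "same_tenant": props["tenantId"].lower() == workspace_tenant_id.lower(),
        "missing": sorted(REQUIRED_KEY_PERMS),  # stays like this if no policy names the workspace
        "excess": [],
    }
    for policy in props.get("accessPolicies", []):
        if policy["objectId"].lower() != workspace_object_id.lower():
            continue
        granted = {p.lower() for p in policy["permissions"].get("keys") or []}
        findings["missing"] = sorted(REQUIRED_KEY_PERMS - granted)
        # Least privilege: anything beyond get/wrap/unwrap is more than DBFS encryption needs.
        findings["excess"] = sorted(granted - REQUIRED_KEY_PERMS)
        break
    return findings


# Constructed sample (not real output): a vault whose workspace policy is far too broad.
WORKSPACE_ID = "00000000-0000-0000-0000-0000workspace"   # placeholder workspace identity
TENANT_ID = "00000000-0000-0000-0000-000000tenant"       # placeholder tenant
SAMPLE_VAULT = json.dumps({
    "location": "norwayeast",
    "properties": {
        "tenantId": TENANT_ID,
        "accessPolicies": [{
            "objectId": WORKSPACE_ID,
            "permissions": {"keys": ["get", "wrapKey", "unwrapKey", "delete", "purge", "list"]},
        }],
    },
})


if __name__ == "__main__":
    print(review_cmk_key_vault(SAMPLE_VAULT, WORKSPACE_ID, TENANT_ID, "norwayeast"))
```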
  • 23. Azure Databricks security baseline (34 pages)
    1. Network Security
    2. Logging and Monitoring
    3. Identity and Access Control
    4. Data Protection
    5. Vulnerability Management
    6. Inventory and Asset Management
    7. Secure Configuration
    8. Malware Defense
    9. Data Recovery
    10. Incident Response
    11. Penetration Tests and Red Team Exercises
    https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/databricks-security-baseline
  • 24. Vacuum of delta tables for GDPR compliance - Demo. DOUG, March 2022. Marino Bråthen Grønseth, LinkedIn
  • 25. We hope to see you next time! The DOUG crew. Henrik Brattlie, LinkedIn