Skip to main content

Functionality

The Security Analysis Tool (SAT) is an observability utility designed to improve the security posture of Databricks deployments. It helps customers identify deviations from established security best practices and monitor the security health of their Databricks workspaces.

To promote continuous adherence to best practices, SAT includes a master checklist that prioritizes checks by severity. Running SAT as a routine scan across all workspaces builds confidence — especially when onboarding sensitive datasets and workflows — by ensuring that critical security gaps are addressed proactively.

Security Functionality

How It Works

SAT is typically run daily as an automated workflow within the customer’s environment. It performs the following actions:

  • Collects configuration details from Databricks accounts and workspaces via REST APIs.

  • Persists results in Delta tables within the customer’s storage environment for historical tracking and trend analysis.

  • Displays results in a centralized Databricks SQL dashboard, categorized into five distinct sections to help stakeholders review relevant workspace settings.

Key Features

  • Prioritized checks by severity, enabling focus on high-impact areas.

  • Documentation links for each check, guiding users to the most up-to-date configuration best practices for each feature.

  • Alerting capabilities, allowing notifications to be triggered on failed critical checks for immediate attention.

  • Detailed failure explanations, enabling admins to pinpoint, isolate, and remediate issues quickly.

SAT Insights

Data from all configured workspaces is consolidated and presented through a single-pane SQL Dashboard, which serves as the primary consumption layer for SAT insights. All findings are organized into the following well-defined categories:

  • Network Security
  • Identity & Access
  • Data Protection
  • Governance
  • Informational

Each category further classifies the check results by severity levels:

  • High
  • Medium
  • Low

This structured view helps stakeholders quickly assess risk areas and prioritize remediation efforts across multiple workspaces.

Security Dashboard

The SAT dashboard is organized into five primary security categories (pillars), each presented in a consistent and intuitive format. The layout is designed to help users quickly assess their security posture across all workspaces.

  • Workspace Security Summary

    • A high-level overview of security findings, broken down by category and categorized by severity (High, Medium, Low). Provides an at-a-glance view of the overall security health of each workspace.

  • Workspace Stats

    • Displays essential metadata about the analysis run, including:
      • Timestamp of the Analysis
      • Workspace Name
      • Service/Pricing Tier
      • Cloud Region

  • Individual Security Category Details

    • Each of the five security pillars (e.g., Network Security, Identity & Access) includes:
      • Summary counts of deviations from security best practices.
      • A detailed table of security findings, sorted by severity.
        • Each finding includes a description of the issue and a link to relevant documentation to facilitate remediation.

  • Informational Section

    • This section highlights observations that are less prescriptive but still valuable for in-depth security reviews. These findings can be reviewed by data and security teams to ensure thresholds and configurations align with organizational policies.

  • Additional Finding Details

    • Provides deep-dive information to help pinpoint the root cause of specific findings, including the logic used to detect each issue.
    • For example:

      If the finding is "Cluster policy not used", the dashboard will list the specific cluster workloads where no policy was applied — eliminating the guesswork and enabling simplified remediation.

Detection Example

The Security Analysis Tool (SAT) evaluates over 60 security best practices, with more being added regularly. In the example below, the SAT scan highlights two findings:

  • Deprecated Runtime Versions
    This check is marked red, indicating that some workloads are using deprecated Databricks runtime versions. While such workloads may continue to run, they will no longer receive support or security patches from Databricks. The Remediation column explains the risk and provides a link to the official documentation listing currently supported runtime versions.

  • Log Delivery
    This check is marked green, confirming that the workspace configuration aligns with Databricks' security best practices for log delivery.

Regularly running SAT checks enables a comprehensive view of your Databricks account and workspace security posture. It also supports continuous improvement by helping you detect and resolve potential security risks early.

Security Detection Dashboard

Customers can use the Additional Details section to view specific configuration settings or controls that caused a best practice check to fail.

For example, the image below shows additional context for the "Deprecated runtime versions" check, allowing administrators to quickly identify and investigate the affected workloads.

Security Detection Dashboard

In the example below, the customer can learn more about the "Log Delivery" check by referencing its identifier, GOV-3.

Security Detection Dashboard

Security Configuration Comparison

This section enables a side-by-side comparison of two SAT runs across all security dimensions. This drill-down view helps identify which best practice checks have improved or regressed, allowing security teams to take timely action.

For example, the diagram below highlights changes in individual checks across categories. The red rectangle illustrates an improvement in the "Enforce User Isolation" check, while also showing a regression in the "Admin Count" best practice.

Over time, the goal is for cross marks to turn into check marks, reflecting better alignment with best practices. If the opposite occurs, it signals a degradation and should be investigated immediately. Additionally, alerts are triggered for critical regressions, notifying relevant stakeholders via email.

Security Detection Dashboard

Setup and Usage Instructions

Note

SAT requires at least one set up in a workspace per account in AWS or GCP and at least one SAT set up in a workspace per Azure subscription.

SAT is currently not supported on AWS GovCloud.

Refer to the Standard Setup Guide or Terraform Setup Guide for installation instructions.

Refer to the Usage Guide for instructions on running the SAT workflows, viewing the dashboard, and customizing the security checks.