SQL Database Dynamic Data Masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking is available for the V12 version of Azure SQL Database.
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to specify how much of the sensitive data to reveal, with minimal impact on the application layer. It is a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database itself is not changed.
When executing queries in the database, whether from an application or directly using a query tool such as SQL Server Management Studio (SSMS), data is masked for the designated fields according to the policy you defined. You can also list specific database users to be excluded from masking, so that they always get the real data when they query the database.
Dynamic Data Masking is one of several security features for Azure SQL Database, which serve to protect data, control access, and monitor database activity. Each of these functions is important, and together they provide a complete database security solution.
The benefits of Dynamic Data Masking are:
- It is very easy to create a data masking policy, whether via PowerShell cmdlets, the Azure Portal, or T-SQL
- There is no need to alter the database or application code
- DDM has limited, if any, performance impact on database operations
- DDM supports AAD authentication, and AAD users and groups can be granted DDM exclusion permissions
Dynamic data masking policy
SQL users excluded from masking – A set of SQL users or AAD identities that will get unmasked data in the SQL query results. Note that users with administrator privileges are always excluded from masking and will see the real data without any mask.
Masking functions – A set of methods that control the exposure of data for different scenarios.
Masking rules – A set of rules that define the designated fields to be masked and the masking function that will be used. The designated fields can be defined using a database schema name, table name and column name.
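The three policy components above (masking rules on designated columns, the masking function each rule uses, and the list of users excluded from masking) can all be expressed in T-SQL. The following is an added example written for this page, not code from the original article or from Microsoft; the table dbo.Membership, the database user AppReader and the inserted rows are hypothetical names and constructed sample data chosen for the illustration.

```sql
-- Added example: a minimal Dynamic Data Masking policy in T-SQL.
-- dbo.Membership and AppReader are hypothetical names for this illustration.

-- 1. Masking rules: each designated column gets a masking function.
CREATE TABLE dbo.Membership (
    MemberID    INT IDENTITY(1,1) PRIMARY KEY,
    FirstName   VARCHAR(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
    LastName    VARCHAR(100) NOT NULL,
    Phone       VARCHAR(12)  MASKED WITH (FUNCTION = 'default()') NULL,
    Email       VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NULL
);

-- Constructed sample rows so the effect of each rule can be observed.
INSERT INTO dbo.Membership (FirstName, LastName, Phone, Email) VALUES
    ('Roberto', 'Tamburello', '555.123.4567', 'RTamburello@contoso.com'),
    ('Janice',  'Galvin',     '555.123.4568', 'JGalvin@contoso.com.co');

-- A rule can also be added to an existing column without touching the data.
ALTER TABLE dbo.Membership
    ALTER COLUMN LastName ADD MASKED WITH (FUNCTION = 'partial(2,"XXX",0)');

-- 2. Verify which columns the policy covers: sys.masked_columns lists the rules.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.[object_id] = t.[object_id]
WHERE c.is_masked = 1;

-- 3. Check the policy as a non-privileged user. Administrators are always
--    excluded from masking, so only a low-privileged principal shows the masks.
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Membership TO AppReader;

EXECUTE AS USER = 'AppReader';
SELECT * FROM dbo.Membership;   -- Email appears as e.g. RXXX@XXXX.com, Phone as XXXX
REVERT;

-- 4. Users excluded from masking: GRANT UNMASK is the T-SQL form of the
--    exclusion list in the policy.
GRANT UNMASK TO AppReader;

EXECUTE AS USER = 'AppReader';
SELECT * FROM dbo.Membership;   -- now returns the real values
REVERT;

-- Remove the exclusion again once it is no longer required.
REVOKE UNMASK FROM AppReader;
```

The query against sys.masked_columns is the check to keep in a review script: it shows exactly which columns carry a rule and which function applies, independent of who created the policy. Because masking operates only on query results and administrators always see real data, the EXECUTE AS step with a low-privileged user is the only way to confirm from inside the database what a masked user actually receives.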