Dynamic data masking restricts the exposure of sensitive data by masking it from non-privileged users. It helps prevent unauthorized access to sensitive data by letting customers designate how much of the sensitive data to disclose, with minimal impact on the application layer. It’s a data protection feature that hides critical information in the result set of a query over designated database fields, while the data stored in the database is not changed.
Because masking rules are applied to query results, dynamic data masking is easy to use with existing applications. Many applications can mask sensitive data without altering existing queries. For example, a customer care executive may identify callers by several digits of their social security number or credit card number, but those data items should not be completely exposed to the executive. A masking rule can be defined that masks all but the last four digits of any social security number or credit card number in the result set of any query.
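The masking rule described above, written as T-SQL for SQL Server; this is an added example, not code from the original page. The table, column and user names and the sample values are assumptions constructed for illustration.

```sql
-- Constructed example: table, column and user names are assumptions.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    -- partial(prefix, padding, suffix): show 0 leading and 4 trailing characters
    SSN        CHAR(11)    MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    CardNumber VARCHAR(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL
);

-- Constructed test values, not real identifiers
INSERT INTO dbo.Customers (FullName, SSN, CardNumber)
VALUES (N'Test Customer', '000-00-1234', '4111-1111-1111-1111');

-- Non-privileged user (the customer care executive) and a privileged one
CREATE USER CareAgent  WITHOUT LOGIN;
CREATE USER Supervisor WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO CareAgent;
GRANT SELECT ON dbo.Customers TO Supervisor;
GRANT UNMASK TO Supervisor;   -- only this principal may see unmasked values

-- The application's query is unchanged; masking is applied to the result set.
EXECUTE AS USER = 'CareAgent';
SELECT FullName, SSN, CardNumber FROM dbo.Customers;   -- all but the last four characters masked
REVERT;

EXECUTE AS USER = 'Supervisor';
SELECT FullName, SSN, CardNumber FROM dbo.Customers;   -- stored values, unmasked
REVERT;

-- Review which columns are masked and with which function
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;

-- Review who holds UNMASK, so the privileged set stays small
SELECT pr.name AS principal_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';
```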
The primary aim of dynamic data masking is to restrict exposure of sensitive information, preventing users who should not have access to the data from viewing it. Dynamic data masking is not intended to prevent database users from connecting directly to the database and running large queries that expose parts of the sensitive data. Dynamic data masking complements other SQL Server security features, and it is strongly recommended to use it in combination with them to better protect the sensitive data in the database.
Advantages of dynamic data masking
- The sensitive data never leaves the database!
- There is no need for modifications to the application or the database layer.
- Access can be customized per IP address, per user, or per application.
- There is no requirement for duplicate or offline databases.
- It averts access to production and non-production databases.
- Actions are carried out on real data, saving time and providing authentic feedback to developers and quality assurance teams.