dynamic data masking sql server 2016
TRANSCRIPT
SQLschool.gr Team
Antonios Chatzipavlis, SQL Server Evangelist • Trainer
Vassilis Ioannidis, SQL Server Expert • Trainer
Fivi Panopoulou, System Engineer • Speaker
Sotiris Karras, System Engineer • Speaker
Follow us in social media
@sqlschool / @panfivi
fb/sqlschoolgr
yt/c/SqlschoolGr
SQL School Greece group
Presentation Content
Introducing Dynamic Data Masking
Using Dynamic Data Masking
DDM on Azure
Some points to keep
• Protect sensitive data and personally identifiable
information
• Regulatory Compliance
• Expose sensitive data only on a need-to-know basis
• Custom obfuscation in application, views or third party
solutions are used to address this need
The Need
Dynamic Data Masking in SQL Server 2016
• Built-in feature for SQL Server
2016 and Azure SQL DB
• Data masked on the fly when
queried, underlying data do
not change
• Control on how the data
appear in the result set
Dynamic data masking is a data protection feature that
masks the sensitive data in the result set of a query over
chosen database fields
• Protects against unauthorized disclosure of sensitive
data in the application
• Very simple to configure and use
• Does not require changes in application code
• Centralized masking logic
Benefits
• “Dynamic data masking does not aim to prevent
database users from connecting directly to the database
and running exhaustive queries that expose pieces of
the sensitive data”
• It is not a method for physical data encryption
• It is complementary to other SQL Server security
features
Keep in mind
• Decide which columns need to be masked
• Choose the masking function that best fits your needs
for each column
• Alter columns to add the masking rules
• The underlying data is unaffected
• Designate which users should see masked data and
configure the permissions.
Steps
Default
Masking Functions
Data Type Family: Masked Data
String: XXXX
Numeric: 0
Date and Time: 01.01.1900 00:00:00.0000000
Binary: 0
ALTER TABLE TableName
ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'default()')
Full masking according to the data types of the designated
fields.
Email
Masking Functions
ALTER TABLE TableName
ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'email()')
Exposes the first letter of an email address and the constant
suffix ".com", in the form of an email address.
Random
Masking Functions
ALTER TABLE TableName
ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'random([start range], [end range])')
A random masking function for use on any numeric type to
mask the original value with a random value within a
specified range.
Custom String (Partial)
Masking Functions
ALTER TABLE TableName
ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'partial(prefix,[padding],suffix)')
Exposes the first and last letters and adds a custom padding
string in the middle
• Phone: partial(4,"XXXXXXXXXXX",0)
• Credit Card: partial(0,"XXXX-XXXX-XXXX-",4)
• Email: partial(1,"xxxx@xxxx.",2)
• To retrieve the original data the user must have the
UNMASK permission
• To add, replace or remove the masking of existing columns the user must have the
ALTER ANY MASK permission
• The CONTROL permission on the database includes
both the ALTER ANY MASK and UNMASK permission
! Users without UNMASK but with UPDATE permission can
still update data.
Permissions
• System view to query for table columns that have a
dynamic data masking function applied to them
• Similar to the sys.columns view
• is_masked
• masking_function
sys.masked_columns
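The steps, masking functions, permissions and sys.masked_columns view described above, put together in one T-SQL script. This is an added example, not code from the original slides; the table dbo.DemoCustomer, the user DemoReader and the sample row are constructed for illustration.

```sql
-- Constructed demo table: all names and values are made up for this example.
CREATE TABLE dbo.DemoCustomer (
    CustomerID int IDENTITY(1,1) PRIMARY KEY,
    FullName   nvarchar(100) MASKED WITH (FUNCTION = 'default()') NOT NULL,
    Email      nvarchar(100) MASKED WITH (FUNCTION = 'email()') NULL,
    CardNumber varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL,
    Discount   int           NULL
);
INSERT INTO dbo.DemoCustomer (FullName, Email, CardNumber, Discount)
VALUES (N'Maria Example', N'maria@example.com', '1111-2222-3333-4444', 15);

-- Add a mask to an existing column (the ALTER COLUMN form from the slides).
ALTER TABLE dbo.DemoCustomer
    ALTER COLUMN Discount ADD MASKED WITH (FUNCTION = 'random(1, 99)');

-- A low-privilege reader: SELECT and UPDATE, but no UNMASK.
CREATE USER DemoReader WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.DemoCustomer TO DemoReader;

EXECUTE AS USER = 'DemoReader';
-- Without UNMASK the result set carries the masked form of every masked column.
SELECT FullName, Email, CardNumber, Discount FROM dbo.DemoCustomer;
-- UPDATE still succeeds without UNMASK, so a mask is not a write control.
UPDATE dbo.DemoCustomer SET Discount = 20 WHERE CustomerID = 1;
REVERT;

-- After GRANT UNMASK the same user reads the stored values.
GRANT UNMASK TO DemoReader;
EXECUTE AS USER = 'DemoReader';
SELECT FullName, Email, CardNumber, Discount FROM dbo.DemoCustomer;
REVERT;
REVOKE UNMASK FROM DemoReader;

-- Audit: which columns are masked, and with which function.
SELECT OBJECT_NAME(mc.object_id) AS table_name, mc.name AS column_name, mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Audit: which principals hold database-level permissions that bypass or change masks.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 0 AND pe.permission_name IN (N'UNMASK', N'ALTER ANY MASK', N'CONTROL');

-- Clean up the demo objects.
DROP USER DemoReader;
DROP TABLE dbo.DemoCustomer;
```

Run it in a scratch database on SQL Server 2016 or later; the two audit queries are the part worth keeping for periodic review of who can see unmasked data.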
Azure
Set up DDM using Azure Portal
• Define users excluded from
masking
• Define Masking rules
• Designated fields and masking
functions for each one
There is a recommendations engine that
proposes potentially sensitive fields to
mask
Azure
Default: Full Masking according to the datatypes
Credit card: XXXX-XXXX-XXXX-1234
Social Security number: XXX-XX-1234
Email: [email protected]
Random Number: Random number between selected boundaries
Custom Text: Prefix, Padding String, Suffix
• Not compatible with Always Encrypted columns
• Not compatible with File Stream
• Not compatible with Column set
• A column with data masking cannot be a key for a
FULLTEXT index.
• Masking rule cannot be defined on a computed column
Limitations and Restrictions
• Dynamic Data Masking is applied when running SQL
Server Import and Export
• Dynamic Data Masking is applied when using SELECT
INTO or INSERT INTO to copy data from a masked
column
• Be careful with updates
Considerations
Minimal Performance Impact
Data masking is performed right before the data is
returned.
Performance
SELECT *
FROM Person.EmailAddress;