SQL Server Dynamic Data Masking DDM
Watch the Video
You can watch the short video on Dynamic Data Masking on Youtube.
Watch Here
Today, I'm going to walk you through a new feature in SQL Server 2016 called Dynamic Data Masking (DDM). You can read more about it on MSDN for DDM.
What is DDM?
Dynamic Data Masking limits the exposure to sensitive data to users that should not see the data being presented. DDM is used in conjunctions with other features in SQL Server such as SQL Auditing and Encryption (TDE and row-level encryption) to provide a completely secure database platform.
Database can be masked in different ways, either Full Masking or Partial Masking and there are functions builtin to provide ease of use like 'email()'.
Keep in mind that although a user may not see all the data, updates to the data (if permission applies to the user) will still be committed.
Permissions
Users with SELECT permission on a table can view the table data. Columns that are defined as masked, will display the masked data. Grant the UNMASK permission to a user to enable them to retrieve unmasked data from the columns for which masking is defined.
Use Cases
- Need to mask SSN in a column
- Need to mask email address in a column
- Need to mask phone number in a column
- Need to mask refresh copies of Production database in lower environments
- The case for masking data can be endless if you have a over protective Information Security Officer :)
Demo
Our demo today will start with a table in our HR database called employee. The demo will be a small sub-set of data for you to get the general idea on how to use DDM.