Dynamic data masking plays a significant role in data security for Azure SQL Database. It is a way of restricting access to sensitive information so that only a specific set of users can see the real values. Dynamic data masking is available for Azure SQL Database, Azure SQL Managed Instance and Azure Synapse Analytics.
Dynamic data masking can be implemented as a security policy applied to all the SQL databases across an Azure subscription, and customers can control the level of masking as per their requirements. Dynamic data masking only masks the query results for the specific columns on which the masking has been applied; it does not affect the actual data stored in the database.
The dynamic data masking policy can be found under the Security section of the SQL Database configuration blade in the Azure portal. For Azure Synapse Analytics and SQL Managed Instance, PowerShell or the REST API can be used instead.
To implement dynamic data masking for various scenarios, the following masking functions are available:
| Masking Function Name | Masking Logic | Example |
|---|---|---|
| Default | Full masking, varies by data type | For numeric data: 0; for string data: XXXX, etc. |
| Credit Card | Expose the last 4 digits only | XXXX-XXXX-XXXX-1234 |
| Email | Expose the first letter, mask the domain | aXX@XXXX.com |
| Random Number | Generate a random number within a selected range | Random number between 1 and 100 |
| Custom Text | Expose the first and last characters and replace the rest with a custom padding string | |
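The masking functions in the table above map directly onto the T-SQL `MASKED WITH` clause, which is what the portal policy, PowerShell and REST API configure under the hood. The script below is an added worked example, not code from the original article or from Microsoft; the `dbo.Customers` table, its columns, the `ReportReader` user and the sample rows are all constructed for illustration.

```sql
-- Added example (constructed): apply one mask of each kind from the table above,
-- then check what a non-privileged user sees and which columns are masked.

-- 1. Create a table with masks declared inline on the sensitive columns.
CREATE TABLE dbo.Customers (
    CustomerId       INT IDENTITY(1,1) PRIMARY KEY,
    -- Custom Text: keep first character, pad with "XXXXX", keep 0 trailing characters
    FirstName        VARCHAR(50)  MASKED WITH (FUNCTION = 'partial(1,"XXXXX",0)') NULL,
    -- Email: first letter exposed, domain masked
    Email            VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NULL,
    -- Credit Card: same partial() function the portal uses, exposing the last 4 digits
    CreditCardNumber VARCHAR(19)  MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL,
    -- Random Number: a value between 1 and 100 is returned instead of the stored number
    LoyaltyPoints    INT          MASKED WITH (FUNCTION = 'random(1,100)') NULL,
    -- Phone is created unmasked; a mask is added to it afterwards (step 2)
    Phone            VARCHAR(20)  NULL
);
GO

-- 2. Add the Default mask to an existing column without touching the stored data.
ALTER TABLE dbo.Customers
    ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'default()');
GO

-- 3. Constructed sample rows (not real customers or card numbers).
INSERT INTO dbo.Customers (FirstName, Email, CreditCardNumber, LoyaltyPoints, Phone)
VALUES ('Alice', 'alice@example.com', '4111-1111-1111-1234', 42, '555-0100'),
       ('Bob',   'bob@example.org',   '5500-0000-0000-9876', 7,  '555-0199');
GO

-- 4. A reporting principal that holds SELECT but not UNMASK sees masked results.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO

EXECUTE AS USER = 'ReportReader';
SELECT FirstName, Email, CreditCardNumber, LoyaltyPoints, Phone
FROM dbo.Customers;          -- every masked column comes back masked for this user
REVERT;
GO

-- 5. Verification query: list every masked column and the function applied to it.
--    Run this after deploying a policy to confirm it landed on the intended columns.
SELECT t.name AS table_name,
       c.name AS column_name,
       c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE c.is_masked = 1;
GO

-- 6. Exempting a principal from masking is an explicit grant, and is revocable.
GRANT UNMASK TO ReportReader;
REVOKE UNMASK FROM ReportReader;
GO
```

Run the script as a database owner: the owner implicitly holds `UNMASK` and sees the stored values, while the `SELECT` executed under `ReportReader` shows the masked form. Because masking is applied to query results only, the rows written in step 3 are stored unchanged, which is why the `sys.masked_columns` check in step 5, rather than the data itself, is the place to confirm that a policy is in force.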