Azure SQL Database Dynamic Data Masking

Dynamic data masking plays a significant role in data security for Azure SQL Database. It is a way of restricting access to sensitive information to a specific set of users. Dynamic data masking is available for Azure SQL Database, Azure SQL Managed Instance and Azure Synapse Analytics.

Dynamic data masking can be applied as a security policy across all the SQL databases in an Azure subscription, and customers can control the level of masking to suit their requirements. Dynamic data masking only masks the query results for the specific columns on which a masking rule has been applied; it does not change the data actually stored in the database.

The dynamic data masking policy can be found under the Security configuration blade of the SQL database in the Azure portal. For Azure Synapse Analytics and SQL Managed Instance, PowerShell or the REST API can be used instead.

To implement dynamic data masking for various scenarios, the following masking functions are available:

Masking Function Name | Masking Logic                                                                 | Example
Default               | Full masking, varies by data type                                             | For numeric data: 0; for string data: XXXX, etc.
Credit Card           | Expose the last 4 digits only                                                 | XXXX-XXXX-XXXX-1234
Email                 | Expose the first letter, mask the domain with XXX                             | aXXX@XXXX.com
Random Number         | Generate a random number within a specified range                             | Random number between 1 and 100
Custom Text           | Expose the first and last character and replace the rest with a custom padding string | 1 -asdf*%-9

Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview#:~:text=Dynamic%20data%20masking%20limits%20sensitive,impact%20on%20the%20application%20layer.
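The following T-SQL is an added example, not code from the original post, showing how each masking function in the table above is attached to a column on Azure SQL Database, how a low-privilege reader sees masked results while the stored data stays intact, and how to list which columns are covered. The table, column and user names (dbo.Customers, ReportReader) and the sample rows are assumptions made up for illustration; in T-SQL the "Credit Card" and "Custom Text" masks are both expressed with the partial() function.

```sql
-- Added example (not from the original post). Table, column and user names
-- are assumptions chosen for illustration; the sample rows are constructed.

-- One masked column per masking function from the table above.
CREATE TABLE dbo.Customers (
    CustomerID  int IDENTITY(1,1) PRIMARY KEY,
    FirstName   varchar(100)
        MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,        -- Custom Text: keep 1st char
    Email       varchar(100)
        MASKED WITH (FUNCTION = 'email()') NULL,                        -- Email: aXXX@XXXX.com
    Phone       varchar(20)
        MASKED WITH (FUNCTION = 'default()') NULL,                      -- Default: full mask (XXXX)
    CreditCard  varchar(19)
        MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL, -- Credit Card: last 4 digits
    CreditScore int
        MASKED WITH (FUNCTION = 'random(1, 100)') NULL,                 -- Random Number: 1..100
    Balance     decimal(10,2) NULL                                      -- not masked yet
);

-- Constructed sample rows (fictional values).
INSERT INTO dbo.Customers (FirstName, Email, Phone, CreditCard, CreditScore, Balance)
VALUES ('Alice', 'alice@example.com', '555-0100', '4111-1111-1111-1234', 87, 120.50),
       ('Bob',   'bob@example.org',   '555-0101', '5500-0000-0000-5678', 42, 980.00);

-- A low-privilege principal that may read the table but holds no UNMASK permission.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;

-- Masking happens at query time; the rows on disk are unchanged.
EXECUTE AS USER = 'ReportReader';
SELECT FirstName, Email, Phone, CreditCard, CreditScore, Balance
FROM dbo.Customers;
-- Returns e.g. 'AXXXXXXX', 'aXXX@XXXX.com', 'XXXX', 'XXXX-XXXX-XXXX-1234',
-- a random number between 1 and 100, and the real Balance (still unmasked).
REVERT;

-- Add an existing column to the masking policy after the fact.
ALTER TABLE dbo.Customers
    ALTER COLUMN Balance ADD MASKED WITH (FUNCTION = 'default()');

-- Inventory check: which columns are masked, and with which function.
SELECT OBJECT_NAME(object_id) AS table_name,
       name                   AS column_name,
       masking_function
FROM sys.masked_columns
WHERE is_masked = 1;

-- Only principals granted UNMASK see clear values; review these grants regularly.
GRANT UNMASK TO ReportReader;
-- ...and to take it away again:
REVOKE UNMASK FROM ReportReader;
```

Run this against a test database rather than production. Note that dynamic data masking limits what appears in result sets; it is not encryption and does not protect the stored data itself, so it should be paired with least-privilege access, auditing of UNMASK grants and, where the data warrants it, encryption features such as Always Encrypted.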
