
Dynamic data masking sql server 2016


Published in: Data & Analytics


  1. Dynamic Data Masking in SQL Server 2016
  2. SQLschool.gr Team
     • Antonios Chatzipavlis, SQL Server Evangelist • Trainer
     • Vassilis Ioannidis, SQL Server Expert • Trainer
     • Fivi Panopoulou, System Engineer • Speaker
     • Sotiris Karras, System Engineer • Speaker
  3. Follow us in social media: @sqlschool / @panfivi, fb/sqlschoolgr, yt/c/SqlschoolGr, SQL School Greece group
  4. Help needed? help@sqlschool.gr
  5. Dynamic Data Masking
  6. Presentation Content
     • Introducing Dynamic Data Masking
     • Using Dynamic Data Masking
     • DDM on Azure
     • Some points to keep
  7. Introducing Dynamic Data Masking
  8. The Need
     • Protect sensitive data and personally identifiable information
     • Regulatory compliance
     • Expose sensitive data only on a need-to-know basis
     • Custom obfuscation in the application, views or third-party solutions is used to address this need
  9. Dynamic Data Masking in SQL Server 2016
     • Built-in feature for SQL Server 2016 and Azure SQL DB
     • Data is masked on the fly when queried; the underlying data does not change
     • Control over how the data appears in the result set
     Dynamic data masking is a data protection feature that masks the sensitive data in the result set of a query over chosen database fields.
  10. Benefits
     • Protects against unauthorized disclosure of sensitive data in the application
     • Very simple to configure and use
     • Does not require changes in application code
     • Centralized masking logic
  11. Keep in mind
     • “Dynamic data masking does not aim to prevent database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data”
     • It is not a method for physical data encryption
     • It is complementary to other SQL Server security features
  12. Using Dynamic Data Masking
     • Steps
     • Masking Functions
     • Permissions
     • System view information
  13. Steps
     • Decide which columns need to be masked
     • Choose the masking function that best fits your needs for each column
     • Alter columns to add the masking rules
     • The underlying data is unaffected
     • Designate which users should see masked data and configure the permissions
  14. Default Masking Functions
     ALTER TABLE TableName ALTER COLUMN ColumnName ADD MASKED WITH (FUNCTION = 'default()')
     Full masking according to the data types of the designated fields.
     Data Type Family: Masked Data
     • String: XXXX
     • Numeric: 0
     • Date and Time: 01.01.1900 00:00:00.0000000
     • Binary: 0
  15. Email Masking Functions
     ALTER TABLE TableName ALTER COLUMN ColumnName ADD MASKED WITH (FUNCTION = 'email()')
     Exposes the first letter of an email address and the constant suffix ".com", in the form of an email address: aXXX@XXXX.com
  16. Random Masking Functions
     ALTER TABLE TableName ALTER COLUMN ColumnName ADD MASKED WITH (FUNCTION = 'random([start range], [end range])')
     A random masking function for use on any numeric type to mask the original value with a random value within a specified range.
  17. Custom String (Partial) Masking Functions
     ALTER TABLE TableName ALTER COLUMN ColumnName ADD MASKED WITH (FUNCTION = 'partial(prefix,[padding],suffix)')
     Exposes the first and last letters and adds a custom padding string in the middle.
     • Phone: partial(4,"XXXXXXXXXXX",0)
     • Credit Card: partial(0,"XXXX-XXXX-XXXX-",4)
     • Email: partial(1,"xxxx@xxxx.",2)
  18. Permissions
     • To retrieve the original data, the user must have the UNMASK permission
     • To add, replace or remove masking on existing columns, the user must have the ALTER ANY MASK permission
     • The CONTROL permission on the database includes both the ALTER ANY MASK and UNMASK permissions
     ! Users without UNMASK but with UPDATE permission can still update data.
  19. sys.masked_columns
     System view to query for table columns that have a dynamic data masking function applied to them
     • Similar to the sys.columns view
     • is_masked
     • masking_function
  20. Dynamic Data Masking in Action
  21. DDM on Azure
  22. Azure
     Set up DDM using the Azure Portal
     • Define users excluded from masking
     • Define masking rules
     • Designated fields and masking functions for each one
     There is a recommendations engine that proposes potentially sensitive fields to mask.
  23. Azure
     • Default: Full masking according to the data types
     • Credit card: XXXX-XXXX-XXXX-1234
     • Social Security number: XXX-XX-1234
     • Email: aXX@XXXX.com
     • Random Number: Random number between selected boundaries
     • Custom Text: Prefix, Padding String, Suffix
  24. Some points to keep
     • Limitations and Restrictions
     • Considerations
     • Performance
  25. Limitations and Restrictions
     • Not compatible with Always Encrypted columns
     • Not compatible with FILESTREAM
     • Not compatible with COLUMN_SET
     • A column with data masking cannot be a key for a FULLTEXT index
     • A masking rule cannot be defined on a computed column
  26. Considerations
     • Dynamic Data Masking is applied when running SQL Server Import and Export
     • Dynamic Data Masking is applied when using SELECT INTO or INSERT INTO to copy data from a masked column
     • Be careful with updates
  27. Performance
     Minimal performance impact: data masking is performed right before the data is returned.
     SELECT * FROM Person.EmailAddress;
  28. SELECT KNOWLEDGE FROM SQL SERVER
     Copyright © 2015 SQLschool.gr. All rights reserved.
     PRESENTER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
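
The Steps, masking function, Permissions and sys.masked_columns slides above, run end to end as one T-SQL script. This is an added example, not part of the original deck; the table dbo.DdmDemoCustomer, the user DdmDemoReader and all row values are constructed for illustration.

```sql
-- Added example: dbo.DdmDemoCustomer, DdmDemoReader and the rows are constructed.
CREATE TABLE dbo.DdmDemoCustomer (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    -- A mask can be declared when the column is created ...
    Email      nvarchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone      varchar(20)   NOT NULL,
    CreditCard varchar(19)   NOT NULL,
    Salary     int           NOT NULL
);
INSERT INTO dbo.DdmDemoCustomer (FullName, Email, Phone, CreditCard, Salary)
VALUES (N'Alice Example', N'alice@example.org', '2105550101', '1111-2222-3333-4444', 52000),
       (N'Bob Example',   N'bob@example.net',   '2105550102', '5555-6666-7777-8888', 48000);

-- ... or added to an existing column; the stored data is not rewritten.
ALTER TABLE dbo.DdmDemoCustomer ALTER COLUMN FullName
    ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE dbo.DdmDemoCustomer ALTER COLUMN Phone
    ADD MASKED WITH (FUNCTION = 'partial(4,"XXXXXXXXXXX",0)');
ALTER TABLE dbo.DdmDemoCustomer ALTER COLUMN CreditCard
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');
ALTER TABLE dbo.DdmDemoCustomer ALTER COLUMN Salary
    ADD MASKED WITH (FUNCTION = 'random(1, 100)');

-- Audit: which columns are masked, and with which function.
SELECT OBJECT_NAME(mc.object_id) AS table_name,
       mc.name                   AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- A user with SELECT but without UNMASK receives masked values.
CREATE USER DdmDemoReader WITHOUT LOGIN;
GRANT SELECT ON dbo.DdmDemoCustomer TO DdmDemoReader;
EXECUTE AS USER = 'DdmDemoReader';
SELECT FullName, Email, Phone, CreditCard, Salary FROM dbo.DdmDemoCustomer;
REVERT;

-- After GRANT UNMASK the same query returns the stored values.
GRANT UNMASK TO DdmDemoReader;
EXECUTE AS USER = 'DdmDemoReader';
SELECT FullName, Email, Phone, CreditCard, Salary FROM dbo.DdmDemoCustomer;
REVERT;

-- Clean up the demo objects.
REVOKE UNMASK FROM DdmDemoReader;
DROP USER DdmDemoReader;
DROP TABLE dbo.DdmDemoCustomer;
```

Run it in a scratch database as a user with CONTROL on the database, so the caller itself sees unmasked data and can impersonate the demo user.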

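
The Considerations slide and the UPDATE warning on the Permissions slide, shown as a T-SQL script: a user without UNMASK copies mask literals into the target table and can still overwrite values it cannot read. This is an added example, not part of the original deck; all DdmDemo* names and row values are constructed.

```sql
-- Added example: every DdmDemo* object and all rows are constructed.
CREATE TABLE dbo.DdmDemoSource (
    Id    int PRIMARY KEY,
    Email nvarchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL
);
CREATE TABLE dbo.DdmDemoCopy (   -- target table has no masking rule
    Id    int PRIMARY KEY,
    Email nvarchar(100) NOT NULL
);
INSERT INTO dbo.DdmDemoSource (Id, Email)
VALUES (1, N'alice@example.org'), (2, N'bob@example.net');

-- A job account with SELECT/UPDATE on the source but no UNMASK.
CREATE USER DdmDemoEtl WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.DdmDemoSource TO DdmDemoEtl;
GRANT INSERT ON dbo.DdmDemoCopy TO DdmDemoEtl;

EXECUTE AS USER = 'DdmDemoEtl';
-- The copy persists what this user is allowed to see: the mask.
INSERT INTO dbo.DdmDemoCopy (Id, Email)
SELECT Id, Email FROM dbo.DdmDemoSource;
-- UPDATE does not require UNMASK: the value is overwritten unseen.
UPDATE dbo.DdmDemoSource SET Email = N'carol@example.com' WHERE Id = 2;
REVERT;

-- Back as the privileged caller: the source holds real addresses
-- (row 2 changed), the copy holds mask literals as its actual data.
SELECT Id, Email FROM dbo.DdmDemoSource;
SELECT Id, Email FROM dbo.DdmDemoCopy;

-- Data-quality check for copies made by accounts without UNMASK:
-- rows in an unmasked table that have the shape of email() output.
SELECT Id, Email
FROM dbo.DdmDemoCopy
WHERE Email LIKE '_XXX@XXXX.com';

-- Clean up the demo objects.
DROP USER DdmDemoEtl;
DROP TABLE dbo.DdmDemoCopy;
DROP TABLE dbo.DdmDemoSource;
```

Export and ETL accounts therefore either need UNMASK, or their output has to be treated as masked data rather than as a faithful copy.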