Dynamic Data Masking in SQL Server 2016
SQLschool.gr Team
Antonios Chatzipavlis, SQL Server Evangelist • Trainer
Vassilis Ioannidis, SQL Server Expert • Trainer
Fivi Panopoulou, System Engineer • Speaker
Sotiris Karras, System Engineer • Speaker
Dynamic Data Masking
Presentation Content
• Introducing Dynamic Data Masking
• Using Dynamic Data Masking
• DDM on Azure
• Some points to keep
Introducing Dynamic Data Masking
The Need
• Protect sensitive data and personally identifiable information
• Regulatory compliance
• Expose sensitive data only on a need-to-know basis
• Custom obfuscation in applications, views or third-party solutions is used to address this need
Dynamic Data Masking in SQL Server 2016
• Built-in feature for SQL Server 2016 and Azure SQL DB
• Data is masked on the fly when queried; the underlying data does not change
• Control over how the data appears in the result set
• Dynamic data masking is a data protection feature that masks the sensitive data in the result set of a query over chosen database fields
Benefits
• Protects against unauthorized disclosure of sensitive data in the application
• Very simple to configure and use
• Does not require changes in application code
• Centralized masking logic
Keep in mind
• “Dynamic data masking does not aim to prevent database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data”
• It is not a method for physical data encryption
• It is complementary to other SQL Server security features
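
The quoted caveat in practice: masking is applied to the returned values, not to predicates, so SELECT permission on a masked column still lets a user filter on it. This T-SQL is an added example, not code from the presentation; dbo.Payroll, its rows and ReportUser are constructed, and the column-level DENY is shown as one complementary control.

```sql
-- Constructed demo objects; run in a scratch database.
CREATE TABLE dbo.Payroll (
    EmployeeID int PRIMARY KEY,
    Name       nvarchar(50) NOT NULL,
    Salary     int MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.Payroll (EmployeeID, Name, Salary)
VALUES (1, N'Employee A', 100000), (2, N'Employee B', 48000);

-- Reporting account with SELECT but without UNMASK.
CREATE USER ReportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Payroll TO ReportUser;

EXECUTE AS USER = 'ReportUser';
-- Salary is masked in the output, but the predicate is evaluated on the real
-- value, so which rows come back still reveals information about the column.
SELECT EmployeeID, Name, Salary
FROM dbo.Payroll
WHERE Salary > 99999 AND Salary < 100001;
REVERT;

-- Complementary control: take the column out of the user's reach entirely.
DENY SELECT ON dbo.Payroll (Salary) TO ReportUser;

EXECUTE AS USER = 'ReportUser';
-- Columns that were not denied stay readable.
SELECT EmployeeID, Name FROM dbo.Payroll;
-- Any reference to Salary, including in a WHERE clause, is now refused.
SELECT EmployeeID FROM dbo.Payroll WHERE Salary > 0;
REVERT;
```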
Using Dynamic Data Masking
• Steps
• Masking Functions
• Permissions
• System view information
Steps
• Decide which columns need to be masked
• Choose the masking function that best fits your needs for each column
• Alter columns to add the masking rules
• The underlying data is unaffected
• Designate which users should see masked data and configure the permissions
Masking Functions: Default
Full masking according to the data types of the designated fields.

Data Type Family    Masked Data
String              XXXX
Numeric             0
Date and Time       01.01.1900 00:00:00.0000000
Binary              0

ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'default()')
Masking Functions: Email
Exposes the first letter of an email address and the constant suffix ".com", in the form of an email address.
Example: aXXX@XXXX.com

ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'email()')
Masking Functions: Random
A random masking function for use on any numeric type to mask the original value with a random value within a specified range.

ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'random([start range], [end range])')
Masking Functions: Custom String (Partial)
Exposes the first and last letters and adds a custom padding string in the middle.

ALTER COLUMN ColumnName
ADD MASKED WITH (FUNCTION = 'partial(prefix,[padding],suffix)')

• Phone: partial(4,"XXXXXXXXXXX",0)
• Credit Card: partial(0,"XXXX-XXXX-XXXX-",4)
• Email: partial(1,"xxxx@xxxx.",2)
Permissions
• To retrieve the original data, the user must have the UNMASK permission
• To add, replace or remove the masking of existing columns, the user needs the ALTER ANY MASK permission
• The CONTROL permission on the database includes both the ALTER ANY MASK and UNMASK permissions
! Users without UNMASK but with UPDATE permission can still update data.
sys.masked_columns
System view to query for table columns that have a dynamic data masking function applied to them
• Similar to the sys.columns view
• is_masked
• masking_function
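
The steps, masking functions, permissions and system view from the slides above, combined into one T-SQL script. This is an added example, not code from the presentation; the table dbo.Customer, its columns, the sample row and the user SupportUser are constructed for illustration.

```sql
-- Constructed demo objects; run in a scratch database (SQL Server 2016+ or Azure SQL DB).
CREATE TABLE dbo.Customer (
    CustomerID  int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    Email       nvarchar(100) NOT NULL,
    Phone       varchar(20)   NOT NULL,
    CreditLimit int           NOT NULL,
    CardNumber  varchar(19)   NOT NULL
);
INSERT INTO dbo.Customer (FullName, Email, Phone, CreditLimit, CardNumber)
VALUES (N'Maria Example', N'maria@example.com', '2105550100', 5000, '1111-2222-3333-4444');

-- Steps 1-3: pick a masking function per column and add the rule.
ALTER TABLE dbo.Customer ALTER COLUMN FullName    ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE dbo.Customer ALTER COLUMN Email       ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customer ALTER COLUMN CreditLimit ADD MASKED WITH (FUNCTION = 'random(1, 100)');
ALTER TABLE dbo.Customer ALTER COLUMN Phone       ADD MASKED WITH (FUNCTION = 'partial(4,"XXXXXX",0)');
ALTER TABLE dbo.Customer ALTER COLUMN CardNumber  ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- Step 4: a user who may read the table but has no UNMASK permission.
CREATE USER SupportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Customer TO SupportUser;

-- Query as that user: the masking rules apply to the result set.
EXECUTE AS USER = 'SupportUser';
SELECT FullName, Email, Phone, CreditLimit, CardNumber FROM dbo.Customer;
REVERT;

-- UNMASK lifts masking for this user; revoke it again afterwards.
GRANT UNMASK TO SupportUser;
EXECUTE AS USER = 'SupportUser';
SELECT FullName, Email, Phone, CreditLimit, CardNumber FROM dbo.Customer;
REVERT;
REVOKE UNMASK FROM SupportUser;

-- Inventory: which columns are masked, and with which function.
SELECT OBJECT_NAME(mc.object_id) AS table_name, mc.name AS column_name, mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Removing a rule requires the ALTER ANY MASK permission.
ALTER TABLE dbo.Customer ALTER COLUMN Phone DROP MASKED;
```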
Dynamic Data Masking in Action
DDM on Azure
Azure
Set up DDM using the Azure Portal
• Define users excluded from masking
• Define masking rules
• Designated fields and masking functions for each one
There is a recommendations engine that proposes potentially sensitive fields to mask.
Azure

Default                  Full masking according to the data types
Credit card              XXXX-XXXX-XXXX-1234
Social Security number   XXX-XX-1234
Email                    aXX@XXXX.com
Random Number            Random number between selected boundaries
Custom Text              Prefix, Padding String, Suffix
Some points to keep
• Limitations and Restrictions
• Considerations
• Performance
Limitations and Restrictions
• Not compatible with Always Encrypted columns
• Not compatible with FILESTREAM
• Not compatible with COLUMN_SET
• A column with data masking cannot be a key for a FULLTEXT index
• A masking rule cannot be defined on a computed column
Considerations
• Dynamic Data Masking is applied when running SQL Server Import and Export
• Dynamic Data Masking is applied when using SELECT INTO or INSERT INTO to copy data from a masked column
• Be careful with updates
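
What these considerations mean for a job account that lacks UNMASK, as an added example that is not part of the presentation: a copy made by that account stores the masked values, while its UPDATE statements still change the real data. The tables dbo.Staff and dbo.StaffExport, the sample row and the user EtlUser are constructed for illustration.

```sql
-- Constructed demo objects; run in a scratch database.
CREATE TABLE dbo.Staff (
    StaffID int PRIMARY KEY,
    Email   varchar(100) MASKED WITH (FUNCTION = 'email()')   NOT NULL,
    Salary  int          MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.Staff (StaffID, Email, Salary) VALUES (1, 'nikos@example.org', 42000);

-- Unmasked target table, as an export or reporting job would use.
CREATE TABLE dbo.StaffExport (StaffID int, Email varchar(100), Salary int);

-- Job account with read/write access but without UNMASK.
CREATE USER EtlUser WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.Staff TO EtlUser;
GRANT INSERT ON dbo.StaffExport TO EtlUser;

EXECUTE AS USER = 'EtlUser';
-- The copy reads through the mask, so the masked values are what gets stored.
INSERT INTO dbo.StaffExport (StaffID, Email, Salary)
SELECT StaffID, Email, Salary FROM dbo.Staff;
-- UPDATE is not restricted by masking: the underlying value changes.
UPDATE dbo.Staff SET Salary = 50000 WHERE StaffID = 1;
REVERT;

-- Review as a privileged user: compare the stored export rows with the source.
SELECT s.StaffID,
       s.Email  AS source_email,  e.Email  AS exported_email,
       s.Salary AS source_salary, e.Salary AS exported_salary
FROM dbo.Staff AS s
JOIN dbo.StaffExport AS e ON e.StaffID = s.StaffID;
```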
Performance
Minimal performance impact
Data masking is performed right before the data is returned.

SELECT *
FROM Person.EmailAddress;
SELECT KNOWLEDGE FROM SQL SERVER
Copyright © 2015 SQLschool.gr. All rights reserved.
PRESENTER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
