Dynamic Data Masking


Dynamic Data Masking can be used to mask sensitive data for testing and different purpose, It doesn't encrypt the data, It can be controlled from the database level ,Basically DBA can implement the solution with out much complexity and accessed easily by users who has access to see the data

We have different types of data masking techniques used in DDM
1.Deafult Masking
2.Random Masking
3.Partial Masking

1.Default Masking –
We can include default function while creating table  or we can alter table to enable default data masking
ALTER TABLE [Person].[Address]
ALTER COLUMN PostalCode nvarchar(15)
MASKED WITH (FUNCTION = 'default()');

Creating user to test
USE Adventureworks;
  GO
  CREATE USER user1 WITHOUT LOGIN;
  GRANT SELECT ON OBJECT:: Person].[Address] TO test;  
  GO

EXECUTE AS USER = 'test';
         select top 10 * from  [Person].[Address]
         revert;

Output will column is totally masked as below


2.Random Masking-

Column will be randomly masked and sql server will take care of this completely if enable random masking and to enable we can use statement as below
MASKED WITH (FUNCTION = 'random(1, 5)') NOT NULL;

3. Partial Masking-

We can partially mask the column according the requirement and we can show first few characters or last few according to the requirement and we can create partial masking as below

ALTER TABLE [Person].[Address]
  ALTER COLUMN PostalCode nvarchar(15)
    MASKED WITH (FUNCTION = 'partial(1, "xxxx", 2)') NOT NULL;

The output of the above statement  in PostalCode column as we can see first character as we passed 1 in the parameter and everything in middle is masked and we are passing 2 display last characters in the column

To see what type of masking is enabled in the column we can query database using below TSQL


 SELECT OBJECT_NAME(object_id) TableName, 
    name ColumnName, 
    masking_function MaskFunction
  FROM sys.masked_columns
  ORDER BY TableName, ColumnName; 

 




Permissions
We can grant permission to users as below
GRANT UNMASK TO test;
  GO
And revoke the permissions to users as below
REVOKE UNMASK TO test;  
GO
We can see the result as below 

Comments

  1. Cyber NewsMarch 9, 2020 at 11:17 PM

    Data masking helps businesses meet privacy and security requirements.Your Business sensitive data is protected even if the masked data is stolen.

    Static Data Masking

    Dynamic data Masking

    ReplyDelete

Post a Comment

Popular posts from this blog

How to read MSDTC Trace logs

I have recently come across situation where i need to read the logs of MSDTC  and it is not straight forward approach after researching little bit i am able to figure out the method ,Please find detail information on how to read MSDTC logs and let me know if you have questions in comments Steps to read MSDTC logs tracefmt.exe  will play important role reading MSDTC logs 1.Please check if you have tracefmt.exe in  C:\WINDOWS\system32\MsDtc location and  copy to C:\WINDOWS\system32\MsDtc\trace ,  if you don’t have tracefmt.exe in the location please download from https://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11800 and need to install complete package from below link (I have attached tacefmt.exe in zip folder) 2.Once you install go to C:\WinDDK\7600.16385.1\tools\tracing\amd64 and you will find tracefmt.exe  and copy tracefmt.exe   to C:\WINDOWS\system32\MsDtc\Trace where you have trace files 3.If you al...
Read more

CDC Monitoring

Change data capture(CDC) is feature where we can track the changes on table if we enable CDC on that table and CDC should be enabled from DB level first and we can enable it for tables  As i see so many articles about CDC in the internet i don't  want to go through CDC this topic will discuss only about system tables in CDC and how to do basic monitoring , tracking the errors for CDC enabled tables  To Monitor the empty scans we can use this select statement and empty_scan_count column in sys.dm_cdc_log_scan_sessions is set to 1 whenever log scan result is empty and it will increment when ever it got empty result from scan SELECT * from sys.dm_cdc_log_scan_sessions where empty_scan_count <> 0 And for latency between actuall table and CDC we can use below select SELECT latency FROM sys.dm_cdc_log_scan_sessions WHERE session_id = 0 We can store data from the views     sys.dm_cdc_log_scan_sessions view and the sys.dm_cdc_er...
Read more

Error - Exclusive access could not be obtained because the database is in use. Msg 3101, Level 16, State 1, Line 3 Exclusive access could not be obtained because the database is in use. Msg 3013, Level 16, State 1, Line 3 RESTORE DATABASE is terminating abnormally.

We need to alter database and change to single user mode before restoring the DB and to avoid connection issues if application still connecting to DB we can include in restore command ,So it will automatically make DB to single user mode before restoring and it will change to multi user mode after restoring automatically Use master Go Alter database set single_user with rollback immediate Go Restore database command Go Alter database set multi_user with rollback immediate Go
Read more