• 3 min read

Limit the exposure of sensitive data in Azure SQL Database using Dynamic Data Masking

Dynamic Data Masking is a policy-based security feature that helps limit the exposure of data in a database by returning masked data to non-privileged users who run queries over designated database fields.

We are excited to announce that this week we made Dynamic Data Masking available for preview on the new service version of SQL Database (V12).  Dynamic Data Masking is a policy-based security feature that helps limit the exposure of data in a database by returning masked data to non-privileged users who run queries over designated database fields, like credit card numbers, without changing data on the database. Dynamic Data Masking joins a growing set of security features for SQL Database including Auditing and Row-Level Security that help customers protect their sensitive data and further meet industry compliance policies.

Tomer Fefer the CTO of 10Bis says “SQL Database Dynamic Data Masking is a great feature to speed up troubleshooting by letting us grant temporary access to developers on production environments without compromising sensitive data in the underlying databases and it can also help to minimize the efforts of masking sensitive data in our Application GUI. It’s real-time, a money saver, and dynamic data masking policy can easily be created using the Azure Management Portal.”

The introduction of this feature helps address the concern for customers who store customer or PII data in Azure SQL Database and want to limit the exposure of this data from non-privileged application users or from developers that run SQL queries on production environments for troubleshooting purposes.  Dynamic Data Masking policies can be managed from the Azure Management Portal , New Azure Portal or via standard APIs. With an intuitive configuration interface, it is very easy to have a Dynamic Data Masking policy up and running on your database within minutes.

Slide1

 

Dynamic Data Masking scenarios

Dynamic Data Masking can limit access to sensitive data real-time to help prevent a security breach from occurring. Because Dynamic Data Masking controls how sensitive data appears in the output of databases queries, it’s perfect for scenarios where data needs to be accessed real-time. A couple great examples on how customers use Dynamic Data Masking to help prevent security breaches are:

  • Access to customer or employee records: Many job roles require access to complete customer or employee information. However, compliance policies might dictate that salary information or the last 4 digits of the social security numbers be obfuscated in a query result to prevent access.
  • Dev & test with production data: Many organizations require development testing on samples of production data to ensure thorough testing of their app development process or developers run SQL queries against production for troubleshooting purposes. In both cases, any sensitive data within those production data sets can be obfuscated in real-time.

How to setup Dynamic Data Masking

When configuring the Dynamic Data Masking policy, you specify the set of masking rules and the service reasons over the rules to apply the data mask in real-time. For each rule, first you specify what to mask by entering the designated database field (using table & column or alias). Then you define how it will be masked by selecting a masking function (either predefined or custom). Additionally, you can define a list of privileged database logins for which data masking will NOT apply.

You need to start with the latest service version of SQL Database (V12) and configure Dynamic Data Masking for your database with few simple steps in Azure management portals (shown below)

  1. Navigate to the target database in the Azure portal.
  2. Click on the Auditing & Security tab to launch the Dynamic Data Masking tab (in the Azure Portal) or launch the Dynamic Data Masking part (in the new Azure Portal).
  3. Simply enable Dynamic Data Masking to surface the making policy configuration.
  4. Specify a comma-separated list of database logins for which data masking will NOT apply.
  5. Add masking rules by entering designated database field and selecting a masking function.

 

Managing dynamic data masking policy using the New Azure Portal

Dynamic Data Maksing Ibiza

Managing dynamic data masking policy using Azure Management Portal

Dynamic Data Maksing AUX

Adding a dynamic data masking rule using Azure Management Portal

Dynamic Data Maksing Rule AUX

Once you’ve configured your Dynamic Data Masking policy, you need to update existing client applications connecting to the database to use the Security Enabled Connection Strings. This will enable the activity of these applications on the database to be masked. These connection strings have a slightly different format, and replace the previously used connection strings:

Connection string

Dynamic Data Masking provides another layer of security for your Azure SQL Database by limiting the exposure of sensitive data in the output of databases queries without changing data in the database.

Check out this Channel 9 video to see Dynamic Data Masking in action.

Once you have a database on the latest SQL Database service version, you can get started immediately with Dynamic Data Masking. Learn more by visiting the Getting Started page or dive in and configure a Dynamic Data Masking policy for your database in the Azure Management Portal or the New Azure Portal.