Exploring dynamic data masking
With the new SQL Server 2016 and Dynamic Data Masking (DDM), you have an additional tool that helps you limit the exposure of sensitive data by masking it to non-privileged users. The masking is done on the SQL Server side, and thus you don't need to implement any changes to applications so they can start using it. DDM is available in the Standard, Enterprise, and Developer Editions; you can read the official documentation about it at:
https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking.
This section introduces DDM, including:
- Defining masked columns
- DDM limitations
Defining masked columns
You define DDM at the column level. You can obfuscate values from a column in a table by using four different masking functions:
- TheÂ
default
function implements full masking. The mask depends on the data type of the column. A string is masked by changing each character of a string toX
. Numeric values are masked to zero. Date and time data type...