A SQL Server security feature that obfuscates sensitive data in query results for unauthorized users, without altering the underlying stored data.
- Dynamic Data Masking (DDM) applies masking rules at the column level: Unauthorized users see masked values (e.g., ‘XXXX-XXXX-XXXX-1234’) while privileged users see the actual data.
- Masking is applied at query time: The data stored in the database is never modified, making DDM easy to implement without schema changes.
- SQL Server supports several masking formats: Default (full masking), partial (custom prefix/suffix), email (masks middle portions of email addresses), and random (numeric ranges).
- DDM reduces exposure of sensitive data: It protects data from application users, support staff, and developers without requiring application-level changes.
- Important limitation: DDM does not protect against inference attacks by users who can craft queries. It should be combined with proper access controls, encryption, and auditing.
- Data Scrambling (static data masking) is used for non-production environments: It provides permanently obfuscated copies for development and testing purposes.
- Relevant Idera tools: SQL Secure audits masking configurations and identifies unmasked sensitive columns that may require protection.
- Related terms: Data Scrambling, Row-Level Security, Transparent Data Encryption, SQL Secure.
