Data Masking (Dynamic Data Masking)

Dynamic Data Masking (DDM) is a SQL Server feature that limits exposure of sensitive data by masking it at query time for unauthorized users. It doesn’t alter the actual data in the table but controls how it’s presented to certain users or roles.

Introduced in SQL Server 2016, DDM simplifies application logic (the masking rule lives in the database rather than in every client) and helps meet data-protection compliance requirements. For example, a credit card column might display only the last four digits (XXXX-XXXX-XXXX-1234) to non-privileged users.

Types of masks include:

  • Default (fully masks the value according to its data type)
  • Email (exposes only the first character and the .com suffix of an email address)
  • Partial (reveals a custom prefix and/or suffix and pads the rest)
  • Random (replaces a numeric value with a random value from a specified range)

Dynamic Data Masking is straightforward to implement: apply the MASKED WITH clause to a column definition in CREATE TABLE or ALTER TABLE. Note, however, that DDM is a presentation-layer feature: it does not encrypt the data at rest, and the masks are not applied to logs or backups.
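The following T-SQL is an added example (not code from the original article): it defines a table that uses all four mask types, creates a low-privilege database user to observe the masked output, then shows how the UNMASK permission and the sys.masked_columns catalog view fit in. The table, column and user names are hypothetical, and the script assumes a SQL Server 2016 or later database in which you can create objects.

```sql
-- Added example, not part of the original article.
-- Assumes SQL Server 2016+; dbo.Customers and AppReader are hypothetical names.

-- Each column carries a mask function; the stored data itself is never changed.
CREATE TABLE dbo.Customers
(
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    -- default(): full mask chosen by data type (string, numeric, date, binary)
    FullName    NVARCHAR(100) MASKED WITH (FUNCTION = 'default()') NOT NULL,
    -- email(): keeps the first character and the domain suffix only
    Email       NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- partial(prefix, padding, suffix): keep 0 leading chars, pad, keep last 4 chars
    CreditCard  VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    -- random(low, high): numeric columns are replaced with a random value in the range
    CreditLimit INT           MASKED WITH (FUNCTION = 'random(1, 9)') NOT NULL
);
GO

-- Constructed sample row (fictitious test data).
INSERT INTO dbo.Customers (FullName, Email, CreditCard, CreditLimit)
VALUES (N'Alice Example', N'alice@example.com', '4111-1111-1111-1234', 5000);
GO

-- A login-less database user standing in for an unprivileged application account.
-- SELECT alone is enough to query the table; the masks apply automatically.
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO AppReader;
GO

-- Query as the unprivileged user: result columns are masked at query time.
EXECUTE AS USER = 'AppReader';
SELECT FullName, Email, CreditCard, CreditLimit FROM dbo.Customers;
REVERT;
GO

-- UNMASK bypasses every mask in the database for its grantee, so it should be
-- granted deliberately and reviewed like any other sensitive permission.
GRANT UNMASK TO AppReader;
EXECUTE AS USER = 'AppReader';
SELECT FullName, Email, CreditCard, CreditLimit FROM dbo.Customers;
REVERT;
REVOKE UNMASK FROM AppReader;
GO

-- Inventory of masked columns, useful for an audit or compliance review.
SELECT OBJECT_NAME(c.object_id) AS TableName,
       c.name                  AS ColumnName,
       c.masking_function
FROM sys.masked_columns AS c
WHERE c.is_masked = 1;
GO
```

Run in SSMS or sqlcmd, the first SELECT returns the credit card as XXXX-XXXX-XXXX-1234 and the email with only its first letter and .com suffix exposed, while the second SELECT (under UNMASK) returns the stored values unchanged. Because DDM only rewrites result columns, it complements rather than replaces column-level permissions, encryption at rest and the protection of logs and backups; the last query gives you a quick way to confirm which columns are actually covered.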

It’s an excellent lightweight tool for enhancing data privacy in test environments and user-facing apps, especially in regulated industries.