Data Masking (Dynamic Data Masking)

A SQL Server security feature that obfuscates sensitive data in query results for unauthorized users, without altering the underlying stored data.

  • Dynamic Data Masking (DDM) applies masking rules at the column level: Unauthorized users see masked values (e.g., ‘XXXX-XXXX-XXXX-1234’) while privileged users see the actual data.
  • Masking is applied at query time: The data stored in the database is never modified, making DDM easy to implement without schema changes.
  • SQL Server supports several masking formats: Default (full masking), partial (custom prefix/suffix), email (masks middle portions of email addresses), and random (numeric ranges).
  • DDM reduces exposure of sensitive data: It protects data from application users, support staff, and developers without requiring application-level changes.
  • Important limitation: DDM does not protect against inference attacks by users who can craft queries. It should be combined with proper access controls, encryption, and auditing.
  • Data Scrambling (static data masking) is used for non-production environments: It provides permanently obfuscated copies for development and testing purposes.
  • Relevant Idera tools: SQL Secure audits masking configurations and identifies unmasked sensitive columns that may require protection.
  • Related terms: Data Scrambling, Row-Level Security, Transparent Data Encryption, SQL Secure.
SQL_Duck

Tired of Slow SQL Servers?

Find the root cause of performance issues in minutes, not hours. SQL Diagnostic Manager gives you real-time visibility and proactive alerts. 

Start your free trial today