Use Dynamic Data Masking To Protect Sensitive Data In Azure SQL Database

Introduction

In this article, we will cover Dynamic Data Masking and how to mask database columns in Azure SQL Database through the Azure Portal. Before we begin, let us first understand the concept of Dynamic Data Masking and its policies.

What is Azure SQL - Dynamic Data masking?

Fundamentally, dynamic data masking hides sensitive information from unauthorized users who access the data, with minimal impact on the application layer. It adds one layer of security on top of the data. It is a policy-based security feature that hides the data in the result set of queries. We can mask the particular columns that we consider sensitive and that should not be exposed to other users, without any impact on the data stored in the database.

Everything you need to know about the Dynamic Data masking Policies

There are three main policies included in Dynamic Data Masking:

Admin users are always excluded from masking

SQL users with admin privileges, and Active Directory identities with admin privileges, are excluded from data masking. Users without that access will only be able to see the masked data when querying in SQL Server Management Studio or within the Azure portal.

What are Data Masking Rules and why are they required?

A set of rules is applied at the column level of a SQL table, on the column data that users want to mask, each with its specific masking type. On the masking page, you can select a masking rule for each source field that you want to mask. The rules that you can select from depend on the data type of the field that you want to mask.

What are Data Masking Functions?

A masking function defines how the Rule Engine masks data. The Rule Engine applies masking functions to incoming SELECT SQL statements that an unauthorized client sends to the database. Dynamic Data Masking rewrites the SQL statement. When the database receives the request, the database sends masked data to the client.

Implement Data masking through Azure Portal

To configure data masking, a SQL Server and a SQL Database must already be configured inside the resource group. I have already written an article on that; please go through the link below to set up the server along with the database in Azure.

Link: Azure SQL Server and SQL Database Setup

Open the Azure Portal and switch to the SQL Database, if it is already configured. In the left-side menu there is an option called Query Editor; click it and log in with your credentials to query the data in any of the tables. There is already a table in my database, and we will see how we can mask the data for specific columns.

In the list menu, under Security, there is an option called Dynamic Data Masking. Click on it and it will take you to another page where you can add the masking configuration. On the right-side menu, click on + Add mask to add a column-specific configuration.

Note
Admins are always excluded from data masking. If someone wants to check the masked data, they need access to the database through an account other than this admin role in order to see the masked data.

SQL - Masking Data

Let us take the two columns from the user's table (Name, Phone no) to be added as masking columns in the configuration. Once we reach the masking rule page, we need to select the table, column, and masking field format from the drop-down lists and click on Add at the top (see the image below).

Let's add another column (Contact no) as a masking rule in the same way. We will then see those two masking columns in the Data masking dashboard, along with the masked table and its mask function. Click on Save to apply the changes to the SQL database.

Testing the Data masking columns

Log in with another user to check the masked data; it is masked for all users except the SQL admin. Open the Query editor and query the user's table to see the masked data.
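The same masking rules and the non-admin test can also be scripted in T-SQL. The following is an added example, not part of the original walkthrough: the table `dbo.DdmDemoUsers`, its columns, the sample row and the user `MaskTestUser` are hypothetical names constructed for illustration. It also lists the masked columns and the principals holding `UNMASK`, which is the check to run when reviewing who can still read the real values.

```sql
-- Added example. All object names and the sample row are constructed for illustration.
CREATE TABLE dbo.DdmDemoUsers (
    Id      INT IDENTITY PRIMARY KEY,
    Name    NVARCHAR(100) NOT NULL,
    PhoneNo VARCHAR(20)   NOT NULL
);
INSERT INTO dbo.DdmDemoUsers (Name, PhoneNo) VALUES (N'Sample Person', '555-0100');

-- Equivalent of "+ Add mask" in the portal: one masking function per column.
ALTER TABLE dbo.DdmDemoUsers
    ALTER COLUMN Name ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE dbo.DdmDemoUsers
    ALTER COLUMN PhoneNo ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX",2)');

-- A non-admin principal with SELECT only (no UNMASK), used to test the masks.
CREATE USER MaskTestUser WITHOUT LOGIN;
GRANT SELECT ON dbo.DdmDemoUsers TO MaskTestUser;

-- Query as the test user: Name and PhoneNo come back masked.
EXECUTE AS USER = 'MaskTestUser';
SELECT Id, Name, PhoneNo FROM dbo.DdmDemoUsers;
REVERT;

-- Query as the admin who ran this script: the stored values are unchanged.
SELECT Id, Name, PhoneNo FROM dbo.DdmDemoUsers;

-- Review 1: which columns are masked, and with which function.
SELECT OBJECT_NAME(mc.object_id) AS table_name,
       mc.name                   AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Review 2: which principals were explicitly granted UNMASK.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';

-- Clean up the demo objects.
DROP TABLE dbo.DdmDemoUsers;
DROP USER MaskTestUser;
```

Masking only changes what a query returns; the stored data stays in clear text, so users who must never learn the values should not be granted query access to those columns at all.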

Conclusion

We can check the same data in SQL Server Management Studio as well. I hope this article helps everyone in understanding the concept of data masking and its implementation.

Thank you for reading, please let me know your questions, thoughts, or feedback in the comments section. I appreciate your feedback and encouragement.

Keep Learning ...!