Microsoft Released Static Data Masking for SQL Servers
posted by admin
on Apr 03, 2019
In early November 2018, Microsoft announced the release of a Static Data Masking (SDM) feature for Azure SQL databases and SQL servers, which is great news! Previously, companies had to rely on external software for this since Microsoft only provided Dynamic Data Masking (DDM) capabilities for their cloud services. Let’s take a deeper look into this exciting new feature.
Static Data Masking is ideal for tasks that require access to sensitive data such as deployment, testing, and outsourcing. It prevents the possibility of security and privacy breaches by reducing the need to expose sensitive data when sharing with non-production users. Use cases can include identifying defects in the early stages of the development cycle to drive down cost, troubleshooting, facilitating cloud adoption, and sharing data for use in analytics and training.
How SDM Works
We can get a better idea of how Static Data Masking (SDM) works by comparing it with Dynamic Data Masking (DDM). The former method permanently replaces sensitive data while it is inactive in storage (or “at rest”) with masked data. Meanwhile, DDM leaves the original dataset intact while replacing or temporarily hiding the sensitive data while it is being transmitted from one device to another. Overall, the two approaches aim to increase data security, but only SDM actually performs the “masking” of data.
With Static Data Masking on Azure, users can first choose the type of masking function to apply to each column of the database. There are many available options, such as null, group shuffle, single value, etc. The feature then alters a copy of the original database with new data according to the selected masking function. Note that this operation is irreversible, meaning that original data cannot be unmasked from a masked copy.
Below is an example of a masked dataset. Note that the information in the “After” example has either been changed to NULL values or to random strings.
Source: Microsoft Azure Blog
SDM versus DDM
Microsoft offers both SDM and DDM with this release. While they achieve similar goals as stated above, Static Data Masking can be more useful than its counterpart for several reasons.
First, SDM is hypothetically more secure than DDM because it operates on a copy of the database instead of the original database. This means that the original data is not retrievable and cannot be accessed from the masked copy. This is extremely important if your organization wants to share sensitive information; in fact, many organizations are hesitant to adopt DDM because of its data exposure and security breach risks.
Secondly, SDM is less complicated to adopt. With DDM, the user must undertake a detailed mapping of applications, users, database objects, and access permissions in order to configure masking rules. It can be a demanding task to maintain and change those configurations, which makes SDM more appealing; with Static Data Masking, all users have access to the same masked data, so there is less hassle.
Thirdly, SDM is a more mature technology. With well-defined use cases, customers do not have to worry about corruption, and it is easier to become familiar with the feature.
With all of these benefits, you might be wondering why anyone would use DDM. Dynamic Data Masking can still be an effective tool for read-only purposes, such as reporting or customer service inquiries, so it is up to each company to define its goals in order to select the feature that best fits its needs.
Downloading and Compatibility
Static Data Masking is available with SQL Server Management Studio 18.0 preview 5 and above. It is compatible with SQL Server (2012 and newer), Azure SQL Database, and SQL Server on Azure Virtual Machines.
Are you ready to make the leap into Static Data Masking is useful? Subscribe our