SQL Server Data Masking on varchar column?

techresearch7777777 1,861 Reputation points
2024-08-14T20:31:16.51+00:00

Hello, goal is to mix up the data in a given column so it becomes unrecognizable...sounds like SQL Server Data Masking would be the recommended option (or something else)?

If yes Data Masking is going to be used... so as an example current data contains “Joe Smith” in the “Full_Name” column what are the steps to have it show “Uxwer Emnbiez” instead or something along those lines?

My research so far realizes there are about 5 different "Masking Function" options and the closest one looks like would be using the "Partial(Prefix, Padding, Suffix)" but is there a further way to get it to do something more specific/fine tuned (different types of various rows data) in my example above rather than entire xxxxx this being a varchar column?

Also, if we want to remove Data Masking on existing Table(s)/Column(s) without losing data...would we need to do the obvious:

  • 1st = COPY into a Temporary Table/Column with different name
  • 2nd = DROP the Original Table/Column
  • 3rd = Re-name the Temporary Table/Column back to Original name...or something else simpler with less steps?

Thanks in advance.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,682 questions
{count} votes

Accepted answer
  1. Erland Sommarskog 110.4K Reputation points MVP
    2024-08-14T20:52:58.83+00:00

    First some terminology. There is Dynamic Data Masking and Static Data Masking.

    The feature for SQL Server is for dynamic data masking. This means that you apply a masking function and data is returned to the client according to the masking function. The masking occurs at run-time, and the data in the table is left unmolested. Furthermore, if the user has the UNMASK permission on the table or column, the user can view the actual data. Not surprisingly members in the sysadmin and db_owner roles have this permission.

    Static data masking is something completely different. It is not really masking - it is destruction. That is, the original data is replaced with something else, and the original data is nowhere to be found. Obviously, you would not run static data masking on your production database. But if you work with sensitive data, regulations may require that you anonymise production data before you let into to downlevel environments such QA, Test or Dev.

    Microsoft does not have any solution for static masking, but there are a couple of third-party products out there. Red Gate have their Data Masker, which comes with a license fee. I believe there is also a solution in dbatools.io, and this is a free solution in the public domain.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. MikeyQiaoMSFT-0444 2,785 Reputation points
    2024-08-15T03:39:14.8566667+00:00

    Hi,techresearch7777777

    Also, if we want to remove Data Masking on existing Table(s)/Column(s) without losing data...would we need to do the obvious: 1st = COPY into a Temporary Table/Column with different name 2nd = DROP the Original Table/Column 3rd = Re-name the Temporary Table/Column back to Original name...or something else simpler with less steps?

    Dynamic data mask can achieve the removal of masking simply by using ALTER COLUMN, but this is ineffective for a static mask. As Erland mentioned, a static mask merely modifies the source data according to a certain rule.

    0 comments No comments

  2. MANISH RAJDOOT 0 Reputation points
    2024-08-15T06:02:46.3366667+00:00

    SQL Server Dynamic Data Masking is a powerful feature to protect sensitive data by obfuscating it for users without necessary permissions. When applied to varchar columns, it offers several masking options:

    • Default Masking: Replaces characters with 'X' (e.g., 'XXXX').
    • Partial Masking: Masks a specified number of characters from the beginning or end.
    • Random Masking: Replaces characters with random characters within a defined set.
    • Email Masking: Masks email addresses (e.g., 'g****@****.com').

    Key Points:

    • Masking is applied at query execution time, ensuring real-time protection.
    • Unmasked data remains accessible to authorized users.
    • Effective for protecting PII like names, addresses, and credit card numbers.
    • Can be combined with other security measures for comprehensive protection.
    • Consider performance implications for large datasets.

    By carefully selecting the appropriate masking function and managing user permissions, organizations can significantly enhance data security without compromising data availability for authorized users.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.