Another feature of SQL Server 2016 is dynamic data masking. This can be used to protect sensitive information (like a social security number or a credit card number) from being displayed in query results without affecting the underlying data. This can be set up without any application changes or any changes to existing queries or stored procedures.
Either a default mask can be used, or a custom mask can be defined.
I’m running 2016 CTP 2.0, so I’ll need to set some trace flags in order to use masking.
This isn’t needed for CTP 2.1 or later.
We can set up masking when we create our table. We’ll use the default masks in this example.
    create table dbo.TestTable(
        RecordId int not null identity(1,1) primary key,
        Name varchar(30) not null,
        SSN varchar(9) masked with (function = 'default()') not null,
        CreditCardNumber varchar(16) masked with (function = 'default()') not null
    )
I had originally used the ‘char’ data type for SSN, but masking didn’t work for that data type.
To view the masks, you’ll need to use a non-admin user to run your select query. Once that is done we’ll see ‘XXXX’ in the SSN and CreditCardNumber columns.
    RecordId  Name     SSN   CreditCardNumber
    1         Record1  xxxx  xxxx
For numeric columns we’ll see ‘0’, and date types are masked as ‘2000-01-01’.
There is also an ‘email()’ function for masking. So the address ‘firstname.lastname@example.org’ would be masked as ‘uXXX@XXXX.com’.
We can also define a custom masking function using ‘partial’. This will take 3 parameters: prefix, padding and suffix.
So for SSN, we can decide to mask the first 5 digits and allow the last 4 digits to be exposed.
SSN varchar(9) masked with (function = 'partial(0, "XXXXX", 4)') not null
will mask the value ‘000000000’ as ‘XXXXX0000’.
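To check the masks end to end, the script below (an added example, not code from the original post) creates a low-privilege user, compares what it sees with what an admin sees, lists the masked columns, and shows the effect of the UNMASK permission. The names MaskingDemo and MaskTestUser and the sample row are constructed for illustration, and the script assumes the release version of SQL Server 2016 or later, run by a database owner.

```sql
-- Added example: MaskingDemo and MaskTestUser are hypothetical names.
-- Assumes SQL Server 2016 (release) or later, run as db_owner or sysadmin.
create table dbo.MaskingDemo(
    RecordId int not null identity(1,1) primary key,
    Name varchar(30) not null,
    SSN varchar(9) masked with (function = 'partial(0, "XXXXX", 4)') not null,
    CreditCardNumber varchar(16) masked with (function = 'default()') not null,
    Email varchar(100) masked with (function = 'email()') not null
);

-- Constructed sample row (not real data).
insert into dbo.MaskingDemo (Name, SSN, CreditCardNumber, Email)
values ('Record1', '000000000', '0000000000000000', 'user@example.com');

-- A database user with no login and only SELECT on the table.
create user MaskTestUser without login;
grant select on dbo.MaskingDemo to MaskTestUser;

-- 1. As the admin running this script: the stored values are returned.
select * from dbo.MaskingDemo;

-- 2. As the low-privilege user: the masked values are returned.
execute as user = 'MaskTestUser';
select * from dbo.MaskingDemo;
revert;

-- 3. Audit which columns are masked and with which function.
select object_name(object_id) as TableName, name as ColumnName, masking_function
from sys.masked_columns;

-- 4. UNMASK exposes the stored values to that user; confirm, then revoke.
grant unmask to MaskTestUser;
execute as user = 'MaskTestUser';
select * from dbo.MaskingDemo;
revert;
revoke unmask from MaskTestUser;

-- Clean up the demo objects.
drop user MaskTestUser;
drop table dbo.MaskingDemo;
```

The query against sys.masked_columns in step 3 is also a quick way to review an existing database for columns that are masked, and step 4 is a reminder to audit who holds UNMASK.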