AZ Lamps #2 — Dynamic Data Masking
When you discover a bug in a test environment, it will unlikely be an issue: you have logs, you can query the database, you have everything to reproduce it.
Handling production issues is much more complicated. A prod database stores customers’ sensitive data, thus the development team typically does not have any access. Finding a root cause takes much more time as the result.
Today I’ll tell you about an Azure SQL feature that can become a win-win solution for all parties — to allow the team read access from one hand and ensure that sensitive information is safe from the other. Here it goes — a Dynamic Data Masking feature.
The feature allows you to put a mask on certain columns or tables in the database. Let’s imagine, we want to hide a user’s name and a zip code. See the results of the query in the image below. I would like to emphasize that we control how the mask is applied — it either completely hides the value (shows 0 instead of the zip code) or transforms it in a custom way (shows the first character of the name and hides the rest).
Dynamic Data Masking does not require any code changes and does not lead to any additional costs. It’s one of the best unobtrusive security best practices I know. Furthermore, it could help to reassure the client that the development team’s access to production is secure.
