Dynamic Data Masking
SQL Server 2019 provides dynamic data masking (DDM), which limits sensitive data exposure by masking it for non-privileged users. It is not a form of encryption on disk, but it is nevertheless useful in certain scenarios, such as hiding sections of a credit card number from support staff. Traditionally, this logic would have been implemented at the application layer; now it is controlled within SQL Server.
Note
A masking rule cannot be applied on a column that is Always Encrypted.
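The support-staff scenario described above, as an added T-SQL example that is not from the original text. The table, user, and sample row are constructed for illustration, and the card column uses the built-in partial() masking function to keep only the last four digits visible.

```sql
-- Constructed demo objects; every name and value here is hypothetical.
CREATE TABLE dbo.CustomerPayment
(
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- Expose only the last four digits of the card number.
    CardNumber  CHAR(16) MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)') NOT NULL,
    CreditLimit MONEY MASKED WITH (FUNCTION = 'default()') NOT NULL
);

INSERT INTO dbo.CustomerPayment (FullName, Email, CardNumber, CreditLimit)
VALUES (N'Ana Example', N'ana@example.com', '4111111111111111', 5000);

-- Support-staff principal: may read the table but holds no UNMASK permission.
CREATE USER SupportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.CustomerPayment TO SupportUser;

-- Run the same query as the restricted user; the masked columns are
-- rewritten in the result set, while the stored values are unchanged.
EXECUTE AS USER = 'SupportUser';
SELECT FullName, Email, CardNumber, CreditLimit
FROM dbo.CustomerPayment;
REVERT;

-- Review step 1: inventory every masked column and its masking function.
SELECT OBJECT_NAME(mc.object_id) AS TableName,
       mc.name                   AS ColumnName,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Review step 2: list principals that can see unmasked data.
-- Members of db_owner and sysadmin also bypass masks and are not listed here.
SELECT pr.name AS Principal, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';

-- Clean up the demo objects.
DROP USER SupportUser;
DROP TABLE dbo.CustomerPayment;
```

Because the mask is applied only to query results, backups and data files still hold the clear values, so DDM complements rather than replaces encryption and tight permission grants.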
Types
You can choose from four different masks; the selection usually depends on your data types:
- DEFAULT: Full masking according to the data types of the designated fields
- EMAIL: A masking method that exposes the first letter of an email address, such as aXXX@XXXX.com
- RANDOM: A random masking function for use on any numeric type to mask the original value with a random value within...