Dynamic Data Masking is a neat new feature in SQL Server 2016. I didn’t think much of it when it was introduced in Azure SQL Database, but I have since realized there is some value here, even if it’s just making life simpler for developers.
I’ve been experimenting with this a bit, learning how it works, and one of the options we have for masking data is to use the default option. However, what seems misleading to me here is that this doesn’t use a default from the column. Instead it replaces the values with:
- 4 x’s (xxxx) if the column size is > 4 characters (same for numerals)
- the number of x’s that fit in the column if the size is < 4.
- 0 for numbers
This makes some sense, but not completely. I think I’d prefer to set a default mask for all types, so that I don’t disclose a value is a number or string (or date or anything). I also see that NULLs are disclosed, another potential area I’d prefer to keep hidden.
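A short T-SQL script for seeing this behavior side by side, added here as an example and not part of the original post. The table `dbo.MaskDemo`, the user `MaskReader`, and the sample rows are hypothetical names and constructed values; run it in a scratch database on SQL Server 2016 or later.

```sql
-- Added example: dbo.MaskDemo and MaskReader are hypothetical names.
CREATE TABLE dbo.MaskDemo
(
    Id        int IDENTITY(1,1) PRIMARY KEY,
    LastName  varchar(50) MASKED WITH (FUNCTION = 'default()') NULL,  -- wider than 4 characters
    Initials  char(2)     MASKED WITH (FUNCTION = 'default()') NULL,  -- narrower than 4 characters
    Salary    int         MASKED WITH (FUNCTION = 'default()') NULL   -- numeric column
);

INSERT INTO dbo.MaskDemo (LastName, Initials, Salary)
VALUES ('Anderson', 'JA', 52000),   -- constructed sample row
       (NULL, NULL, NULL);          -- all NULLs, to see what the mask does with them

-- A user with SELECT but without the UNMASK permission gets masked values.
CREATE USER MaskReader WITHOUT LOGIN;
GRANT SELECT ON dbo.MaskDemo TO MaskReader;

-- Query as the restricted user: compare the two rows and the three column types.
EXECUTE AS USER = 'MaskReader';
SELECT Id, LastName, Initials, Salary FROM dbo.MaskDemo;
REVERT;

-- Same query as the table owner, for comparison with the real values.
SELECT Id, LastName, Initials, Salary FROM dbo.MaskDemo;

-- Clean up the demo objects.
DROP TABLE dbo.MaskDemo;
DROP USER MaskReader;
```

Comparing the masked result set with the owner's result set shows what a restricted reader can still infer from the default mask: the data type of each column and which rows hold NULL.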
I also think the name is misleading. I’d prefer to see this called something like xmask, or defaultmask, not default.