SQL Server has data masking. It just isn't a security boundary.
Native DDM rewrites the displayed result — but a WHERE predicate still filters on the real value, so a curious analyst infers what the mask hides. Bytebase governs the query itself: role-based masking on the read path, with approval and audit, across SQL Server, Azure SQL, and RDS.
Native DDM is free, in-core, and on every edition since 2016 — but it guards the display, not the data. The gaps are documented:
Inference leaks the value
A user with SELECT but not UNMASK probes: WHERE salary BETWEEN 99999 AND 100001 returns rows whose salary displays as the masked 0, yet the fact that those rows match pins the real value to that range. Microsoft is explicit — DDM stops accidental exposure, not inference.
UNMASK was all-or-nothing
Before SQL Server 2022, one UNMASK grant exposed every masked column in the database. Scoped grants arrived in 2022 — only if the whole fleet is on 16.x.
High privilege bypasses it
db_owner and sysadmin read cleartext. The roles most likely to be over-provisioned are the ones the mask never touches.
No approval, no audit trail
Masks and UNMASK grants are T-SQL DDL, per database, one at a time. No request, no review, no record of who unmasked what, when.
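The inference gap and the UNMASK visibility problem above, reproduced on a constructed table as an added T-SQL example (not code from the Bytebase page or product). The Employees table, the analyst user and the salary values are assumptions; the catalog views sys.masked_columns and sys.database_permissions are real.

```sql
-- Added example: DDM masks the display, not the predicate.
-- Constructed table and values; run in a scratch database.
CREATE TABLE dbo.Employees (
    Id     INT IDENTITY PRIMARY KEY,
    Name   NVARCHAR(100),
    Salary DECIMAL(10,2) MASKED WITH (FUNCTION = 'default()')  -- numerics display as 0
);
INSERT INTO dbo.Employees (Name, Salary) VALUES (N'Ada', 100000.00), (N'Grace', 85000.00);

-- Analyst principal: SELECT on the table, no UNMASK.
CREATE USER analyst WITHOUT LOGIN;
GRANT SELECT ON dbo.Employees TO analyst;

EXECUTE AS USER = 'analyst';
SELECT Id, Name, Salary FROM dbo.Employees;
-- Salary shows 0.00 on every row: the mask works on display.

SELECT Id, Name, Salary
FROM dbo.Employees
WHERE Salary BETWEEN 99999 AND 100001;
-- Returns Ada's row, Salary still shown as 0.00. The WHERE clause was evaluated
-- against the real value, so the row's presence alone reveals Salary is in range.
REVERT;

-- DBA check 1: which columns in this database are masked, and how.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- DBA check 2: who holds UNMASK, and at what scope (DATABASE before 2022;
-- OBJECT_OR_COLUMN / SCHEMA are possible on 16.x scoped grants).
SELECT dp.name AS principal_name, perm.class_desc, perm.state_desc, perm.permission_name
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'UNMASK';

-- Cleanup
DROP USER analyst;
DROP TABLE dbo.Employees;
```

Neither check covers db_owner or sysadmin members, who read cleartext without any UNMASK row; review role membership separately.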
Dynamic data masking in Bytebase
Govern the query, not just the display.
Queries route through the SQL Editor; Bytebase masks results before they leave it, by who is asking. db_owner and sysadmin on the instance don't bypass the policy, and inference becomes an access decision — Query rights run through Request, Review, Approve, every step audited.
Global Masking Rule
Workspace rules, first match wins. Conditions on environment, project, database, and classification pick the algorithm — full, partial, MD5, range, custom. One rule covers on-prem SQL Server, Azure SQL, and RDS alike.
Column Masking
Project-level override for a single column.
Masking Exemption
Time-bound Query or Export exemptions for named users — service accounts excluded. Every grant logged. Every access logged.
Inference is closed on this path: the predicate runs against masked output, and granting cleartext is a reviewed, time-bound, audited exemption — not a standing UNMASK.
What the analyst sees
Same query. Different result by role.
Partial masking on Customers.Email and Customers.SSN — the table untouched:
-- Run in Bytebase SQL Editor as an analyst
SELECT TOP 2 Id, Email, SSN FROM dbo.Customers;

Id  Email                 SSN
--  --------------------  -----------
1   a******@example.com   ***-**-4801
2   m******@example.com   ***-**-2210

An exempted investigator runs the same query and sees cleartext. Both reads land in the audit log with per-column masking metadata.
Enforcement boundary
What this masks — and what it doesn't.
Bytebase masks the through-Bytebase path: SQL Editor queries and approved exports. Your application's direct connection bypasses it, by design — the gateway governs human access.
The pattern is symmetric: native DDM at the database for application traffic and BCP exports, Bytebase on the human query path where approval and audit matter. Pair it with just-in-time access so humans hold no standing credentials.
SQL Server data masking questions
Common questions.
- Does SQL Server have built-in dynamic data masking?
- Yes. DDM ships in-core on every edition since SQL Server 2016, plus Azure SQL, Managed Instance, Synapse, and Fabric. Define a mask with MASKED WITH, and principals without UNMASK see masked output. But Microsoft documents it as limiting accidental exposure, not a security boundary — WHERE-predicate inference still reveals the value.
- Is native DDM enough for compliance?
- It depends on your threat model. DDM stops a casual SELECT from showing cleartext, but query access still infers masked values through predicates, and db_owner or sysadmin bypass it entirely. For GDPR, HIPAA, or PCI, pair it with row-level security, least privilege, and an audited approval path for cleartext.
- Does masking change the data stored in SQL Server?
- No. Values transform in the query result, at read time. Data at rest is untouched. Destroying data for lower environments is static masking — a different tool.
- Which SQL Server flavors are supported?
- Any SQL Server Bytebase can connect to — on-prem SQL Server, Azure SQL Database, Azure SQL Managed Instance, Synapse, Fabric SQL database, and AWS RDS for SQL Server. Masking runs outside the database, so there's no edition or version requirement.
- How does this compare to native DDM with UNMASK?
- Native DDM enforces at the database on every client, including BCP and SELECT INTO, but its UNMASK grant is coarse (database-wide before 2022), unaudited, and bypassed by high-privilege roles. Bytebase enforces on the through-Bytebase path with role-based rules, scoped time-bound exemptions, and a full audit trail. They compose: native DDM for application traffic, Bytebase for human query traffic.