Security has been one of the prime concerns of database developers since the inception of database management systems, and various data protection schemes have been introduced to control access to sensitive data.

One such feature, introduced in SQL Server 2016, is dynamic data masking. Dynamic data masking (as distinct from static data masking, which rewrites the stored data) replaces sensitive column values with a mask in the query results returned to users who are not allowed to see them.

It is important to note that data masking is not the same as data encryption and should not be used as a primary security layer: the real values remain stored in clear text, and the mask is applied to query results rather than to the data itself. It is intended to hide sensitive fields such as social security numbers, email addresses, phone numbers and credit card numbers from users who need to query the table but not to see those fields. Masked output looks like this:

  1. Phone number -> xxxx-xxx-xx-5458
  2. Email -> xxxx@xxxx.com

The data is not physically masked in the database; it is masked in the query result. Any user who does not hold the UNMASK permission sees masked values in the output, while the real values remain in the table and are returned unchanged to users who do hold UNMASK. One consequence worth knowing: if a masked user copies rows with SELECT INTO or INSERT ... SELECT, the masked values, not the real ones, are written to the target table.

For an introduction to Dynamic Data Masking in Azure, see the article Implementing Dynamic Data Masking in Azure SQL database; for an overview, see the article Using Dynamic Data Masking in SQL Server 2016 to protect sensitive data.

Data masking types

Default

The default mask replaces the whole value in the column it is applied to, with a replacement chosen by data type: string columns show xxxx (fewer x's if the column is shorter than four characters), numeric columns show 0, date and time columns show 1900-01-01, and binary columns show a single zero byte. To put a mask on a column you use the MASKED WITH clause in the column definition, and inside it you name the FUNCTION that performs the masking; for the default mask that is 'default()'.

Let's take a look at a simple example of default masking. First, create a database named Masks. Execute the following script:

CREATE DATABASE Masks

Inside the Masks database we will create a table DefaultMask with four columns: ID, Name, BirthDate and Social_Security. The Name, BirthDate and Social_Security columns get the default dynamic data mask. Execute the following script:

USE Masks;
GO

DROP TABLE IF EXISTS DefaultMask;

CREATE TABLE DefaultMask
(
    ID              INT           IDENTITY (1,1) PRIMARY KEY NOT NULL,
    Name            VARCHAR(255)  MASKED WITH (FUNCTION = 'default()') NULL,
    BirthDate       DATE          MASKED WITH (FUNCTION = 'default()') NOT NULL,
    Social_Security BIGINT        MASKED WITH (FUNCTION = 'default()') NOT NULL
);
GO

Let's now insert some dummy data into the DefaultMask table we just created:

INSERT INTO DefaultMask
(
Name, BirthDate, Social_Security
)
VALUES
('James Jones',  '1998-06-01', 784562145987),
( 'Pat Rice',  '1982-08-12', 478925416938),
('George Eliot',  '1990-05-07', 794613976431);

Execute the following query to select all the records from the DefaultMask table:

SELECT * FROM DefaultMask

The query returns all three rows with their real Name, BirthDate and Social_Security values. That is because we ran it as the database owner, a principal with CONTROL on the database, and CONTROL implies the UNMASK permission (so dbo and sysadmin are never masked). Let's create a new user that has only SELECT on the DefaultMask table and run the same query as that user. Execute the following script:

DROP USER IF EXISTS DefaultMaskTestUser;
CREATE USER DefaultMaskTestUser WITHOUT LOGIN;
GRANT SELECT ON DefaultMask TO DefaultMaskTestUser;

EXECUTE AS USER = 'DefaultMaskTestUser';
SELECT * FROM DefaultMask;
REVERT;

In the output, all three masked columns are replaced by their default mask: Name shows xxxx, BirthDate shows 1900-01-01 and Social_Security shows 0; only ID is returned unchanged.
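Two checks worth running at this point, as an added example that is not part of the original article (it assumes the Masks database, the DefaultMask table and the DefaultMaskTestUser created in the steps above): first, that the mask protects only the result set and not the predicates a user can write, which is why the article says masking is not a primary security layer; second, that UNMASK is the permission that actually controls who sees real values.

```sql
-- Added example, not from the original article. Assumes the Masks database,
-- the DefaultMask table and DefaultMaskTestUser created in the steps above.
USE Masks;
GO

-- 1. Masking is applied to the output only. The WHERE clause is evaluated against
--    the real stored values, so a user who only ever sees 'xxxx' and 0 can still
--    confirm guesses and recover values by asking yes/no questions.
EXECUTE AS USER = 'DefaultMaskTestUser';

-- Returns the row with ID 1 (its columns still masked): the guessed SSN is confirmed.
SELECT ID, Name, Social_Security
FROM DefaultMask
WHERE Social_Security = 784562145987;

-- Returns ID 1 only: the first letter of that name is now known to be 'J'.
-- Repeating this per character position recovers the whole string.
SELECT ID FROM DefaultMask WHERE Name LIKE 'J%';

-- Range predicates work too (returns IDs 1 and 3), so a numeric column
-- can be recovered by binary search in a few dozen queries.
SELECT ID FROM DefaultMask
WHERE Social_Security BETWEEN 700000000000 AND 799999999999;

REVERT;
GO

-- 2. UNMASK is the permission that switches masking off for a principal.
--    SELECT alone never reveals the stored values; UNMASK is granted and
--    revoked like any other database permission.
GRANT UNMASK TO DefaultMaskTestUser;

EXECUTE AS USER = 'DefaultMaskTestUser';
SELECT * FROM DefaultMask;   -- the real values are returned now
REVERT;

REVOKE UNMASK FROM DefaultMaskTestUser;
GO
```

The first half is the practical reason to treat dynamic data masking as a presentation control: anyone who can run ad-hoc queries against the table can turn the masked columns into an oracle. Pair it with least-privilege SELECT grants (views or stored procedures that fix the predicates), with auditing of queries against masked tables, and with encryption where the data itself must be protected. Keep the UNMASK grant list short and review it; in SQL Server 2022 and Azure SQL Database UNMASK can also be granted per schema, table or column rather than for the whole database.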

Partial

The default mask hides everything in the column it is applied to. What if we want to display part of the value while keeping the rest hidden?

This is where partial masks come in. A partial mask is written partial(prefix, padding, suffix): prefix is the number of leading characters to leave visible, padding is the literal string that replaces the middle of the value, and suffix is the number of trailing characters to leave visible. It is passed as the value of FUNCTION in the MASKED WITH clause, and it can only be used on string columns.

Let's take a look at a simple example of a partial mask. Create a table PartialMask in the Masks database we created earlier. Execute the following script:

USE Masks;
GO

DROP TABLE IF EXISTS PartialMask;

CREATE TABLE PartialMask
(
    ID      INT            IDENTITY (1,1) PRIMARY KEY NOT NULL,
    Name    VARCHAR(255)   MASKED WITH (FUNCTION = 'partial(2, "XXXX", 2)') NULL,
    Comment NVARCHAR(255)  MASKED WITH (FUNCTION = 'partial(5, "XXXX", 5)') NOT NULL
);
GO

The PartialMask table has three columns: ID, Name and Comment. Name and Comment are partially masked. For Name we used partial(2, "XXXX", 2), which shows the first two and the last two characters of the stored string and replaces everything in between with the padding string XXXX. Likewise, partial(5, "XXXX", 5) on Comment shows the first five and the last five characters and replaces the rest with XXXX.

Let's insert some dummy data into the PartialMask table:

INSERT INTO PartialMask
(Name,  Comment
)
VALUES
('James Jones',  'The tea was fantastic'),
( 'Pat Rice',  'I like these mangoes' ),
('George Eliot',  'I do not really like this');

Let's select all the records from the PartialMask table as the database owner:

SELECT * FROM PartialMask

Run as the owner, the query returns the three rows with their real Name and Comment values.

Again, let's create a new user with only SELECT on the PartialMask table and see what that user gets. Execute the following script:

DROP USER IF EXISTS PartialMaskTestUser;
CREATE USER PartialMaskTestUser WITHOUT LOGIN;
GRANT SELECT ON PartialMask TO PartialMaskTestUser;

EXECUTE AS USER = 'PartialMaskTestUser';
SELECT * FROM PartialMask;
REVERT;

In the output, Name keeps only its first two and last two characters ('James Jones' becomes 'JaXXXXes') and Comment keeps only its first five and last five ('The tea was fantastic' becomes 'The tXXXXastic'); everything in between is replaced by the padding string.
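Masks do not have to be chosen at CREATE TABLE time. As an added example that is not part of the original article (it assumes the Masks database, the PartialMask table and the PartialMaskTestUser created above; the masks chosen here are illustrative), the following script adds, changes and drops masks on existing columns with ALTER TABLE and then lists every masked column in the database from the sys.masked_columns catalog view, which is the check to run when reviewing what a deployment actually masks.

```sql
-- Added example, not from the original article. Assumes the Masks database, the
-- PartialMask table and PartialMaskTestUser created above; masks are illustrative.
USE Masks;
GO

-- Change the mask on Comment in place: ALTER COLUMN ... ADD MASKED WITH both adds
-- a mask to an unmasked column and replaces the mask on an already masked one.
-- Here only the first character stays visible (prefix 1, suffix 0).
ALTER TABLE PartialMask
ALTER COLUMN Comment ADD MASKED WITH (FUNCTION = 'partial(1, "XXXXXXXX", 0)');

-- Check the effect as the masked test user: Comment now reads e.g. 'TXXXXXXXX'.
EXECUTE AS USER = 'PartialMaskTestUser';
SELECT ID, Name, Comment FROM PartialMask;
REVERT;

-- Remove the mask from Name. From now on anyone with SELECT on the table
-- sees the real names, so treat DROP MASKED as a change that needs review.
ALTER TABLE PartialMask
ALTER COLUMN Name DROP MASKED;

-- Audit: which columns in this database still carry a mask, and with which function?
-- Expected after the statements above: PartialMask.Comment with the new partial()
-- mask, plus the DefaultMask columns if that table still exists; PartialMask.Name is gone.
SELECT t.name AS table_name,
       c.name AS column_name,
       c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE c.is_masked = 1
ORDER BY table_name, column_name;
GO
```

The catalog query is worth keeping as a recurring check: a mask that is silently dropped during a schema migration (for example by a tool that scripts the table without the MASKED WITH clause) leaves the column readable to every principal with SELECT, and nothing in the application will notice.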

Email

The email mask is for columns that hold email addresses. Its function is email(); it keeps only the first character of the address and replaces the rest with the fixed string XXX@XXXX.com, so the result still looks like an address (aXXX@XXXX.com) but reveals neither the mailbox nor the real domain. Let's create a new table with a column called Email and mask it with an email mask. Execute the following script:

USE Masks;
GO

DROP TABLE IF EXISTS EmailMask;

CREATE TABLE EmailMask
(
    ID    INT           IDENTITY (1,1) PRIMARY KEY NOT NULL,
    Email VARCHAR(255)  MASKED WITH (FUNCTION = 'email()') NULL
);
GO

The following script inserts some dummy records into the EmailMask table:

INSERT INTO EmailMask
(Email
)
VALUES
('nickijames@yahoo.com'),
( 'loremipsum@gmail.com' ),
('geowani@hotmail.com');

Let's first retrieve the records as the database owner:

SELECT * FROM EmailMask

Run as the owner, the query returns the three addresses unmasked.

Let's create a new user with only SELECT on the EmailMask table and read the data as that user to see the masked output. Execute the following script:

DROP USER IF EXISTS EmailMaskTestUser;
CREATE USER EmailMaskTestUser WITHOUT LOGIN;
GRANT SELECT ON EmailMask TO EmailMaskTestUser;

EXECUTE AS USER = 'EmailMaskTestUser';
SELECT * FROM EmailMask;
REVERT;

Every address now comes back as its first character followed by XXX@XXXX.com, so nickijames@yahoo.com is shown as nXXX@XXXX.com.

Random

The random mask replaces the value of a numeric column with a random number drawn from the range given to the function, random(low, high). Look at the following example. Execute the following script:

USE Masks;
GO

DROP TABLE IF EXISTS RandomMask;

CREATE TABLE RandomMask
(
    ID  INT     IDENTITY (1,1) PRIMARY KEY NOT NULL,
    SSN BIGINT  MASKED WITH (FUNCTION = 'random(1,99)') NOT NULL,
    Age INT     MASKED WITH (FUNCTION = 'random(1,9)') NOT NULL
);
GO

In the script above we masked the SSN and Age columns. Values in the SSN column are replaced by a random number between 1 and 99 and values in the Age column by a random number between 1 and 9; a new number is drawn every time the row is read, so a masked user cannot tell a masked value from a real one by looking at it. As with every mask, only the output is affected: a WHERE clause on SSN still compares against the stored value.

Let's insert some dummy data into the RandomMask table we just created:

INSERT INTO RandomMask
(SSN, Age
)
VALUES
(478512369874, 56),
(697412365824, 78),
(896574123589, 28);

Finally, we create a new user with only SELECT on the RandomMask table and read the data as that user:

DROP USER IF EXISTS RandomMaskTestUser;
CREATE USER RandomMaskTestUser WITHOUT LOGIN;
GRANT SELECT ON RandomMask TO RandomMaskTestUser;

EXECUTE AS USER = 'RandomMaskTestUser';
SELECT * FROM RandomMask;
REVERT;

In the output, SSN shows a number between 1 and 99 and Age a number between 1 and 9 in place of the stored values, and different numbers come back every time the query is run; ID is unchanged.

Conclusion

In this article we saw how to set up dynamic data masking with the help of several examples. Dynamic Data Masking was introduced in SQL Server 2016 to limit the exposure of sensitive columns in query results for users who do not hold the UNMASK permission. There are four mask types: Default, Partial, Random and Email, and we went through all of them. It is a presentation-level control that complements, but does not replace, access control and encryption, because the real values are still stored in clear text and are still used when the masked column appears in a query predicate.

Suggested links:

  • Static Data Masking in SSMS 18

Translated from: https://www.sqlshack.com/dynamic-data-masking-in-sql-server/
