SQL Server 2016新特性：动态数据屏蔽（DDM）

编辑手记：对于敏感数据的适当屏蔽一直是数据安全中一个重要的部分，在SQL Server 2016上推出了动态数据屏蔽的新特性，使得开发人员或者数据库管理员能够控制敏感数据的暴露程度，并且在数据库层面生成数据，大大简化了数据库应用层的安全设计和编码。

Microsoft has introduced an impressive new feature in SQL Server 2016 called Dynamic Data Masking (DDM). Dynamic Data Masking allows a developer or administrator to decide how much of the sensitive data to reveal with minimal impact on the application layer. This feature also helps to simplify the design and coding of security in your application by making the data at the database level.

在SQL Server 2016上推出了一个很强的新特性叫做Dynamic Data Masking (DDM)-动态数据屏蔽，为了尽可能少的对应用层造成影响，该特性允许开发人员或者数据库管理员能够控制敏感数据的暴露程度，并且在数据库层面生成数据，大大简化了数据库应用层的安全设计和编码。

Dynamic Data Masking does not modify or change the actual data stored in a table; it applies the masking functions on the table’s column at the time of returning a data as the result of a query. Dynamic Data Masking supports four data masking functions, as listed below, using which you can mask the data at the database level:

1. Default
2. Random
3. Custom String
4. Email

动态数据屏蔽并不会真正改动表中存储的实际数据，只是在查询的时候应用该特性控制查询返回的数据，动态数据屏蔽支持四种数据屏蔽函数，可以通过以下四个函数在数据库层面进行屏蔽：

1、默认屏蔽

2、随机屏蔽

3、自定义屏蔽

4、邮件屏蔽

Note: There are two ways using which you can apply the DDM functions. You can apply this at the time you create the table or you can apply this function in the existing table that contains data using an ALTER statement. 注：应用数据屏蔽函数有两种方式，在创建表的时候应用或者在现有的表上使用ALTER语句应用。

接下来我们将介绍四种屏蔽函数。

1、Default 默认函数

The default function of Dynamic Data Masking masks data on the basis of the column's data type.

默认屏蔽函数是针对基本类型的数据列进行屏蔽的。

• If the data type is date and time, then it shows the data in 1900-01-01 00:00:00.000 formats. 如果数据类型包含日期和时间，会以“1900-01-01 00:00:00.000”格式显示；
• If the data type is numeric then it shows a 0. 如果数据类型是数字类型的，会显示0；
• If data type is string, then it displays data by adding Xs in the string. This function can add maximum 4 X’s in string data, if string contains less than 4 characters, then it will show X for fewer characters only. 如果是字符串类型的，将会在字符串后面添加X，最多能添加4个，如果字符串包含的字符少于4个，则会以实际的X数目显示。

An example of the Default Dynamic Data Masking function is shown below.

以下是使用默认屏蔽函数的一个案例。

In this whole article, we will use the same table, so let's create this table. The below script will create a table named DDM_Student_Sample. While creating the table, we will apply the default DDM function on the Student_DOB column. The actual data of the Student_DOB column will not be visible to the user who has read permission. Instead of the actual data, SQL Server will return data in the 1900-01-01 00.00.00.000 format.

首先我们来创建一张表，命名为“DDM_Student_Sample”，在创建的时候，我们在Student_DOB列上应用以下默认屏蔽函数，此时Student_DOB列上的真实数据将不能被正常访问，哪怕用户具有读取表的权限，当数据被访问到的时候，将会返回1900-01-01 00.00.00.000格式的数据。

After table creation, we need to insert some data into table to check how the Default DDM function works. So we will use below query to insert four rows into the table.

创建完成以后，我们需要插入一些数据来验证默认屏蔽函数的作用。使用以下语句在表中插入四行数据。

After inserting the data we will use the below script to check an actual data stored in the table- DDM_Student_Sample. ( here we are using the user credentials who is having full access or adequate permission which require to check an actual data of the table and those users only will be able to see the sensitive information like as shown in above figure.)

插入数据以后，我们将采用以下脚本检查表中的真实数据。我们使用具有足够权限的高级用户来做查询，这类用户能够查看真实数据，只是在返回的时候会提示敏感信息。

-- Check the actual data in the table DDM_Student_Sample using the below querySelect * from [dbo].[DDM_Student_Sample]

Now we will create a user and grant read permission on DDM_Student_Sample table using below script:

现在我们创建一个用户 ，使用以下语句对其授DDM_Student_Sample表的读取权。

CREATE USER DDM_Read WITHOUT LOGIN

As we have applied Default DDM function on column Student_DOB, so lets check how the data will appear when user having read permission on a table using below script.

在这张表的Student_DOB列我们已经应用了默认屏蔽函数，接下来我们看在查询到的时候数据会如何返回。

EXECUTE AS USER = 'DDM_Read'SELECT * FROM [dbo].[DDM_Student_Sample]REVERT

On above output we can see that user DDM_Read is not able to see the actual data for the Student_DOB column because we have applied the Default Dynamic Data Masking function on this column. Hence, data of column Student_DOB showing in the 1900-01-01 00.00.00.000 format.

在上面的结果中我们看到，用户虽然具有访问表的权限，但并不能读取到真实的数据，因为应用了默认屏蔽函数，所以该列最终返回1900-01-01 00.00.00.000。

If you want to allow a few users who have less privileges, like the user, DDM_Read, then grant the UNMASK permission for this set of users:

如果你想用权限更低的用户，比如DDM_Read，然后我们对这类用户授非屏蔽权限。

Grant UNMASK to DDM_Read

after granting UNMASK permission to the user, DDM_Read, they will be able to see the actual data, like shown in the below figure.

授权非屏蔽之后，就能看到真实的数据，如下所示：

Use the below script to revoke the UNMASK permission of user, DDM_Read.

回收刚才的DDM_Read用户的非屏蔽权限

Revoke UNMASK to DDM_Read

2、随机屏蔽函数

This DDM function is applied on numeric data types only. It displays a random value for the specified range. In the below example we will apply the Random function on the Student_ID column.

随机屏蔽函数只对数字类型起作用。它会将某一个范围内的值随机显示。在下面的案例中，我们在Student_ID列上应用了随机屏蔽函数。

Alter Table[dbo].[DDM_Student_Sample] Alter Column Student_ID Add masked with (function='Random(1,4)')

After applying the Random function, when we try to check the data of table using the DDM_Read user (user with read permission only), the data of the table will look like shown in below figure:

应用完随机屏蔽函数之后，我们通过DDM_Read用户访问表的数据，结果如下所示：

In the above figure, we can see that actual values for Student_ID are replaced with some random numeric values. Again, if you want to allow less privileged user to check the actual data of the table, then grant the UNMASK permission.

在上面的表中，我们看到Student_ID列的真实数据被随机的数值代替，同样，如果你想尝试用权限低一点的用户，可以授非屏蔽权限。

3、Custom String 自定义屏蔽

This DDM function uses the below syntax to mask the data:

自定义屏蔽函数使用以下语法进行屏蔽数据。

Syntax : Partial(prefix,[padding],suffix)

语法：Partial(prefix,[padding],suffix)

• Prefix – Starting numbers of character to be displayed.（要显示的字符的起始编号）
• Suffix – Last number of characters to be displayed from specified column value（从指定列值显示的最后一个字符数）
• Padding –Custom padding string for masking.（用于屏蔽的自定义填充字符串）

We will apply the Custom String DDM function on Student_Name column with the below values :

在我们的案例中，将会用以下值对表的数据做自定义屏蔽。

• Prefix = 3 -- It will displayed first three characters of Student_Name column values.（.它将显示Student_Name列值的前三个字符。）
• Suffix= 9 -- It will display last 9 characters of Student_Name column values.（它将显示Student_Name列值的最后9个字符。）
• Padding = &&**& -- It will start masking from 4th character and display this Padding string.（&&**& 它将从第4个字符开始屏蔽并显示此Padding字符串。）

Use the below script to apply Custom String function on a Student_Name column of table DDM_Student_Sample.

使用以下脚本在表DDM_Student_Sample的Student_Name列上应用自定义字符串函数

Alter Table[dbo].[DDM_Student_Sample] Alter Column Student_Name Add masked with (function='Partial(3,"&&**&",9)')

And then check the data using DDM_Read user.

使用DDM_Read用户检查数据

The data in the column, Student_Name, will look like it does above for the user, DDM_Read, due to the Custom String DDM function.

因为自定义屏蔽函数的使用， Student_Name列上的值将会如上图显示。

4、The Email Function 邮件函数

This DDM function will displays the first character of an email address, masking the rest of the characters with XXX@XXXX until the suffix “.com”. For example, if we apply the email DDM function for an email address like abc@ddm.com, then this email address will appear as "aXXX@XXXX.com".

此DDM功能将显示电子邮件地址的第一个字符，用XXX @ XXXX屏蔽其余字符，直到后缀“.com”。 例如，如果我们对abc@ddm.com这样的电子邮件地址应用电子邮件DDM功能，则此电子邮件地址将显示为“aXXX@XXXX.com”。

Using the below script, we will apply the email DDM function on the Student_Email_Id column of the table, DDM_Student_Sample, and check how the data will appear to the user, DDM_Read user.

使用以下语句，我们将在表的Student_Email_Id列DDM_Student_Sample上应用电子邮件DDM函数，并检查数据对用户DDM_Read用户的显示方式。

Alter Table[dbo].[DDM_Student_Sample] Alter Column Student_Email_Id Add masked with (function='Email()') 

And the values of Student_Email_ID appear in the below format to the user, DDM_Read:

并且Student_Email_ID的值以下面的格式显示给用户DDM_Read：

So, in the above image we can see that how data will look after applying the Default, Random, Custom String, and Email Dynamic Data Masking functions to the user who is having less (read only) permission on the table.

因此，在上面的图像中，我们可以看到在对表具有较少（只读）权限的用户应用默认，随机，自定义字符串和电子邮件动态数据屏蔽功能后，数据的外观。

We can use below script to remove all the Dynamic Data masking functions on the table

我们可以使用下面的脚本删除表上的所有动态数据屏蔽功能

After removal of all Dynamic Data Masking function a sensitive data will be visible to the user DDM_Read as shown in below figure.

删除所有动态数据屏蔽功能后，敏感数据将对用户DDM_Read可见，如下图所示。

Dynamic Data Masking Feature in SQL Server 2016 allows user to mask the data at database level without altering or obfuscating the actual stored data in a table. We can say this feature adds an advantage for the DBA, allowing them to hide the sensitive data from set of user who are having less privileges. This feature saves the extra effort of obfuscating or masking data when a vendor visits your company to fix some issue related to data in a database.

SQL Server 2016中的动态数据屏蔽功能允许用户在数据库级别屏蔽数据，而不会更改或混淆表中的实际存储数据。 我们可以说这个功能为DBA增加了一个优点，允许他们从具有较少权限的用户集中隐藏敏感数据。 此功能节省了当供应商访问您的公司以修复与数据库中的数据相关的某些问题时，对数据进行模糊处理或屏蔽的额外工作量。