Snowflake Dynamic Data Masking (DDM) is a data security feature that allows you to alter sections of data (from a table or a view) to keep their anonymity using a predefined masking strategy.
Data owners can decide how much sensitive data to reveal to different data consumers or data requestors using Snowflake’s Dynamic Data Masking function, which helps prevent both accidental and intentional exposure. It is a policy-based security feature that leaves the data stored in the database unchanged while hiding sensitive values (e.g. PII, PHI, PCI-DSS data) in the query result set for specific database columns.
There are two types of data masking: static and dynamic. Static Data Masking (SDM) permanently replaces sensitive data by modifying the data at rest. Dynamic Data Masking (DDM) replaces sensitive data in transit while keeping the original data at rest intact and unchanged, so the unmasked data remains visible in the actual database to anyone whose role is not masked. DDM is primarily used to apply role-based (object-level) security for databases.
Below are the steps to create the Dynamic Data Masking policy:
The masking policy name, “ddr_Lname_Mask”, is the unique identifier within the schema. The policy signature specifies the input column to evaluate at query runtime, in this example “last_name” with its data type (string). The return data type must match the input data type, and it is followed by the SQL expression that transforms or masks the data (last_name in this example). The SQL expression can include a built-in function, a UDF, or a conditional expression function (like CASE in this example).
In this example, last_name is masked if the current role of the user is Call_Center. Once the masking policy is created, it needs to be applied to a table or view column. This can be done when the table or view is created or with an ALTER statement.
Once the masking policy is applied and a user with that role queries the table, the user (the call center agent) will see the masked result.
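The create, apply and query steps above, written out as an added example (not code from the original post). The table name `customers`, the `customer_id` column, the mask string `'*****'` and the `customers_new` table are assumptions; the policy name, column and role are the ones the post describes.

```sql
-- Added example, not from the original post. Assumed: a table CUSTOMERS
-- with a LAST_NAME column, a role CALL_CENTER, and '*****' as the mask value.

-- 1. Create the policy. The signature names the input column (last_name, STRING);
--    the return type must match it, and the CASE expression runs at query time.
CREATE OR REPLACE MASKING POLICY ddr_Lname_Mask AS (last_name STRING) RETURNS STRING ->
  CASE
    -- Unquoted role names are stored in upper case, so compare with 'CALL_CENTER'.
    -- If secondary roles are enabled in the session, IS_ROLE_IN_SESSION('CALL_CENTER')
    -- covers roles CURRENT_ROLE() alone would miss.
    WHEN CURRENT_ROLE() IN ('CALL_CENTER') THEN '*****'
    ELSE last_name
  END
  COMMENT = 'Mask last_name for call-center agents';

-- 2a. Apply the policy to an existing column ...
ALTER TABLE customers MODIFY COLUMN last_name SET MASKING POLICY ddr_Lname_Mask;

-- 2b. ... or attach it when the table is created.
CREATE OR REPLACE TABLE customers_new (
  customer_id NUMBER,
  last_name   STRING MASKING POLICY ddr_Lname_Mask
);

-- 3. Audit check: list every column the policy is attached to.
SELECT ref_entity_name, ref_column_name
  FROM TABLE(information_schema.policy_references(policy_name => 'ddr_Lname_Mask'));

-- 4. Query as the call-center role: last_name comes back as '*****',
--    while the stored value is unchanged.
USE ROLE call_center;
SELECT customer_id, last_name FROM customers LIMIT 5;

-- 5. Detach the policy from the column when it is no longer required.
ALTER TABLE customers MODIFY COLUMN last_name UNSET MASKING POLICY;
```

Step 3 is the check to run after any policy change: a column that is missing from the list is being served unmasked to every role.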
Snowflake’s Dynamic Data Masking is a very powerful feature that allows you to bring all kinds of sensitive data into your data platform and manage it at scale. Snowflake’s policy-based approach, along with role-based access control (RBAC), allows you to prevent sensitive data from being viewed by table/view owners and users with privileged responsibilities.
If you’re looking to take advantage of Snowflake’s Dynamic Data Masking feature, the data experts at 64-squares would love to help make this a reality. Feel free to reach out today for more information.