1
00:00:00,850 --> 00:00:01,683
In this lesson,

2
00:00:01,683 --> 00:00:04,380
we are going to talk about "Implementing Data Protection

3
00:00:04,380 --> 00:00:06,050
"with Data Masking".

4
00:00:06,050 --> 00:00:08,150
Specifically, I'm going to show you how to design

5
00:00:08,150 --> 00:00:09,680
a masking strategy.

6
00:00:09,680 --> 00:00:11,020
We'll talk about how we implement

7
00:00:11,020 --> 00:00:13,730
that data masking strategy, and then I'll take you

8
00:00:13,730 --> 00:00:16,460
to the portal and I'll show you how it works.

9
00:00:16,460 --> 00:00:19,360
So let's start with talking about a data masking strategy.

10
00:00:19,360 --> 00:00:21,760
And before we get into the steps of that strategy,

11
00:00:21,760 --> 00:00:24,230
it's important to understand that data masking

12
00:00:24,230 --> 00:00:27,860
is not designed to keep someone out of a database.

13
00:00:27,860 --> 00:00:30,390
So someone needs to be authenticated first

14
00:00:30,390 --> 00:00:32,350
to get access to the database.

15
00:00:32,350 --> 00:00:33,930
And once they're there,

16
00:00:33,930 --> 00:00:36,220
data masking can provide an additional

17
00:00:36,220 --> 00:00:39,390
light layer of protection to help secure the data

18
00:00:39,390 --> 00:00:41,350
just a little bit further.

19
00:00:41,350 --> 00:00:43,040
So we start with our data masking strategy

20
00:00:43,040 --> 00:00:45,010
by defining the users.

21
00:00:45,010 --> 00:00:46,780
Who should have access to the system?

22
00:00:46,780 --> 00:00:50,410
And we do this through Synapse or Azure AD identities.

23
00:00:50,410 --> 00:00:53,080
So we're using RBAC, identity access management,

24
00:00:53,080 --> 00:00:56,320
to figure out who should have access to the system.

25
00:00:56,320 --> 00:00:59,010
Then we're going to create our masking rules.

26
00:00:59,010 --> 00:01:01,420
Now, our rules are really going to be defined

27
00:01:01,420 --> 00:01:04,110
around the fields that we want to be masked.

28
00:01:04,110 --> 00:01:06,160
And I'll show you what that looks like in a minute,

29
00:01:06,160 --> 00:01:08,010
but basically, it comes to us

30
00:01:08,010 --> 00:01:10,900
choosing columns that need to be masked.

31
00:01:10,900 --> 00:01:13,890
Next, we're going to take a look at our masking functions,

32
00:01:13,890 --> 00:01:15,690
and we're going to talk about how we control

33
00:01:15,690 --> 00:01:17,490
the exposure of the data.

34
00:01:17,490 --> 00:01:21,900
So if I'm masking a column, am I masking the entire column?

35
00:01:21,900 --> 00:01:26,080
Am I only masking the first 4 letters or the last half?

36
00:01:26,080 --> 00:01:27,210
What does that look like?

37
00:01:27,210 --> 00:01:30,540
This is how we define the masking function.

38
00:01:30,540 --> 00:01:33,480
And there are a couple of preset masking functions

39
00:01:33,480 --> 00:01:35,010
that we can choose from.

40
00:01:35,010 --> 00:01:36,650
The first being default.

41
00:01:36,650 --> 00:01:38,340
Default is just a full mask.

42
00:01:38,340 --> 00:01:40,603
It's going to hide everything in that column.

43
00:01:43,240 --> 00:01:46,100
Next, we can use our credit card mask.

44
00:01:46,100 --> 00:01:49,763
This is going to hide everything but the last 4 digits.

45
00:01:51,170 --> 00:01:52,860
And then we have an email mask,

46
00:01:52,860 --> 00:01:56,180
and this is going to show us the first letter and then .com.

47
00:01:56,180 --> 00:01:58,710
So everything else will be hidden.

48
00:01:58,710 --> 00:02:00,340
Or we can use random number.

49
00:02:00,340 --> 00:02:01,610
If we use random number,

50
00:02:01,610 --> 00:02:04,230
it's literally going to generate a random number,

51
00:02:04,230 --> 00:02:06,530
and it's going to put that in place

52
00:02:06,530 --> 00:02:10,453
of whatever field or whatever data is in that column.

53
00:02:11,860 --> 00:02:13,190
And then finally, there's custom.

54
00:02:13,190 --> 00:02:15,370
And we can choose a custom padding string to,

55
00:02:15,370 --> 00:02:16,680
at a more granular level,

56
00:02:16,680 --> 00:02:19,513
decide how we want to mask a specific column.

57
00:02:21,600 --> 00:02:24,830
Now, it's important to note before we jump into the portal

58
00:02:24,830 --> 00:02:27,010
that this technology, this data masking,

59
00:02:27,010 --> 00:02:29,630
can be used on SQL Database --which again,

60
00:02:29,630 --> 00:02:32,610
not in the DP-203-- or in Synapse.

61
00:02:32,610 --> 00:02:35,970
So for the DP-203, we would be talking about Synapse.

62
00:02:35,970 --> 00:02:38,310
However, it's going to look very similar.

63
00:02:38,310 --> 00:02:39,710
So with that, let's go ahead

64
00:02:39,710 --> 00:02:41,760
and jump into the portal and take a look.

65
00:02:42,650 --> 00:02:44,920
So here we find ourself in the portal,

66
00:02:44,920 --> 00:02:47,980
and what you do is you scroll down into Security,

67
00:02:47,980 --> 00:02:50,660
and you'll see dynamic data masking.

68
00:02:50,660 --> 00:02:51,600
So at the start,

69
00:02:51,600 --> 00:02:54,260
it's going to give you a list of recommended fields.

70
00:02:54,260 --> 00:02:57,860
And it's going to give you an option to add masks to those.

71
00:02:57,860 --> 00:02:59,340
Or we can create our own mask.

72
00:02:59,340 --> 00:03:02,380
And so let's just go ahead and create our own unique mask.

73
00:03:02,380 --> 00:03:05,440
And so first, it's going to ask me to pick my schema.

74
00:03:05,440 --> 00:03:08,530
And then from there, I pick the table that I want.

75
00:03:08,530 --> 00:03:09,430
And then from there,

76
00:03:09,430 --> 00:03:13,200
I'm going to choose the column that I'm interested in.

77
00:03:13,200 --> 00:03:15,890
So you can see from our address ID here

78
00:03:15,890 --> 00:03:19,050
that we can choose Default or Number.

79
00:03:19,050 --> 00:03:20,280
There's no letters in this,

80
00:03:20,280 --> 00:03:23,140
and so we can't choose any of the letter strings.

81
00:03:23,140 --> 00:03:26,140
But let's say that we changed it to City.

82
00:03:26,140 --> 00:03:29,520
If this is the case, now we can choose our email,

83
00:03:29,520 --> 00:03:32,280
or custom string, or credit card value.

84
00:03:32,280 --> 00:03:34,090
So we can choose different options

85
00:03:34,090 --> 00:03:36,700
based upon the column that we're looking at.

86
00:03:36,700 --> 00:03:37,720
All right?

87
00:03:37,720 --> 00:03:40,460
So it's really as simple as picking the column,

88
00:03:40,460 --> 00:03:43,470
choosing the type of mask that we want to apply,

89
00:03:43,470 --> 00:03:44,570
and then applying that.

90
00:03:44,570 --> 00:03:46,690
And if we want to use custom, you can see,

91
00:03:46,690 --> 00:03:49,900
this is going to tell us what exposed prefixes we have,

92
00:03:49,900 --> 00:03:51,530
what exposed suffixes we have.

93
00:03:51,530 --> 00:03:54,950
So how many letters or numbers at the start or finish

94
00:03:54,950 --> 00:03:56,060
of our string.

95
00:03:56,060 --> 00:03:57,160
And then we can choose the type

96
00:03:57,160 --> 00:03:59,323
of padding string that we want to employ.

97
00:04:00,720 --> 00:04:03,530
All right, we would just simply choose our column,

98
00:04:03,530 --> 00:04:05,960
choose our masking field, click on the Add button.

99
00:04:05,960 --> 00:04:07,630
And then it's going to add

100
00:04:07,630 --> 00:04:10,763
--here's our add, right here-- our mask.

101
00:04:13,000 --> 00:04:15,330
All right, so just a couple of key points to remember.

102
00:04:15,330 --> 00:04:16,980
One, security level.

103
00:04:16,980 --> 00:04:19,250
So this is a blended strategy.

104
00:04:19,250 --> 00:04:23,290
Don't use masks as your only access point into Azure.

105
00:04:23,290 --> 00:04:24,850
It's not designed to do that.

106
00:04:24,850 --> 00:04:26,110
It's designed to be used

107
00:04:26,110 --> 00:04:28,420
after someone's already authenticated themselves

108
00:04:28,420 --> 00:04:31,090
and passed through the other defense layers

109
00:04:31,090 --> 00:04:32,963
to get to the database.

110
00:04:34,390 --> 00:04:36,930
Data masking does not change the database.

111
00:04:36,930 --> 00:04:38,730
That's a very important point.

112
00:04:38,730 --> 00:04:40,610
When we look at those masks,

113
00:04:40,610 --> 00:04:43,830
it's just simply putting a mask over top,

114
00:04:43,830 --> 00:04:48,090
think like tape, over top of what is beneath it, the data.

115
00:04:48,090 --> 00:04:49,890
It's not going to actually change

116
00:04:49,890 --> 00:04:51,633
your data in the database.

117
00:04:53,220 --> 00:04:55,470
Pretty short lesson, but pretty important lesson.

118
00:04:55,470 --> 00:04:57,750
Make sure, for the DP-203,

119
00:04:57,750 --> 00:04:59,840
that you understand the different types of mask

120
00:04:59,840 --> 00:05:01,210
that you could employ,

121
00:05:01,210 --> 00:05:03,460
and then make sure you understand the concept

122
00:05:03,460 --> 00:05:05,500
of the security and what you're actually doing

123
00:05:05,500 --> 00:05:06,620
when you mask.

124
00:05:06,620 --> 00:05:08,930
If you've got that down, congratulations.

125
00:05:08,930 --> 00:05:10,530
I'll see you in the next lesson.