
Answer-first summary for fast verification
Answer: Utilize dynamic data masking within Azure SQL Database to conditionally mask sensitive data based on the user's role and permissions, without altering the underlying data.
Option B is the most effective approach as it leverages Azure SQL Database's dynamic data masking feature to protect sensitive data in real-time based on user roles and permissions. This method complies with GDPR by not storing altered data, minimizes costs by utilizing built-in Azure features, and preserves data utility for analytics by allowing authorized users to access unmasked data. Dynamic data masking provides a flexible and secure solution that meets all the specified requirements without the need for data duplication or exclusion, making it the optimal choice for this scenario.
Author: LeetQuiz Editorial Team
You are tasked with implementing a data masking solution for a dataset that contains sensitive customer information, including credit card numbers, in a Microsoft Azure environment. The solution must comply with GDPR regulations, minimize operational costs, and allow authorized users to perform analytics without compromising data security. Considering these requirements, which of the following approaches would be the most effective to protect the sensitive data while maintaining data utility for analytics? Choose one option.
A. Implement static data masking by creating a copy of the dataset with all sensitive data permanently altered, ensuring all users access this masked version for analytics.
B. Utilize dynamic data masking within Azure SQL Database to conditionally mask sensitive data based on the user's role and permissions, without altering the underlying data.
C. Exclude all columns containing sensitive data from any views or queries, providing users access only to non-sensitive data for analytics purposes.
D. Apply Transparent Data Encryption (TDE) to the entire dataset, requiring decryption for any access, including analytics, which is only permitted for users with specific decryption privileges.