Exam DP-300 topic 2 question 11 discussion

inferring work is the key. With data-masking you cannot prevent to ask if a column is equal to a certain value. Also, the salespeople don't need any information of the credit card, maybe customer support would have a use of the masked credit card. So, column-level security is the solution.

Data- Masking is correct Question says "...solution to provide salespeople with the ability to view all the entries in Customers" See use cases of column-level security https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/column-level-security#use-cases

Data masking is a feature in Azure Synapse Analytics that allows you to obfuscate sensitive data, such as credit card information, while still enabling users (like salespeople) to view the rest of the data in the table.

Agree its D. Data masking may still leave part of the data visible , allowing educated guesses or brute-force attempts to complete it. Only column-level security completely obscures the data to prevent inference.

Exam Topics team needs to work on this. Misleading answers and explanation is disappointing.

To provide salespeople with the ability to view all the entries in the Customers table while preventing them from viewing or inferring the credit card information, you can use **column-level security**. Column-level security allows you to restrict access to specific columns in a table based on user roles or permissions. To implement column-level security, you can create a new role in the database and grant the role SELECT permission on the Customers table. You can then use the **DENY** statement to deny the role access to the credit card information column. Therefore, the solution you should recommend is **column-level security**.

Answer is row level security To achieve the goal of allowing salespeople to view entries in the Customers table while preventing access to credit card information, you can implement Row-Level Security (RLS) in Azure Synapse Analytics. RLS allows you to control access to rows in a table based on the characteristics of the user executing a query.

Answer is column-level security "Column-level security simplifies the design and coding of security in your application, allowing you to restrict column access to protect sensitive data. " Reference: https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/column-level-security

Data masking do not prevent inferring with critical data. Column level security is more adapted to this situation (https://learn.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/column-level-security).

Final answer for me is column level security. https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-ver16.

Data masking isn't enough to ensure the data cannot be viewed or inferred

Column-level security is the most appropriate answer (it can be used to restrict the salespeople from seeing the SSN column) although you could argue for Always On with Randomised encryption. Data Masking is incorrect becasue of the potential ability of users to infer the data

My vote goes to D. And here is why - data masking prevent unauthorized access of viewing data, but it "doesn't aim to prevent database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data" and we assume that in this question salespeople does have access to DB. So column-level security on my opinion is the best choice as it is allowing you to restrict column access to protect sensitive data even if you have access to DB. Links https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16 and https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/column-level-security

B is correct as in data masking there is even a specific option to mask credit card numbers in the Azure Portal for your database that uses the partial masking function: MASKED WITH (FUNCTION = 'partial(0, "xxxx-xxxx-xxxx-", 4)')

C is met the requirement, however D (Always Encrypted) would provide best protection to secure the credit card info.

It needs to be D

I wunder why isn't Always On?