Exam SC-100
Question 148

HOTSPOT

You have an Azure SQL database named DB1 that contains customer information.

A team of database administrators has full access to DB1.

To address customer inquiries, operators in the customer service department use a custom web app named App1 to view the customer information.

You need to design a security strategy for DB1. The solution must meet the following requirements:

• When the database administrators access DB1 by using SQL management tools, they must be prevented from viewing the content of the CreditCard attribute of each customer record.

• When the operators view customer records in App1, they must view only the last four digits of the CreditCard attribute.

What should you include in the design? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
kanag1

For the database administrators: Always Encrypted
For the operators: Dynamic Data Masking

Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16

Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer. https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql
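The two features compared in this thread, as an added T-SQL example that is not part of any poster's comment: it shows a partial mask that leaves the last four digits visible to a non-privileged operator, the same query run by an administrator, and an Always Encrypted column definition. The object names (CustomerDemo, CustomerDemoAE, OperatorDemo, CEK_Demo) are assumptions, and the card number is a constructed test value.

```sql
-- Added example: constructed schema, all object names are assumptions.

-- 1) Dynamic Data Masking: reveal only the last four characters.
CREATE TABLE dbo.CustomerDemo (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    CreditCard varchar(19)
        MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL
);

INSERT INTO dbo.CustomerDemo (Name, CreditCard)
VALUES (N'Test Customer', '4111-1111-1111-1111');  -- constructed test number

-- Hypothetical operator principal: SELECT only, no UNMASK permission.
CREATE USER OperatorDemo WITHOUT LOGIN;
GRANT SELECT ON dbo.CustomerDemo TO OperatorDemo;

-- As the operator, the column comes back as the padding string
-- followed by the last four digits.
EXECUTE AS USER = 'OperatorDemo';
SELECT Name, CreditCard FROM dbo.CustomerDemo;
REVERT;

-- As db_owner (or any principal with CONTROL on the database), UNMASK is
-- implied, so the same query returns the stored value without the mask.
-- This is why masking alone does not keep the column from administrators.
SELECT Name, CreditCard FROM dbo.CustomerDemo;

-- 2) Always Encrypted: the engine stores only ciphertext and the column
-- encryption key is never available to it, so a management-tool session
-- without access to the column master key cannot read the plaintext.
-- Assumes a column encryption key named CEK_Demo already exists.
-- Shown on a separate table because a masking rule cannot be defined
-- on an Always Encrypted column.
CREATE TABLE dbo.CustomerDemoAE (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    CreditCard varchar(19) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);
```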

ServerBrain

But then when you do Always encrypted the admins are as good as not having full access. Block 1 should be Row-level security as it's just the CreditCard row they should not see

ServerBrain

Looks like I'm wrong...

ttttt23212121

Row Level Security for 1
Dynamic Data Masking for 2

billo79152718

Correct is:
1: Always encrypted
2: Dynamic data masking

Murtuza

Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users.

Socgen1

A. Always Encrypted
B. Dynamic data masking
In exam - 14/07/2024

emartiy

Since it says: "When the database administrators access DB1 by using SQL management tools, they must be prevented from viewing the content of the CreditCard attribute of each customer record" - for administrators, row-level security fulfills this requirement. https://learn.microsoft.com/en-us/sql/relational-databases/security/row-level-security?view=sql-server-ver16

For the operators: Dynamic data masking fulfills the requirements.

Cleggs

I believe both are Dynamic Data Masking. Reason:
RLS blocks the entire customer row.
Always Encrypt has no basis on this question since we need to block only certain blocks of data (CC) from the DBAs.
TDE the same.
There was never a statement about handling the CCs during processing or transmission. Just viewing the data via the SQL management apps or App1. The only item there that can do both is Dynamic Data Masking.

Cleggs

Correction: I was doing some more reading and I believe, since admins can get past Dynamic Data Masking, that the given answer of Always Encrypt and Data Masking is the correct one.

Murtuza

What should you use to ensure credit card numbers in an Azure SQL database are protected while data is being processed? Final answer: To protect credit card numbers in an Azure SQL database while processing, you should use Transparent Data Encryption (TDE) and Always Encrypted.

karincauk

1- Always encrypt, "2- Low level" should be correct, because the db operator can see the last 4 digits.

Ramye

No, those operators are non-privileged (not any admin type) users, so they will see only what is not masked - the last 4 digits.

Victory007

1. Dynamic Masking. 2. Always Encrypted. To meet the requirements, you should include Dynamic Data Masking for the operators and Always Encrypted for the database administrators in your design. Dynamic Data Masking (DDM) is a feature that limits sensitive data exposure by masking it to non-privileged users. It can be used to greatly simplify the design and coding of security in your application.