Exam AZ-305 topic 2 question 30 discussion

I agree with the answer. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer. https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine

CORRECT

Dynamic data masking Always Encrypted

The given answer is correct. Dynamic Data Masking: Masks sensitive data in the result set of a query, limiting data exposure without changing the data in the database. Always Encrypted: Ensures sensitive data is encrypted both at rest and in motion, and can only be decrypted by the client application that has the encryption keys.

Based on Gemini AI: Box2 for SSN: "Always Encrypted": This feature encrypts data at rest and in transit, ensuring it remains unreadable even by Azure administrators with access to the database server. The decryption keys are stored in Azure Key Vault, separate from the database, requiring stricter access controls. Why not the other options? - Column Encryption: While it encrypts data at rest, the decryption key is stored within the database server, potentially accessible to cloud administrators. - Dynamic Data Masking: This technique masks data within the query results but doesn't encrypt the data itself. Cloud administrators could still access the underlying data.

Can't Dynamic Data Masking also be used to mask the SSN's?