You need to recommend a solution to secure the MedicalHistory data in the ClaimsDetail table. The solution must meet the Contoso developer requirements. What should you include in the recommendation?
Anyone with admin privileges can see masked data.
https://docs.microsoft.com/en-us/learn/modules/protect-data-transit-rest/4-explain-object-encryption-secure-enclaves
@PlumpyTumbler, thank for all you're work here!
You are correct.
But the Contoso Developers Requirements states: The Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table, there is no mentioning of admin privileges by the Contoso developers.
db_owner has unrevocable permission to "UNMASK" in db, so can read masked data. I.e. C - always encrypted.
Please at least google before answering with that certainty, thank you! :)
Agreed. Just to make it easier for others to see the correct answer then:
C - Always encrypted.
Reason, ContosoDevelopers are assigned to the DB_Owner role; and Dynamic Data Masking will not mask the sensitive information for priv users.
Correct
Some more info to remove any doubt
“Administrative users and roles can always view unmasked data via the CONTROL permission, which includes both the ALTER ANY MASK and UNMASK permission. Administrative users or roles such as sysadmin, serveradmin, or db_owner have CONTROL permissions on the database by design, and can view unmasked data.”
Source: https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16
Requirment "prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table", not the full table. Developer dont have admin Privilege. So E is the right answer.
Agree with E rather than C.
Since even encrypt all, the db_owner will still be able to see the date.
To me, encrypt data is prevent external view, ie, hackers
mask is prevent internal view, ie develops.
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users. As a result, Always Encrypted enables customers to confidently store their sensitive data in the cloud, and to reduce the likelihood of data theft by malicious insiders.
Interesting note here describing the purpose of Always Encrypted on the secure enclaves page. https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16
Always Encrypted protects the confidentiality of sensitive data from malware and high-privileged unauthorized users: Database Administrators (DBAs), computer admins, cloud admins, or anyone else who has legitimate access to server instances, hardware, etc., but shouldn't have access to some or all of the actual data.
Should be E - db_onwer can't read dynamically masked columns by default if UNMASK permission is not granted. Moreover, "Always encrypted" is related with Application to SQL relationship, here the requirement is more for direct viewing (presumably by SQL query).
From Compliance view, C is better because DDM can't help us comply 100% with HIPAA, in a few cases, we must need to use Always Encrypted option to ensure that our sensitive data is encrypted to priv users.
To secure the MedicalHistory data in the ClaimsDetail table and meet the Contoso developer requirements, you should recommend implementing Dynamic Data Masking (DDM).
Dynamic Data Masking (DDM) allows you to limit sensitive data exposure by masking parts of the data from specific users or roles. In this case, you can configure DDM to mask the MedicalHistory column for Contoso developers, ensuring they cannot view the sensitive data.
So, the correct recommendation is Option E: Dynamic Data Masking (DDM).
C looks correct, think it's focused on the privilege level here.
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16
"This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users. As a result, Always Encrypted enables customers to confidently store their sensitive data in the cloud, and to reduce the likelihood of data theft by malicious insiders."
C is the answer.
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users. As a result, Always Encrypted enables customers to confidently store their sensitive data in the cloud, and to reduce the likelihood of data theft by malicious insiders.
Please look at the comments made by D3D1997 as below.
"i got it today in the exam. The wording is different:
"he Contoso developers must be prevented from viewing the data in a column named MedicalHistory ONLY". And there is no reference to the db_owner role in the case study tabs I had, so be careful, because in that case Dynamic Data Masking would be a better option"
In the exam, I would specifically look for this sentence: "The ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database." If I find it in the case study, I would choose C, and if not, I would go with E
If you want it hidden from administrators... Always Encrypted is where you need to focus.
Dynamic Data masking makes it simply at the presentation layer. Correct E
A-No, it's a column not a row
B- TDE encrypts the database files, not the db tables when queried
D- Do not play a role here
E- db_owner can bypass Dynamic Data Masking, and even lower privileged users could. MS itself says: "t's important to note that unprivileged users with ad-hoc query permissions can apply techniques to gain access to the actual data." in https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking
i got it today in the exam. The wording is different:
"he Contoso developers must be prevented from viewing the data in a column named MedicalHistory ONLY". And there is no reference to the db_owner role in the case study tabs I had, so be careful, because in that case Dynamic Data Masking would be a better option
I will go with dynamic data masking for this one ...Always encrypted works too but this is a very specific use case for developers and it is worth to honor a capability mapped to that
Answer : C
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users. As a result, Always Encrypted enables customers to confidently store their sensitive data in the cloud, and to reduce the likelihood of data theft by malicious insiders.
This section is not available anymore. Please use the main Exam Page.SC-100 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
PlumpyTumbler
Highly Voted 2 years, 1 month agoSuperMax
2 years, 1 month agodoregos
2 years, 1 month agomakkelijkzat
1 year, 5 months agoConanBarb
1 year, 1 month agoJacquesvz
1 year, 9 months agoGurulee
1 year, 6 months agoRamye
9 months, 2 weeks agoMithu94
5 months, 2 weeks agoMithu94
5 months, 2 weeks agoMallonoX_111
Highly Voted 2 years, 1 month agoMallonoX_111
1 year, 11 months agodc2k79
1 year, 10 months agopangchn
2 years, 1 month agoAKS2504
1 year, 10 months agoJakeCallham
2 years agoAWSPro24
Most Recent 3 months, 1 week agoD0yle
4 months agoKdosec
10 months, 2 weeks agoConanBarb
1 year, 1 month agoslobav
1 year, 1 month agosherifhamed
1 year, 1 month agoPrettyFlyWifi
1 year, 5 months agozellck
1 year, 5 months agoGurulee
1 year, 7 months agomakkelijkzat
1 year, 5 months agoAzureJobsTillRetire
1 year, 8 months agoAzureJobsTillRetire
1 year, 8 months agoAzureJobsTillRetire
1 year, 7 months agoAzureJobsTillRetire
1 year, 7 months agoSofiaLorean
1 year, 8 months agoMo22
1 year, 8 months agoD3D1997
1 year, 8 months agoD3D1997
1 year, 8 months agoGod2029
1 year, 8 months agoTJ001
1 year, 10 months agoTJ001
1 year, 10 months agoAKS2504
1 year, 10 months ago