Best Solution for Securing Customer Data in Azure Synapse Analytics

Correct Answer: C.

Here there is a lot of critical data and personal information involved.

Dynamic data masking is the best solution for this.

Consider the case of credit card numbers; using DDM, we can actually hide the numbers in that particular column.

For example, if the credit card number is 1234 5678 then the displayed value will be like XXXX XX78

Similarly, we can use masking for other data in other columns where PII is present.The maintenance team with limited permissions will only see the covered data and thus, the data is safe from exploitation.

Option A incorrect: Transparent data encryption is a method used by Azure in its relational database services for encrypting data at rest.

This will not be the best solution here.

Option B is incorrect: Azure defender is mainly used to mitigate potential DB vulnerabilities and detect anomalous activities.

Option C is correct: DDM can hide the data columns as required.

Option D is incorrect: Assigning Azure security manager role will grant them access to security features configuration, including the ability to enable or disable DDM.

This is exactly the opposite of what is required here.

To know more about DDM, please refer to the doc below:

The online payment gateway provider needs to ensure that all the sensitive data, including credit card details and PIIs, are securely kept, and that the maintenance team doesn't have access to the customer's info. As the product is backed by a dedicated SQL pool in Azure Synapse Analytics, the following options can be considered:

A. Implement Transparent data encryption: Transparent data encryption (TDE) is a feature that encrypts data at rest and decrypts it when it's read by an authorized user. TDE ensures that data remains encrypted even when it's backed up or moved to another location. TDE is a good option to secure data, but it doesn't prevent authorized users from viewing sensitive data. The maintenance team members who have authorized access to the database can still view the customer's information.

B. Use Azure Defender for SQL: Azure Defender for SQL is a cloud security solution that provides advanced threat protection for SQL databases. It uses machine learning algorithms to identify potential threats and provides recommendations to prevent them. Azure Defender for SQL can detect potential SQL injection attacks, brute-force attacks, and other security threats. However, it does not address the issue of preventing authorized users from accessing sensitive data.

C. Use Dynamic data masking (DDM): Dynamic data masking (DDM) is a feature that hides sensitive data in the result sets of queries over designated database fields while the data in the database remains unchanged. With DDM, authorized users can see the masked data, but they can't see the original data. DDM is a good option to prevent unauthorized access to sensitive data, but it doesn't address the issue of preventing authorized users from accessing the data. The maintenance team members who have authorized access to the database can still view the customer's information.

D. Assign only SQL security manager role to maintenance team members: Assigning only the SQL security manager role to the maintenance team members can prevent them from viewing the customer's information. The SQL security manager role is a predefined role in SQL database that grants permissions to manage SQL security-related activities, such as creating logins, creating users, and assigning permissions. By assigning only the SQL security manager role, the maintenance team members won't be able to view the sensitive data as they don't have access to the customer's information.

In conclusion, option D, "Assign only SQL security manager role to maintenance team members," is the best solution for the online payment gateway provider to prevent the maintenance team from viewing the customer's info.