Data Column Masking and Dynamic Data Masking

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

Column masking and dynamic data masking let data systems expose useful query results while hiding sensitive values from unauthorized identities.

## Core Explanation

Data agents need to know not only which table can be queried, but which columns are masked or restricted for the active identity. A query result can look incomplete because a masking policy worked correctly.

The same policy must be considered downstream. If masked or policy-tagged data is copied into a semantic layer, BI extract, or RAG index, the agent should verify that the derived artifact retains the same access intent.

## Source-Mapped Facts

- Snowflake documentation describes masking policies as schema-level objects used to protect sensitive data in columns. ([source](https://docs.snowflake.com/en/user-guide/security-column-intro))
- BigQuery documentation describes column-level access control as using policy tags to restrict access to columns. ([source](https://docs.cloud.google.com/bigquery/docs/column-level-security-intro))
- SQL Server documentation describes dynamic data masking as limiting sensitive data exposure by masking it to nonprivileged users. ([source](https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver17))

## Further Reading

- [Snowflake Column-Level Security](https://docs.snowflake.com/en/user-guide/security-column-intro)
- [BigQuery Column-Level Security](https://docs.cloud.google.com/bigquery/docs/column-level-security-intro)
- [SQL Server Dynamic Data Masking](https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver17)