How can we improve Azure Cosmos DB?

Data masking feature in Azure Cosmos DB

Request you to please add a data masking feature to Azure Cosmos DB to protect sensitive data, like the Always Encrypted feature in SQL Server, which allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access).

Ref: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017

4 votes
Siva shared this idea

Hi Siva, thank you for your suggestion.

There are a couple of aspects to your ask which I will address separately.

We are planning on providing some additional capabilities to RBAC support in Cosmos DB that will separate Database Operators who can provision resources and rotate keys, versus an application which can access data but cannot provision resources or rotate keys. This is partially what you are asking for, so I want to bring this up.

With regards to data masking and encryption…

Today we support encryption of all data both in transit and at rest. This encryption is Microsoft-managed. At some point we will enable user-managed keys, but this is currently not on our roadmap.

However, users are fully able to implement client-side encryption and encrypt the data before it is sent by the client. This is fully possible today.

The ability to offer this as a feature of our client SDKs is not currently on our roadmap.

Thank you for your suggestion.
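
Added example (not part of the original reply and not Microsoft SDK code): one way an application could do the client-side encryption mentioned above, encrypting selected fields with AES-256-GCM from Node's built-in crypto module before the document is handed to any database client. The function names, the `_enc` envelope layout, the sample document and the in-memory demo key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: in production the key comes from a key store that database
// operators cannot read; a random 256-bit key is generated here for the demo.
const demoKey = crypto.randomBytes(32);

// AAD binds each ciphertext to its document id and field name (unambiguous encoding).
const aadFor = (id, name) => Buffer.from(JSON.stringify([id, name]));

// Encrypt the named top-level fields. Encrypted fields can no longer be
// filtered or indexed server-side, so id and partition key are left in clear.
function encryptFields(doc, fields, key) {
  const out = { ...doc };
  for (const name of fields) {
    if (!(name in doc)) continue;
    const iv = crypto.randomBytes(12); // fresh nonce for every field value
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(aadFor(doc.id, name));
    const ct = Buffer.concat([cipher.update(JSON.stringify(doc[name]), 'utf8'), cipher.final()]);
    out[name] = { _enc: 'A256GCM', iv: iv.toString('base64'),
                  tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
  }
  return out;
}

// Reverse of encryptFields; throws if the ciphertext, tag, id or field name was altered.
function decryptFields(doc, fields, key) {
  const out = { ...doc };
  for (const name of fields) {
    const f = doc[name];
    if (!f || f._enc !== 'A256GCM') continue;
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(f.iv, 'base64'));
    d.setAAD(aadFor(doc.id, name));
    d.setAuthTag(Buffer.from(f.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(f.ct, 'base64')), d.final()]);
    out[name] = JSON.parse(pt.toString('utf8'));
  }
  return out;
}

// Constructed sample document: `stored` is what would be sent to the database,
// `restored` is what the application sees after reading it back.
const sample = { id: 'cust-001', tenantId: 't1', ssn: '000-00-0000', email: 'a@example.com' };
const stored = encryptFields(sample, ['ssn', 'email'], demoKey);
const restored = decryptFields(stored, ['ssn', 'email'], demoKey);
console.log(stored, restored);
```
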

0 comments
