Confidentiality in Information Security
Confidentiality is the first pillar of the CIA Triad. It ensures that only authorized users, entities, or processes are granted access to sensitive information and resources.
1. Goal of Confidentiality
The primary goal is to prevent unauthorized disclosure of information. This includes preventing exposure due to hacking, accidental leaks, eavesdropping, or physical loss.
- Examples:
  - Preventing the leakage of Personally Identifiable Information (PII) or proprietary customer databases.
  - Ensuring that communications transmitted over a network cannot be read by an unauthorized third party.
2. Key Technologies and Measures for Confidentiality
Confidentiality measures are generally categorized into data protection and access limitation.
① Data Protection: Encryption
Encryption is the most robust way to ensure confidentiality, because stolen data remains unusable to anyone who does not hold the decryption key.
- Data at Rest Encryption: Encrypting files stored on hard drives, databases, or cloud storage (e.g., using the AES algorithm).
- Data in Transit Encryption: Encrypting data as it travels over a network (e.g., HTTPS using the SSL/TLS protocol).
② Access Control
Access control validates the identity of the user (subject) accessing the information and limits their permissions.
- Authentication: The process of verifying who a user claims to be.
  - Examples: Passwords, Biometrics, OTP (One-Time Passwords).
- Authorization: The process of defining what an authenticated user is allowed to do.
  - Examples: RBAC (Role-Based Access Control), where only administrators are granted data deletion rights.
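
The authentication and authorization steps above, as an added Python example that is not part of the original page: a password check followed by a deny-by-default RBAC check in which only administrators may delete. The user store, role table, work factor, and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed policy for illustration: only "admin" holds the delete right.
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "analyst": {"read"},
}
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
USERS = {}  # hypothetical in-memory store: username -> (salt, hash, role)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username, password, role):
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    salt = os.urandom(16)  # per-user salt, so equal passwords hash differently
    USERS[username] = (salt, hash_password(password, salt), role)


def authenticate(username, password):
    """Authentication: return the user's role if the password verifies, else None."""
    record = USERS.get(username)
    salt, stored, role = record if record else (bytes(16), b"", None)
    # Hash even for unknown users so both failure paths do similar work.
    candidate = hash_password(password, salt)
    if record is not None and hmac.compare_digest(candidate, stored):
        return role
    return None


def authorize(role, action):
    """Authorization: deny by default; allow only actions listed for the role."""
    return action in ROLE_PERMISSIONS.get(role, set())


def access(username, password, action):
    role = authenticate(username, password)
    if role is None:
        return "denied: authentication failed"
    if not authorize(role, action):
        return "denied: not authorized"
    return "allowed"
```

Authentication runs first and authorization only sees a role that authentication returned, so an unknown role or unlisted action is refused rather than allowed by omission.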
③ Physical and Procedural Protection
- Physical Security: Controlling access to server rooms, using surveillance.
- Data Disposal: Ensuring that old or unused media are securely wiped or physically destroyed to prevent data recovery.