Confidentiality prevents the unauthorized disclosure of data. In other words, authorized personnel can access the data, but unauthorized personnel cannot access the data. You can ensure confidentiality using several different methods discussed in the following sections.
Encryption
Encryption scrambles data to make it unreadable by unauthorized personnel. Authorized personnel can decrypt the data to access it, but encryption techniques make it extremely difficult for unauthorized personnel to access encrypted data. Chapter 10 of CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide covers encryption in much more depth, including commonly used encryption algorithms like Advanced Encryption Standard (AES).
As an example, imagine you need to transmit Personally Identifiable Information (PII), such as medical information or credit card data, via email. You wouldn’t want any unauthorized personnel to access this data, but once you click Send, you’re no longer in control of the data. However, if you encrypt the data before you send it, you protect the confidentiality of the data.
Access Controls
Identification, authentication, and authorization combined provide access controls and help ensure that only authorized personnel can access data. Imagine that you want to grant Maggie access to some data, but you don’t want Homer to be able to access the same data. You use access controls to grant and restrict access. The following bullets introduce key elements of access controls:
- Identification. Users claim an identity with a unique username. For example, both Maggie and Homer have separate user accounts identified with unique usernames. When Maggie uses her account, she is claiming the identity of her account.
- Authentication. Users prove their identity with authentication, such as with a password. For example, Maggie knows her password, but no one else should know it. When she logs on to her account with her username and password, she is claiming the identity of her account and proving her identity with the password.
- Authorization. Next, you can grant or restrict access to resources using an authorization method, such as permissions. For example, you can grant Maggie’s account full control access to files and folders, and ensure that Homer doesn’t have any permissions to access the data. Chapter 2 of CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide digs into access control models a little deeper, including how they enforce authorization settings.
Steganography
A third method you can use for confidentiality is steganography. Chapter 10 of CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide covers steganography in more depth, but as an introduction, it is the practice of hiding data within data. Many people refer to it as hiding data in plain sight. For example, you can embed a hidden message in an image by modifying certain bits within the file. If other people look at the file, they won’t notice anything. However, if other people know what to look for, they will be able to retrieve the message.
As a simpler example, you can add a text file to an image file without the use of any special tools other than WinRAR and the Windows command line. If you’re interested in seeing how to do this, check out the Steganography Lab in the online exercises for this book at http://gcgapremium.com/labs/.
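Seen from the detection side, as an added example that is not from the book or its lab: the Python sketch below assumes the hidden file was appended after the end of a PNG image (an assumption, since the lab's exact steps are not shown here) and flags any bytes that follow the final IEND chunk. The function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Well-known archive magic numbers, checked at the start of the trailing bytes.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP"}


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    offset = len(PNG_SIGNATURE)
    while offset + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        end = offset + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        offset = end
        if ctype == b"IEND":
            return data[offset:]  # empty for a clean image
    raise ValueError("no IEND chunk found")


def classify_trailer(trailer: bytes) -> str:
    """Describe the bytes found after the end of the image."""
    if not trailer:
        return "clean"
    for magic, name in ARCHIVE_MAGIC.items():
        if trailer.startswith(magic):
            return f"appended {name} archive ({len(trailer)} bytes)"
    return f"unknown trailing data ({len(trailer)} bytes)"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a valid CRC (used only for the samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a minimal 1x1 grayscale PNG.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
# Constructed sample: the same image followed by a RAR signature and filler.
CARRIER_PNG = CLEAN_PNG + b"Rar!\x1a\x07\x00" + b"constructed payload"

if __name__ == "__main__":
    for label, blob in (("clean.png", CLEAN_PNG), ("carrier.png", CARRIER_PNG)):
        print(label, "->", classify_trailer(png_trailing_data(blob)))
```

An image viewer stops reading at IEND, which is why the carrier file still opens normally; a check like this reads past that point.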
Confidentiality ensures that data is only viewable by authorized users. The best way to protect the confidentiality of data is by encrypting it. This includes any type of data, such as PII, data in databases, and data on mobile devices. Access controls help protect confidentiality by restricting access. Steganography helps provide confidentiality by hiding data, such as hiding text files within an image file.
Security+ Confidentiality Practice Question and Answer
Homer needs to send an email to his HR department with an attachment that includes PII. He wants to maintain the confidentiality of this attachment. Which of the following choices is the BEST choice to meet his needs?
A. Hashing
B. Digital signature
C. Encryption
D. Certificate
Answer C is correct. Encryption is the best choice to provide confidentiality of any type of information, including Personally Identifiable Information (PII).
Hashing, digital signatures, and certificates all provide integrity, not confidentiality.