InfoSec Notes
Deep dive into the confidentiality principle of the CIA Triad, exploring encryption methods, access controls, data classification, and practical implementations to protect sensitive information from unauthorized disclosure.
Understanding Confidentiality
Confidentiality is the principle that ensures information is accessible only to those authorized to view it. It is the first pillar of the CIA Triad and addresses the fundamental question: "Who should be able to see this data?"
A breach of confidentiality occurs whenever sensitive data is disclosed to unauthorized parties — whether through hacking, social engineering, accidental exposure, or insider threats.
Why Confidentiality Matters
Organizations handle various types of sensitive data that require confidentiality protections:
| Data Type | Examples | Regulatory Requirement |
|---|---|---|
| Personal Identifiable Information (PII) | Names, SSNs, addresses | GDPR, CCPA |
| Protected Health Information (PHI) | Medical records, diagnoses | HIPAA |
| Financial Data | Credit card numbers, bank accounts | PCI-DSS |
| Intellectual Property | Trade secrets, source code | Trade secret law |
| Classified Government Data | Military plans, intelligence | Executive orders |
Mechanisms for Ensuring Confidentiality
1. Encryption
Encryption is the primary technical control for confidentiality. It transforms readable data (plaintext) into an unreadable format (ciphertext) using mathematical algorithms.
Types of encryption for confidentiality:
| | Data at Rest | | |
| | Data in Transit | | |
| | Data in Use | | |
Python example — encrypting sensitive data:
2. Access Control
Access control mechanisms determine who can access specific resources:
Access Control Hierarchy
========================
Identity → Authentication → Authorization → Access
| | | |
v v v v
"Who are "Prove it" "What can "Granted/
you?" you do?" Denied"
Methods
- RBAC: Role-Based Access Control
- ABAC: Attribute-Based Access Control
- MAC: Mandatory Access Control
- DAC: Discretionary Access Control
3. Data Classification
Organizations classify data to apply appropriate confidentiality controls:
| Classification | Description | Controls |
|---|---|---|
| Public | No confidentiality requirement | Basic access logging |
| Internal | Business use only | Authentication required |
| Confidential | Limited audience | Encryption + Need-to-know |
| Restricted | Highest sensitivity | Strong encryption + MFA + DLP |
4. Data Loss Prevention (DLP)
DLP systems monitor and prevent unauthorized data transfers:
Real-World Confidentiality Breaches
Case Study: Capital One Breach (2019)
What happened: A former AWS employee exploited a misconfigured Web Application Firewall to access Capital One's cloud storage, exposing data of 106 million customers.
Confidentiality failures:
- Server-Side Request Forgery (SSRF) vulnerability
- Overly permissive IAM role on WAF
- Sensitive data not encrypted with customer-managed keys
- Lack of monitoring for unusual data access patterns
Lessons learned:
- Apply least-privilege IAM policies
- Encrypt data with customer-managed keys (not just AWS-managed)
- Monitor for SSRF and metadata service access
- Implement proper network segmentation
Confidentiality in Network Communications
Confidentiality vs Privacy
| Aspect | Confidentiality | Privacy |
|---|---|---|
| Focus | Protecting data from unauthorized access | Individual's right to control their data |
| Who decides | Data owner/custodian | Data subject (individual) |
| Scope | All sensitive data | Personal data only |
| Regulation | Security standards | Privacy laws (GDPR, CCPA) |
| Measure | Access controls, encryption | Consent, data minimization |
Interview Questions
- What is the difference between confidentiality and privacy?
- Confidentiality is about protecting data from unauthorized access (a security objective), while privacy is about individuals' rights to control how their personal information is collected, used, and shared (a rights-based concept).
- How would you ensure confidentiality of data in a multi-tenant cloud environment?
- Use customer-managed encryption keys, implement strict IAM policies, network isolation through VPCs, data classification, DLP systems, and ensure proper tenant separation at the infrastructure level.
- Name three technical controls and three administrative controls for confidentiality.
- Technical: Encryption, access control lists, DLP systems. Administrative: Data classification policy, security awareness training, background checks for employees handling sensitive data.
- What is the relationship between data classification and confidentiality?
- Data classification determines the required level of confidentiality protection. Higher classification means stricter controls — more encryption, tighter access, more monitoring, and greater consequences for unauthorized disclosure.
- How does encryption at rest differ from encryption in transit in protecting confidentiality?
- Encryption at rest protects stored data from unauthorized access (stolen drives, database breaches). Encryption in transit protects data moving across networks from eavesdropping (man-in-the-middle attacks). Both are needed for comprehensive confidentiality.
Summary
Confidentiality is the foundation upon which trust is built in information systems. Without assurance that sensitive data remains protected from unauthorized eyes, organizations cannot function in the modern digital economy. Implementing confidentiality requires a layered approach combining encryption, access controls, data classification, monitoring, and employee awareness.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Confidentiality in Information Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, fundamentals, confidentiality, confidentiality in information security
Related Information Security Topics