Information Security Concepts: Confidentiality

To understand Confidentiality, we must understand the concept of privacy. Further, we must have an understanding of what information should be protected, and how to define "authorized" and intended access. At the core, Confidentiality comprises the idea that specific information should not be accessible by those that are not supposed to see it.

All sorts of business and personal information is created, stored, and exchanged. Information could be details of everyday business operations, sales information, marketing, bills and invoices, or many other things. For most of these types of information, there is not an overreaching expectation of extreme privacy or secrecy. It might not be ideal if how much a business spends on electricity became public knowledge, but in reality that bit of information isn't a mission critical secret. Conversely, for any business performing high-volume transactions with customer credit card information as payment, the customers card information is extremely important to protect.

So, how do we decide what information should be confidential? We need to consider several factors. First, what's the relative value of the information? What is the risk if it is exposed? Have you or your business been entrusted with the information, with the understanding that it won't be shared with any other party?

We might categorize information in the following way: Completely Private ("Eyes Only"), Private / High Value, Internal, Preferred, and Public.

Public information is easy to understand. You almost certainly want customers to know that you're going to be selling the XYZ widget for $99 starting next Monday. Preferred information might involve a business partner knowing your Research and Development budget for next year--not something you want everyone to know, but some people should know it. You may not want your competition to know that you've signed a contract that will allow you to outsource production of those XYZ widgets for a 25% reduction in cost. That information might be Internal, or High Value depending upon your business or market. Completely Private information would include things like trade secrets, user passwords, and the like.

You say: "Clemmer, the theory makes sense, but how do we make it work in practice?" How do we protect information that we know should be kept confidential? In Information Technology we use the following elements: Authentication, Authorization, and Access Control.

Authentication should come first: Is the person or agent who they claim to be? In the physical world we might check a picture ID, or have them present a card and enter a PIN. Comupter systems at minimum should ask for a user ID and password.

Authorization comes next: What is this agent's role? Are they a member of a group or department that has access to the information in question? Roles can be things like Accounting, Engineering, Customer, Business Manager, and so forth.

Access Control involves what the agent can or can't do, based on their role. Can they (and should they be able to) read, write, change, add, or delete information?

As we can see, there are implications and concerns with Confidentiality that reach every aspect of modern business. Knowing what information you have, what its value is, and what the risks are if it is not kept confidential are the key concepts. These apply whether the information is electronic, printed, or even verbally exchanged. Employee and customer education, along with clarity in communications are key. Something as simple as a "Company Confidential" stamp on a printed document can make a big difference.

Next we will examine the concept of information Integrity, focusing on what that really means in modern business and why it is important.