Confidentiality prevents the unauthorized disclosure of data. In other words, authorized personnel can access the data, but unauthorized personnel cannot access the data. You can ensure confidentiality using several different methods discussed in the following sections.
Encryption scrambles data to make it unreadable by unauthorized personnel. Authorized personnel can decrypt the data to access it, but encryption techniques make it extremely difficult for unauthorized personnel to access encrypted data.
As an example, imagine you need to transmit Personally Identifiable Information (PII), such as medical information or credit card data, via email. You wouldn’t want any unauthorized personnel to access this data, but once you click Send, you’re no longer in control of the data. However, if you encrypt the email before you send it, you protect the confidentiality of the data.
Identification, authentication, and authorization combined provide access controls and help ensure that only authorized personnel can access data. Imagine that you want to grant Maggie access to some data, but you don’t want Homer to be able to access the same data. You use access controls to grant and restrict access. The following bullets introduce key elements of access controls:
- Identification. Users claim an identity with a unique username. For example, both Maggie and Homer have separate user accounts identified with unique usernames. When Maggie uses her account, she is claiming the identity of her account.
- Authentication. Users prove their identity with authentication, such as with a password. For example, Maggie knows her password, but no one else should know it. When she logs on to her account with her username and password, she is claiming the identity of her account and proving her identity with the password.
- Authorization. Next, you can grant or restrict access to resources using an authorization method, such as For example, you can grant Maggie’s account full access to some files and folders. Similarly, you can ensure that Homer doesn’t have any permissions to access the data.
Steganography and Obfuscation
A third method you can use for confidentiality is steganography. Steganography is the practice of hiding data within data. It obscures the data and can be used to support obfuscation.
Obfuscation methods attempt to make something unclear or difficult to understand. Within the context of information technology (IT) security, it’s called security by obscurity or security through obscurity. It’s worth noting that most security experts reject security through obscurity as a reliable method of maintaining security.
Many people refer to steganography as hiding data in plain sight. For example, you can embed a hidden message in an image by modifying certain bits within the file. If other people look at the file, they won’t notice anything. However, if other people know what to look for, they will be able to retrieve the message.
As a simpler example, you can add a text file to an image file without the use of any special tools other than WinRAR and the Windows command line.
See also Encryption.