Confidentiality, in InfoSec, is the protection of information from unauthorized people and processes. It is one of the three pillars of the CIA triad, along with integrity and availability. Ensuring confidentiality means taking adequate measures to protect the secrecy of data objects or resources. Note that this does not mean taking every possible measure to ensure secrecy, but enough of them: there are always cost and other considerations to factor into any approach. Adequate measures are those that strike the right balance for your system between the need for confidentiality, the competing needs for availability and integrity, and the overall need for affordability.
Sensitivity, Criticality, and Classification
To help determine what controls are adequate to protect a system, data is often classified according to its type. Two concepts drive that classification: sensitivity and criticality. Both relate directly to confidentiality. Sensitivity refers to the amount of harm that unauthorized disclosure of the data would cause. Criticality refers to how important, or mission critical, the information is to the function of the organization. Data criticality affects not only the confidentiality controls you implement but also the availability your system must provide to be successful. The U.S. Government has three primary classification levels that indicate sensitivity: Top Secret, Secret, and Confidential. While the government is very concerned about the confidentiality of Top Secret information, in many cases it may be less concerned about how readily available that information is; such systems may be designed with much expense directed at confidentiality and integrity, but relatively less at availability. In healthcare, by contrast, a person's medical diagnosis or treatment must be held confidential at all times, yet it also needs to be readily available to clinicians treating patients in real time. In private industry, simple classification levels such as high, medium, and low are common. Data sensitivity, criticality, and the resulting classification determine the measures you undertake, and the expense you budget, to protect confidentiality.
Authorization, Authentication, and Access
Protecting data confidentiality means both making it readily available to authorized people and keeping it unavailable to unauthorized people. Certain confidential information is needed by your physician to treat you successfully, but you don't want a stranger, or even a neighbor, to know it. Before someone can be authorized, however, they must first be authenticated. Authentication is determining whether a person is who they claim to be. Authorization is determining whether they should have access to particular data in a particular situation. Granting access once someone is authenticated and authorized also has to consider the context and nature of the access. For example, there are situations in which you might let a passing acquaintance you recognize into your home. But if they stop by in the middle of the night, climb the fence into the backyard, and try to pry open a window, you probably don't want to grant them access! In the same way, you may make certain systems, applications, and data unavailable to certain people except during normal working hours and from an approved facility.
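The three decisions above, kept as three separate steps, as an added example that is not part of the original article. It authenticates a user against a salted password hash, checks the user's role against a per-resource policy, and then applies the two context rules the paragraph mentions (normal working hours, an approved facility). The user store, the role policy, the `10.20.0.0/16` clinic network range and the 07:00 to 19:00 working hours are all constructed for illustration.

```python
# Added example (not from the original article): authentication, then
# authorization, then a context check, kept as three separate steps.
# The user store, clinic network range and working hours below are
# constructed for illustration.
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, time

PBKDF2_ITERATIONS = 200_000


def _hash_password(password, salt):
    """Derive a fixed-length digest from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password, roles):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


# Constructed user store: a clinician and a billing clerk.
USERS = {
    "dr_lee": _make_user("correct horse battery staple", ["clinician"]),
    "j_doe": _make_user("hunter2", ["billing"]),
}

# Which roles may read which resource (hypothetical policy).
POLICY = {
    "medical_record": {"clinician"},
    "invoice": {"billing", "clinician"},
}

# Context constraints: an approved facility's network and normal working hours.
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
WORKING_HOURS = (time(7, 0), time(19, 0))

# Used when the username is unknown, so the check costs the same time
# whether or not the account exists (no username enumeration by timing).
_DUMMY_SALT = secrets.token_bytes(16)


def authenticate(username, password):
    """Step 1: is the caller who they claim to be? Returns True or False."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(username, resource, source_ip, when):
    """Steps 2 and 3: does the identity's role permit the resource, and is the
    request coming from an approved place at an approved time?
    Returns (allowed, reason)."""
    roles = USERS[username]["roles"]
    if not roles & POLICY.get(resource, set()):
        return False, "role not permitted for resource"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in APPROVED_NETWORKS):
        return False, "not from an approved facility"
    if not WORKING_HOURS[0] <= when.time() < WORKING_HOURS[1]:
        return False, "outside working hours"
    return True, "allowed"


def access(username, password, resource, source_ip, when_iso):
    """Full decision: authenticate first, then authorize with context.
    `when_iso` is an ISO 8601 timestamp such as "2024-03-04T10:00:00"."""
    if not authenticate(username, password):
        # Same answer for a bad password and an unknown user.
        return False, "authentication failed"
    return authorize(username, resource, source_ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(access("dr_lee", pw, "medical_record", "10.20.5.7", "2024-03-04T10:00:00"))
    print(access("dr_lee", pw, "medical_record", "10.20.5.7", "2024-03-04T02:30:00"))
    print(access("j_doe", "hunter2", "medical_record", "10.20.5.7", "2024-03-04T10:00:00"))
```

The order matters: an unauthenticated caller never reaches the policy or context checks, and a failed login returns the same reason whether the account exists or not. One caveat that follows from the healthcare discussion earlier on the page: a hard "outside working hours" deny is appropriate for, say, billing, but a clinical system that must be available in real time would need a logged emergency-access path rather than a flat refusal.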
Two goals, not one
There are two goals to aim for in protecting the confidentiality of data, not merely one. The first most people know: prevent unauthorized access. The second is a little less obvious but no less important: minimize the impact of unauthorized access when it happens. There are so many instances of hacks, ransomware attacks, disgruntled employees, and even honest mistakes that a confidentiality strategy whose only goal is prevention is naive and inadequate. You must consider the case where, despite all your efforts, an unauthorized person gains access to confidential data. If that happens, what is your strategy to minimize the amount of data at risk? Your plans need to address both goals.
Prevent and minimize with layers
When securing a house, it’s easy to understand the concept of layers of security. Most thieves will be discouraged from attempting to rob a house that has multiple, layered security controls:
- an intimidating dog or two roaming the yard,
- a full perimeter fence with a controlled-access gate,
- deadbolt door locks on exterior doors, and
- outside lights which either stay on, or turn on when motion is detected.
The more controls you implement that are apparent to the thief, the more likely he is to consider other, less secure houses instead of yours. It is more trouble, and takes more time, to overcome numerous layers to gain entry.
Now think about minimizing the harm a thief might cause if he gains entry. How can you use the same concept of layers to minimize the risk to your family, and your valuables, should a thief gain access to your house? You might consider the following:
- an alarm system which runs on battery power and sounds its siren loudly when someone breaks in,
- deadbolt door locks to interior sections of the house to further protect family and valuables, and
- a hidden safe for storing valuables.
The more layers you can afford to add to your home security system that address both prevention and minimization, the more likely you are not only to prevent a robbery, but also to minimize damage, harm, or loss should one occur.
When securing confidential data in an information system, the concepts and goals of layered security are similar to those of home security. Most information systems employ a firewall to establish a secure exterior boundary that prevents intrusion from the internet into the network. It is now recommended practice to segment your internal network where possible and affordable, by installing interior firewall devices between subsystems, perhaps of a different vendor or model than the exterior one. This layering shields each area of your network from an intruder who has already gained access to another area, limiting lateral movement. If the intruder got in because of a vulnerability in a particular vendor's device, the next device, being a different make or model, is unlikely to share that vulnerability and helps limit the extent of the damage.
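What an interior segmentation firewall looks like in practice, as an added example in nftables syntax that is not from the original article. It assumes a hypothetical gateway sitting between three segments, a public-facing web tier, an application tier and a database tier, with the addresses and port numbers below made up for illustration. The commented-out chain is the weak setting: a forward policy of `accept` lets a compromised web server talk straight to the database. The ruleset that follows replaces it with a default-deny policy and two explicit, stateful allows.

```nftables
# Added example (not from the original article): an interior segmentation
# firewall. Segment addresses, ports and the log prefix are hypothetical.
define DMZ = 10.0.1.0/24    # public-facing web tier
define APP = 10.0.2.0/24    # application tier
define DB  = 10.0.3.0/24    # database tier

# Weak setting: every flow between segments is forwarded, so a foothold
# on a web server reaches the database directly.
# table inet segment {
#     chain forward { type filter hook forward priority 0; policy accept; }
# }

# Corrected setting: nothing crosses a segment boundary unless a rule
# below says so.
table inet segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were permitted below.
        ct state established,related accept
        ct state invalid drop

        # Web tier may only open connections to the app tier's API port.
        ip saddr $DMZ ip daddr $APP tcp dport 8443 ct state new accept

        # App tier may only open connections to the database service.
        ip saddr $APP ip daddr $DB tcp dport 5432 ct state new accept

        # No rule permits DMZ -> DB, DB -> anything, or APP -> DMZ, so those
        # flows fall through. Log and count them: a web host probing the
        # database tier is exactly the lateral movement worth detecting.
        log prefix "segment-drop " counter drop
    }
}
```

Two points a practitioner would check before deploying this: the allows are `ct state new` so only the lower-trust side can initiate a connection, and the final `log ... drop` is what turns a blocked probe into a detectable event, which serves the "minimize" goal of the previous section as much as the "prevent" one.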
Three states of data
To keep data confidential, a plan needs to account for data while it is
- in storage,
- in use, and
- in transit.
The plan needs to implement adequate controls for preventing unauthorized access, use, and disclosure for each state. Further, it should enumerate controls across three domains.
- Physical controls – buildings, fences, locks, locked cages, physically disabled or removed ports on machines, etc.
- Technical controls – operating system authentication and authorization software, firewalls, intrusion detection systems, intrusion prevention systems, virus detection software, etc.
- Administrative controls – policies and procedures you implement across the organization. For instance, keeping a current inventory of data assets and software, ensuring backups are being successfully executed on a determined schedule and are periodically tested, etc.
These three domains are used explicitly in some data security control frameworks, including the HIPAA Security Rule (as amended by HITECH) governing protected health information, which groups its safeguards as administrative, physical, and technical. In other frameworks these domains are referenced implicitly. Keep each in mind to ensure the controls you implement are thorough and robust. The domains are interdependent: if you invest in one or two of them yet ignore the third, your efforts and expense in the other two are at high risk of being wasted by a simple exploit in the domain you ignored. There are a number of
Data Security Frameworks
You will want to adopt at least one data security framework as you evaluate the adequacy of your existing controls for data confidentiality. There are numerous standard security frameworks from which to choose. Here are five of the more popular ones:
- Payment Card Industry Data Security Standard (PCI DSS)
- ISO 27001 and ISO 27002 (See the entire ISO/IEC 27000 series for better context)
- CIS Critical Security Controls
- NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity)
- Control Objectives for Information and Related Technologies (COBIT)
These frameworks all separate controls into categories, and provide methodologies and parameters for a robust and thorough data security plan for your organization. The controls they provide are a roadmap to ensure you don't forget an area or concept that would leave your data too easily exploited. Investigate these or others and choose the framework(s) that make the most sense for your system and industry. Becoming intimately familiar with a framework gives you both a language and an organization to guide your analysis and discussion. This helps you find solutions, get good advice, and adopt best practices from colleagues and experts more rapidly. Most of these frameworks also provide ample opportunities for both training and certification.
Each framework control you implement can be considered another layer of defense for protecting the confidentiality of data. You must always balance the affordability of your approach with the number of controls and the feasibility of implementing and maintaining them. You must also recognize that as the pool of authorized individuals grows, and the more readily available you want confidential data to be, the more your security features, components, and considerations multiply. This increases both complexity and cost.