What is Confidentiality in Information Systems?
Confidentiality is one of the three core principles of the CIA triad in information security. The other two principles are integrity and availability. Confidentiality focuses on keeping information secret and protected from people who are not allowed to see it.
It means protecting sensitive data from unauthorized access, disclosure, or exposure. Sensitive data can include personal information, passwords, financial records, medical reports, and business secrets. If confidentiality is not maintained, this information can be stolen, misused, or leaked.
The main goal of confidentiality is to ensure that only authorized individuals, systems, or processes can access or view the protected information. For example, a student’s academic record should only be accessible to the student and authorized university staff, not to the public.
There are several methods used to maintain confidentiality.
- Encryption is one of the most important techniques, where data is converted into a secret code so that unauthorized users cannot understand it.
- Authentication methods, such as passwords, PINs, or biometric verification (like fingerprint or face recognition), are used to verify the identity of users.
- Access control mechanisms also help by giving different levels of permission to different users.
Confidentiality can be threatened by various risks such as hacking, phishing attacks, malware, insider misuse, or accidental data leaks. For example, if someone shares their password or clicks on a fake email link, confidential data may be exposed.
In real life, confidentiality is very important in many areas. In healthcare, patient records must be kept private. In banking, customer account information must be secure. In education, exam papers and student data must be protected.
How do we ensure confidentiality?
| Technique | How it Helps |
| --- | --- |
| Access controls | Ensure only authorized users can access data (e.g., passwords, biometrics, role-based access) |
| Encryption | Converts data into unreadable form for unauthorized users; ensures data privacy during storage (at rest) and transmission (in transit) |
| Multi-factor authentication (MFA) | Adds additional layers (e.g., password + OTP) before granting access |
| Data masking & anonymization | Hides or removes sensitive data elements during processing or sharing |
| Network security controls | Firewalls, VPNs, and secure protocols (e.g., HTTPS) protect data in motion |
| Physical security | Prevent unauthorized physical access to servers, devices, documents |
Threats to Confidentiality
Confidentiality can be broken in many ways. Some common threats are explained below:
- Hacking / Unauthorized System Access: Hacking happens when someone gains access to a system without permission. Attackers may guess passwords, exploit software weaknesses, or use malicious tools to enter systems. Once inside, they can view, copy, or steal sensitive data such as personal or financial information.
- Eavesdropping (Intercepting Data in Transit): Eavesdropping means secretly listening to or capturing data while it is being transmitted over a network. For example, if data is sent without encryption, an attacker on the same network can intercept and read it. This is common in insecure Wi-Fi networks.
- Insider Threats (Employees Misusing Access): Sometimes the threat comes from inside the organization. Employees or staff who already have access to systems may misuse their privileges. They may intentionally leak data or accidentally expose it due to negligence. Since they are trusted users, this type of threat is often harder to detect.
- Social Engineering (e.g., Phishing): Social engineering tricks people into revealing confidential information. A common example is phishing, where attackers send fake emails or messages that look real. Users may click links or provide passwords, allowing attackers to access secure systems.
- Improper Data Disposal (e.g., Discarded Hard Drives): When old devices or documents are thrown away without proper destruction, sensitive data can still be recovered. For example, discarded hard drives, USB drives, or printed documents may contain confidential information that attackers can retrieve.
These threats show that confidentiality is not only about technology but also about human behavior and proper management. Strong security measures, user awareness, and proper data handling practices are essential to protect information.
Example
Consider services like bKash or online banking systems. A user receives a fake SMS or call pretending to be from customer care. The attacker asks for OTP or PIN. If the user shares this information, the attacker can access the account and transfer money.
Best Practices for Protecting Confidentiality
Protecting confidentiality requires both technical controls and human awareness. The following best practices help keep sensitive data secure:
- Enforce Least Privilege Access: Users should only have access to the data and systems they need for their work. For example, a student should only see their own results, not other students’ data. An office clerk should not access financial or HR records unless required. Even if an account is misused, the damage will be limited.
- Regularly Update Software and Patch Vulnerabilities: Software developers often release updates to fix security weaknesses. These updates must be installed on time. For example, operating systems, antivirus software, and web servers should always be kept up to date. This prevents attackers from exploiting known security holes.
- Train Staff on Privacy and Phishing Awareness: Human error is one of the biggest causes of data breaches. Employees and users must be trained to recognize threats. For example, they should not click suspicious email links, should not share passwords or OTPs, and should always verify unknown calls or messages. This reduces the risk from social engineering attacks such as phishing.
- Encrypt Sensitive Files and Communications: Encryption converts data into a secret format so unauthorized users cannot understand it. For example, use HTTPS websites for secure communication, encrypt files before sending them via email, and use secure messaging apps. Even if data is intercepted, it cannot be read without the decryption key.
- Monitor and Audit Access to Sensitive Data: Organizations should keep records of who accesses data and when. Regular checks should be performed. This helps detect suspicious activity early so that action can be taken quickly. Examples include tracking login attempts, monitoring unusual access patterns, and reviewing system logs regularly.
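The least-privilege rule (a student sees only their own results, authorized staff see all) and the audit practice above can be combined in one small check. The following is an added illustration, not code from the original article; the student IDs, the "registrar" role and the three-denial threshold are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: academic results keyed by student ID.
RESULTS = {"s101": "A", "s102": "B+", "s103": "C"}


@dataclass
class User:
    user_id: str
    role: str  # "student" or "registrar" (assumed roles for this example)


@dataclass
class AccessLog:
    # Each entry records who tried to read which record and whether it was allowed.
    entries: list = field(default_factory=list)

    def record(self, user_id: str, target: str, allowed: bool) -> None:
        self.entries.append((user_id, target, allowed))


def can_view_result(user: User, student_id: str) -> bool:
    """Least privilege: a student may view only their own record; a registrar may view any."""
    if user.role == "registrar":
        return True
    return user.role == "student" and user.user_id == student_id


def view_result(user: User, student_id: str, log: AccessLog):
    """Enforce the access rule and write an audit entry for every attempt, allowed or denied."""
    allowed = can_view_result(user, student_id)
    log.record(user.user_id, student_id, allowed)
    return RESULTS.get(student_id) if allowed else None


def suspicious_users(log: AccessLog, threshold: int = 3) -> list:
    """Audit review: users with `threshold` or more denied attempts are flagged for follow-up."""
    denied = Counter(uid for uid, _, ok in log.entries if not ok)
    return sorted(uid for uid, n in denied.items() if n >= threshold)


def demo():
    log = AccessLog()
    alice = User("s101", "student")
    staff = User("r001", "registrar")
    results = [view_result(alice, "s101", log), view_result(staff, "s103", log)]
    for sid in ("s102", "s103", "s104"):  # constructed: a student probing other records
        view_result(alice, sid, log)
    return results, suspicious_users(log)
```

Running `demo()` returns the two permitted reads and flags `s101`, whose three denied attempts would never surface without the audit log.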