Confidentiality

Confidentiality is a part of the information security triad of "Confidentiality, Integrity and Availability." Information possesses confidentiality when it is accessible only to those who are authorized to access it. Conversely, information lacks confidentiality to the extent that it is available or disclosed to unauthorized persons or processes. Confidentiality is imposed by setting rules to define who has access to certain types of information and who does not. These rules are called "access control" policies.

For example, in an organization, a manager typically may have a sufficiently high level of rights to access certain confidential data, while other employees of the same organization may not have access. An individual trying to access such information without appropriate authorization is subject to the consequences of breaching the security policies of that organization.

Data can be made confidential and secure by encrypting it, so that only authorized users are able to decrypt it. For example, one way of ensuring confidentiality of the information stored on a PC is to set a password so that only the PC's owner can access a user account. Similarly, but at a finer-grained level, confidentiality can be ensured at the file level by setting a password for an individual file.

Confidentiality is at risk while data are in transit. Eavesdropper may sniff the data and retrieve sensitive information. Disclosure of sensitive data can result in loss or damage, such as identity theft, lawsuits, loss of business or regulatory fines. Therefore, data should be protected while in transit. This can be done by ensuring that the communication is made over a secure channel.