Hard2bit

Confidentiality

What is confidentiality

Confidentiality is the security principle that ensures information is protected against unauthorised access and disclosure. It is one of the three pillars of the CIA Triad (Confidentiality, Integrity, Availability). In a business context, confidentiality means that sensitive data - trade secrets, customer information, financial data, intellectual property - is only accessible to people with explicit authorisation. Technically, it is implemented through encryption (data in transit and at rest), access control (authentication and authorisation), and network segmentation. A failure in confidentiality results in data theft, exposure of competitive secrets and compromised regulatory compliance.

Why it matters

For a CISO, confidentiality is as critical as business continuity. A confidentiality breach - especially of customer data or personal data - causes: (1) Legal impact (GDPR, data privacy laws, sector-specific regulations), (2) Reputational damage, (3) Loss of customer trust, (4) Competitive advantage for rivals. Unlike availability (which you can recover with backup), a confidentiality breach is permanent: the data is out. Modern regulations (NIS2 in Europe, DORA in finance, TISAX in defence) require continuous confidentiality assessments, encryption of data at rest and in transit, and access audits. Confidentiality is not a project, it is a permanent state of monitoring and control.

Key points

Confidentiality requires three layers: encryption (to make data unreadable without the key), access control (who can decrypt) and audit (recording who accessed what). A single weak layer compromises the entire strategy.

Encryption is necessary but not sufficient. If someone obtains the encrypted data and also holds the key, confidentiality is lost. Access control (RBAC, ABAC) determines who has the right to the key and the data.

Confidentiality applies to data in three states: at rest (stored), in transit (travelling across network) and in use (in memory while processing). Neglecting any one is sufficient for a breach.

The principle of least privilege is fundamental: each user/service accesses only the specific information needed for their role. Excess permissions are the cause of most internal breaches.

Example: confidentiality in a hospital

A hospital manages electronic health records (EHR) for thousands of patients. Initially:

  • Data is in an unencrypted database.
  • Doctors, nurses, admin staff and cleaners have the same password or similar permissions.
  • There is no audit of who accesses what.

A disgruntled employee copies data for 10,000 patients to a USB drive, which is lost. Six months later, fake identities are opened with that data. The hospital faces lawsuits, GDPR fines and patient loss. Afterwards:

  • AES-256 encryption at rest for all EHRs.
  • Strict RBAC: a doctor only sees assigned patients, a nurse cannot see confidential diagnoses, admin staff only see billing data.
  • Immutable audit: every EHR access is logged with who, when, from where and what they viewed.
  • Automatic alerts if someone accesses multiple patients in a short time (exfiltration pattern).
  • Automatic session timeout.

A new similar attempt would be detected immediately.
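The three "afterwards" controls (strict RBAC per role, a tamper-evident audit trail and an alert on the multi-patient access pattern) as an added example that is not part of the original page: the roles, patient assignments and audit entries are constructed, and the hash-chained in-memory list stands in for a real append-only audit store.

```python
import hashlib
import json
from collections import defaultdict, deque

# Hypothetical EHR role policy (constructed): sections each role may read;
# doctors and nurses are further limited to their assigned patients.
POLICY = {"doctor": {"demographics", "diagnoses", "billing"},
          "nurse": {"demographics"},   # confidential diagnoses stay hidden
          "admin": {"billing"}}
ASSIGNED = {"dr_lee": {"P001", "P002"}, "nurse_kim": {"P001"}}  # constructed
AUDIT = []  # stand-in for an append-only store; entries are hash-chained

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def log_access(user, patient, section, allowed, ts):
    """Append an entry whose hash covers the previous hash, so edits or deletions break the chain."""
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    entry = {"user": user, "patient": patient, "section": section,
             "allowed": allowed, "ts": ts, "prev": prev}
    entry["hash"] = _digest(entry)
    AUDIT.append(entry)

def read_ehr(user, role, patient, section, ts):
    """RBAC decision: section allowed for the role, and clinical roles only reach assigned patients."""
    ok = section in POLICY.get(role, set())
    if role in ("doctor", "nurse"):
        ok = ok and patient in ASSIGNED.get(user, set())
    log_access(user, patient, section, ok, ts)  # denials are logged too
    return ok

def audit_chain_intact():
    """Recompute every hash; any modified or removed entry returns False."""
    prev = "0" * 64
    for e in AUDIT:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def exfiltration_alerts(entries, max_patients=3, window=300):
    """Flag users touching more than max_patients distinct patients within window seconds."""
    alerts, recent = set(), defaultdict(deque)
    for e in sorted(entries, key=lambda x: x["ts"]):
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        while e["ts"] - q[0][0] > window: q.popleft()  # drop events outside the window
        if len({p for _, p in q}) > max_patients:
            alerts.add(e["user"])
    return alerts
```

Denied attempts count towards the alert as well, since an employee probing many records they are not assigned to is part of the same pattern.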

Common mistakes

  • Confusing encryption with confidentiality. Encrypted data without access control over who has the key is not confidential. The key is as critical as the data.
  • Implementing overly broad permissions for 'operational convenience'. Saying 'the marketing department accesses everything' creates dozens of leak opportunities. Least privilege, always.
  • Neglecting supplier, contractor or former-employee access. After someone is dismissed, their access is not immediately revoked; suppliers reach production systems without any audit. This causes 40% of internal breaches.
  • Not regularly auditing confidentiality. Without immutable logs of who accessed what data, it is impossible to investigate a breach or detect anomalous access patterns.

Frequently asked questions

What is the difference between confidentiality, integrity and availability?

Confidentiality = only authorised parties can see the data. Integrity = data cannot be modified by unauthorised parties. Availability = data and services are accessible when needed. A breach in any one is critical, and each requires a distinct strategy.

Is encryption sufficient to guarantee confidentiality?

No. Encryption makes data unreadable without the key, but if someone authorised shares the key or access is too broad, confidentiality is lost. Encryption + access control + audit are necessary.

How often should I audit access to sensitive data?

Ideally continuously. Minimum monthly for critical systems. Detecting an anomalous access in 24 hours is much better than detecting it in 30 days. SIEM and automatic alerts on suspicious access patterns are essential.

What does least privilege mean for confidentiality?

Each user accesses only data specific to their role. An accountant sees transactions, not customer data. A developer sees code, not production configurations. Excess permissions cause 70% of internal breaches.