In today's lesson, I'll talk about confidentiality. By the end of the lesson, you will understand what confidentiality is, you'll be able to discuss how confidentiality is the most sought-after principle of the three in the CIA triad, and discuss, through examples, how confidentiality is applied in information security.

The first pillar of the CIA triad, confidentiality, has documents behind it, as do integrity and availability. So we look to other sources of information to help define how we use these terms. The largest document out there, and the best one that I can actually show you being used in the industry, is a US government special publication that outlines the security categorization of federal information systems: FIPS 199. It breaks down the categorization of types of information. It breaks down confidentiality, it breaks down integrity, and it breaks down availability, and it helps you really understand what each of these actually means. It is based on FISMA compliance, which is the Federal Information Security Modernization Act. That helps us really define how we should be protecting information, not only from a federal government perspective, but in any industry as well. They are good practices to follow.

So according to Title 44 of the US Code, confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. In layman's terms, this is keeping things that are meant to be secret, secret. Whatever is private needs to remain private. And for any of the objects or assets that could come under attack, it is going to protect us from that. So this includes unauthorized access to people, and unauthorized access to systems and processes as well. So confidentiality: how do we see people in a confidential sense?
Do you think there are things that maybe your supervisor knows that he doesn't want you to know? What about payroll systems, or banking systems? What about processes like how missile defense works in whatever country you're watching this from right now? It includes how we protect that information. Confidentiality looks at the entirety of those assets and says, I need to protect this information and it needs to remain confidential.

How does this really apply? Each time we talk about an IT service or a system and assess security, we must look at each of the three principles. So going back to FIPS 199, a loss of confidentiality is the unauthorized disclosure of information. So if we let out a secret, what happens? Can somebody use that against me? Or is it going to cause damage in some way?

Let's look at credit card information. To help illustrate this over the next few lessons, we're going to use some different examples. I'm going to use healthcare in some instances and credit card data in others, because we all have that in common. No matter what country you're from, you probably have a credit card, or you may have some kind of banking entity that you bank with. Or healthcare: you understand how the healthcare system works in your country, region or state. Okay? So, credit cards. Credit card companies go to great lengths to protect information. What happens if somebody steals your credit card information? You don't want to be liable for that, so you want whoever is working with that credit card information to protect that data. How do we ensure that that data is confidential? Should it be confidential? And the answer is yes, it should be confidential. That's why the PCI council, the Payment Card Industry council, which is a worldwide organization basically put together by many different credit card companies, looks at the entirety of how we are protecting credit card information.
And it says, here is how everybody from the banks to the merchants needs to protect credit card information. So they say credit card information is confidential, especially that 16-digit account number, okay?

What about healthcare information? Health information is another example of something that needs to be confidential, or needs to remain confidential. Do you want your personal information leaked? What happens if information about how you're being treated leaks out to your parents or your employer, for example? Could you be let go because of information that your healthcare provider has? It definitely has happened before. So we need to make sure that confidentiality remains intact. In the US, we have HIPAA laws, the Health Insurance Portability and Accountability Act. And that's with two As and not two Ps. HIPAA helps protect health information. It says, here are the guidelines to ensure that we are not going to leak your information.

So really, is confidentiality the best principle to follow? Out of the three principles, confidentiality, integrity and availability, this is the one people are most familiar with, and it's the most sought after. How do we communicate across the Internet? Generally, it's through encrypted channels, because we don't want somebody else spying on it. This is the basis of a lot of the way the Internet is run. What about banking information? Laws are based on it. How do we protect information, from healthcare information to credit card information? We have regulations surrounding the confidentiality of that data. Every time that you go to a doctor's office, you have to sign a HIPAA privacy statement, saying that you understand your rights as a patient. Also credit card information: the agreement that you have with the credit card company says that they have an obligation to protect your information, especially that 16-digit account number.
And as long as the credit card companies and the merchants are doing their job to protect that information, you are not going to be liable for the charges in case they leak the data.

So industry is also designed to keep information secret. What about intellectual property? What about financial information, or government secrets, or student information? The list goes on and on. But you can understand how keeping information secret is of utmost importance in any industry out there. There are so many lawsuits going on right now. One of the biggest lawsuits out there right now is between ZeniMax and Oculus, claiming intellectual property damage, where the founder of Oculus stole information and passed it on to, well, Facebook now, and that helped them. Well, I guess the founder of Oculus actually used to work for ZeniMax, and stole the information to create what Facebook owns now. Another one is Uber versus Google over automation, self-driving cars. Intellectual property was also stolen there. How does that information need to remain secret, so that trade secrets, how things work, are not leaked?

Examples of confidentiality that we use every day: again, credit cards; website encryption, so your Coursera login that you're watching these videos on now goes over a protocol called HTTPS. It means secure Hypertext Transfer Protocol, and the client and server communication is completely encrypted to make sure that information remains confidential. Your login and password remain confidential. Virtual private networks, or VPNs, are another way that we have confidential information, or that we protect information. Virtual private networks are a great resource to use if you're traveling anywhere, because they protect information from spying eyes. So if you have access to a virtual private network, use it. Encryption, such as BitLocker or FileVault. BitLocker is a Windows technology that encrypts volumes.
FileVault is Mac's solution, sort of like BitLocker, and there are also all kinds of other encryption algorithms. There's file-based encryption, but encryption is basically the technical implementation of confidentiality.

So why do we need this? Confidentiality protects us, protects people, from intentionally or accidentally leaking the information. Only authorized individuals should have access to this data. How do we have major failures of this? Whenever we're talking about the CIA triad and the failures that could happen because of a lack of one of the three pillars of that triad, we have a failure. And this is where you see it in the news. Especially with confidentiality, if there's a loss of confidentiality, we see things like the Target breach that breached all credit card data. We see the Home Depot breach, we see the Heartland breach. And it keeps on going, where confidentiality is lost because somebody got around the confidential system, the confidential person, the confidential process of how that information is protected.
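The lecture's point that encryption is the technical implementation of confidentiality, and that the 16-digit account number is the field the PCI council singles out, can be made concrete. The Go program below is an added example; it is not code from the lecture, from Coursera, or from any product or standard the lecture names. It assumes a 32-byte key held by the caller (how that key is generated and stored is out of scope), a constructed sample card record that is not real card data, and the PCI DSS display rule that a masked PAN shows at most the first six and last four digits. It seals the record with AES-256-GCM so that the stored bytes reveal nothing about the PAN, masks the PAN for display, and shows that a tampered blob or the wrong key is rejected rather than decrypted into garbage. GCM is an authenticated mode, so the same call also protects integrity, which the lecture treats separately: confidentiality on its own would not stop an attacker from flipping bits in the stored record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is a constructed sample of cardholder data of the kind the
// PCI council says must stay confidential. The values below are not real.
type CardRecord struct {
	Cardholder string `json:"cardholder"`
	PAN        string `json:"pan"` // the 16-digit primary account number
	Expiry     string `json:"expiry"`
}

// MaskPAN applies the PCI DSS display rule: at most the first six and the
// last four digits may be shown; everything in between is replaced.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// newAEAD builds an AES-GCM cipher. A 32-byte key selects AES-256; any
// other length is rejected by aes.NewCipher.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the record and encrypts it with AES-256-GCM. Output
// layout: nonce || ciphertext || 16-byte authentication tag. A fresh random
// nonce per call is mandatory; reusing one under the same key breaks GCM.
func Seal(key []byte, rec CardRecord) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to its first argument, so the nonce
	// becomes the prefix of the returned blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key and any modification of the blob both
// fail the GCM tag check, so the caller never sees corrupted plaintext.
func Open(key []byte, blob []byte) (CardRecord, error) {
	var rec CardRecord
	aead, err := newAEAD(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return rec, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func main() {
	// Assumption for a stand-alone run: the key is generated here. In a real
	// system it would come from a key management service or HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec := CardRecord{Cardholder: "A. Example", PAN: "4111111111111111", Expiry: "12/29"}

	blob, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; PAN visible in ciphertext: %v\n",
		len(blob), strings.Contains(string(blob), rec.PAN))
	fmt.Println("receipt shows:", MaskPAN(rec.PAN))

	back, err := Open(key, blob)
	fmt.Println("authorised decrypt ok:", err == nil && back == rec)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = Open(make([]byte, 32), blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

Run it with `go run .`; every line after the first should report the expected outcome. The thing to notice is that confidentiality here is a property of who holds the key, not of where the bytes sit: anyone who can read the blob but not the key learns only its length, while anyone holding the key is, by definition, an authorized party in the Title 44 sense.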