The Security Evangelist, Lesson II: Confidentiality

Today I’m going to be talking about confidentiality and how to protect it.

Confidentiality is all about restricting access to information: ensuring that only those who are entitled to see certain data can get access to it. In plain English, it’s about keeping secrets.

As an individual, you make sure your personal data remains confidential by keeping it secret and not sharing information with those you do not know and trust. This protects your data. The easiest example related to this is your credit card; I am completely sure that you do not give it away to anybody, that you keep it safely in your wallet or purse, and you would never give your PIN to anybody.

In a business, you have multiple types of confidential data: personal data, like your employee records; confidential data, like your business plans; and customer data, including account information. While all of them are important, there are different levels of confidentiality depending on how critical the data is.

The importance of the data can be determined by the impact that a confidentiality breach would have on the business overall. Damage can come in the shape of reputational damage, direct loss of business, legal liability and, in some cases, financial damage in the shape of fines or trading restrictions.

Unauthorized access can come in many ways. Some of the most typical ones are: 

- Internal:

  • People move jobs and they are not removed from relevant groups
  • Misconfiguration allows access to restricted resources
  • Sharing of credentials allows access to restricted data

- External:

  • Attackers use vulnerabilities to attack the system and gain access
  • Misconfiguration exposes confidential data
  • Human error causes confidential data to be exposed

There are two main ways to ensure data remains confidential: 1) restricting access to the data and 2) auditing all access. It is not enough to set and enforce rules preventing people from accessing data; you also have to continuously review those rules and monitor for unauthorized access.
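The review and audit described above can be run together against the internal causes listed earlier. The following is an added example, not part of the original post: it reconciles group membership against current HR roles to catch people who moved jobs but kept access, then scans an access log for use of those stale rights and for one account appearing from two sources. All users, groups, addresses and the role-to-group policy are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; names, groups and addresses are hypothetical.
ROLE_GROUPS = {"finance": {"finance-share", "all-staff"},
               "engineering": {"source-code", "all-staff"}}
HR_ROLES = {"alice": "engineering", "bob": "finance"}   # carol has left
GROUP_MEMBERS = {"finance-share": {"alice", "bob"},     # alice moved teams
                 "source-code": {"alice"},
                 "all-staff": {"alice", "bob", "carol"}}
ACCESS_LOG = [  # (timestamp, user, source address, group guarding the resource)
    ("2024-03-01T09:00:00", "bob", "10.0.0.5", "finance-share"),
    ("2024-03-01T09:02:00", "bob", "10.0.7.9", "finance-share"),
    ("2024-03-01T09:30:00", "alice", "10.0.0.8", "finance-share"),
    ("2024-03-01T10:00:00", "alice", "10.0.0.8", "source-code"),
]

def entitled(user, group):
    """True if the user's current HR role grants the group."""
    return group in ROLE_GROUPS.get(HR_ROLES.get(user), set())

def stale_memberships():
    """Memberships no longer justified by the member's current role."""
    return sorted((u, g) for g, members in GROUP_MEMBERS.items()
                  for u in members if not entitled(u, g))

def unentitled_access(log):
    """Log entries where access was used without a current entitlement."""
    return [e for e in log if not entitled(e[1], e[3])]

def shared_credential_suspects(log, window=timedelta(minutes=10)):
    """Accounts seen from two different sources within the window."""
    seen, suspects = defaultdict(list), set()
    for ts, user, src, _ in sorted(log):
        t = datetime.fromisoformat(ts)
        if any(s != src and t - prev <= window for prev, s in seen[user]):
            suspects.add(user)
        seen[user].append((t, src))
    return sorted(suspects)

if __name__ == "__main__":
    print("stale memberships:", stale_memberships())
    print("unentitled access:", unentitled_access(ACCESS_LOG))
    print("possible shared credentials:", shared_credential_suspects(ACCESS_LOG))
```

A flagged account is a prompt for review, not proof of sharing: the same user on two networks within minutes can also be a VPN or device switch.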

A safe assumption to make is that you lose control of data once it leaves your system. Your only option is to remove any confidential data before it leaves your system in order to protect it. With email, for example, Workshare provides Workshare Protect, which scans outgoing documents to remove any hidden metadata that may leak confidential information inadvertently or maliciously. 

How do you ensure the confidentiality of your data?

Before anything else, you have to understand what data you control; what type of data it is and how you process it. This means going through every system your company manages, whether directly or through third parties, and understanding what it does and the level of access required for the normal functioning of the business.

Then you have to establish policies and controls around the handling of the data. This will ensure people understand how to manage data, critical or not, and what to do when something goes wrong. It also provides monitoring and metrics that enable you to assess events as they happen.

Finally, you must set up policies and processes to deal with data breaches. This is often an afterthought, but it is critical. In the event of a major breach, you do not want to be working out what to do; everything should be established in advance, including communications, reporting and crisis management. The criticality of this last step cannot be overstated.

A good response can make the difference between containing a data breach and a company “going under” due to legal and financial penalties. For companies operating in the European Union, the new General Data Protection Regulation, coming into force in 2018, states that all breaches involving personal data must be reported immediately and that failure to do so may incur a fine of up to 4% of global revenue. In order to report, you need to know what is happening, and getting the processes and tools in place to manage this will take time and resources.

Once policies and controls are in place, it becomes a matter of regularly reviewing them and learning from events and the way they were handled, whether or not the response was successful.

It is often said that security is not a project; it is a process that needs continuous refinement. A system that is completely secure today may not be secure in the future, as new technologies and vulnerabilities are discovered.