Cryptography and PKISecurity principlesBeginner18 min read

What Is Confidentiality? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Confidentiality is about protecting data from being seen or accessed by anyone who shouldn't have it. It ensures that only the right people, applications, or devices can view or use sensitive information. Think of it as a digital lock on your private information, keeping it safe from prying eyes.

Commonly Confused With

ConfidentialityvsIntegrity

Confidentiality is about secrecy; integrity is about preventing unauthorized modification. Example: If a hacker changes your bank balance, integrity is violated. If a hacker reads your bank balance, confidentiality is violated.

You write a note and lock it in a safe (confidentiality). But if someone opens the safe and changes the note, integrity is lost. The note was still confidential if no one read it, but it's no longer trustworthy.

ConfidentialityvsAvailability

Availability ensures that data and systems are accessible when needed. Confidentiality does not guarantee availability. For example, a file might be encrypted (confidential) but the key could be lost, making the file unavailable.

You have a secret recipe locked in a vault. That is confidentiality. But if the vault door gets stuck closed and you can't open it, you lose availability – you can't access the recipe.

ConfidentialityvsAuthentication

Authentication verifies who someone is. Confidentiality is about what they can see. You can authenticate a user (prove they are Bob) but still not give them access to certain data (confidentiality).

A passport proves you are you (authentication). But even with the passport, you may not be allowed into a government building with top-secret documents (confidentiality).

ConfidentialityvsNon-repudiation

Non-repudiation prevents someone from denying they did something (like signing a document). Confidentiality prevents someone from seeing something. They are different goals.

Signing a check (non-repudiation) does not hide the amount (confidentiality). You can seal the check in an envelope to hide it.

Must Know for Exams

Confidentiality is a core concept in both CompTIA Security+ and ISC2 CC exams. These exams expect you to know how confidentiality is achieved, the threats to it, and the countermeasures.

For Security+ (SY0-601 / SY0-701), confidentiality is tested under domain 1.0 (Attacks, Threats, and Vulnerabilities) and domain 2.0 (Architecture and Design). You will encounter questions about encryption (symmetric vs. asymmetric), access controls (RBAC, DAC, MAC), and data masking. Scenario-based questions often describe a breach where an unauthorized user reads sensitive data; you must identify the missing confidentiality control (e.g., lack of encryption, weak permissions).

For ISC2 CC (Certified in Cybersecurity), confidentiality is a pillar of the CIA triad. Questions focus on the principles and controls: why encryption is used, what confidentiality means in different contexts (data at rest vs. in transit), and how to select appropriate safeguarding measures. You may also see questions about policies like least privilege and need-to-know.

In both exams, watch for questions that mix confidentiality with integrity or availability. For example, a question might ask: Which security principle is violated if an attacker reads a file? (Answer: confidentiality). Another might ask: What is the best control to protect data in transit? (Answer: encryption using TLS).

Also, be prepared for questions about symmetric vs. asymmetric encryption. Symmetric encryption (e.g., AES) is faster and used for bulk data confidentiality, while asymmetric (e.g., RSA) is used for key exchange.

In the Security+ PBQ (Performance-Based Question), you may need to configure a VPN or set file permissions to ensure confidentiality. In the multiple-choice sections, read carefully: if the scenario mentions someone viewing data they shouldn't, the answer is almost certainly related to confidentiality.

For ISC2 CC, the exam is more conceptual and less technical, but you still need to know the difference between encryption, hashing (integrity), and digital signatures (non-repudiation).

Simple Meaning

Imagine you have a secret diary. You keep it in a locked box, and only you have the key. If anyone else tries to open the box, the lock stops them. Confidentiality works the same way in the digital world. It is the practice of ensuring that information is not disclosed to unauthorized individuals, entities, or processes.

For example, when you send a private message to a friend, you don't want anyone else to read it. Confidentiality makes sure that message is scrambled (encrypted) so even if someone intercepts it, they can't understand it. Only your friend has the special key to unscramble it.

In a company, confidentiality protects things like employee payroll data, customer credit card numbers, and trade secrets. If confidentiality fails, that information could be leaked, leading to identity theft, financial loss, or damage to reputation.

So, confidentiality is like a promise that your secrets will stay secret. It is one of the three core goals of information security, often called the CIA triad (Confidentiality, Integrity, Availability). Without confidentiality, you cannot trust that your private information remains private.

Full Technical Definition

In IT and cybersecurity, confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Achieving confidentiality requires a combination of technical controls, policies, and procedures. The primary mechanisms used are encryption, access control, and data masking.

Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a key. Only those with the correct decryption key can revert it to plaintext. Common encryption standards include AES (Advanced Encryption Standard) for symmetric encryption and RSA or ECC for asymmetric encryption. In transit, protocols like TLS (Transport Layer Security) enforce confidentiality for web traffic, while IPsec (Internet Protocol Security) does the same for network packets. At rest, technologies like BitLocker (on Windows) or FileVault (on macOS) encrypt entire drives.

Access control ensures that only authenticated and authorized users can view or interact with data. This is implemented through systems like Role-Based Access Control (RBAC), where permissions are assigned based on job roles, and Mandatory Access Control (MAC), which uses security labels. Authentication factors (something you know, have, or are) are verified before granting access. Multifactor authentication (MFA) is a widely adopted control to strengthen confidentiality.

Data masking hides sensitive data by replacing it with fictitious but realistic data. For example, a credit card number might be shown as XXXX-XXXX-XXXX-1234 in a customer service application. This ensures confidentiality even when the data is displayed to staff who do not need the full number.

Steganography is another technique, where data is hidden within other data (e.g., hiding a message inside an image), but it is less common in mainstream IT.

In network security, confidentiality is enforced through virtual private networks (VPNs) that encrypt all traffic between a client and a server. Firewalls and network segmentation also contribute by preventing unauthorized traffic from reaching sensitive systems.

On the policy side, organizations enforce least privilege, meaning users get only the minimum access needed to do their jobs. Data classification labels (e.g., Public, Internal, Confidential, Secret) help apply appropriate controls. Audit logs and monitoring systems detect breaches or attempted violations of confidentiality.

Exam-accurate note: Confidentiality is distinct from integrity (data not tampered) and availability (data accessible when needed). Many cryptosystems protect confidentiality, but they do not automatically guarantee integrity or availability.

Real-Life Example

Think about sending a postcard versus a sealed letter. A postcard is open for anyone to read, the mail carrier, a nosy neighbor, anyone who handles it. That has no confidentiality. A sealed letter, however, is placed inside an envelope and closed. Only the intended recipient can open it.

In the digital world, sending an email without encryption is like sending a postcard. Anyone who intercepts it (like an internet service provider, a hacker, or an employee at a data center) can read the contents. To achieve confidentiality, you put that email inside an encrypted tunnel, like a tamper-proof envelope.

Another analogy: a bank vault. Inside, you have your money and private documents. The vault door is locked, and only the bank manager (authorized user) has the combination. Even if someone breaks into the bank lobby, they cannot get into the vault. In IT, that vault is a database, and the lock is encryption plus access controls. The bank manager is the authentication system.

So, when you log into your online banking, your browser and the bank's server establish a secure connection (HTTPS). That is like a secure, armored truck that transports your password and account details from your computer to the bank, ensuring no one on the road can look inside.

Why This Term Matters

Confidentiality is a foundational requirement for any organization that handles sensitive data. Without it, businesses face legal penalties, financial losses, and irreparable reputational damage. For example, healthcare providers must protect patient records under HIPAA; loss of confidentiality can result in fines up to millions of dollars.

In practical IT, confidentiality controls prevent data breaches. A breach of confidential customer data, like Social Security numbers or credit card details, can lead to identity theft, fraud, and class-action lawsuits. Companies like Equifax and Marriott have suffered massive breaches, costing them billions and eroding customer trust.

For IT professionals, maintaining confidentiality is part of daily operations. You must configure file permissions so that only HR can view salary data. You must encrypt laptops in case they are lost or stolen. You must enforce MFA on all administrative accounts.

Confidentiality also supports other security goals. For instance, if an attacker cannot read encrypted data (confidentiality), they cannot modify it without detection (integrity). Also, if data is published without authorization (breach of confidentiality), the organization loses control over its availability (e.g., ransomware might use stolen data as leverage).

confidentiality is not optional. It is a legal, ethical, and business necessity. Every IT certification candidate must understand how to implement and verify confidentiality using the appropriate tools and protocols.

How It Appears in Exam Questions

Confidentiality questions appear in several patterns across exams:

1. Definition Questions: Which of the following best describes confidentiality? Options usually include phrases like preventing unauthorized disclosure, ensuring data is accurate, or keeping data available. The correct answer focuses on secrecy.

2. Scenario Questions: A company discovers that an employee's laptop was stolen. The drive was encrypted. What is the likely impact? The correct answer: confidentiality of data on the laptop is preserved because the encryption makes it unreadable to the thief. Without encryption, the data would be exposed, violating confidentiality.

3. Protocol/Tool Questions: Which protocol is used to provide confidentiality for web traffic? Answer: TLS (or SSL). Another example: Which tool can ensure confidentiality of data at rest? Options: BitLocker, EFS, or LUKS.

4. Comparative Questions: What is the difference between confidentiality and integrity? A common trap: hashing vs. encryption. Hashing does not protect confidentiality (it protects integrity), while encryption does.

5. Attack-Focused Questions: An attacker performs a man-in-the-middle attack and reads the contents of an encrypted session. The session was using TLS, but the attacker installed a rogue CA certificate. Which security principle is violated? Answer: Confidentiality (the attacker read the data).

6. Control Selection: You are asked to choose a control that enforces confidentiality. Options: access control lists, digital signatures, RAID, or backup procedures. Correct: access control lists (ACLs).

7. Multifactor and Authentication: Which factor provides the strongest confidentiality protection? Answer: Something you have (token) combined with something you know (password) – MFA.

8. Policy Questions: Which principle ensures that users have only the information necessary to perform their jobs? Answer: Least privilege (supports confidentiality).

9. Data Classification: Which data classification level requires the highest confidentiality controls? Answer: Secret or Confidential (depending on the classification scheme).

10. Encryption Key Types: Which key is used to decrypt data? Answer: Private key in asymmetric encryption.

Be alert for questions that present a scenario and ask what control was missing or what went wrong. If the scenario involves unauthorized viewing or reading, the missing control is related to confidentiality.

Practise Confidentiality Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A hospital uses an electronic health records (EHR) system. Dr. Smith needs to access the medical history of Patient Jones to treat her. To preserve confidentiality, the system requires Dr. Smith to log in with a smart card (something she has) and a PIN (something she knows). The data is transmitted over a secure encrypted connection (HTTPS).

One day, a hacker exploits a vulnerability in the hospital's network and intercepts the encrypted traffic. However, because the data is encrypted with TLS, the hacker only sees gibberish. The hacker then tries to break the encryption but fails because the key is 256-bit AES, considered computationally infeasible to crack.

Later, the hacker gains access to a nurse's login credentials. The nurse has permission to view basic patient demographics but not mental health notes. The hacker (posing as the nurse) tries to read the mental health notes for Patient Jones, but the system denies access because the nurse's role does not have permission.

In this scenario, confidentiality was preserved by: (1) strong authentication (smart card + PIN), (2) encryption in transit (TLS), and (3) role-based access control (RBAC) that limited what the nurse could see. If any of these controls had failed, confidentiality would have been breached.

For the exam, you might be asked: What set of controls is the hospital using to protect confidentiality? Or, if the hacker had decrypted the traffic, which control failed? The answer would be encryption strength or key management.

Common Mistakes

Confusing confidentiality with integrity

Integrity is about data not being altered, not about secrecy. A file can be encrypted (confidential) and still be modified (integrity lost).

Remember: confidentiality = secrecy, integrity = trustworthiness/accuracy. Use encryption for confidentiality, hashing for integrity.

Thinking hashing provides confidentiality

Hashing is a one-way function that produces a fixed-size digest. It cannot be reversed to reveal the original data, but it does not prevent a third party from seeing the original data before hashing. Hashing only verifies integrity, not secrecy.

Use encryption (e.g., AES) for confidentiality. Hashing is for checking if data changed.

Believing SSL/TLS alone guarantees complete confidentiality

TLS protects data in transit, but if the server is compromised, the data at rest on the server may be exposed. Also, if the client is infected with malware, the data can be read before encryption.

Confidentiality requires defense in depth: encrypt at rest, in transit, and control access with strong authentication.

Assuming obfuscation (like Base64) equals encryption

Base64 is encoding, not encryption. Anyone can decode Base64 easily. It does not provide real confidentiality.

Only use approved encryption algorithms (AES, RSA, etc.) and never rely on custom encoding for security.

Confusing confidentiality with availability

Availability means data is accessible when needed, not secret. A denial-of-service attack harms availability but not confidentiality.

Each CIA pillar is distinct. Confidentiality keeps data secret; availability keeps it reachable.

Exam Trap — Don't Get Fooled

{"trap":"In a scenario, an attacker uses a packet sniffer to capture data from a network that uses WPA2 encryption. The captured data appears to be readable because the attacker knows the Wi-Fi password. The question asks: Which security principle is violated?

Many learners choose 'availability' or 'integrity', but the correct answer is 'confidentiality' because the data was exposed to an unauthorized person.","why_learners_choose_it":"Learners may think that since the data wasn't modified, integrity is fine, or that since the network was working, availability is fine. They forget that confidentiality is about preventing unauthorized read access."

,"how_to_avoid_it":"Always ask yourself: did someone who shouldn't see the data see it? If yes, it is a confidentiality violation, regardless of whether anything else happened."

Step-by-Step Breakdown

1

Identify the sensitive data

First, determine which information needs to be kept confidential. This could be passwords, financial records, personal identifiable information (PII), or trade secrets. Data classification (e.g., public, internal, confidential) is used here.

2

Encrypt the data at rest

Apply encryption to the data when stored on a disk, database, or backup. Use full-disk encryption (e.g., BitLocker) or file-level encryption (e.g., EFS). This ensures that if the storage device is stolen, the data is still unreadable.

3

Encrypt data in transit

Use protocols like TLS or IPsec to encrypt data while it travels across networks. This prevents eavesdroppers (e.g., on public Wi-Fi) from capturing and reading the data. It also protects against man-in-the-middle attacks.

4

Implement access controls

Define who can access what data using RBAC, DAC, or MAC. Enforce least privilege so users and processes have only the minimum permissions needed. Use authentication (MFA) to verify identity before granting access.

5

Monitor and audit access

Log all attempts to view or modify confidential data. Regularly review logs to detect unauthorized access attempts. Alerts should trigger on unusual patterns, such as a user trying to access files outside their role.

6

Apply data masking or tokenization

For display purposes, mask sensitive data (e.g., show only last four digits of SSN) or use tokens that replace sensitive data with non-sensitive equivalents. This reduces exposure risk in development, testing, or customer service.

7

Use secure key management

Protect the encryption keys themselves. Store keys in a hardware security module (HSM) or a key management service. Rotate keys periodically and revoke compromised keys immediately.

Practical Mini-Lesson

In practice, achieving confidentiality requires a layered approach. Let's start with a typical web application. When a user logs in, their password must never appear in plaintext in logs or databases. The password is hashed and salted – but note: hashing does not give confidentiality; it only helps integrity when stored. For actual confidentiality of the password during transmission, we use HTTPS (TLS). The browser and server negotiate a session key, and all data is encrypted.

Now, consider an organization that uses cloud storage. If they upload a confidential file to a cloud provider, they should encrypt it client-side before uploading. That way, even if the cloud provider is breached, the attacker only sees ciphertext. This is often called 'zero-knowledge encryption.' Services like Cryptomator or Boxcryptor do this.

For databases, sensitive columns like email or phone numbers can be encrypted using Transparent Data Encryption (TDE) in SQL Server or column-level encryption in PostgreSQL. But encryption comes with a performance cost: every query that touches encrypted data must decrypt it, which can slow down operations. Therefore, professionals must balance confidentiality with performance.

What can go wrong? If encryption keys are stored alongside the data, confidentiality fails – it is like locking the safe and leaving the key on top of it. If a user shares their password, any confidentiality control based on that password is defeated. If an attacker steals a session cookie, they can impersonate the user and read confidential data without authentication again. This is why we rotate keys, use short-lived session tokens, and educate users.

Configuration context: In Windows, to enforce confidentiality via EFS (Encrypting File System), you right-click a file, select Properties -> Advanced -> Encrypt contents. In Linux, you can use `gpg -c filename` to encrypt a file with a passphrase. For network traffic, a sysadmin might configure a VPN on a router using IKEv2 with AES256.

Professionals must also understand that confidentiality is not absolute. For instance, metadata (like email subject lines, message sizes, timestamps) may leak information even if the content is encrypted. Side-channel attacks (like timing attacks) can extract keys. So, real-world confidentiality demands constant vigilance and updates.

Memory Tip

CIA Triad: 'C' for Confidentiality, 'C' as in 'Censor' (keep secret).

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

What is the difference between confidentiality and privacy?

Confidentiality is about restricting access to data by authorized users. Privacy is a broader concept that includes confidentiality but also involves the rights of individuals to control their personal information. In IT, confidentiality is a technical control; privacy is often a legal and policy requirement.

Can encryption guarantee confidentiality?

Encryption greatly improves confidentiality, but it is not absolute. If an attacker steals the decryption key, they can read the data. Also, encryption protects data only if properly implemented (e.g., correct algorithm, key length, key management). Weak encryption or implementation bugs can break confidentiality.

Does confidentiality apply to data in use?

Data in use (e.g., when being processed by a CPU) is the hardest to protect. Technologies like Intel SGX (Software Guard Extensions) create encrypted enclaves in memory. Most traditional confidentiality controls focus on data at rest and in transit.

What is a common confidentiality attack?

Eavesdropping, such as packet sniffing on unencrypted networks, is a classic confidentiality attack. Other examples include shoulder surfing, social engineering, and database breaches. The attacker's goal is to read the data without authorization.

Is confidentiality the same as non-repudiation?

No. Non-repudiation ensures that a party cannot deny having performed an action, like sending a message. Confidentiality ensures that a message remains secret. They are separate security objectives.

How does VPN provide confidentiality?

A VPN creates an encrypted tunnel between your device and the VPN server. All traffic passing through the tunnel is encrypted, so even if an attacker intercepts the packets, they cannot read them. This protects the confidentiality of data in transit.

What is the role of access control in confidentiality?

Access control determines who is allowed to view or interact with data. Without access control, encryption alone is insufficient because authorized users spontaneously gain access. Effective access control ensures that only authenticated and permitted subjects can decrypt or view data.

Summary

Confidentiality is the security principle that ensures data is not disclosed to unauthorized individuals or systems. It is the 'C' in the CIA triad and is achieved through a combination of encryption, access controls, data masking, and secure key management. In practice, IT professionals implement confidentiality by encrypting data at rest (e.g., full-disk encryption) and in transit (e.g., TLS), enforcing least privilege through RBAC, and using strong authentication like MFA.

For exams like Security+ and ISC2 CC, you must recognize confidentiality scenarios and differentiate them from integrity and availability. Expect questions on encryption types, access control mechanisms, and attack identification. A common trap is confusing hashing (integrity) with encryption (confidentiality).

Ultimately, confidentiality is a non-negotiable requirement for protecting sensitive information in any organization. Without it, data breaches become inevitable, leading to severe legal and financial consequences. Mastering confidentiality is fundamental to a career in cybersecurity and essential for passing your certification exams.