CHAPTER 9 - CONFIDENTIALITY AND PRIVACY CONTROLS
Introduction
This chapter covers two other important principles of reliable systems in the Trust Services Framework: preserving the confidentiality of an organization’s intellectual property and protecting the privacy of personal information it collects from customers, employees, suppliers, and business partners.
Preserving Confidentiality
Protecting confidentiality with encryption
Controlling access to sensitive information
Identify and classify information to be protected
Training
The first step to protect the confidentiality of intellectual property and other sensitive business information is to identify where such information resides and who has access to it. This sounds easy, but undertaking a thorough inventory of every digital and paper store of information is both time-consuming and costly because it involves examining more than just the contents of the organization’s financial systems.
Encryption (to be discussed later in this chapter) is an extremely important and effective tool to protect confidentiality. It is the only way to protect information in transit over the Internet. It is also a necessary part of defense-in-depth to protect information stored on websites or in a public cloud.
Information rights management (IRM) software provides an additional layer of protection to sensitive information that is stored in digital format, offering the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download to USB devices, etc.) that individuals who are granted access to that resource can perform.
Training is arguably the most important control for protecting confidentiality. Employees need to know what information they can share with outsiders and what information needs to be protected.
Privacy
Privacy concerns
Privacy regulations and generally accepted privacy principles
Privacy controls
As is the case for confidential information, the first step to protect the privacy of personal information collected from customers, employees, suppliers, and business partners is to identify what information the organization possesses, where it is stored, and who has access to it. It is then important to implement controls to protect that information because incidents involving the unauthorized disclosure of personal information, whether intentional or accidental, can be costly.
Spam is unsolicited e-mail that contains either advertising or offensive content. Spam is a privacy-related issue because recipients are often targeted as a result of unauthorized access to e-mail address lists and databases containing personal information.
Identity theft is the unauthorized use of someone’s personal information for the perpetrator’s benefit. Often, identity theft is a financial crime, in which the perpetrator obtains loans or opens new credit cards in the victim’s name and sometimes loots the victim’s bank accounts.
Use, retention, and disposal
Access
Collection
Disclosure to third parties
Choice and consent
Security
Notice
Quality
Management
Monitoring and enforcement
Encryption
Encryption is the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process, transforming ciphertext back into plaintext.
Hashing
Digital signatures
Types of encryption systems
Digital certificates and public key infrastructure
Factors that influence encryption strength
Virtual private networks (VPNs)
Encryption algorithm
Policies for managing cryptographic keys
Key length
Longer keys provide stronger encryption by reducing the number of repeating blocks in the ciphertext. This makes it harder to spot patterns in the ciphertext that reflect patterns in the original plaintext.
The nature of the algorithm used to combine the key and the plaintext is important. A strong algorithm is difficult, if not impossible, to break by using brute-force guessing techniques. Keeping the algorithm secret is not necessary for strength; its strength should rest on the key.
The management of cryptographic keys is often the most vulnerable aspect of encryption systems. No matter how long the keys are, or how strong an encryption algorithm is, if the keys have been stolen, the encryption can be easily broken. Therefore, cryptographic keys must be stored securely and protected with strong access controls.
Symmetric encryption systems use the same key both to encrypt and to decrypt. AES is an example of a symmetric encryption system. It is commonly included in most operating systems. Asymmetric encryption systems use two keys. One key, called the public key, is widely distributed and available to everyone; the other, called the private key, is kept secret and known only to the owner of that pair of keys.
Hashing is a process that takes plaintext of any length and creates a short code called a hash.
Creating a digital signature is a two-step process. The document creator first generates a hash of the document (or file) and then encrypts that hash using his or her private key.
Just as passports and driver's licenses are issued by a trusted independent party (the government) and employ mechanisms such as holograms and watermarks to prove that they are genuine, digital certificates are issued by an organization called a certificate authority and contain the certificate authority's digital signature to prove that they are genuine.
This system for issuing pairs of public and private keys and corresponding digital certificates is called a public key infrastructure (PKI). The entire PKI system hinges on trusting the certificate authorities that issue the keys and certificates.
A digital certificate is an electronic document that contains an entity’s public key and certifies the identity of the owner of that particular public key.
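The two-step signing process and the certificate-authority chain described above, as an added Python example that is not part of the chapter: SHA-256 from the standard library supplies the hash, and a deliberately tiny textbook RSA built from Mersenne primes (constructed for illustration, nowhere near real key sizes) plays the role of the private and public keys. The subject name alice@example.com, the certificate layout and the sample document are assumptions made for the example.

```python
import hashlib

E = 65537  # public exponent, the usual choice

def make_keypair(p, q):
    """Toy RSA key pair from two primes (illustration only; far too small for real use)."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)  # (public, private)

def digest(data):
    # Signing step 1: hash the document. The toy moduli are small, so only the
    # first 16 bytes (128 bits) of SHA-256 are used as the integer to sign.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(data, private_key):
    # Signing step 2: "encrypt" the hash with the private key (RSA: h^d mod n).
    d, n = private_key
    return pow(digest(data), d, n)

def verify(data, signature, public_key):
    # Undo with the public key and compare against a fresh hash of the document.
    e, n = public_key
    return pow(signature, e, n) == digest(data)

def cert_body(subject, public_key):
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(subject, subject_public_key, ca_private_key):
    # A certificate binds a name to a public key and carries the CA's signature.
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(cert_body(subject, subject_public_key), ca_private_key)}

def verify_certificate(cert, ca_public_key):
    return verify(cert_body(cert["subject"], cert["public_key"]),
                  cert["ca_signature"], ca_public_key)

# Constructed keys: Mersenne primes keep the arithmetic exact with plain Python ints.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_CERT = issue_certificate("alice@example.com", ALICE_PUB, CA_PRIV)

def demo():
    document = b"Pay Bob 100 USD"  # constructed sample document
    sig = sign(document, ALICE_PRIV)
    cert_ok = verify_certificate(ALICE_CERT, CA_PUB)  # trust the CA first ...
    doc_ok = verify(document, sig, ALICE_CERT["public_key"])  # ... then the signer
    tampered_ok = verify(b"Pay Bob 1000 USD", sig, ALICE_CERT["public_key"])
    forged = dict(ALICE_CERT, subject="mallory@example.com")  # edited after issuance
    return cert_ok, doc_ok, tampered_ok, verify_certificate(forged, CA_PUB)
```

Calling demo() returns (True, True, False, False): the genuine certificate and signature check out, while the altered document and the altered certificate both fail, which is exactly the property the whole PKI hinges on.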
To protect confidentiality and privacy, information must be encrypted not only within a system, but also when it is in transit over the Internet. Encrypting information while it traverses the Internet creates a virtual private network (VPN), so named because it provides the functionality of a privately owned secure network without the associated costs of leased telephone lines, satellites, and other communication equipment.