理解和应用安全概念-1.保密性

Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution.

安全管理概念和原则是安全政策和解决方案部署中的固有要素。安全管理概念定义了一个安全环境所需的基本参数。并定义了策略设计者和系统实施者必须实现的目标和目的，以创建一个安全的解决方案。

Confidentiality, integrity, and availability (CIA) (i.e., the CIA Triad)are typically viewed as the primary goals and objectives of a security infrastructure.

保密性、完整性和可用性（即CIA三要素）通常被认为是安全基础设施的主要目标和目的。

Security controls are typically evaluated on how well they address these three core information security tenets. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles. 

安全控制措施通常是根据它们如何解决这三个核心信息安全原则来评估的。脆弱性和风险的评估也是基于它们对CIA三原则中的一个或多个原则所构成的威胁。       

The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality protections prevent disclosure while protecting authorized access. 

三原则的第一个原则是保密性。保密性是指用于确保保护数据、对象或资源的机密性的措施的概念。保密性保护的目标是防止或尽量减少对数据的未授权访问。保密性保护在保护授权访问的同时，也防止披露。

Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are the result of human error, oversight, or ineptitude. Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control. 

违反保密性的行为并不限于有目地的故意攻击。许多未经授权披露敏感或机密信息的情况是人为错误、疏忽或无能的结果。违反保密性的行为可能是由终端用户或系统管理员的行为造成的，也可能因为安全政策的疏忽或安全控制的错误配置而发生。

Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control,rigorous authentication procedures, data classification, and extensive personnel training. 

众多的对策可以帮助确保保密性，防止可能的威胁。这些措施包括加密、网络流量填充、严格的访问控制、严格的认证程序、数据分类、以及广泛的人员培训。

Concepts, conditions, and aspects of confidentiality include the following: 

• SensitivitySensitivity refers to the quality of information, which could cause harm or damage if disclosed. 

• DiscretionDiscretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

• CriticalityThe level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. 

• ConcealmentConcealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence,or secrecy. 

• SecrecySecrecy is the act of keeping something a secret or preventing the disclosure of information.

• PrivacyPrivacy refers to keeping information confidential that is personallyidentifiable or that might cause harm, embarrassment, or disgrace to someone ifrevealed. 

• SeclusionSeclusion involves storing something in an out-of-the-way location, likely with strict access controls. 

• IsolationIsolation is the act of keeping something separated from others. 

保密性的概念、条件和层面包括以下内容：

• 敏感度是指信息的质量,如果披露可能会造成伤害或损害。

• 自由裁量权是一种决定行为，经营者可以影响或控制披露，以尽量减少伤害或损害。

• 关键性 信息对任务的关键程度是衡量其关键性的标准。关键性水平越高，就越需要保持信息的机密性。

• 隐蔽是指隐藏或防止披露的行为。通常情况下，隐蔽被视为一种掩饰、混淆或转移注意力的手段。与隐蔽有关的一个概念是通过隐蔽获得安全，这是试图通过隐藏、沉默或保密获得保护的概念。

• 秘密是指对某事保密或防止信息披露的行为。

• 隐私是指对可识别个人身份的信息或一旦泄露可能对某人造成伤害、尴尬或耻辱的信息进行保密。

• Seclusion （不会翻译）是指将某样东西存放在一个不显眼的地方，可能有严格的访问控制。

• Isolation隔离是将某物与他人分开的行为。

Organizations should evaluate the nuances of confidentiality they wish to enforce. Tools and technology that implement one form of confidentiality might not support or allow other forms. 

组织应评估他们希望执行的保密性的细微差别。实施一种形式的保密性的工具和技术可能不支持或不允许其他形式。

小结

机密性指为保障数据、客体或资源保密状态而采取的措施。

• 机密性：为了限制未授权主体访问数据、客体或资源而提供的高级别保证。不能确保机密性，就会发生未授权泄露。

• 破坏机密性的因素：

• 故意攻击如：抓包网络流量窃取密码文件、社会工程学、端口扫描、肩窥、窃听、嗅探、特权升级等

• 错误、疏忽或者不称职造成的未经授权的敏感或机密信息泄露。如：为正确实现的加密传输、传输数据前未对远程系统充分进行身份验证、访问恶意代码打开的后门、文件遗留在打印机上、终端显示敏感数据时不锁屏离开。

• 维护机密性的措施：

• 加密静止数据（整个磁盘、数据库加密）

• 加密传输中的数据（IPSec、TLS、PPTP、SSH）

• 访问控制（物理的和技术的）

• 隐写术

• 数据分类

• 人员培训

原文始发于微信公众号（网络安全等保测评）：理解和应用安全概念-1.保密性