Confidentiality, Integrity, Authentication, and Nonrepudiation.
Carlos F Rentas
Strayer University
CIS 333
November 17, 2012
Prof. Jonathan C. Thrall

While I was working as an Information Security Officer, our firm took on a task for a client, a small software company that currently uses a Microsoft Server 2008 Active Directory domain administered by a limited number of over-tasked network administrators. The rest of the client’s staff is mostly software developers and a small number of administrative personnel. The client has decided that it would be in their best interest to use a public key infrastructure (PKI) to provide a framework that facilitates confidentiality, integrity, authentication, and nonrepudiation.

Fundamentals of PKI. Public Key Infrastructure is a security architecture created to provide a high level of confidence when exchanging information over the Internet, which has become more and more insecure lately. The term can be confusing because it is used to mean several different things. For instance, PKI may mean the technologies, techniques, and methods that, used together, provide a secure infrastructure. PKI may also mean the use of a public key and private key pair, mainly for authentication as well as “proof of content”. This relies on a mathematical technique known as public key cryptography, which uses a pair of related cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption). PKI was developed to support secure information exchange over insecure networks like the Internet, where these features cannot otherwise be readily provided; it can, however, also be used easily for information exchanged over private networks (including corporate internal networks). PKI can also be used to deliver cryptographic keys between servers and users in a secure manner, and to facilitate other cryptographically delivered security services.

Public key cryptography uses a pair of mathematically related cryptographic keys. When one key is used to encrypt information, only the related key can decrypt it. If only one of the keys is known, the other key is extremely difficult to calculate. The pair consists of the following:

* A public key. This is made public, freely distributed, and can be seen by all users.
* A corresponding (and unique) private key. This is kept secret and not shared among users.

A private key enables a user to prove, without any doubt, who they claim to be.

Positive and negative characteristics of a Public and In-house CA. Some of the expected advantages of a PKI are:

* Ensuring the quality of information sent and received electronically
* Ensuring the authenticity of the source and destination of the information
* Provided the source of time is known, assurance of the time and timing of the information
* Ensuring the privacy of the information
* Authenticity of information that may be introduced as evidence in court

In a network, the certificate authority (CA) is the authority that issues and manages security credentials and public keys for the encryption of messages. In a public key infrastructure, a CA checks with a registration authority (RA), which verifies the information provided by whoever requests a digital certificate. The CA issues a certificate once the RA verifies the requestor’s information. Depending on the public key infrastructure implementation, the certificate includes the owner’s name, the owner’s public key, the expiration date of the certificate, and any other information about the public key owner. The key concepts are:

* Cryptography. In a public key system, communication is asymmetric: the sender and receiver do not need a common key to exchange encrypted messages. The sender does, however, need to know the receiver’s public key so the message can be sent, and for that communication to stay private, the receiver needs to keep the corresponding private key confidential.
* Trust. Because encryption is asymmetric, communication in a PKI should be secure. Problems arise when individuals or companies make false representations or assume a false identity, allowing confidential data to fall into unauthorized hands.
* Certificate Authority. These are trusted third parties, for example a website holding public keys, who verify identities. They hold names, addresses, phone numbers, and other information that is subject to verification in order to determine whether the entity is legitimate.

Some of the certificates issued provide additional encryption known as Secure Socket Layer (SSL), making communication secure.
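The issuance and verification flow described above, as an added example in Go that is not part of the original essay: an in-house CA is modelled with the standard library's crypto/x509, and the RA's identity check is assumed to have happened before `issue` is called. The CA name, host names, message and helper names (`newCA`, `issue`, `trusted`, `scenario`) are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo if key generation or certificate encoding fails.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// authority pairs a CA certificate with the private key that signs for it.
type authority struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCA creates a self-signed root standing in for the in-house CA.
func newCA(name string) authority {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return authority{must(x509.ParseCertificate(der)), key}
}

// issue is the CA step: bind host to the holder's public key until notAfter.
func (ca authority) issue(host string, pub *ecdsa.PublicKey, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key))
	return must(x509.ParseCertificate(der))
}

// trusted returns nil only if cert chains to root and is valid for host now.
func trusted(cert, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// scenario runs every check on constructed names and returns one bool per result.
func scenario() map[string]bool {
	const host = "build.corp.example" // constructed host name
	ca, other := newCA("Example In-House CA"), newCA("Example In-House CA") // same name, different keys
	key, soon := newKey(), time.Now().Add(12*time.Hour)
	good := ca.issue(host, &key.PublicKey, soon)
	digest := sha256.Sum256([]byte("release 1.4 approved")) // constructed message
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:])) // only the private key holder can sign
	altered := sha256.Sum256([]byte("release 1.5 approved"))
	pub := good.PublicKey.(*ecdsa.PublicKey) // the verifier takes the key from the certificate
	return map[string]bool{
		"issued by our CA":     trusted(good, ca.cert, host) == nil,
		"wrong host name":      trusted(good, ca.cert, "mail.corp.example") == nil,
		"expired":              trusted(ca.issue(host, &key.PublicKey, time.Now().Add(-time.Minute)), ca.cert, host) == nil,
		"issued by another CA": trusted(other.issue(host, &key.PublicKey, soon), ca.cert, host) == nil,
		"signature verifies":   ecdsa.VerifyASN1(pub, digest[:], sig),
		"altered message":      ecdsa.VerifyASN1(pub, altered[:], sig),
	}
}

func main() {
	for check, ok := range scenario() {
		fmt.Printf("%-22s accepted=%v\n", check, ok)
	}
}
```

A certificate is accepted only when it was signed by the CA key the verifier already trusts, which is why that key is the asset the whole deployment depends on.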

Recommendation for either a Public CA or an In-house CA. Security has become a priority for companies over the last few years, and many administrators who have probably never thought twice about digital certificates now find themselves in situations that may require issuing different types of certificates. When selecting a CA (certificate authority), one of the first things administrators will notice is cost. The cost varies with the type of certificate needed, but a single certificate can be very expensive. On the other hand, having its own certificate authority gives a company the capability of issuing as many certificates as needed for free, which makes it a more attractive option at first, especially if a large number of certificates are to be used at any given time. Some companies have decided to run the Certificate Authority services on an existing Windows 2008 server, and this “piggybacking” may save the client some money, as long as a large number of certificates are not in use. What is the reason for this? Although a Certificate Authority is a set of services under Windows Server 2008, it is also unlike any other server in the entire network. To begin with, it has security requirements that are completely unique. In doing so, a company is basing its organization’s data security on one or more digital certificates. If any of those certificates are compromised, the company’s overall security is compromised, as well as its resources. As long as saving some money does not hurt productivity, it may not be an issue in this case. If the client is considering running their own CA, then it should be run on a dedicated server. Why? Although a Certificate Authority runs under Windows Server 2008 as one of its services, it requires unique security measures and requirements, as mentioned above.

For instance, if a hacker ever accesses the client’s certificate server and steals a copy of it, they could set up their own server and convincingly spoof (alter or duplicate) the identity of the client’s server. A hacker could also decipher the SSL (Secure Socket Layer) encryption in an effort to steal customers’ credit card numbers. Additionally, if the certificate server ever has a hard disk failure and a current backup is not available, the client’s operations could experience serious problems. Deploying the client’s own in-house certificate authority would require extra care when it comes to protection, security, and backup. If the client decides to pursue a certificate authority deployment, it will need to be treated the way a superpower would treat its nuclear warheads: protect it at all costs.
