The adoption of cloud-based technologies is a growing reality in Brazil. It is a strategic move by organizations to mitigate risks and reduce costs, while gaining agility and scalability through the use of new solutions.
Companies that choose to use these technologies must identify the potential threats they face and the security controls needed to keep their data and applications in the cloud safe. This is why a compliance assessment is an important part of cloud adoption.
But before we start the discussion on this topic, it is important to understand the most common service models available in the cloud today:
SaaS: “Software as a Service” is the definition of a service provider that offers software and applications to be used directly from the Internet, without the need for a local infrastructure. Everything is done through direct access to the software managed by the provider.
SECaaS (sometimes also abbreviated SaaS, which can cause confusion with Software as a Service): the term “Security as a Service” is inspired by the “Software as a Service” model. It is a business format in which centrally managed security platforms allow corporate environments to adopt innovative security solutions without having to maintain the hardware, data and log storage, backups or constant system updates at the customer’s own expense.
IaaS: “Infrastructure as a Service” is the provision, through virtualization, of cloud infrastructure such as storage systems, networks, servers, operating systems and other computing resources.
PaaS: “Platform as a Service” is the provision of a platform on which users develop and deliver applications, with the provider supplying and managing the underlying infrastructure.
Now that we understand the main service models, let’s return to the need to assess the compliance of these environments. This assessment must be linked not only to the level of security we need to prioritize, but also to local legislation, such as the LGPD (General Data Protection Law) or, for example, GSI Normative Instruction No. 5 (which replaced Complementary Standard NC-14), which establishes the minimum information security requirements for the use of cloud computing solutions by agencies and entities of the federal public administration.
Among the main points of this need for compliance adequacy, we highlight:
It is extremely important to ensure that the agreed controls and contracted service levels are actually complied with;
It is necessary to guarantee that the data, metadata, information and knowledge produced by cloud-based solutions are hosted in data centers located in Brazilian territory;
All backups and audits of these cloud-based solutions must be performed in Brazil, with control over the solution’s data flows and rapid notification of any cybersecurity incident that occurs;
It is essential to have a confidentiality agreement that prevents the cloud service provider from using, transferring or releasing the data, systems, processes and information of the customer that contracted the service;
Records of all access and authentication controls must be stored, and the infrastructure must be audited continuously to ensure that no unauthorized resources are installed in the cloud.
It is also worth mentioning that the main solution providers in the market already understand this need well. They recognize that advancing the adoption of this technology in compliance with local laws, and investing in the country, not only guarantees higher levels of security and availability to users but is also the right path for expanding cloud adoption in Brazil.
André Carneiro, a columnist for TecMundo, has nearly 20 years of experience in the security industry. At Sophos, he previously served as a channel account executive and sales engineer. Since September 2019, he has been the brand’s Country Manager for Brazil and, in this position, he leads Sophos’ growth strategy in Brazil, expanding the company’s reach in different markets.