SECURITY ANALYSIS WHEN HIRING CLOUD SERVICES

Comparison United States and Brazil

DOI: https://doi.org/10.31510/infa.v17i2.855

Keywords:

Information Security, Cloud Computing, Risk Management

Abstract

This work describes and evaluates current information security assessment practices in the adoption of cloud computing services. It discusses the effort required to carry out these practices and lists the improvements needed to make the security risk assessment process and the implementation of controls more efficient in Brazil. The article reviews two government approaches to risk management in the adoption of cloud computing services: the Federal Risk and Authorization Management Program (FedRAMP) in the United States and the Brazilian government's processes for information security risk management. Each process is grounded in its country's regulatory framework. Finally, the study lists actions that could improve the assessment process in Brazil: maintaining predefined sets of controls, reusing the analyses already carried out to qualify systems, and categorizing information by confidentiality in large blocks. The way this assessment is carried out directly affects the design of solutions, the development of services, and the contracting models.


Author Biography

Marcio de Carli, Pontifícia Universidade Católica de Minas Gerais – Belo Horizonte – MG – Brasil

Graduated in Computer Science from the State University of Campinas (2009) and in Food Engineering from the State University of Campinas (2001). Specialist in business management and strategy at FUNCAMP (2005). Worked as a technologist at the Institute of Aeronautics and Space (IAE) from 2010 to 2014. Since 2014, he has been a Tax Analyst at the Information Technology Coordination of RFB in the area of Information Security. Experience in Computer Science / Information Technology / Information Security. Currently pursuing a Specialization in Information Security at IESB in Brasília and a Specialization in Data Science and Big Data at PUC Minas.


Published

2020-12-18

How to Cite

DE CARLI, M. SECURITY ANALYSIS WHEN HIRING CLOUD SERVICES: Comparison United States and Brazil. Revista Interface Tecnológica, [S. l.], v. 17, n. 2, p. 31–43, 2020. DOI: 10.31510/infa.v17i2.855. Available at: https://revista.fatectq.edu.br/interfacetecnologica/article/view/855. Accessed: 21 Dec. 2024.

Section

Tecnologia em Informática (Computing Technology)
