SECURITY ANALYSIS WHEN HIRING CLOUD SERVICES
Comparison United States and Brazil
DOI: https://doi.org/10.31510/infa.v17i2.855
Keywords: Information Security, Cloud Computing, Risk Management
Abstract
This work aims to describe and evaluate current information security assessment practices in the adoption of cloud computing services. It discusses the effort required to carry out these practices and lists the improvements needed to make the security risk assessment and control implementation process more efficient in Brazil. The article reviews two government approaches to risk management in the adoption of cloud computing services: the Federal Risk and Authorization Management Program (FedRAMP) in the United States and the Brazilian government's processes for information security risk management. Each process is grounded in its country's regulatory framework. Finally, the study lists actions that could improve the evaluation process in Brazil, such as maintaining predefined sets of controls, reusing the analyses already carried out to qualify systems, and categorizing information by confidentiality level in large blocks. The way this evaluation is carried out directly affects the design of solutions, the development of services, and the contracting models.
Copyright (c) 2021 Revista Interface Tecnológica
This work is licensed under a Creative Commons Attribution 4.0 International License.
The copyright of published articles belongs to the journal Interface Tecnológica and follows the Creative Commons standard (CC BY 4.0), which permits remixing, adapting, and creating derivative works from the original, even for commercial purposes. New works must credit the original author(s).