On Thursday (05/12), the Ministry of Planning, Budget and Management (MP) released a 'Best practices, guidelines and prohibitions for contracting Cloud Computing Services', which establishes that data and information must be hosted in Brazil, including backups. For the MP's Information Technology secretary, Cristiano Heckert, keeping data in the national territory is a matter of jurisdiction.
“Our expectation is that the suppliers themselves will have a full interest in safeguarding the confidentiality of information when required. If, eventually, there are problems of judicialization, it is important that this is done in the Brazilian jurisdiction”, explained Heckert.
Francisco Camargo, executive president of ABES, points out, however, that “the concept of geographic border does not apply very well to the virtual world, because, in the internet age, data, if not properly encrypted, can be accessed from any location. place in the world. Not only does the data need to be encrypted, but the programs that access this information have to be audited for latent vulnerabilities in the source code that would completely compromise the security of cloud computing.”
According to the president of ABES, the federal government needs, first of all, an Information Security policy, which even includes the signing of confidentiality agreements by everyone who accesses the data. “It is good not to forget that the human being is the weakest link in any security system. Therefore, it is necessary to foresee harsh penalties in order to prevent the disclosure of this information, establish access rules, in addition to defining the length and complexity of passwords, among other factors. If this is not done, the physical location of the cloud location is completely irrelevant”, he analyzes. For Camargo, the only reasonable explanation to be concerned about the geographic location of the cloud is in terms of Jurisdiction and applicable laws.
The MP's manual also prohibits the hiring of safe-rooms and safe rooms by bodies of the Information Technology Resource Management System (SISP) in order to reduce expenses. Heckert believes that the guidelines for contracting cloud computing services will optimize infrastructure resources, as the model is more effective.
The document recommends that agencies use the 'Hybrid Cloud' model, making it possible to contract services that do not compromise national security from private providers. If the service requires some type of protection, the acquisitions must be carried out with entities of the Federal Public Administration or be carried out directly by the agency.
To know the guidelines for IT hiring, they are available on the Electronic Government Portal (eGOVBR).
“Our expectation is that the suppliers themselves will have a full interest in safeguarding the confidentiality of information when required. If, eventually, there are problems of judicialization, it is important that this is done in the Brazilian jurisdiction”, explained Heckert.
Francisco Camargo, executive president of ABES, points out, however, that “the concept of geographic border does not apply very well to the virtual world, because, in the internet age, data, if not properly encrypted, can be accessed from any location. place in the world. Not only does the data need to be encrypted, but the programs that access this information have to be audited for latent vulnerabilities in the source code that would completely compromise the security of cloud computing.”
According to the president of ABES, the federal government needs, first of all, an Information Security policy, which even includes the signing of confidentiality agreements by everyone who accesses the data. “It is good not to forget that the human being is the weakest link in any security system. Therefore, it is necessary to foresee harsh penalties in order to prevent the disclosure of this information, establish access rules, in addition to defining the length and complexity of passwords, among other factors. If this is not done, the physical location of the cloud location is completely irrelevant”, he analyzes. For Camargo, the only reasonable explanation to be concerned about the geographic location of the cloud is in terms of Jurisdiction and applicable laws.
The MP's manual also prohibits the hiring of safe-rooms and safe rooms by bodies of the Information Technology Resource Management System (SISP) in order to reduce expenses. Heckert believes that the guidelines for contracting cloud computing services will optimize infrastructure resources, as the model is more effective.
The document recommends that agencies use the 'Hybrid Cloud' model, making it possible to contract services that do not compromise national security from private providers. If the service requires some type of protection, the acquisitions must be carried out with entities of the Federal Public Administration or be carried out directly by the agency.
To know the guidelines for IT hiring, they are available on the Electronic Government Portal (eGOVBR).
EN 
PT 
