Cloud and Brazilian General Data Protection Law (LGPD): 6 Configurations to help achieve Compliance.

Oct 20, 2022

The General Data Protection Law (LGPD) explicitly states that companies must adopt technical measures to protect citizens' personal data from unauthorized access, but it does not specify which actions to take. This presents a significant challenge for technology professionals, especially regarding compliance with this requirement in cloud environment configurations.

Cloud environments are highly complex and have a vast array of configuration options that can directly impact the security level of this data.

Below, we outline 6 cloud configurations that can aid your company's journey to enhance compliance with the LGPD, based on various articles from the current legislation:

WHAT DOES ARTICLE 46 SAY

Art. 46. Data processors must adopt security measures, both technical and administrative, capable of protecting personal data against unauthorized access and against accidental or unlawful destruction, loss, alteration, communication, or any form of inadequate or unlawful processing.

Best Practices for Compliance
Article 46 mentions maintaining the confidentiality of data. Therefore, recommended practices include:

  • Enable Data Encryption
    Activate encryption for data both in transit and at rest to prevent access by malicious entities or unauthorized individuals.

  • Establish a Secure Network Architecture
    Utilize Virtual Private Clouds (VPCs) for specific purposes. A secure network architecture should address segmentation and the principle of least privilege. For instance, create and use separate VPCs for the production environment and testing environment to prevent systems in one network segment from accessing another.

WHAT DOES ARTICLE 47 SAY

Art. 47. Data processors or anyone involved in any stage of processing must ensure information security as stipulated by this Law concerning personal data, even after processing has ended.

Best Practices for Compliance
Article 47 states that all individuals with access to personal data are also obligated to ensure its security. A good starting point for this is to focus on Identity and Access Management (IAM). Major cloud providers offer various configurations related to this topic, but two important tips that apply universally are:

  • Avoid Using the Root Account
    The root account carries the highest privilege level and grants access to every cloud resource, including any personal data of administrators and of your company's clients that is stored in the cloud. To reduce the risk of unauthorized access, reserve the root account for tasks that strictly require it and instead create individual IAM users or roles, each granted only the permissions its function needs.

  • Be Cautious with Password Management
    Require strong passwords that consist of uppercase letters, special characters, and numbers, and enforce Multi-Factor Authentication (MFA) for cloud access, especially for administrator users.

WHAT DOES ARTICLE 48 SAY

Art. 48. The data controller must notify the national authority and the data subject of a security incident that may pose a relevant risk or damage to the data subjects. § 1º The notification will be made within a reasonable timeframe, as defined by the national authority, and must mention, at minimum: (...) VI - the measures that have been or will be taken to reverse or mitigate the effects of the harm.

Best Practices for Compliance
Attention should be given to configurations that allow the company to implement a clear data recovery plan.

  • Ensure Backup Configurations Are Activated
    Confirm that all cloud resources have backup configurations enabled to allow for data recovery in the event of an incident.

  • Collect Audit Logs
    Gather audit logs and ensure they are securely stored to demonstrate the security measures adopted.

WHAT DOES ARTICLE 50 SAY IN ITS PARAGRAPH 2

§ 2º In applying the principles outlined in clauses VII and VIII of caput of art. 6º of this Law, the controller, considering the structure, scale, and volume of its operations, as well as the sensitivity of the data processed and the likelihood and severity of harm to data subjects, may:

I - Implement a Privacy Governance Program that, at minimum:
(...) f) is integrated into its overall governance structure and establishes and applies internal and external oversight mechanisms;
(...) h) is constantly updated based on information obtained from continuous monitoring and periodic assessments;

Best Practices for Compliance
The law’s requirement for companies' governance and privacy plans to be continuously assessed impacts how organizations monitor whether the data they store and process in the cloud is secure. Continuous monitoring, if done manually, can stifle the team and create unnecessary bottlenecks. Therefore:

  • Automate the Continuous Monitoring of Cloud Resources
    By doing so, each new deployment will notify the team if it complies with the most secure configurations. The Unxpose solution allows for this automation, and you can try it for free.
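The following script is an added example, not code from the original post or from Unxpose. It turns the six configurations above into automated checks that run over a cloud inventory, so that a finding is raised whenever a deployment drifts from the recommended settings. The inventory layout (plain dicts for storage, VPCs, users, the password policy and audit logging), the check names, and the thresholds (14-character minimum password length, 90 days of root inactivity) are assumptions made for the example; a real deployment would populate the same structure from the provider's inventory or configuration API and tune the thresholds to its own policy.

```python
"""Policy-as-code checks for the six LGPD-motivated cloud configurations.

Assumption: resources are described as plain dicts in the shape of INVENTORY
below. A real deployment would build this structure from the cloud provider's
inventory API; the values here are constructed for the example.
"""
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values taken from the law.
MIN_PASSWORD_LENGTH = 14
ROOT_INACTIVITY_DAYS = 90

# Constructed sample inventory (not real infrastructure).
INVENTORY = {
    "storage": [
        {"name": "customer-db", "env": "prod", "encrypted_at_rest": True,
         "tls_only": True, "backup_enabled": True},
        {"name": "analytics-bucket", "env": "prod", "encrypted_at_rest": False,
         "tls_only": True, "backup_enabled": False},
    ],
    "vpcs": [
        {"name": "vpc-prod", "env": "prod", "peered_with": []},
        {"name": "vpc-test", "env": "test", "peered_with": ["vpc-prod"]},
    ],
    "users": [
        {"name": "root", "is_root": True, "admin": True, "mfa": False,
         "last_used_days": 3, "access_keys": 1},
        {"name": "alice", "is_root": False, "admin": True, "mfa": True,
         "last_used_days": 1, "access_keys": 0},
        {"name": "bob", "is_root": False, "admin": True, "mfa": False,
         "last_used_days": 2, "access_keys": 0},
    ],
    "password_policy": {"min_length": 8, "require_upper": True,
                        "require_symbol": False, "require_number": True},
    "audit_logging": {"enabled": True, "log_store_encrypted": False},
}


@dataclass(frozen=True)
class Finding:
    article: str   # LGPD article the check is mapped to
    check: str     # short check identifier
    resource: str  # resource the finding concerns
    message: str


def check_encryption(inv):
    """Art. 46: data must be encrypted at rest and in transit."""
    out = []
    for s in inv["storage"]:
        if not s["encrypted_at_rest"]:
            out.append(Finding("46", "encryption-at-rest", s["name"], "encryption at rest is disabled"))
        if not s["tls_only"]:
            out.append(Finding("46", "encryption-in-transit", s["name"], "plaintext connections are accepted"))
    return out


def check_segmentation(inv):
    """Art. 46: VPCs of different environments must not be connected."""
    env_of = {v["name"]: v["env"] for v in inv["vpcs"]}
    return [Finding("46", "vpc-segmentation", v["name"], f"peered with {peer} in a different environment")
            for v in inv["vpcs"] for peer in v["peered_with"] if env_of.get(peer) != v["env"]]


def check_root_account(inv):
    """Art. 47: the root account should be unused, key-less and MFA-protected."""
    out = []
    for u in inv["users"]:
        if not u["is_root"]:
            continue
        if u["access_keys"] > 0:
            out.append(Finding("47", "root-access-keys", u["name"], "root account has active access keys"))
        if u["last_used_days"] < ROOT_INACTIVITY_DAYS:
            out.append(Finding("47", "root-in-use", u["name"], f"root used {u['last_used_days']} days ago; use IAM users instead"))
        if not u["mfa"]:
            out.append(Finding("47", "root-mfa", u["name"], "root account has no MFA"))
    return out


def check_credentials(inv):
    """Art. 47: strong password policy and MFA for administrators."""
    out = []
    p = inv["password_policy"]
    if p["min_length"] < MIN_PASSWORD_LENGTH:
        out.append(Finding("47", "password-length", "password-policy", f"minimum length {p['min_length']} < {MIN_PASSWORD_LENGTH}"))
    for flag in ("require_upper", "require_symbol", "require_number"):
        if not p[flag]:
            out.append(Finding("47", "password-complexity", "password-policy", f"{flag} is off"))
    for u in inv["users"]:
        if u["admin"] and not u["is_root"] and not u["mfa"]:
            out.append(Finding("47", "admin-mfa", u["name"], "administrator without MFA"))
    return out


def check_backups(inv):
    """Art. 48: every data store needs backups so incidents can be reversed."""
    return [Finding("48", "backup", s["name"], "backups are disabled")
            for s in inv["storage"] if not s["backup_enabled"]]


def check_audit_logs(inv):
    """Art. 48: audit logs must be collected and stored securely."""
    a = inv["audit_logging"]
    if not a["enabled"]:
        return [Finding("48", "audit-logging", "account", "audit logging is disabled")]
    if not a["log_store_encrypted"]:
        return [Finding("48", "audit-log-storage", "account", "audit log store is not encrypted")]
    return []


CHECKS = [check_encryption, check_segmentation, check_root_account,
          check_credentials, check_backups, check_audit_logs]


def run_checks(inv):
    """Run every check and return the combined list of findings."""
    return [f for check in CHECKS for f in check(inv)]


def findings_by_article(inv):
    """Count findings per LGPD article, useful for a compliance dashboard."""
    counts = {}
    for f in run_checks(inv):
        counts[f.article] = counts.get(f.article, 0) + 1
    return counts


def is_compliant(inv):
    return not run_checks(inv)


if __name__ == "__main__":
    for f in run_checks(INVENTORY):
        print(f"Art. {f.article} [{f.check}] {f.resource}: {f.message}")
```

Wired into a deployment pipeline, `is_compliant` becomes the gate that fails a deployment with drifted settings, while `findings_by_article` gives the privacy governance program (Art. 50 § 2) the per-article view it needs for its periodic assessments.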