
Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados - LGPD) Compliance

Brazil – General Data Protection Law (LGPD)

Thales can help organizations comply with Brazil’s LGPD and avoid fines and breach notifications through best-practice data security, including:

  • Anonymizing personal data
  • Controlling access to sensitive data
  • Monitoring and logging all data access

Summary

Brazil’s General Data Protection Law (LGPD) went into effect in 2020.

According to Article 1 of the law:

This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Wherever you operate and whatever the regulation, you can rely on Thales to help manage your risk. Thales can help your organization comply with many of the requirements of LGPD.

Best Practices

Brazil’s General Data Protection Law (LGPD) requires best practice in data security for personal data and notes that personal data that has been anonymized is no longer considered to be within the scope of the law, if it cannot easily be returned to its original state by those who might obtain it.

Best practice for data security always includes:

  • Encryption or tokenization of the data
  • Protection and management of the keys used to encrypt the data
  • Control of user access to the data
  • Logging of data access events

Thales has years of experience helping organizations implement these best practices to help comply with LGPD.

Encryption and Tokenization

Thales’s CipherTrust Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the CipherTrust Manager.

CipherTrust Tokenization dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as LGPD. The solution delivers capabilities for database tokenization and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymizing sensitive assets—whether they reside in data center, big data, container, or cloud environments.
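The two data-protection techniques the page keeps returning to, anonymization that cannot easily be reversed (the LGPD scope point above) and tokenization with display masking, look like this in code. This is an added, stand-alone illustration written for this page, not Thales or CipherTrust code: the records, CPF values and key are constructed, the keyed-HMAC pseudonym and the in-memory vault are generic techniques, and in a real deployment the key and the vault contents would live in the key manager rather than in the process.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records with fictitious CPFs (Brazilian taxpayer ids).
SAMPLE_RECORDS = [
    {"name": "Ana Souza", "cpf": "12345678909", "city": "Recife"},
    {"name": "Bruno Lima", "cpf": "98765432100", "city": "Curitiba"},
    {"name": "Ana Souza", "cpf": "12345678909", "city": "Recife"},  # same subject again
]


def pseudonymize(value: str, key: bytes, domain: str = "cpf") -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    The same value under the same key always maps to the same token, so
    joins and de-duplication still work on the pseudonymized data set.
    Whoever holds only the tokens cannot recompute or invert the mapping
    without the key; an unkeyed hash of an 11-digit id would not give that
    protection. The domain prefix keeps tokens for different field types
    from being compared across fields.
    """
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize_dataset(records, key: bytes):
    """Replace the direct identifiers; keep only the fields analytics needs."""
    return [{"subject": pseudonymize(r["cpf"], key), "city": r["city"]} for r in records]


@dataclass
class TokenVault:
    """Reversible tokenization (hypothetical vault for this example).

    The clear value is kept only inside the vault and the data set carries a
    random token with no mathematical relation to it, so only a caller that
    is allowed to use detokenize() can recover the original.
    """
    _by_token: dict = field(default_factory=dict)
    _by_value: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:      # reuse tokens so joins keep working
            token = secrets.token_hex(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]        # KeyError for tokens the vault never issued


def mask_cpf(cpf: str) -> str:
    """Display masking for operators who must confirm identity, not see the id."""
    return f"***.***.***-{cpf[-2:]}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # in practice: issued and held by the key manager
    for row in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(row)
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_RECORDS[0]["cpf"])
    print(tok, "->", mask_cpf(vault.detokenize(tok)))
```

The distinction matters for scope: the HMAC pseudonym is only as irreversible as the key is well protected, which is why key management appears in the best-practice list, while the vault token reveals nothing about the value it stands for and recovery is purely an access-control question on the vault.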

CipherTrust Application Data Protection

CipherTrust Application Data Protection delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level-1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case based extensions to the standard.

CipherTrust Application Data Protection eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution with development options including a comprehensive, traditional software development kit (SDK) for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.

Encryption Key Management

Thales’ CipherTrust Enterprise Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS-140-2 secure key storage, and Cloud Bring Your Own Key.

User Access Control

The CipherTrust Data Security Platform provides state-of-the-art user access control.

  • Separation of privileged access users and sensitive user data. With the CipherTrust Data Security Platform, organizations can create a strong separation of duties between privileged administrators and data owners. CipherTrust Transparent Encryption encrypts files while leaving their metadata in the clear. In this way, IT administrators—including hypervisor, cloud, storage, and server administrators—can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.
  • Separation of administrative duties. Strong separation-of-duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, CipherTrust Manager supports two-factor authentication for administrative access.
  • Granular privileged access controls. Thales’ solution can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.

Security Intelligence Logs

CipherTrust Security Intelligence produces detailed security event logs that are easy to integrate with Security Information and Event Management (SIEM) systems to produce the kind of security reports necessary for regulatory compliance.

These logs produce an auditable trail of permitted and denied access attempts from users and processes, giving detailed insight into file access activity. The logs can surface unusual or improper data access and accelerate the detection of insider threats, hackers, and advanced persistent threats that defeat perimeter security.
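The granular policy model described under User Access Control (rules keyed by user, process, file type and time of day, with privileged administrators denied clear-text access by default) and the audit trail of permitted and denied attempts described here fit together as below. This is an added illustration written for this page, not the CipherTrust policy format or log schema: the policy, the requests and the timestamps are constructed, the JSON line layout is a generic one a SIEM could ingest, and the burst detector is a simple sliding-window count, not a vendor feature.

```python
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset      # OS users the rule applies to
    processes: frozenset  # executables allowed to act on their behalf
    suffixes: frozenset   # file types, by extension
    ops: frozenset        # "read", "write", ...
    hours: range          # local hours in which the rule applies


@dataclass(frozen=True)
class Request:
    ts: datetime
    user: str
    process: str
    path: str
    op: str


# Constructed policy: the database engine may read/write its files in business
# hours, the backup agent may read them at night, and everyone else, root
# included, gets no clear-text access. Anything not matched is denied.
POLICY = [
    Rule("db-engine", frozenset({"postgres"}), frozenset({"/usr/lib/postgresql/bin/postgres"}),
         frozenset({".db"}), frozenset({"read", "write"}), range(7, 20)),
    Rule("backup-agent", frozenset({"backup"}), frozenset({"/usr/bin/rsync"}),
         frozenset({".db"}), frozenset({"read"}), range(22, 24)),
]

T = datetime(2024, 3, 4, 10, 0)  # constructed timestamps
SAMPLE_REQUESTS = [
    Request(T, "postgres", "/usr/lib/postgresql/bin/postgres", "/data/customers.db", "read"),
    Request(T + timedelta(minutes=1), "root", "/bin/cat", "/data/customers.db", "read"),
    Request(T + timedelta(minutes=2), "root", "/bin/cat", "/data/customers.db", "read"),
    Request(T + timedelta(minutes=3), "root", "/bin/cp", "/data/customers.db", "read"),
    Request(T.replace(hour=2), "postgres", "/usr/lib/postgresql/bin/postgres",
            "/data/customers.db", "write"),           # right user, wrong time of day
    Request(T.replace(hour=23), "backup", "/usr/bin/rsync", "/data/customers.db", "read"),
]


def evaluate(policy, req):
    """First matching permit rule wins; no match means deny (least privilege)."""
    suffix = PurePosixPath(req.path).suffix
    for rule in policy:
        if (req.user in rule.users and req.process in rule.processes
                and suffix in rule.suffixes and req.op in rule.ops
                and req.ts.hour in rule.hours):
            return "permit", rule.name
    return "deny", None


def audit_event(req, decision, rule):
    """One JSON line per attempt, permitted or denied, for the SIEM."""
    return json.dumps({"ts": req.ts.isoformat(), "user": req.user, "process": req.process,
                       "path": req.path, "op": req.op, "decision": decision, "rule": rule})


def enforce_all(policy, requests):
    return [audit_event(r, *evaluate(policy, r)) for r in requests]


def decisions(log_lines):
    return [json.loads(line)["decision"] for line in log_lines]


def denied_bursts(log_lines, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` denied attempts inside a sliding window:
    a cheap detection for an administrator probing data they cannot open."""
    recent = defaultdict(deque)
    flagged = set()
    for line in log_lines:
        ev = json.loads(line)
        if ev["decision"] != "deny":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["user"])
    return flagged


if __name__ == "__main__":
    log = enforce_all(POLICY, SAMPLE_REQUESTS)
    print("\n".join(log))
    print("denied bursts:", denied_bursts(log))
```

Run as-is the sample produces one permit for the database engine, three denies for root (who can still administer the host because only clear-text access is blocked), one deny for the engine outside its allowed hours, one permit for the backup agent, and the burst detector flags root alone.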
