In the Enterprise IT world, it can sometimes seem like the whole world is moving to the cloud. Indeed, a recent survey of IT professionals found that among organizations with over 500 employees, 84 percent planned to move workloads to some form of cloud solution in the next few years.
The benefits of moving to the cloud are clear. Cloud solutions can save on infrastructure costs and improve scalability and reliability in ways that on-site physical resources simply cannot match. And yet, the cloud adoption rate among public safety organizations is significantly lower than among the enterprise IT market as a whole.
Due to the sensitivity of the data managed by such organizations, and the mission-critical nature of the tasks they perform, reluctance to migrate to the cloud is understandable. However, as the rest of the world moves in that direction, it is becoming increasingly untenable for public safety to maintain their operations as purely on-premise IT shops. Public safety IT managers and executives need to develop a cloud strategy soon if they have not already done so. Before making the transition, here are some key questions that decision makers need to answer.
What Is the Cloud?
First, make sure you understand what “the cloud” actually means. The most relevant options to consider for public safety organizations are:
- Cloud infrastructure-as-a-service (IaaS) In this model, instead of owning and managing your own physical servers and data center, you rent time on virtual servers owned and managed by someone else. You are responsible for managing the software and applications running on those servers. Microsoft Azure and Amazon Web Services are the biggest players in this market.
- Cloud-based Software-as-a-Service (SaaS) In this category, applications that normally would be managed by your own IT staff and run on servers you own, are instead managed and run on servers owned and managed by another organization. These run the gamut from cloud-based Records Management Systems, to investigative search and data sharing solutions. Many of providers in this space are in turn utilizing IaaS providers to host their applications.
Public safety organizations can achieve the most benefit from the SaaS model. In the traditional software model, your IT department is responsible for installing software, applying patches, allocating sufficient hardware resources, procuring third-party database software necessary to support the application, managing security and firewalls, managing data backup and restoration, and many other tasks. Costs and risks are often not known at the outset and can grow in unpredictable ways. In the SaaS model, the SaaS vendor manages all of those tasks at a fixed, known cost that allows IT managers and executives a clearer budget picture, and reduces risks.
Maintaining Compliance in the Cloud
In the United States, public safety organizations are subject to some unique compliance requirements. In particular, the FBI Criminal Justice Information Services (CJIS) Security Policy ultimately governs how those organizations are allowed to handle certain sensitive types of information. Unfortunately, unlike FedRAMP or other similar compliance standards, there is no nationwide, uniform certification system for CJIS compliance. Instead, each state government manages CJIS compliance semi-independently. This has resulted in a hodge-podge of similar-but-different rules that are used across the country.
Any public safety organization is subject to audit for CJIS compliance by their State CJIS Systems Agency (CSA). During an audit, the CSA will look for compliance issues relating to personnel training and background investigations, physical security, and logical and electronic security, among other areas. Furthermore, if the organization is utilizing any solutions that process sensitive information off-site (including SaaS and IaaS solutions), the providers are also subject to audit. In the event of an audit failure of a provider, the organization could be ordered to stop using that provider, or to implement potentially expensive mitigations to address compliance issues that were found in the audit.
In order to minimize audit risk and maintain the security of sensitive information, be sure at a minimum to ask any potential SaaS or IaaS provider about the following areas:
- CJIS Audit Ask the provider if they have been audited by the CSA in your state or any other state within the last two years and, if so, ask them to provide the audit report.
- FBI CJIS Security Addendum The FBI CJIS Security Policy includes an “Addendum” document that must be included un-altered in contracts that any state or local government agency signs with providers who may have access to sensitive information. The Addendum requires the provider to certify that they understand the CJIS Security Policy and are a compliant with it. Ask your provider if they signed the FBI CJIS Security Addendum with any other agencies, and if not, are they willing and able to do so?
- Personnel Any of the provider’s employees who have access to unencrypted sensitive information, including access to systems that store or process it, must undergo a criminal background investigation by the CSA, and must also undergo CJIS training provided by the CSA, before they can have access to such information. It is not sufficient for the provider to conduct their own investigations, or to use a private background investigation company. Ask your provider which employees have such access, and to provide documentation that they have undergone the required background checks and training. Some state CSAs such as Colorado provide a state-wide service for managing vendors on behalf of local government agencies.
- Physical Security The provider must maintain sufficient physical protection of all hardware infrastructure hosting unencrypted sensitive information. This includes not allowing unescorted access to such facilities by any personnel who have not had the required background investigation and training completed. Ask your provider how they manage physical security.
- Encryption Encryption of data at rest and in transit has become fairly standard these days, but the CJIS policy takes it a step further. Any sensitive information in transit outside of a physically secure location must use hardware and/or software encryption modules that have been validated to meet the Federal Information Processing Standard (FIPS) 140-2. This validation can only be granted by the National Institute of Standards of Technology (NIST), which maintains the certificates for every validated module on their website. The validation process is long and expensive, and many products on the market today do not meet the standard. Ask your provider if they can produce the NIST certificates for all of the encryption modules they use to encrypt data in transit.
- Logging and Auditing A specific set of events must be logged and the logs must be kept for at least a year. Furthermore, the logs must be audited at least on a weekly basis to scan for unusual, suspicious, or unauthorized activity. Ask your provider what they log, how long they keep the logs, and if the logs can be provided to customers in the event of an incident.
While this is not a comprehensive list of the questions that must be answered to prepare for CJIS compliance, it’s a good start on what will likely be some of the most important and challenging issues for any SaaS or IaaS provider. If you can’t get satisfactory answers from a prospective provider, it is probably time to look elsewhere.
About the Author
Nick Coult is Senior Vice President for Law Enforcement and Public Safety at Numerica Corporation. Nick is one of the creators of Lumen, a platform for law enforcement search, analysis, and data sharing. Nick previously served as a Program Director for integrated air and missile defense at Numerica. Prior to joining the company in 2008, Nick spent ten years working with leading mathematicians, scientists, and engineers on innovative, unique solutions and products for problems in seismic exploration, space physics, data compression, and image processing. He has a Ph.D. in Applied Mathematics from the University of Colorado, and an M.B.A. from the Massachusetts Institute of Technology. Follow on Twitter at @Lumen_Numerica.