As a result, many are turning to cloud solutions.
“From our point of view, it's clear cloud is the way law enforcement is moving for the next few years,” said Sanjoy Datta, information security officer for the Los Angeles Police Department. “We simply don’t have the staff we need to keep all these systems on premise. The demand for technology is growing, but the supply is not there. So the way to meet that need is to move to the cloud.”
Ted Byerly, team leader for Networking, Security and Infrastructure at the San Bernardino County, Calif., Sheriff’s Department, agreed. “Resource constraints are a real challenge for us,” he said. “And we’re always behind when it comes to technology. So when we started talking about cloud, a light came on. If I don’t have to use my internal resources to patch servers, buy servers and update servers, and if I can get unlimited storage for all this data and video and great security support to boot, that’s a huge bonus for us.”
But moving to the cloud also presents security concerns for law enforcement. Sensitive data requires the highest security levels. Last month, the International Association of Chiefs of Police, the largest organization of police leaders in the U.S., issued updated guidelines recommending that cloud storage of all criminal justice information — including video — should comply with the FBI’s Criminal Justice Information Services (CJIS) Security Policy.
The CJIS Security Policy outlines the security precautions that must be taken to protect sensitive information gathered by local, state and federal criminal justice and law enforcement agencies. It contains specific requirements for areas including wireless networking, remote access and encryption.
CJIS compliance by potential vendors is therefore important to criminal justice agencies looking to move to the cloud. And so far, the only hyper-scale cloud vendor that has contractually committed to meeting CJIS requirements for all levels of government is Microsoft.
The Los Angeles Police Department recently purchased Microsoft’s Azure, and Datta said the fact that Microsoft committed to CJIS compliance — including fingerprint-based background checks, detailed audit information, access to facilities and a direct commitment to the FBI CJIS Security Addendum by personnel and the company — was a critical component of the department's decision.
“The fact that Microsoft committed to CJIS compliance and having their employees background-checked by the California Department of Justice helped give us the confidence that we could begin to leverage Azure Government for our most critical, sensitive workloads,” he said.
Other cloud vendors are currently working to meet CJIS requirements as well, but the mandatory fingerprinting and background check requirements have been a sticking point for some.
“CJIS is really a minimum set of controls to protect data — but it can be overwhelming to both law enforcement agencies and to vendors,” said Byerly. “Some vendors now meet all the CJIS requirements except for the background checks and fingerprinting aspects. Some contend that because all the data is encrypted, even if an unauthorized person accesses it, they can’t do anything with it. But we are required by law to meet that requirement, so we think the vendors should too. In an ever-increasing threat environment, where the Internet and systems are continually being targeted, we decided that all our systems should meet CJIS requirements across the enterprise.”
Of course, CJIS-compliant cloud solutions won’t solve all of law enforcement’s technology problems, as many other challenges exist when it comes to cloud, Datta said. For example, due to the growing volume of data and the need to diversify their technology suppliers, law enforcement agencies are likely to eventually work with several cloud providers rather than just one. Using a variety of vendors, however, could mean the data they collect ends up in silos, which could put agencies at a disadvantage should a big event — such as the Boston Marathon bombing — occur.
“If a significant event occurred, we could be harvesting a massive amount of video — some body-worn, some surveillance video, some cell phone videos from the public, etc.,” said Datta. “In many cases it would be siloed. How do we go about searching for video relevant to an incident across these silos? Eventually we are going to need tools that span multiple cloud solutions so we can get the data we need and analyze it across multiple cloud platforms. We’ve been posing that challenge to our vendors, and they are looking into how to provide that, though it’s still kind of unclear at this point.”