Is the cloud safe enough to lock up law enforcement data?
The use of cloud computing in some form is inevitable in police technology. But like many professions, law enforcement executives have particular concerns about using cloud technology, ranging from the risk that unauthorized persons could steal sensitive information to concerns about the costs of technology migration.
A report, “Mitigating Risks in the Application of Cloud Computing in Law Enforcement," aims to help law enforcement officials weigh the pros and cons of moving to cloud computing. Written by Paul Wormeli, executive director emeritus of the Integrated Justice Information Systems Institute, and presented by the IBM Center for The Business of Government, the report offers recommendations on how law enforcement organizations can successfully move to cloud infrastructures.
Wormeli found that the major worries of the law enforcement community about moving to the cloud included cloud reliability and availability, performance requirements, costs of migration, and the recovery of data.
In a survey, most law enforcement officials said they were especially concerned about whether cloud computing was appropriate for mission-critical applications such as computer-aided dispatch, records management, criminal justice information and intelligence systems. And of all these areas, unauthorized access to sensitive information is the community’s biggest concern, according to the survey.
Against this backdrop, Wormeli argues commercial cloud providers have made significant strides in protecting data from being hacked or stolen. He cited an 2010 Aberdeen Group study that states that, “compared to premise Web security solutions, users of cloud-based solutions had 58 percent fewer malware incidents over the last 12 months ... and 45 percent fewer incidents of data loss or data exposure.”
Moreover, cloud providers have adopted data encryption technology, redundant data storage, two-factor authentication and federated identity and privilege management specifications, the report notes. Cloud providers are also well aware of the need to offer high availability services, the report states, and do so by building-in redundancy for data centers normally used for these services.
The reliability and availability of cloud-based computer-aided dispatch (CAD) systems, used for emergency communications, are a special concern for law enforcement, according to the report. “CAD being unavailable has perhaps the most serious consequences of any IT failure in law enforcement,” it says.
The use of multiple cloud services and non-proprietary data recovery methods will help agencies deal with these and other risks associated with the remote storage of data in installations that may be damaged or no longer accessible, according to the report.
The continuity of sound IT management policies will also be essential for using cloud, survey respondents noted. In particular, compliance with FBI Criminal Justice Information Services rules for managing law enforcement systems is a critical requirement that managers want to see carried over to cloud-based services, according to the report.
Cloud computing will evolve to be a useful way of providing IT services to law enforcement, according to the report, but the move could be complicated and challenging. Therefore, any agency interested in taking advantage of cloud computing should consider the following recommendations:
- Determine if the existing software provider is or will be offering a true cloud computing option. This should minimize the cost of conversion including data migration.
- Investigate other agencies’ interests in forming a community cloud that could provide services to a number of other agencies of all sizes.
- Agencies directly negotiating with a cloud service provider should study and prepare their own requirements for service-level agreements. SLAs should define the objectives as well as the measures of performance and the penalties associated with a failure to meet the defined requirements.
- Test candidate cloud providers to determine that guaranteed availability and performance levels are being met before and after implementation of the service. Availability can be estimated, but the best way to determine availability is by references from other users.
- Ensure that, for mission-critical applications such as CAD and RMS, the cloud provider is certified to meet FBI CJIS Security Policy 5.0 requirements.
- Acknowledge that moving to the cloud is challenging and difficult. Agencies should use enterprise architects and engineers to design and orchestrate the move to new technology.