Government agencies at all levels are examining how to use cloud services to upgrade their systems while maximizing value. Moving to the cloud can allow agencies to consolidate sprawling IT systems, offer more mobility options and manage legacy systems. However, along with all of this convenience comes a significant security headache. Many agencies are still working out how to handle cloud security, and nowhere is this more important than in law enforcement. CivSource spoke with Jeff Gould, CEO & Director of Research, Peerstone Research, about how law enforcement agencies are managing cloud security.
Standards for information security and storage are rapidly emerging from a variety of governing bodies as federal agencies adopt a "cloud first" strategy. Moves like this at the federal level typically provide a roadmap for state governments as they consider moving to similar systems, and law enforcement is no different.
Local law enforcement agencies store sensitive information on several inter-jurisdictional systems designed to give them key information, including criminal histories, information about criminal groups and geospatial data. Each of these systems has strict security requirements that govern not only who may access the information but also how the information itself is stored and handled. When an individual agency moves to the cloud, those requirements must still be met.
According to Gould, this is where failures occur. Agencies and contractors must conduct rigorous due diligence to ensure that any cloud services migration meets those security requirements. The Los Angeles Police Department and Google Apps For Government are an example of how a failure of due diligence can turn into a high-profile fiasco.
As CivSource reported earlier this year, Computer Sciences Corp. and Google were awarded a five-year, $7.2 million contract with the city to build a cloud-based email system for all municipal workers, but significant deployment delays due to security concerns resulted in thousands of dollars in reimbursements, with Google picking up the tab to keep police on a more secure email platform. As Gould notes in a recent SafeGov.org article, Los Angeles officials ran into trouble meeting the requirements for secure access to the FBI's national Criminal Justice Information Services (CJIS) databases. The CJIS requirements govern both direct access to CJIS systems and the secondary dissemination of CJIS-derived information. That covers email, and it extends to outside IT contractors who provide services to law enforcement agencies. Los Angeles maintains that Google met these requirements initially, but the setup failed on examination.
According to Gould, “The FBI demands 128-bit or better encryption of CJIS-derived information. So-called “at rest” (i.e. storage-based) encryption does not seem to be a standard feature of Google Apps, but the city says Google has met this requirement. LAPD’s existing on-premises email server, Novell GroupWise, also meets the FBI’s encryption standard, as do comparable systems such as IBM Lotus Notes and Microsoft Exchange.”
The problem, Gould explains, is not that the requirements are unclear, but that both cities and contractors need to step back and examine what is actually required. “CJIS requirements are very specific; what you have here is a failure of due diligence. Google Apps For Government clearly does not meet the standard. And there are other law enforcement agencies that are in the same boat with this now. City and state agencies need to look at both the service provider and the systems integrator to make sure the requirements are met before the contract goes forward.”
Encryption isn’t the only issue: CJIS also requires that IT contractor personnel pass criminal background checks and sign the FBI Security Addendum. For contractors like Google, with global personnel, this requirement may not be something they can currently meet without some restructuring of their workforce, a key factor that should be understood during the bid process.
“Large parts of this could have been avoided if both the service providers and the agency had understood all of the requirements. The key question for the other law enforcement agencies currently working with Google will be whether they step back and find a way to meet the requirements or have to work with another provider,” Gould said.
The situation points to broader issues surrounding cloud service providers. Gould notes that beyond due diligence, the providers themselves need to offer a variety of options to avoid situations like this. Unlike commercial customers, public sector agencies face a unique set of requirements designed to protect the privacy of citizens and the functions of government. Contractors need to take care to provide solutions that meet these requirements.