Over the past several years, the law enforcement community has struggled with questions concerning the use of cloud computing technologies for the handling of criminal justice information. This has been due in large part to ambiguity in the security policy of the FBI's Criminal Justice Information Service (CJIS) Division, which regulates the IT security of law enforcement agencies with access to FBI criminal databases.
The FBI has taken a significant step forward by clarifying that cloud services are permissible, while also making clear that traditional commercial cloud service models cannot be implemented in the CJIS environment.
Under the new policy, cloud services may be used to process criminal justice information, but the service provider must disable many of its metadata analytical functions. In other words, commercial cloud service providers will be required to contractually guarantee that any data mining or ad-related features have been disabled when they provide cloud-based services to law enforcement agencies. This new FBI policy is a pragmatic and forward-looking approach that minimizes technological requirements and affords flexibility to individual law enforcement organizations.
The new policy echoes principles recently developed by the International Association of Chiefs of Police and correctly sets the balance between data security, convenience and efficiency. The policy acknowledges the potential benefits and security challenges presented by the technology, while providing law enforcement agencies with resources that can help them deploy a CJIS compliant cloud.
The policy is a welcome effort to define acceptable outcomes rather than mandate specific cloud computing technologies. The guiding cybersecurity principles offered by the police chief association also are embraced by the new policy, most notably in the metadata provision, which is the only directive component of the policy.
Scrutinizing the New Policy
According to the new policy, "The metadata derived from [criminal justice information] shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any e-mail or data files for the purpose of building analytics, data mining, advertising or improving the services provided." Read literally, this might prohibit even clearly appropriate security-oriented metadata analysis, but we are certain this is not what was intended. Such a reading would not be consistent with the FBI's constructive, operational approach.
Other elements of the police chief association's cybersecurity principles also are reflected in the cybersecurity whitepaper included in the CJIS policy. This paper offers law enforcement a list of CJIS compliance areas that need to be addressed as part of a cloud deployment and recommendations to address security and data privacy issues. One particularly helpful recommendation permits law enforcement agencies to choose how they address cloud-provider insider risk, either through background checks or at-rest encryption. In short, the FBI has provided a working checklist for CJIS cloud deployment, just the sort of practical "go-by" that local law enforcement has been waiting for.
The CJIS security policy originally was developed in the late 1990s, without cloud computing in mind. Uncertainty about earlier policy made many local law enforcement agencies reluctant to transition to cloud technologies that they feared were incompatible with CJIS rules. The city of Los Angeles went so far as to cancel the Los Angeles Police Department's cloud computing plans on the grounds that CJIS rules were incompatible with cloud computing.
With its latest update to the CJIS security policy, the FBI has resolved this conflict. It has authorized the adoption of cloud computing within the law enforcement community and provided law enforcement with resources to deploy a CJIS compliant system. These resources will provide law enforcement leaders with a greater understanding of cloud computing's security challenges and give them access to a wider variety of cloud resources, including National Institute of Standards and Technology best practices. This policy should allow for wider adoption of cloud computing technologies among law enforcement agencies and allow them to benefit from the increased efficiency and cost savings that the technology has brought to the private sector and other corners of government.
By revising the CJIS security policy, the FBI has taken a large step forward in fostering wider adoption of cloud computing in the law enforcement community. The policy wisely echoes the guiding principles offered by the police chief association and prohibits the commercial use of metadata from criminal justice information for activities such as data-mining and advertising. The broader adoption of cloud computing within the law enforcement community offers an opportunity for many agencies to reduce IT costs amid declining budgets.
While the path forward for adopting cloud technologies is clearer, the FBI must continue to provide the law enforcement community with clear guidance on the issue and regularly update its policies as the technology evolves. In the meantime, law enforcement agencies across the country should take a close look at the new policies as they consider and implement cloud computing technologies.

Alan Wehler is an associate at The Chertoff Group, a global security advisory firm. Paul Rosenzweig, a Chertoff senior adviser, is former deputy assistant secretary for policy at the Department of Homeland Security. Wehler and Rosenzweig contribute to SafeGov.org, a forum of IT experts who address cloud computing security for the federal government.