Fostering the Cloud in Law Enforcement

Fostering the Cloud in Law Enforcement

FBI Offers Pragmatic, Forward-Looking Approach for Cloud Use

By Alan Wehler and Paul Rosenzweig, October 2, 2013.
  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
Alan Wehler and Paul Rosenzweig

Over the past several years, the law enforcement community has struggled with questions concerning the use of cloud computing technologies for the handling of criminal justice information. This has been due in large part to ambiguity in the security policy of the FBI's Criminal Justice Information Service (CJIS) Division, which regulates the IT security of law enforcement agencies with access to FBI criminal databases.

The FBI has taken a significant step forward by clarifying that cloud services are permissible, while also making clear that traditional commercial cloud service models cannot be implemented in the CJIS environment.

 The FBI has taken a significant step forward by clarifying that cloud services are permissible. 

Under the new policy, cloud services may be used to process criminal justice information, but the service provider must disable many of its metadata analytical functions. In other words, commercial cloud service providers will be required to contractually guarantee that any data mining or ad-related features have been disabled when they provide cloud-based services to law enforcement agencies. This new FBI policy is a pragmatic and forward-looking approach that minimizes technological requirements and affords flexibility to individual law enforcement organizations.

The new policy echoes principles recently developed by the International Association of Chiefs of Police and correctly sets the balance between data security, convenience and efficiency. The policy acknowledges the potential benefits and security challenges presented by the technology, while providing law enforcement agencies with resources that can help them deploy a CJIS compliant cloud.

The policy is a welcome effort to define acceptable outcomes rather than mandate specific cloud computing technologies. The guiding cybersecurity principles offered by the police chief association also are embraced by the new policy, most notably in the metadata provision, which is the only directive component of the policy.

Scrutinizing the New Policy

According to the new policy, "The metadata derived from [criminal justice information] shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any e-mail or data files for the purpose of building analytics, data mining, advertising or improving the services provided." Read literally, this might prohibit even clearly appropriate security-oriented metadata analysis, but we are certain this is not what was intended. Such a reading would not be consistent with the FBI's constructive, operational approach.

Other elements of the police chief association's cybersecurity principles also are reflected in the cybersecurity whitepaper included in the CJIS policy. This paper offers law enforcement a list of CJIS compliance areas that need to be addressed as part of a cloud deployment and recommendations to address security and data privacy issues. One particularly helpful recommendation permits law enforcement agencies to choose how they address cloud-provider insider risk, either through background checks or at-rest encryption. In short, the FBI has provided a working checklist for CJIS cloud deployment, just the sort of practical "go-by" that local law enforcement has been waiting for.

The CJIS security policy originally was developed in the late 1990s, without cloud computing in mind. Uncertainty about earlier policy made many local law enforcement agencies reluctant to transition to cloud technologies that they feared were incompatible with CJIS rules. The city of Los Angeles went so far as to cancel the Los Angeles Police Department's cloud computing plans on the grounds that CJIS rules were incompatible with cloud computing.

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE How Should U.S. Respond to Sony Breach?

Seeking a measured response to an attack on a non-critical infrastructure company requires...

Latest Tweets and Mentions

ARTICLE How Should U.S. Respond to Sony Breach?

Seeking a measured response to an attack on a non-critical infrastructure company requires...