Chances are, you’ve heard of the cloud. Every day, more businesses and more consumers are using software-as-a-service providers such as Amazon Web Services, Office 365, Dropbox, and others to provide on-demand software services at any scale. Scalability and reliability are the major reasons for this move. Simply put, cloud vendors can realize economies of scale that an individual business or institution would be hard-pressed to match. And they have the skills and knowledge necessary to implement best-in-class security measures.
Law enforcement poses a special challenge for cloud services. Criminal history records, personally identifying information, and related information must be carefully controlled and used only for legally authorized purposes. The FBI CJIS Security Policy lays out what we consider the ‘gold standard’ of how such information should be treated. It includes the following measures:
- Physical security. Such information must be stored in a physically secure location to which only authorized personnel have access.
- Logical security. Authentication, encryption, and software access controls must be implemented according to standards set by the FBI.
- Logging and auditing. Security-related events must be securely logged and stored for auditing.
While the CJIS policy does allow for cloud computing, most vendors fail to meet the standards (for example, Google lost out on LA County’s business because Gmail isn’t CJIS compliant, while Microsoft Office 365 is). When talking with a cloud vendor, be sure to ask about the CJIS policy.