In the cyber domain, four years is a lifetime. In that time, Moore’s law tells us that computing power will double and then double again. And in the same time frame, cloud solutions for the storage of confidential government data have gone from a novelty (of suspect provenance) to a commonplace.
The story of that transformation – seen most clearly in the changing perspective on the FBI’s Criminal Justice Information System (CJIS) – is a story of the successful integration of law and policy and of effective advocacy by the International Association of Chiefs of Police (IACP). And therein hangs a tale.
In the early 1990s, the FBI began operating the CJIS – a network of data sharing arrangements that link almost all of the 18,000 police departments across the nation. But the information that the police share is highly sensitive and confidential. They have custody of vast amounts of personal, private information, and they are subject to intense external scrutiny. That means that the police must always be able to audit exactly who has accessed their data, when, how, and for what purpose.
As a consequence, the FBI also developed a security policy that established guidelines for the creation, transmission, and storage of criminal justice information. Any police department that wanted access to shared data (which is pretty much everyone these days) had to conform to the minimum security standards set by the FBI.
And then along came the cloud. Little more than four years ago, police officials around the country began to think of the utility of cloud computing. Moving operations to the cloud has a number of advantages in efficiency and cost that, in these budget-constrained times, are of great value.
But the usefulness of cloud computing was stymied by the security requirements of the CJIS Security Policy. To take but one example, in 2009, the city of Los Angeles wanted to migrate to a cloud-based structure for all of the city’s services. The Los Angeles Police Department balked because the cloud system chosen did not meet the FBI's strict security and privacy requirements.
The critical problem was one of access by the employees of the cloud service provider. The FBI’s security requirement mandates that all of the people who have access to the CJIS must pass a criminal history background check. But many large cloud providers have support staff who live and work overseas and who would not, or could not, be screened. With those limitations, cloud-based storage and sharing of confidential criminal justice information was virtually impossible.
But four years is, as we’ve noted, a cyber-lifetime. In 2009, enterprise cloud providers didn’t understand the CJIS requirements. And the FBI didn’t really understand the cloud. Today, much has changed.
The FBI has now taken a significant step forward – issuing a new policy that says that cloud services are permissible for the storage of criminal justice information, while at the same time making it clear that traditional commercial cloud service models cannot be fully implemented in the CJIS environment.
Under the new CJIS Security Policy, for example, cloud services may be used to process criminal justice information, but the service provider must agree to disable many of its metadata analytical functions. The new policy echoes principles recently developed by the IACP and sets a new balance between data security, convenience and efficiency. The new policy acknowledges the potential benefits and security challenges presented by cloud services, and provides law enforcement agencies with resources that can help them successfully deploy a CJIS-compliant cloud system.
Meanwhile, some cloud vendors have restructured their operations to more directly conform to CJIS requirements. As a result, today, CJIS policy allows for cloud computing solutions, albeit with some difficulty.
The future for CJIS cloud solutions is even brighter than the present. One particularly helpful recommendation in the new CJIS Security Policy permits law enforcement agencies to choose how they address cloud-provider insider risk – either through security background checks or at-rest encryption.
This means that the FBI will accept a cloud architecture that strongly encrypts data not just in transit but at rest and that gives the customer – the police department – sole, exclusive control over the cryptographic keys needed to unscramble the data at their points of access. With strong encryption there really is no reason why a law enforcement agency could not permit its data to be intermingled with public data; to be stored physically anywhere on the planet; or to be managed by personnel whose identities are entirely unknown to the law enforcement agency.
A number of innovative startups have begun to develop functionality that encrypts internal organizational email before it is sent to the cloud. The encryption may, for example, limit the functionality of cloud applications like searches. But the future of alternate ways of protecting confidential data is bright – and in following that path, the law enforcement community will be mirroring pro-encryption developments in the private sector.
Of course there is more to be done (there always is). One ready improvement would be to permit cross-jurisdiction certification, so that a compliance and adjudication agreement with California was acceptable in Oregon as well. We might even consider a model agreement vetted and approved by CJIS as an acceptable federal standard.
But even with more to do, we can see the progress thus far as a real success story – from uncertainty to acceptance; from misunderstanding to comprehension; and from insecurity to secure cloud storage and communication. The development of a new CJIS policy should be commended.
Paul Rosenzweig previously served as Deputy Assistant Secretary for Policy at the U.S. Department of Homeland Security. He is currently a Senior Advisor to The Chertoff Group, a global security advisory firm which advises clients on information security including cloud computing.