In December of last year, the Los Angeles City Council voted to cancel a plan to move the Los Angeles Police Department onto Google’s cloud-based email system. The council decision was based on staff analysis, which concluded that Google’s cloud technology could not meet the FBI’s CJIS security rules.
The Los Angeles City chief technology officer, Randi Levin, told Government Technology that the “real issue here is the fact that the policies related to a lot of different areas in the government are not matching the technologies that are coming out. That is the core issue: The criminal justice requirements were never written with cloud computing in mind.”
In February, the FBI reaffirmed its rule that all cloud products sold to US law enforcement agencies must comply with the CJIS security rules. "The FBI remains committed to using technology in its information-sharing processes, but not at the sacrifice of the security of the information with which it has been entrusted", Stephen Fischer Jr., an FBI spokesman, told Computerworld.
Vormetric's Thiemann observed that whether cloud vendors and law enforcement are able to comply with the FBI security rules depends on what type of cloud service is being provided. For law enforcement, it is important to employ encryption to secure and control the data no matter what type of cloud service is being used, he told Infosecurity.
“For example, as state and local law enforcement look to use a SaaS [software-as-a-service] application to handle sensitive law enforcement data, they are going to need to look at the terms of service to ensure the data is encrypted and controlled”, Thiemann said. “That might mean underpinning what they are doing in their application with encryption to secure the data and control access to the data”, he added.
“For platform-as-a-service [PaaS], law enforcement is going to have to look at the terms of service and make sure that data is adequately protected. For both SaaS and PaaS, that would be in the terms of service”, he said.
For infrastructure-as-a-service [IaaS], in which law enforcement constructs an application, they will need to deploy encryption along with that application. “Previously, it might have been in the data center and you might have used storage-level encryption. You can’t use storage-level encryption in the cloud because you don’t own that infrastructure; you are using someone else’s infrastructure”, he said.
“If you encrypt data at the individual file or database level, you can control access to that data. So you do it at the storage level or the file level. The file level would give more control over the environment and allow you to control access to that data”, Thiemann explained.