Encryption is key for local police to comply with FBI cloud security rules

05 April 2012

Local law enforcement will need to make sure their data is encrypted in order to comply with the FBI’s Criminal Justice Information Services (CJIS) security rules for use of cloud computing, says Todd Thiemann, senior director of product marketing at encryption provider Vormetric.

In December of last year, the Los Angeles City Council voted to cancel a plan to move the Los Angeles Police Department onto Google’s cloud-based email system. The council decision was based on staff analysis, which concluded that Google’s cloud technology could not meet the FBI’s CJIS security rules.

The Los Angeles City chief technology officer, Randi Levin, told Government Technology that the “real issue here is the fact that the policies related to a lot of different areas in the government are not matching the technologies that are coming out. That is the core issue: The criminal justice requirements were never written with cloud computing in mind.”

In February, the FBI reaffirmed its rule that all cloud products sold to US law enforcement agencies must comply with the CJIS security rules. "The FBI remains committed to using technology in its information-sharing processes, but not at the sacrifice of the security of the information with which it has been entrusted", Stephen Fischer Jr., an FBI spokesman, told Computerworld.

Vormetric's Thiemann observed that whether cloud vendors and law enforcement are able to comply with the FBI security rules depends on what type of cloud service is being provided. For law enforcement, it is important to employ encryption to secure and control the data no matter what type of cloud service is being used, he told Infosecurity.

“For example, as state and local law enforcement look to use a SaaS [software-as-a-service] application to handle sensitive law enforcement data, they are going to need to look at the terms of service to ensure the data is encrypted and controlled”, Thiemann said. “That might mean underpinning what they are doing in their application with encryption to secure the data and control access to the data”, he added.

“For platform-as-a-service [PaaS], law enforcement is going to have to look at the terms of service and make sure that data is adequately protected. For both SaaS and PaaS, that would be in the terms of service”, he said.

For infrastructure-as-a-service [IaaS] in which law enforcement constructs an application, they will need to deploy encryption along with that application. “Previously, it might have been in the data center and you might have used storage-level encryption. You can’t use storage-level encryption in the cloud because you don’t own that infrastructure; you are using someone else’s infrastructure”, he said.

“If you encrypt data at the individual file or database level, you can control access to that data. So you do it at the storage level or the file level. The file level would give more control over the environment and allow you to control access to that data”, Thiemann explained.
 
