In the Cloud
Written by Frank Barret   

The cloud is everywhere, or so it seems. Just a few years ago, you may have been aware of the cloud in a general way, but it’s unlikely your agency resources incorporated the cloud. Fast forward to 2017: It’s likely that your agency is considering a transition to the cloud for data storage, access to services, and security. The idea of leveraging cloud infrastructure to house a forensic evidence management solution is no longer a distant futuristic possibility, but a reality.

The benefits of cloud computing in a law enforcement environment are easy to understand. Centralized servers reduce the physical space an agency must dedicate to its IT resources, and centrally managed services reduce the number of IT professionals an agency must employ. In fact, investment in a cloud solution can be considered an investment in expertise, as the hardware and software comprising the cloud are maintained by the cloud vendor.

Agility is a benefit of vendor maintenance. Cloud vendors upgrade services and technology as available, rather than following an entrenched schedule for updates and upgrades. This is possible because the logical structure of the cloud is very flexible and can quickly be expanded or modified as required. In terms of the user experience, forensic experts are no longer limited to accessing the evidence management solution from a specific workstation.

Despite the obvious benefits, agencies considering the transition to a cloud solution are cautious about security. Concerns about losing sensitive data such as forensic evidence or case information are amplified by the perceived loss of control over cloud operations: agencies are no longer personally acquainted with the IT professionals managing the environment and may not be privy to details of IT operations. There are other concerns regarding cloud solutions as well, and this article will address them.

At a higher level, the solution to these legitimate concerns is twofold:

• The cloud vendor must provide transparency in its policies and processes.

• The cloud customer must shift its focus away from managing the means of the cloud service delivery to monitoring results and holding the vendor accountable for meeting the Service Level Agreement.

In a cloud environment, data is constantly in motion, traveling to the user on demand, and returning to the cloud to be stored. A typical cloud vendor may serve thousands of customers and millions of users. With so much activity, and so many simultaneous points of access, how can one agency’s data remain inaccessible to unauthorized users? Answering this question was and continues to be a primary objective in the development of the cloud.

These are some examples of the security concerns that cloud developers have overcome since the early 2000s:

Data Protection: Segregation, Encryption, and Redundancy

The most important asset to secure was and is customer data. The challenge before cloud vendors was to ensure that customer data was always available to the customer, but protected from unauthorized access and hardware failure. To that end, cloud vendors implemented data segregation to make sure each customer’s data was stored in a distinct “vault” that could only be accessed by its owner. In addition, cloud vendors implemented encryption for data in transit to make sure no one could eavesdrop on data activity, and encryption for data at rest, to make sure that even if anyone were to steal the data, they wouldn’t be able to read it. Finally, to make sure that the data was always available, even in case of hardware failures, cloud vendors began using storage redundancy at a local level as well as a geographical level. Redundancy at a local level means that there are multiple copies of the data on different hardware locations within the same data center. Geographical redundancy means that multiple copies of the data are stored in different data centers, hundreds of miles apart, to minimize the possibility of multiple copies being lost in a natural disaster or terrorist strike.

Resource Isolation

Another security concern was that cloud vendors needed to make sure that although several customers were sharing the same hardware, each one of them had to be guaranteed a specific service level, regardless of the resource load used by other customers. This was achieved through resource isolation, which was perfected thanks to improvements in software hypervisors and hardware components with resource isolation hard-wired into their chipset. Resource isolation, combined with the massive scale of major cloud vendors, allows vendors to guarantee specific service levels to their customers regardless of the resources required by other customers.

Attractive Attack Target

As cloud technology developed, there was a perception that large cloud vendors such as Microsoft® Azure Government or Amazon Web Services were attractive targets to hackers because of their scope, and that an agency with a small state system would not be attractive to hackers. This was a grave misconception for several reasons:

• Smaller networks have been attacked in the past, and the IT security adage that “you either have been attacked, or you don’t know it yet” is, unfortunately, still true. The most attractive targets are those who do not think they are attractive and have lowered their guard as a result.

• Neither Azure nor Amazon Web Services should be perceived as a single container that, once breached, would expose everything it contains to a hypothetical intruder. If an analogy had to be drawn, it would be that the cloud is an immense vault that contains millions of other vaults, each with its own key and access code. Furthermore, each of these vaults belongs to a cloud customer and contains confidential documents. The documents in the vault are not written in a recognizable language. Instead, the documents contain cryptic text encoded with keys that only the owner of the data possesses.

• The scale of security measures that major cloud vendors are putting in place far exceeds the scale that any single agency can put in place. This covers IT security personnel, physical security, access control, auditing and accountability, identification and authentication, disaster recovery, intrusion prevention, intrusion detection, and incident response.

By 2016, industry had overcome the adaptive challenges with security, and law enforcement agencies were considering various implementations of cloud technology. 2016 saw the world’s first deployment of a criminal automated biometric identification system (ABIS) in a secure cloud environment for the Albuquerque Police Department. Allan Armenta, the department’s systems analyst, stated that with ABIS hosted in the cloud, more staff hours can be devoted to law enforcement projects. Kris Rubi, the department’s forensic scientist, noted, “The cloud allows for increased matching speeds and we are hitting on lower-quality prints. Having the ABIS in the cloud allows us greater case management and organization.”

Clearly, early adopters of cloud technology are benefiting from the cloud’s efficiencies. Cloud implementations can take many forms, from access to software services to full ABIS solutions housed entirely in the cloud. When selecting a cloud biometric vendor, law enforcement agencies should require that the cloud provider comply with stringent security standards for storage, transmission, monitoring, and recovery of digital information, including standards issued by the FBI’s Criminal Justice Information Services (CJIS). CJIS created a Security Policy based on guidance from the National Institute of Standards and Technology’s Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53 rev 4) and the National Crime Prevention and Privacy Compact Council. The CJIS Security Policy provides both U.S. law enforcement and non-law enforcement entities with a specific set of security requirements for access to information systems and data. CJIS data includes all the data necessary for law enforcement and civil agencies to perform their objectives, including biometric, identity history, biographic, property, and case/incident history data.

An example of such a qualified platform is Microsoft Azure Government, the cloud platform designed to meet the U.S. government’s requirements for data security and continuity of operations. Azure Government provides a comprehensive Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) solution for the U.S. government community that incorporates infrastructure, network, storage, data management, and identity management, delivered through a secure and compliant hybrid cloud solution in data centers at least 800 miles apart to ensure disaster-proof continuous service delivery and no data loss. Microsoft’s solution includes major core components that address computing power, storage, networking, identity, and database functionality. Azure Government provides many security benefits, such as compliance with the CJIS Security Policy, and FedRamp High certification.

Specific vendors aside, any cloud solution should offer your agency the following characteristics:

360° security

A cloud solution for U.S. law enforcement agencies should meet CJIS standards for security, be hosted in the U.S., and employ only screened U.S. personnel at host sites. In addition, the security posture of the cloud vendor should continuously evolve and improve to meet or exceed security standards such as CJIS and FedRamp, and anticipate evolving threats on government systems.

True disaster recovery

Your cloud solution should allow you to continue normal system functions in the event of a technical or natural disaster, because system functionality and data are replicated in secure, redundant, geographically separated host sites within the continental United States. Geographical separation of the host sites is important to protect the sites from suffering the same disaster of natural or hostile origin.

High system and data availability

The high availability of the cloud solution should allow your team to continue to access, work with, and upload data when an emergency disrupts normal operations.

Regular software refreshes

The cloud vendor should provide frequent, regular refreshes and upgrades, allowing your system’s functionality to keep pace with the best and latest technology.

Unlimited scalability with capacity on demand

Your cloud solution should provide system expansion as your data and throughput expand, without the burden or expense of provisioning for and replacing hardware. You should be able to scale up operations almost instantly, when an unforeseen event requires an increase in the number of users, throughput, or capacity, and scale down when the expanded capacity is no longer needed.

The security of sensitive data has been a major focus in the development of cloud technology. Fortunately, industry, academia, and government have worked together to create security best practices and standards for the cloud that ensure that your agency’s data and capabilities are safe and secure. In addition, the consolidation of IT infrastructure and economies of scale realized through cloud technology enable cloud vendors to invest massive resources in IT security that wouldn’t be economically feasible with any other model. The end result is a security posture for cloud services, that more often than not, far exceeds the security posture of any other similar system deployed on premises in the past.

About the Author

Frank Barret is Director of Cloud Services for MorphoTrak. He is responsible for the oversight of MorphoTrak’s cloud offerings. He defines and prioritizes the cloud products, manages the implementation of cloud solutions, and maintains an open dialog with MorphoTrak customers about current and future cloud offerings. He is also tasked with outreach to the user community, and is a committed evangelist for the benefits of cloud technology. Barret is a frequent presenter at conferences and trade shows, and is co-author of the case study, On track to solving more crimes with the Microsoft cloud, with the Microsoft Azure team. In addition to leading workshops on the cloud, Barret works with international focus groups on a variety of biometric technologies, including latent efficiency and facial forensics. Barret is based in southern California. Prior to his engagement with MorphoTrak, Frank performed product and project management duties for MorphoTrak’s parent division, Safran Identity & Security.

< Prev   Next >

Crime Scene Revisited

Faces of the victims recovered from the scene of a genocide.