It is commonplace today to see one central interdisciplinary communications administration overseeing multiple agencies or multiple jurisdictions over a territory — statewide, county-wide or city-wide. In fact, the real beauty of such a setup is the ability to share the costs of a multimillion-dollar communications infrastructure, to avoid duplicating IT staff and know-how, and to realize economies of scale in the procurement of associated software and hardware.
A crucial part of the overall communications technology has to do with the sharing and transmission of mobile data — text messaging, dispatch, NCIC queries, mug shots, vehicle location tracking, mapping, field reporting, image sharing, intranet and Internet connectivity and even video streaming.
Agencies sharing the mobile data communications infrastructure, whether they are law enforcement, fire, EMS, corrections or public works, are subject to various legal and regulatory security compliance rules with regard to their wireless access to data.
The most prominent example of security compliance rules is the FBI's CJIS (Criminal Justice Information Services) Security Policy, whose latest iteration dates from December 2008. The policy applies to any agency that requires access to the FBI's criminal justice information database, whether at the international, federal, state or local level, and provides the minimum level of information technology (IT) security requirements determined acceptable for the transmission, processing and storage of criminal justice data.
In order to be compliant, agencies must put into place the following security mechanisms:
- VPN — VPN software, preferably a mobile VPN, is installed to secure any communication to and from a non-secure location;
- Encryption — All data sent over the air must be encrypted; the FBI mandates the usage of FIPS 140-2 compliant encryption, at a minimum level of 128 bits, either AES or 3DES;
- User authentication — Validates mobile users attempting to log onto the network;
- Advanced (strong) authentication — An additional two-factor security methodology also working toward validating user identity; biometrics or token keys are tools commonly used by law enforcement.
In addition to these general requirements, agencies must ensure that CJIS-related data is sent on a VLAN separate from the one used for other agencies' data. Similarly, administrators without the credentials to access CJIS information should not be able to manage these areas.
Multiple groups, diverse needs
Where things get complicated is when you consider that other types of agencies sharing the common system are potentially subject to other rules. Consider that the fire or EMS departments are subject to Health Insurance Portability & Accountability Act (HIPAA) regulations, which have stipulations regarding the transmission of individually identified health information over public networks.
The IT administrator of a multi-agency or multi-jurisdictional communications center therefore has the challenge of customizing security and access policies for multiple groups of end-users based on operational as well as regulatory rules. Moreover, security rights should be customized on the system administrator side as well. IT staff who manage the fire department and hold no CJIS credentials should be able to manage only the users and devices for which they are responsible, meaning those related to the fire department and not the ones linked to CJIS, such as those of the police department.
Consider the variables involved:
- Multiple Applications — Different agencies need to have access to job-specific applications. Moreover, some types of users should not be granted access to certain tools (clearance issues);
- Communication Technologies — Depending on how multimedia-rich or bandwidth-hungry the applications used by the different agencies are, rules may be required to match them to the most appropriate wireless network (or combination of wireless networks) in order to avoid overloading the communications system;
- Security Levels — These can range from basic user authentication to two-factor biometric user authentication and device certification, with encryption ranging from 128 bits to 256 bits.
Ultimately, the challenge lies in ease and ability of administration of group-specific policies, all while maintaining the economies of scale associated with the sharing of a communications infrastructure.
Look for the following policy management capabilities within your mobile VPN, which are key for agencies to better control and manage their mobile data environment.
- High-level routing policies — IT administrators should be able to block or allow specific traffic on a specific network. Based on an IP address, a port, an application name or other criteria, the policy can, for example, allow the customer to minimize bandwidth-intensive application use on a low-bandwidth network such as PMR, minimize data traffic on a costly network such as satellite, or minimize usage of mission-critical applications on networks shared with the public, such as cellular.
- Group Policy Management — IT administrators are able to create groups of users or devices that they want to manage the same way, thus saving time and effort. They can enforce policies related to security, airtime cost, application accessibility and productivity as required. For example, as mentioned before, the CJIS group can be required to comply with biometric authentication requirements when accessing critical data. At the same time, the fire group can use a simple authentication mechanism, avoiding unnecessary investment in biometric two-factor authentication devices that fire users do not need.
- User-Specific Rules — In certain circumstances there should be an option to override group-based policies with rules and permissions that apply to individual users. Agencies might want to apply rules for specific individuals, such as a chief of police or IT staff. User-specific rules are also useful for IT administrators who want to test new policies, new units or new networks without impacting production groups.
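
The following added example, which is not from the article or from any mobile VPN product, models the three capabilities above (routing rules, group policies and user-specific overrides) and audits each user's effective policy against the CJIS minimums listed earlier. The group names, users, field names and rules are all constructed for illustration.

```python
# Added example: hypothetical policy model, not any vendor's API.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    vpn: bool = True
    cipher: str = "AES"            # the article accepts AES or 3DES
    key_bits: int = 128
    two_factor: bool = False       # advanced (strong) authentication
    cjis: bool = False             # group handles CJIS data
    blocked: frozenset = frozenset()   # denied (application, network) pairs

# Constructed groups, users and overrides (all names are hypothetical).
GROUPS = {
    "police": Policy(key_bits=256, two_factor=True, cjis=True,
                     blocked=frozenset({("video", "PMR"), ("web", "satellite")})),
    "fire": Policy(blocked=frozenset({("video", "PMR")})),
}
USERS = {"chief": "police", "test_unit": "police", "medic7": "fire"}
OVERRIDES = {
    "chief": {"blocked": frozenset()},        # individual exemption
    "test_unit": {"two_factor": False},       # trial rule that weakens auth
}

def effective_policy(user):
    """Group policy with the user-specific rule, if any, layered on top."""
    return replace(GROUPS[USERS[user]], **OVERRIDES.get(user, {}))

def cjis_violations(policy):
    """Return the minimums a CJIS policy fails; empty list means it passes."""
    if not policy.cjis:
        return []
    issues = []
    if not policy.vpn:
        issues.append("VPN required")
    if policy.cipher not in ("AES", "3DES") or policy.key_bits < 128:
        issues.append("encryption below minimum")
    if not policy.two_factor:
        issues.append("advanced authentication required")
    return issues

def allowed(user, app, network):
    """Routing decision: is this application permitted on this network?"""
    return (app, network) not in effective_policy(user).blocked

def audit():
    """Map each user whose effective policy breaks a CJIS minimum to the reasons."""
    report = {u: cjis_violations(effective_policy(u)) for u in USERS}
    return {u: v for u, v in report.items() if v}
```

Here `audit()` flags only `test_unit`, whose individual override drops the two-factor requirement of its CJIS group; running such a check whenever a user-specific rule is saved keeps overrides from undercutting the regulatory floor.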
Whenever an agency wishes to work with mobile data, it is essential to comply with the minimum security standards applicable, like FBI CJIS for law enforcement. This may include deployment of a mobile VPN, encryption and user/device authentication. However, different groups have different needs. When deploying your mobile VPN, ensure that there are policy management capabilities on the IT administration side. The ultimate goal is to offer the multiple agencies and jurisdictions who are sharing the communications infrastructure flexibility in how they operate their mobile data environment, based on their unique operational needs.
Editor's note: Additional information on the FBI CJIS Security Policy can be found at www.fbi.gov/hq/cjisd/cjis.htm.
A frequent speaker at trade events, Patrick Tabourin is the director of marketing and product management at Radio IP Software. He can be contacted at email@example.com.