Head (and data) in the cloud

Aug. 11, 2011

Most police executives should by now be familiar with the concept of “the cloud” – using the Internet to store and access information, including email, files, images and video, and so on. The question for them, however, is: should police use the cloud to store data?

The main concern is that the shared infrastructure built to contain sensitive law enforcement data may no longer be under the agency's physical control. Shudders of fear go down the spine of any sensible records management official who thinks he or she no longer controls the data or the computers it's stored on. But cloud computing is not a new concept, even for law enforcement. For years, and particularly over the last decade, law enforcement agencies have successfully built and shared systems to share information between both internal divisions and multiple agencies. Notable examples include:

  • Computer Aided Dispatch (CAD) and Records Management Systems (RMS) were around long before the cloud was dreamed up.
  • Information sharing tools like COPLINK and Datamaxx solutions connect law enforcement agencies in regional, state or even multi-state collaborations.
  • Storage systems like the VeriPic and TASER's Evidence.com enable agencies to store quantities of digital video and audio that would quickly take up space in most traditional storage configurations.
  • National, regional, state and local initiatives to share information among agencies have long been popular, from the Integrated Automated Fingerprint Identification System (IAFIS) to local sharing like the Alaska Law Enforcement Information Sharing System (ALEISS).

Cost savings for businesses and police

Currently, companies worldwide are looking to the cloud's potential to reduce the cost of doing business in the global environment. The costs of building an information technology (IT) infrastructure, maintaining its security along with software licenses, and training employees on new systems have increased substantially over the past decade. Meanwhile, the cost of high-speed Internet access has decreased, even as speeds (and thus, bandwidth, or the Internet's capacity to handle large amounts of data) and reliability have increased.

At the same time, evidence is increasing that cloud use can actually help save money.

Last year, an Enterprise Management Association (EMA) survey showed that 60 percent of 159 surveyed organizations had saved IT capital costs by using the cloud. One-quarter had additionally experienced reduced operational expenditures, including, staff, maintenance, power and rental costs. (On average, the savings worked out to about 22 percent in operational costs and 26 percent in capital costs.)

The survey noted other benefits, too. These included freeing up strategic resources (49 percent), enabling disaster recovery/business continuity planning (46 percent), and increased flexibility and agility (46 percent). 

Law enforcement executives are having the same issue. Dwindling discretionary funds, both budgeted and from grants, don’t allow for large scale IT projects anymore. Cost of maintaining the current infrastructures will continue to go up as legacy systems need repair and upkeep. Smaller departments with little budget for IT improvements have very little room for change or improvement. So is the cloud a real option for law enforcement?

Using the cloud

Cloud computing comes in various forms. The National Institute of Standards and Technology (NIST), in their 2010 report on cloud computing, defined three service models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).

Infrastructure as a Service (IaaS) allows the service provider to provide the storage, networking, processing, and other resources. The organization can use cloud-based platform and software, or install either or both locally. In a law enforcement context, the International Justice & Public Safety Network (NLETS, formerly the National Law Enforcement Telecommunications System), the backbone for all justice information sharing, is an example of IaaS.

Platform as a Service (PaaS) stores information in a structured manner, and creates the ability for IT managers to upload and use applications with which to access that information. The PaaS provider must support the application's programming language for it to run properly (which is why Internet Explorer for Windows will not work on the Mac platform). Law enforcement example: the National Crime Information Center (NCIC) along with the more than 90 other information transactions available via the NLETS infrastructure.

Software as a Service (SaaS): Perhaps the best known of all the cloud services because of its broad consumer applicability, SaaS is commonly known to include web-based email (Gmail, Hotmail), online document creation and sharing services (Google Docs, Zoho), some blogging services (WordPress.com, Blogger), and so forth. Most importantly, however, SaaS means that IT managers do not physically install or maintain the software on any part of their systems, either on the end-user (client) side or on the server side. At most, the manager maintains end users' application configurations. SaaS offers the least control over how end users work in the cloud.

Currently, most of the software used to access NCIC and other NLETS-based transactions is locally installed, although some companies have made the foray into the law enforcement SaaS realm. TASER's Evidence.com is one example.

Cloud computing characteristics

NIST also broke down cloud computing's benefits into five characteristics:

1) On-demand self service. Storage, bandwidth and other capabilities are available on an as-needed basis – without the IT manager needing to work directly with each service provider. In law enforcement terms, this would allow a commander to access increased capacity for expansion, or for specific temporary projects, without having to purchase additional physical infrastructure.

2) Broad network access. This allows the commander to provide services over the Internet to users, through a variety of different devices. These might include report writing, project management, case management and records management, any of which can be performed from an in-cruiser laptop, mobile phone or police department desktop computer.

The point is to allow officers to access services wherever and whenever it is convenient for them, in a way that maintains their ability to respond to calls for service.

3) Resource pooling. Perhaps the most familiar concept to law enforcement agencies (yet not widely adopted in the business world), this simply means that organizations – agencies, governments or pool money, people and other resources to build IT infrastructure and support.

A number of examples exist in regional pockets around the United States. Just as more people live further from their jobs and commute to work, more criminals travel greater distances – in search of broader markets (as in the drug trade) and also to evade law enforcement. This increases the likelihood that they'll have contact with multiple law enforcement agencies.

In an effort to keep track of what criminals are doing and also to keep their officers safe, police departments in a given region form groups governed by memoranda of understanding (MOUs). These MOUs frequently involve how the agencies will share data – field contact forms, incident reports, and so on.

Of course, this only works if all the agencies' databases and infrastructures are interoperable. Numerous instances exist of police departments' proprietary systems failing to communicate. In other cases, however, cloud services successfully link dozens of agencies sharing information on criminals and specific crimes like identity theft and graffiti.

4) Rapid elasticity. This can be significant for an agency. The ability to scale requirements up or down has never been an inexpensive proposition, especially if needed quickly. Cloud computing allows for quick service expansion or reduction without high overhead.

When might such an expansion or reduction be needed? Large-scale events, such as a regional sporting event (from the Olympics all the way down to Motorcycle Week), a massive manhunt, or a disaster.

Rapid elasticity also has important implications for continuity. In a huge natural disaster, locally stored servers and the machines used to access them could be knocked out by flooding or high winds. Off-site cloud infrastructure, however, could help to prevent this.

5) Measured service. This alone can be a great means to control expenses. Commanders can purchase only the services their agencies need (or can afford) and limit the amount of time and access to a given processing rate, storage capacity, active user accounts, or time limit. This metered concept could effectively help to repair deficits.

Example: Choose to scale the services offered according to your agency's natural rhythms. For instance, if you know that only so much bandwidth will be required for the patrol officers working the graveyard shift, but that much more will be needed to run your department's daytime operations, you can measure services accordingly.

Cloud computing at work

NIST finally defined four primary deployment models: private, community, and public, and a hybrid of the three. The three services are delivered across these four models.

A “private” cloud or a cloud-type infrastructure is strictly agency-controlled and used. Notably, most of the companies in the EMA survey used private cloud infrastructures. A private cloud can be on- or off-site and managed either by the agency or by a third party. For example, in October last year the U.S. Army announced that it would be moving all its separate email systems to a single Defense Information Systems Agency-hosted enterprise system.

A “community” cloud is shared and operated by several agencies with “shared concerns.” Like private clouds, it may be hosted on- or off-site and be managed by the agencies or a third party. In a police context, a task force that is a consortium of law enforcement agencies and businesses may work together to build a database of crimes and criminals that are specific to its region. They may share the information with outside agencies, of course, but their main concern is with what's going on in their communities, and how they can help investigators in those jurisdictions. The “public” cloud is the focus of most concern because it is services or storage space shared by the users and accessed through the Internet. The organization using public cloud space buys or leases service from the private entity that owns the infrastructure.

Because not all data used by a law enforcement agency is subject to Criminal Justice Information System (CJIS) security requirements, or 28 CFR Part 23 governing Intelligence Information Collection, the public cloud is not as off-limits as a commander might think. Some public IaaS may allow IT managers to install additional security, for one thing, while public SaaS may be used for less critical data creation and storage.

Many agencies have been exploring the use of cellular networks for data transmission. Given the proper enabling of security requirements, non-law-enforcement-controlled systems can be effective. Still, public trust should not be traded for cost savings. Research public cloud offerings carefully before transferring any operation there.

The “hybrid” encompasses two or more of the previous models. The public, private or community clouds involved in a hybrid remain distinct, but connected by technology that enables information portability.

Example: a regional task force may enter into an agreement with a metropolitan agency to share information. The task force's community cloud would be connected with the metro agency's private cloud in order to make that happen.

Cloud compliance and security

Utilizing the cloud does not come without potential security risks – as with any system that connects digital devices. Security considerations don’t go away just because the data is not stored locally, though the risk is not necessarily greater either. To that end, several things besides the potential cost savings need to be evaluated and addressed prior to any movement towards a cloud based option.

Law enforcement administrators must consider and create policy for implementation, use and security. For instance, what if a patrol officer wants to complete report writing from home, using her personal mobile device? What if a detective at a lunch meeting wants to use the restaurant's wi-fi hotspot on his work laptop?

An immediate security concern for law enforcement will be the use of “apps” on officers' department-issued smart phones. Employees eager to implement easier solutions for online access may install non-secure apps to access personal or other online resources, without recognizing the larger security concern for the agency.

This is not unlike employees installing software on their department laptops or desktop computers. Recent reports have shown that malware is targeting smart phones to a greater extent. This alone can be a potential avenue of breach for an agency, as well an officers' personal social networking accounts.

Evaluating these kinds of outside and inside threats is just one step that administrators must take. Policy, while an important next step, is not the last. Administrators must also plan to train employees – in terms that are easy to understand – regularly about threats and how to prevent compromise. Cloud use for law enforcement data storage and access can save money, improve productivity and interagency information sharing, and make IT operations easier and more efficient. However, it is not without its risks and challenges, and agencies need to look at it from a variety of different angles.

Making the transition may actually be easier than administrators might anticipate, as cloud use has been an integral part of law enforcement for many years. Decide what you want to put on the cloud, how it will improve your operations and what the risks are. Then, develop the appropriate policies, training and procedures for use. That way, your data will be in the cloud – but your head will stay firmly grounded in reality.

Todd G. Shipley has more than 25 years of experience in law enforcement: from investigating financial and computer crimes to overseeing the training of high-tech crimes investigators. Currently the president and CEO of Vere Software (www.veresoftware.com), which specializes in software development for Internet investigations, Mr. Shipley has previously served as Director of Systems Security and High Tech Crime Prevention Training—and manager of the National Criminal Justice Computer Laboratory and Training Center—for SEARCH, The National Consortium for Justice Information and Statistics. Prior to joining SEARCH, Mr. Shipley served for 25 years with the Reno (Nevada) Police Department. As a Senior Detective Sergeant managing the agency's Financial and Computer Crimes Unit, he formed Nevada's first Computer Crime Investigations Unit.

Sponsored Recommendations

Build Your Real-Time Crime Center

March 19, 2024
A checklist for success

Whitepaper: A New Paradigm in Digital Investigations

July 28, 2023
Modernize your agency’s approach to get ahead of the digital evidence challenge

A New Paradigm in Digital Investigations

June 6, 2023
Modernize your agency’s approach to get ahead of the digital evidence challenge.

Listen to Real-Time Emergency 911 Calls in the Field

Feb. 8, 2023
Discover advanced technology that allows officers in the field to listen to emergency calls from their vehicles in real time and immediately identify the precise location of the...

Voice your opinion!

To join the conversation, and become an exclusive member of Officer, create an account today!