Head (and data) in the cloud

Most police executives should by now be familiar with the concept of “the cloud”: using the Internet to store and access information, including e-mail, files, images and video. The question for them, however, is: Should police use the cloud to store data?

The main concern is that the shared infrastructure built to contain sensitive data may no longer be under the agency’s physical control. Shudders of fear go down the spine of any sensible records management official who thinks he or she no longer controls the data or the computers it’s stored on. But cloud computing is not a new concept, even for law enforcement.

For years, and particularly over the last decade, law enforcement agencies have successfully built systems to share information between both internal divisions and multiple agencies. Notable examples include Computer Aided Dispatch (CAD) and Records Management Systems (RMS), which were around long before the cloud was dreamed up. Information sharing tools like COPLINK and Datamaxx solutions connect law enforcement agencies in regional, state or even multi-state collaborations.

Storage systems like VeriPic and TASER’s Evidence.com let agencies store quantities of digital video and audio that would quickly take up space in most traditional storage configurations.

National, regional, state and local initiatives to share information among agencies have long been popular, from the Integrated Automated Fingerprint Identification System (IAFIS) to local sharing like the Alaska Law Enforcement Information Sharing System (ALEISS).

Cost-saving opportunities

Companies worldwide are looking to the cloud’s potential to reduce the cost of doing business in the global environment. The costs of building an information technology (IT) infrastructure, maintaining its security along with software licenses, and training employees on new systems have increased substantially over the past decade. Meanwhile, the cost of high-speed Internet access has decreased, even as speeds (and thus, bandwidth, or the Internet’s capacity to handle large amounts of data) and reliability have increased.

At the same time, evidence shows that cloud use can actually help save money. Last year, an Enterprise Management Association (EMA) survey showed that 60 percent of 159 surveyed organizations had saved IT capital costs by using the cloud. One-quarter had additionally experienced reduced operational expenditures, including staff, maintenance, power and rental costs. (On average, the savings worked out to about 22 percent in operational costs and 26 percent in capital costs.)

The survey noted other benefits, too. These included freeing up strategic resources (49 percent), enabling disaster recovery/business continuity planning (46 percent), and increased flexibility and agility (46 percent).

The story’s the same for law enforcement. Dwindling discretionary funds, both budgeted and from grants, don’t allow for large scale IT projects anymore. The cost of maintaining the current infrastructures will continue to go up as legacy systems need repair and upkeep. Smaller departments with little budget for IT improvements have very little room for change or improvement. So is the cloud a real option for law enforcement?

Using the cloud

The National Institute of Standards and Technology (NIST), in its 2010 report on cloud computing, defined three service models: software as a service, platform as a service, and infrastructure as a service.

Infrastructure as a Service (IaaS) allows service providers to provide the storage, networking, processing and other resources. The organization can use cloud-based platform and software, or install either or both locally. In a law enforcement context, the International Justice & Public Safety Network (NLETS, formerly the National Law Enforcement Telecommunications System), the backbone of all justice information sharing, is an example of IaaS.

Platform as a Service (PaaS) stores information in a structured manner, and creates the ability for IT managers to upload and use applications with which to access that information. The PaaS provider must support the application’s programming language for it to run properly (which is why Internet Explorer for Windows will not work on the Mac platform). Law enforcement example: the National Crime Information Center (NCIC) along with the more than 90 other information transactions available via the NLETS infrastructure.

Software as a Service (SaaS): Perhaps the best known of all cloud services because of its broad consumer applicability, SaaS is commonly known to include Web-based e-mail (Gmail, Hotmail), online document creation and sharing services (Google Docs, Zoho), some blogging services (WordPress.com, Blogger), and so forth. Most importantly, SaaS means that IT managers do not physically install or maintain software on any part of their systems, either on the end-user (client) side or the server side. At most, the manager maintains end users’ application configurations. SaaS offers the least control over how end users work in the cloud.

Currently, most of the software used to access NCIC and other NLETS-based transactions is locally installed, although some companies have made the foray into the law enforcement SaaS realm. TASER’s Evidence.com is one example.

Cloud characteristics

NIST also broke down cloud computing’s benefits into five characteristics:

1) On-demand self service. Storage, bandwidth and other capabilities are available on an as-needed basis, without the IT manager needing to work directly with each service provider. In law enforcement terms, this would allow a commander to access increased capacity for expansion, or for specific temporary projects, without having to purchase additional physical infrastructure.

2) Broad network access. The commander could provide services over the Internet to users, through a variety of different devices. These might include report writing, project management, case management and records management, any of which can be performed from an in-cruiser laptop, mobile phone or police department desktop computer. The point is to allow officers to access services wherever and whenever it is convenient for them, in a way that maintains their ability to respond to calls for service.

3) Resource pooling. Perhaps the most familiar concept to law enforcement agencies (yet not widely adopted in the business world), this simply means that organizations pool money, people and other resources to build IT infrastructure and support.

A number of examples exist in regional pockets around the country. Just as more people live further from their jobs and commute to work, more criminals travel greater distances in search of broader markets (as in the drug trade) and also to evade law enforcement. This increases the likelihood that they’ll have contact with multiple law enforcement agencies.

In an effort to keep track of what criminals are doing and also to keep their officers safe, police departments in a given region form groups governed by memoranda of understanding (MOUs). These MOUs frequently involve how the agencies will share data like field contact forms, incident reports, and so on.

Of course, this only works if all the agencies’ databases and infrastructures are interoperable. Many police departments’ proprietary systems fail to communicate. In other cases, cloud services successfully link dozens of agencies sharing information on criminals, and specific crimes like identity theft and graffiti.

4) Rapid elasticity. This can be significant for an agency. The ability to scale requirements up or down has never been an inexpensive proposition, especially if needed quickly. Cloud computing allows for quick service expansion or reduction without high overhead.

When might an agency need such an expansion or reduction? Examples might be large-scale events (from the Olympics all the way down to Motorcycle Week), massive manhunts, or disasters.

Rapid elasticity also has important implications for continuity. In a huge natural disaster, locally stored servers and the machines used to access them could be knocked out by flooding or high winds. Off-site cloud infrastructure, however, could help to prevent this.

5) Measured service. This alone can be a great means to control expenses. Commanders can purchase only the services their agencies need (or can afford) and limit the amount of time and access to a given processing rate, storage capacity, active user accounts, or time limit. This metered concept could effectively help to repair deficits.

Example: Choose to scale the services offered according to your agency’s natural rhythms. If you know that only so much bandwidth will be required for the patrol officers working the graveyard shift, but that much more will be needed to run your department’s daytime operations, you can measure services accordingly.

The cloud at work

NIST finally defined four primary deployment models: private, community, public, and a hybrid of the three. The three services are delivered across these four models.

A “private” cloud or a cloud-type infrastructure is strictly agency-controlled and used. Notably, most of the companies in the EMA survey used private cloud infrastructures. These can be on- or off-site and managed either by the agency or by a third party. In October last year the U.S. Army announced it would move all its separate e-mail systems to a single Defense Information Systems Agency-hosted enterprise system.

A “community” cloud is shared and operated by several agencies with “shared concerns.” Like private clouds, it may be hosted on- or off-site and be managed by the agencies or a third party. In a police context, a task force that is a consortium of law enforcement agencies and businesses may work together to build a database of crimes and criminals that are specific to its region. They may share the information with outside agencies, of course, but their main concern is with what’s going on in their communities, and how they can help investigators in those jurisdictions.

The “public” cloud is the focus of most concern because it consists of services or storage space shared by users and accessed through the Internet. The organization using public cloud space buys or leases service from the private entity that owns the infrastructure.

Because not all data used by a law enforcement agency is subject to Criminal Justice Information System (CJIS) security requirements, or 28 CFR Part 23 governing Intelligence Information Collection, the public cloud is not as off-limits as a commander might think. Some public IaaS may allow IT managers to install additional security, while public SaaS may be used for less critical data creation and storage.

Many agencies have been exploring the use of cellular networks for data transmission. Given the proper enabling of security requirements, non-law-enforcement-controlled systems can be effective. Still, public trust should not be traded for cost savings. Research public cloud offerings carefully before transferring any operation.

The “hybrid” encompasses two or more of the previous models. The public, private or community clouds involved in a hybrid remain distinct, but connected by technology that enables information portability.

Example: a regional task force may enter into an agreement with a metropolitan agency to share information. The task force’s community cloud would be connected with the metro agency’s private cloud in order to make that happen.

Compliance & security

Utilizing the cloud does not come without potential security risks — as with any system that connects digital devices. Security considerations don’t go away just because the data is not stored locally, though the risk is not necessarily greater either. To that end, several things besides the potential cost savings need to be evaluated and addressed prior to any movement towards a cloud-based option.

Law enforcement administrators must consider and create policy for implementation, use and security. What if an officer wants to write her report from home using a personal mobile device? What if a detective at a lunch meeting wants to use the restaurant’s Wi-Fi hotspot on his work laptop?

An immediate security concern for law enforcement will be the use of “apps” on officers’ department-issued smart phones. Employees eager to implement easier solutions for online access may install non-secure apps to access personal or other online resources, without recognizing larger security concerns.

This is not unlike employees installing software on their department laptops or desktop computers. Recent reports have shown that malware is targeting smart phones to a greater extent. This alone can be a potential avenue of breach for an agency, as well as an officer’s personal social networking accounts.

Evaluating this type of threat is just one step administrators must take. Policy, while an important next step, is not the last. Administrators must also plan to train employees, in terms that are easy to understand, about threats and how to prevent compromise. Cloud use for law enforcement data storage and access can save money, improve productivity and interagency information sharing, and make IT operations easier and more efficient. But it is not without risks and challenges. Agencies need to look at it from many angles.

Making the transition may actually be easier than administrators anticipate, as cloud use has been an integral part of law enforcement for many years. Decide what you want to put on the cloud, how it will improve your operations, and what the risks are. Then, develop the appropriate policies, training and procedures for use. That way your data will be in the cloud, but your head will stay firmly grounded in reality.