Example: Choose to scale the services offered according to your agency’s natural rhythms. If you know that only so much bandwidth will be required for the patrol officers working the graveyard shift, but that much more will be needed to run your department’s daytime operations, you can measure services accordingly.
The cloud at work
NIST finally defined four primary deployment models: private, community, public, and a hybrid of the three. The three services are delivered across these four models.
A “private” cloud or a cloud-type infrastructure is strictly agency-controlled and used. Notably, most of the companies in the EMA survey used private cloud infrastructures. These can be on- or off-site and managed either by the agency or by a third party. In October last year the U.S. Army announced it would move all its separate e-mail systems to a single Defense Information Systems Agency-hosted enterprise system.
A “community” cloud is shared and operated by several agencies with “shared concerns.” Like private clouds, it may be hosted on- or off-site and be managed by the agencies or a third party. In a police context, a task force that is a consortium of law enforcement agencies and businesses may work together to build a database of crimes and criminals that are specific to its region. They may share the information with outside agencies, of course, but their main concern is with what’s going on in their communities, and how they can help investigators in those jurisdictions.
The “public” cloud is the focus of most concern because it consists of services or storage space shared by its users and accessed through the Internet. The organization using public cloud space buys or leases service from the private entity that owns the infrastructure.
Because not all data used by a law enforcement agency is subject to Criminal Justice Information System (CJIS) security requirements, or 28 CFR Part 23 governing Intelligence Information Collection, the public cloud is not as off-limits as a commander might think. Some public IaaS may allow IT managers to install additional security, while public SaaS may be used for less critical data creation and storage.
Many agencies have been exploring the use of cellular networks for data transmission. With the proper security requirements enabled, systems not controlled by law enforcement can be effective. Still, public trust should not be traded for cost savings. Research public cloud offerings carefully before transferring any operation.
The “hybrid” encompasses two or more of the previous models. The public, private or community clouds involved in a hybrid remain distinct, but connected by technology that enables information portability.
Example: a regional task force may enter into an agreement with a metropolitan agency to share information. The task force’s community cloud would be connected with the metro agency’s private cloud in order to make that happen.
Compliance & security
Utilizing the cloud does not come without potential security risks — as with any system that connects digital devices. Security considerations don’t go away just because the data is not stored locally, though the risk is not necessarily greater either. To that end, several things besides the potential cost savings need to be evaluated and addressed prior to any movement towards a cloud-based option.
Law enforcement administrators must consider and create policy for implementation, use and security. What if an officer wants to write her report from home using a personal mobile device? What if a detective at a lunch meeting wants to use the restaurant’s Wi-Fi hotspot on his work laptop?
An immediate security concern for law enforcement will be the use of “apps” on officers’ department-issued smart phones. Employees eager to implement easier solutions for online access may install non-secure apps to access personal or other online resources, without recognizing larger security concerns.
This is not unlike employees installing software on their department laptops or desktop computers. Recent reports have shown that malware is targeting smart phones to a greater extent. This alone can be a potential avenue of breach for an agency, as well as an officer’s personal social networking accounts.