• Honoring The Fallen
  • Publications
  • Subscribe
  • Advertise
  • Forums
  • Contact Us
    1. Command/HQ
    2. Technology
    3. Computers & Software
    4. Databases

    IACP's Updated Cloud Computing Guidelines

    July 15, 2015
    So much rests on the provider's shoulders.

    Michael Donlan, Vice President, Microsoft’s State and Local Government, recently put up a response to IACP's updated cloud computing guidelines. Very simply, he says, "we agree." And further explains how the company's Azure solution has been CJIS-compliant from the ground up.

    One interesting thing Microsoft is doing is attempting to be very transparent about these standards. Donlan even quotes LAPD Information Security Officer Sanjoy Datta: 

    “The fact that Microsoft contractually committed to CJIS compliance by signing the FBI’s CJIS Security Addendum and having their employees background-checked by California DOJ helped give the LAPD the confidence that we could begin to leverage Azure Government for our most critical, sensitive workloads." 

    As a police department, agency, sheriff's office, etc., you already are. And getting there while mandated probably wasn't easy. Now imagine doing a background check on every employee in such a massive company. While it's their job, this had to have given the California DOJ a headache or a hundred. It's impressive. To the California DOJ, my hat off to you.

    The Guidelines

    SPOILER: IACP's guidelines don't explain what was updated; just a dozen points to be 100% clear on when shopping for, implementing, and continuing cloud storage. You can find the guidelines here.

    It must be a day for seeing things interesting, here's another. Most of the points are on the provider - and not law enforcement agencies. Sure you need to confirm and hold providers responsible - wouldn't you do that anyway? I know you hold your data dear. That value will only increase as technology helps out more. More evidence on cellphones. More video. More analytics. And, ugh, probably more reports. By my count I see nine items directed towards the provider. This may be the reason of Microsoft's transparency. (Clever.) 

    Donlan's post offers a handful of questions for agencies to ask providers. To me,  these emphasize the work load is heavy on cloud storage companies.

    Here are the "principles" (as the association calls them):

    1. Services provided by a cloud service provider must comply with the requirements of the CJIS Security Policy (current version 5.3, dated August 4, 2014), as it may be amended.
    2. All Data Storage Systems Should Meet the Highest Common Denominator of Security
    3. Data Storage Technology Can Be Disaggregated from Collection
    4. Law enforcement agencies should ensure that they retain ownership of all data. 
    5. Law enforcement agencies should ensure that the cloud service provider does not mine or otherwise process or analyze data for any purpose not explicitly authorized by the law enforcement agency.
    6. Upon request, or at regularly scheduled intervals mutually agreed, the cloud service provider should conduct, or allow the law enforcement agency to conduct audits of the cloud service provider’s performance, use, access, and compliance with the terms of any agreement.
    7. The cloud service provider should ensure that CJI maintained by the providers is portable to other systems and interoperable with other operating systems to an extent that does not compromise the security and integrity of the data.
    8. The cloud service provider must maintain the physical or logical integrity of CJI
    9. The terms of any agreement with cloud service providers should recognize potential changes in business structure, operations, and/or organization of the cloud service provider, and ensure continuity of operations and the security, confidentiality, integrity, access and utility of data.
    10. The cloud service provider should ensure the confidentiality of CJI it maintains on behalf of a law enforcement agency.
    11. The cloud service provider must ensure that CJI will be available to the law enforcement agency when it is required within agreed performance metrics.
    12. Law enforcement agencies should focus cloud acquisition decisions on the Total Cost of Ownership model.

    IACP explains each of these in further detail and offers some suggested language for when drawing up contracts. Check it out, bookmark, print, save (http://www.theiacp.org/Portals/0/documents/pdfs/CloudComputingPrinciples.pdf) --- and be safe.

    -J

    Continue Reading

    Sponsored Recommendations

    Build Your Real-Time Crime Center

    March 19, 2024
    A checklist for success

    Whitepaper: A New Paradigm in Digital Investigations

    July 28, 2023
    Modernize your agency’s approach to get ahead of the digital evidence challenge

    A New Paradigm in Digital Investigations

    June 6, 2023
    Modernize your agency’s approach to get ahead of the digital evidence challenge.

    Listen to Real-Time Emergency 911 Calls in the Field

    Feb. 8, 2023
    Discover advanced technology that allows officers in the field to listen to emergency calls from their vehicles in real time and immediately identify the precise location of the...

    Voice your opinion!

    To join the conversation, and become an exclusive member of Officer, create an account today!