IACP's Updated Cloud Computing Guidelines

July 15, 2015
So much rests on the provider's shoulders.

Michael Donlan, Vice President, Microsoft’s State and Local Government, recently put up a response to IACP's updated cloud computing guidelines. Very simply, he says, "we agree." He further explains how the company's Azure solution has been CJIS-compliant from the ground up.

One interesting thing Microsoft is doing is attempting to be very transparent about these standards. Donlan even quotes LAPD Information Security Officer Sanjoy Datta: 

“The fact that Microsoft contractually committed to CJIS compliance by signing the FBI’s CJIS Security Addendum and having their employees background-checked by California DOJ helped give the LAPD the confidence that we could begin to leverage Azure Government for our most critical, sensitive workloads.”

As a police department, agency, sheriff's office, etc., you already are compliant. And getting there while mandated probably wasn't easy. Now imagine doing a background check on every employee in such a massive company. While it's their job, this had to have given the California DOJ a headache or a hundred. It's impressive. To the California DOJ, my hat is off to you.

The Guidelines

SPOILER: IACP's guidelines don't explain what was updated; they just list a dozen points to be 100% clear on when shopping for, implementing, and continuing cloud storage. You can find the guidelines here.

It must be a day for seeing interesting things; here's another. Most of the points are on the provider, and not on law enforcement agencies. Sure, you need to confirm and hold providers responsible - wouldn't you do that anyway? I know you hold your data dear. That value will only increase as technology helps out more. More evidence on cellphones. More video. More analytics. And, ugh, probably more reports. By my count I see nine items directed towards the provider. This may be the reason for Microsoft's transparency. (Clever.)

Donlan's post offers a handful of questions for agencies to ask providers. To me, these emphasize that the workload is heavy on cloud storage companies.

Here are the "principles" (as the association calls them):

  1. Services provided by a cloud service provider must comply with the requirements of the CJIS Security Policy (current version 5.3, dated August 4, 2014), as it may be amended.
  2. All Data Storage Systems Should Meet the Highest Common Denominator of Security
  3. Data Storage Technology Can Be Disaggregated from Collection
  4. Law enforcement agencies should ensure that they retain ownership of all data. 
  5. Law enforcement agencies should ensure that the cloud service provider does not mine or otherwise process or analyze data for any purpose not explicitly authorized by the law enforcement agency.
  6. Upon request, or at regularly scheduled intervals mutually agreed, the cloud service provider should conduct, or allow the law enforcement agency to conduct audits of the cloud service provider’s performance, use, access, and compliance with the terms of any agreement.
  7. The cloud service provider should ensure that CJI maintained by the providers is portable to other systems and interoperable with other operating systems to an extent that does not compromise the security and integrity of the data.
  8. The cloud service provider must maintain the physical or logical integrity of CJI
  9. The terms of any agreement with cloud service providers should recognize potential changes in business structure, operations, and/or organization of the cloud service provider, and ensure continuity of operations and the security, confidentiality, integrity, access and utility of data.
  10. The cloud service provider should ensure the confidentiality of CJI it maintains on behalf of a law enforcement agency.
  11. The cloud service provider must ensure that CJI will be available to the law enforcement agency when it is required within agreed performance metrics.
  12. Law enforcement agencies should focus cloud acquisition decisions on the Total Cost of Ownership model.

IACP explains each of these in further detail and offers some suggested language for drawing up contracts. Check it out, bookmark, print, save (http://www.theiacp.org/Portals/0/documents/pdfs/CloudComputingPrinciples.pdf) --- and be safe.

-J

About the Author

Jonathan Kozlowski

Jonathan Kozlowski was with Officer.com, Law Enforcement Technology, and Law Enforcement Product News from August 2006 to 2020.

As former Managing Editor for Officer Media Group, he brought a dedicated focus to the production of the print publications and management of the Officer.com online product and company directory. You can connect with Jonathan through LinkedIn.

Jonathan participated as a judge for the 2019 and 2020 FOLIO: Eddie & Ozzie Awards. In 2012, he received an APEX Award of Excellence in the Technology & Science Writing category for his article on unmanned aerial vehicles (UAVs) in police work, aptly titled "No Runway Needed".

He typically does not speak in the third person.
