How to buy a cloud solution secure enough for police data
Make sure your cloud provider addresses these issues before signing on the dotted line
The following is paid content sponsored by VIEVU, now part of The Safariland Group—a leading provider of a diverse range of safety and survivability products designed for the public safety, military, professional and outdoor markets
By PoliceOne BrandFocus Staff
As with any technology, there are guidelines for using cloud computing—especially when it comes to storing police data. This is because police data is unique, as it is the lifeblood of prosecutors when trying to get a conviction. Prosecutors depend on officers to ensure that the incident data they capture is secure and protected from tampering, data mining and more.
So when buying a cloud storage solution, address the following issues with the service provider to make sure their cloud is secure and reliable enough for law enforcement agencies.
1. FBI CJIS Security Policy Compliance
The first question to ask a cloud provider is, “Are you FBI CJIS compliant?” Without this compliance, law enforcement agencies cannot ensure police data is secured under the standards set forth by the Criminal Justice Information Services (CJIS) Security Policy.
A CJIS-compliant cloud is a secure way to manage video data, said Steve Ward, President, VIEVU.
“It is a more secure way to store their data than most police agencies can do themselves,” Ward said. “It will make your life easier, save money and save time.”
A recent report released by the International Association of Chiefs of Police (IACP) identified the standards law enforcement agencies should follow when choosing a cloud solution to store police data, including a mandate that providers meet or exceed the requirements of the current FBI CJIS Security Policies - including, where applicable, the CJIS Security Addendum.
It is also recommended that the cloud provider acknowledge that the FBI CJIS Security Policy places restrictions and limitations on the access, use, storage and dissemination of criminal justice information, and that the provider comply with those restrictions and limitations.
This means getting CJIS Transparency in writing. Agencies should make sure the company they buy cameras from has its CJIS compliance information readily available, rather than choosing companies that require them to sign an NDA to find out about their CJIS terms.
“This wastes time and resources, while causing confusion as to whether the camera company really follows the CJIS standards or not,” Ward said.
2. Data Ownership
Another area of emphasis in the IACP report: when it comes to owning or accessing your data, always get it in writing. The data still belongs to the agency, even if it’s not stored onsite. To maintain peace of mind, Ward said, the agency should communicate with its cloud provider to know what’s being done with the data at all times.
For example, the agency should establish an understanding with the cloud provider that the provider is not authorized to use any police data – specifically videos, but including text, numerical data, database records, media files, demographic information, search history, geo-location information, meta-data or any other information, including CJI data that law enforcement users or contractors provide to a cloud service provider.
A cloud provider also should guarantee that no data is released to any third party without an authorized court order, and that agencies are notified immediately of any attempted or completed unauthorized access to their data.
3. Data Mining
Police data in the cloud needs to be secure and kept private from prying eyes—including third-party and internal data mining campaigns by cloud providers.
Data mining is the process of discovering patterns in large data sets, involving methods at the intersection of artificial intelligence, machine learning, statistics and database systems. The goal of the data mining process is to extract information for further use. This means taking private police data and using the information, often for profit.
There are obvious negatives to this, including privacy issues and tampering with court evidence. That’s why, Ward said, it is essential agencies include in their contract that cloud providers cannot mine or otherwise analyze data for any purpose not explicitly authorized by the law enforcement agency.
“No one wants a marketer or the cloud provider to use data gathered by police in any way,” he said.
The report added that any agreement with a cloud service provider “must take precedence over and replace any generally applicable privacy, data access or use or similar policy of the provider, which might otherwise permit data mining for purposes not explicitly authorized in the agreement.”
Data needs to survive any type of interruption, whether natural or manmade. The report recommended agencies ensure an agreement with cloud service providers includes provisions for continuity of operations and the security, confidentiality, integrity, access and utility of all data.
“Since their data isn’t stored onsite, agencies need to make sure it’s backed up in case anything happens to the cloud provider’s facility,” Ward said.
The IACP report also recommended that any terms of an agreement with a cloud provider should address potential changes in the business structure, operations and security—meaning continuity of data even if their business closes.
“Providers must ensure data survivability irrespective of the commercial viability of the service provider or changes in operations, ownership, structure, technical infrastructure and/or geographic location,” the report said.
From CJIS compliance to business continuity, police agencies must ensure they get these guarantees from cloud providers before signing on the dotted line.
For more information, visit VIEVU.