FBI Stands Solid on Cloud Security Standard
The FBI is putting its foot down on its security requirements for cloud services. Any law enforcement agency that subscribes to the Criminal Justice Information Services (CJIS) must comply with the federal agency’s security requirements, period.
The issue of security with cloud services came to light following the botched implementation of Google Apps in Los Angeles. The city wanted to migrate from a legacy on-premises Novell GroupWise email system to a cloud service to save money. Google and its partner, CSC, were chosen for the job of moving 30,000 employees – including police – to Google Apps.
What happened during the implementation is a parable of things that go wrong when an organization is fixated solely on cost savings when moving to the cloud. First, Novell challenged the contract award, which delayed migration. But the real killer was security concerns raised by the FBI, which scuttled half the project.
Across the U.S. and Canada, local and state agencies are migrating to Google, Microsoft and other cloud services in an effort to cut their overhead IT costs and gain access to new technologies. In the wake of the Los Angeles experience, many local law enforcement agencies are looking for the FBI to waive security requirements in light of fiscal hardship.
The FBI’s position is very simple: If a law enforcement agency connects to CJIS, all services must comply with security requirements – including the cloud providers.
In restating its position, the FBI recognized its security requirements are stringent. They are intended to preserve the integrity and confidentiality of the criminal records and intelligence system used by law enforcement.
However, the FBI and security experts say CJIS’s requirements are not impossible to comply with, just difficult and expensive. Critics say the FBI is being shortsighted, as cloud providers are often better equipped to deal with myriad attacks than individual municipalities.
The FBI’s security track record isn’t unblemished, either. It recently had to acknowledge that hacker activist group Anonymous had tapped its phone lines and listened in on confidential conference calls, including coordination meetings with the U.K.’s vaunted Scotland Yard.
Without FBI waivers, solution providers will find it hard to sell cloud services to law enforcement agencies, particularly at the local level, where police departments are grappling with budget cuts. The consensus so far, though, is that the FBI’s position is an obstacle that will eventually be overcome by cloud providers stepping up their security capabilities.
One Response to “FBI Stands Solid on Cloud Security Standard”
Perhaps the FBI should require that data only be transferred between systems on hand-carried floppy disks (now there’s an old technology). Today’s hackers may not know how to deal with these. A great deal of security itself has moved to the cloud, in part under the premise that it’s better to step threats outside the intranet, and allows for more rapid response to threats, benefiting all customers. The FBI’s edict may motivate firms developing cloud software solutions to coordinate closely with security providers to ensure that their cloud applications are secure.