CJIS in the Cloud
Oregon State Police CJIS Statewide Training, September 23 & 24, 2015
Stephen Exley, CISSP, Senior Consultant/Technical Analyst, FBI CJIS ISO Program
Cloud Computing
Famous Quotes on Cloud Computing
"...one of the most important transformations the federal government will go through in the next decade." Andrew McLaughlin, President Obama's TIGR member
"We think everyone on the planet deserves to have their own virtual data center in the cloud..." Lew Tucker, CTO of Sun cloud group
"Cloud computing is really a no-brainer for any start-up because it allows you to test your business plan very quickly for little money." Brad Jefferson, CEO of Animoto Productions
Famous Quotes on Cloud Computing (cont.)
"The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. I can't think of anything that isn't cloud computing with all of these announcements." Larry Ellison, chairman, Oracle
"Cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber security personnel of a higher quality than many governmental agencies." Vivek Kundra, former federal CIO of the United States
Famous Quotes on Cloud Computing (cont.)
"Discontinued products and services are nothing new, of course, but what is new with the coming of the cloud is the discontinuation of services to which people have entrusted a lot of personal or otherwise important data and in many cases devoted a lot of time to creating and organizing that data. As businesses ratchet up their use of cloud services, they're going to struggle with similar problems, sometimes on a much greater scale. I don't see any way around this; it's the price we pay for the convenience of centralized apps and databases, but it's worth keeping in mind that in the cloud we're all guinea pigs, and that means we're all dispensable. Caveat cloudster." Nick Carr, author of Does IT Matter?, The Big Switch and The Shallows
Famous Quotes on Cloud Computing (cont.)
"Our industry is going through quite a wave of innovation and it's being powered by a phenomenon which is referred to as the cloud." Steve Ballmer, former CEO of Microsoft
"I don't need a hard disk in my computer if I can get to the server faster; carrying around these non-connected computers is byzantine by comparison." Steve Jobs, late chairman of Apple
What is Cloud Computing?
Defined by the CJIS Security Policy as: "A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information."
Cloud Computing: The Cloud Model Explained
Cloud Essential Characteristics: Broad Network Access; Measured Service; Rapid Elasticity; On-Demand Self-Service; Resource Pooling
Cloud Service Models: SaaS (Software as a Service); PaaS (Platform as a Service); IaaS (Infrastructure as a Service)
Cloud Deployment Models: Public; Private; Hybrid; Community
Cloud Computing: Cloud Essential Characteristics
Cloud Computing: Cloud Service Models
Cloud Computing: Cloud Deployment Models
Cloud Computing: What Does a Cloud Deployment Actually Look Like?
Cloud Computing: This is a More Realistic Cloud Deployment Diagram (diagram: cloud services alongside the on-premises environment)
Cloud Computing: Benefits of Cloud Computing
Reduced Budgets; Improved Efficiency; Disaster Recovery; Service Consolidation
Cloud Computing: Delineation of Responsibility/Governance in Cloud Computing
Cloud Computing: Security Concerns with Cloud Computing
Privileged user access; Regulatory compliance; Data location; Data segregation; Recovery; Investigative support; Long-term viability
Cloud Computing: Is the CJIS Security Policy (CSP) cloud friendly?
Yes. The CJIS Security Policy is solution- and device-agnostic, not prohibitive: it states what must be protected and how, not which products or hosting models may be used. (In this presentation "CSP" abbreviates the CJIS Security Policy; cloud providers are always written out as "cloud service provider", and "CSA" is the CJIS Systems Agency.)
An independent assessment recommended stronger controls for cloud deployments (assessment results are available on FBI.gov).
Some law enforcement agencies (LEAs) are already using cloud services.
Achieving CSP Compliance
Will access to Criminal Justice Information (CJI) within a cloud environment fall within the category of remote access? (5.5.6 Remote Access)
Will advanced authentication (AA) be required for access to CJI within a cloud environment? (5.6.2.2 Advanced Authentication; 5.6.2.2.1 Advanced Authentication Policy and Rationale)
Do the cloud service provider's datacenter(s) used in the transmission or storage of CJI meet all the requirements of a physically secure location? (5.9.1 Physically Secure Location)
Achieving CSP Compliance (cont.)
Are the encryption requirements being met? (5.10.1.2 Encryption)
Who will be providing the encryption required by the CJIS Security Policy, the client or the cloud service provider? Whoever holds the keys can read the CJI; if the provider holds them, its personnel with that access fall under the contractor screening and agreement requirements.
Is the data encrypted both at rest and in transit?
What are the cloud service provider's incident response procedures? (5.3 Policy Area 3: Incident Response)
Will the cloud subscriber be notified of any incident?
If CJI is compromised, what are the notification and response procedures?
Achieving CSP Compliance (cont.)
Is the cloud service provider a private contractor/vendor? If so, it is subject to the same screening and agreement requirements as any other private contractor hired to handle CJI (5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum; 5.12.1.2 Personnel Screening for Contractors and Vendors)
How will event and content logging be handled? (5.4 Policy Area 4: Auditing and Accountability)
Will the cloud service provider handle logging and provide the logs upon request?
Will the cloud service provider allow the CSA (CJIS Systems Agency) and the FBI to conduct audits? (5.11.1 Audits by the FBI CJIS Division; 5.11.2 Audits by the CSA)
Achieving CSP Compliance (cont.): Cloud Computing and the CJIS Security Policy
Section 5.10.1.5 Cloud Computing: "The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided."
See also Appendix G.3, Cloud Computing White Paper.
Cloud Computing Use Case #1: Encryption for Data in the Cloud
An NCJA (noncriminal justice agency) decides to use cloud storage to back up files that contain CJI. The agency encrypts the files with a product that provides FIPS 140-2 certified encryption using 128-bit keys, and only then sends the files to the cloud storage service. The agency retains the decryption passphrases, so the cloud service provider never has access to unencrypted CJI. The control that matters here is key custody: the key material stays with the agency and is never uploaded alongside the encrypted files.
Cloud Computing Use Case #2: Personnel Security for Cloud Service Provider
A local PD is transitioning to a cloud-based virtualized network service and will permit the storage and transmission of CJI to/from the cloud. The cloud service provider, as part of the service level agreement, will provide encryption services for:
Data at rest (AES, 256-bit), and
An encrypted link for data in transit, TLS/SSL (FIPS 140-2 certified, 128-bit). Note that SSL 2.0/3.0 are deprecated and not FIPS-approved, so in practice this means TLS (1.2 or later) with FIPS-approved cipher suites.
This concept is not much different from outsourcing to a non-cloud provider. Because the cloud service provider is providing the encryption, it holds the keys; therefore any cloud service provider employee who has the capability of accessing the CJI in an unencrypted state must undergo a fingerprint-based background check, complete security awareness training, and sign the Security Addendum (SA).
Cloud Computing FAQ #1
Question: If our agency wants to store our backup data in a public cloud environment, would we be required to have the cloud service provider (a private vendor) employees sign a Security Addendum and be subject to fingerprint-based background checks?
Answer: Yes. The Security Addendum must be incorporated or referenced in the contract with the cloud service provider, and the Security Addendum Certificate pages must be signed by any and all cloud service provider employees who have access to unencrypted CJI. This ensures the provider agrees to abide by the requirements of the CJIS Security Policy (CSP), including submitting those cloud service provider employees (with access to the unencrypted CJI) for a fingerprint-based background check.
Cloud Computing FAQ #2
Question: Our city has recently been considering moving to a cloud-based e-mail service covering all city departments and agencies, including the local police department. Our question is: are we allowed to send criminal justice information (CJI) through e-mail?
Answer: You can send e-mail containing Criminal Justice Information (CJI) as long as one of the following holds: it remains within your physically secure environment (as described in the Policy); you send the e-mail along an encrypted path (FIPS 140-2 certified, 128-bit) to the recipient; or you encrypt (FIPS 140-2 certified, 128-bit) the payload of the e-mail.
Note that the second option protects CJI only in transit: a cloud e-mail provider still holds the message in plaintext at rest, so its personnel with that access fall under the Security Addendum and fingerprint-based screening described in FAQ #1. Encrypting the payload with keys the agency keeps is the option under which the provider's staff never have access to unencrypted CJI.
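Use Case #1 above and the third option in the FAQ #2 answer rest on the same mechanism: encrypt with a key the agency controls before the data leaves the agency, so the cloud service provider only ever stores or relays ciphertext. The Go program below is an added example written for this page; it is not code from the presentation, from the FBI CJIS ISO Program, or from any product. It uses AES-128-GCM (a FIPS-approved algorithm at the 128-bit strength the slides cite) from Go's standard library, which is not presented here as a FIPS 140-2 validated module; the certification the Policy requires belongs to the validated module of whatever product an agency actually deploys. The function names (Seal, Open, NewKey, RunScenario), the backup object label and the sample record are constructed for the example and not real CJI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyBytes is 16 for AES-128, the 128-bit key length the use case cites.
const KeyBytes = 16

// NewKey generates a random AES-128 key. In the use case this key (or the
// passphrase it is derived from) stays with the agency and is never uploaded.
func NewKey() ([]byte, error) {
	key := make([]byte, KeyBytes)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyBytes {
		return nil, fmt.Errorf("key must be %d bytes (AES-128), got %d", KeyBytes, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the agency-held key with AES-GCM, which also
// authenticates the result. Output layout: nonce || ciphertext || GCM tag.
// label (hypothetical: the backup object's name) is bound as additional
// authenticated data so one stored blob cannot be quietly swapped for another.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. A changed blob, label or key fails the tag check, so the
// agency never receives silently corrupted or substituted data.
func Open(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(label))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong label, or modified blob")
	}
	return pt, nil
}

// Scenario records what the provider can and cannot do with the stored blob.
type Scenario struct {
	RoundTrip          bool // agency recovers the file with its own key
	PlaintextHidden    bool // stored blob does not contain the record bytes
	TamperDetected     bool // a bit flipped in storage is rejected
	WrongLabelRejected bool // blob moved under another object name is rejected
	WrongKeyRejected   bool // a key the agency did not issue is rejected
}

// RunScenario plays out Use Case #1 on a constructed record (not real CJI).
func RunScenario() (Scenario, error) {
	var s Scenario
	key, err := NewKey()
	if err != nil {
		return s, err
	}
	record := []byte("QUERY,2015-09-23,case=EXAMPLE-001,status=closed") // constructed
	const label = "backups/2015-09-23/records.csv"                        // hypothetical
	blob, err := Seal(key, record, label)
	if err != nil {
		return s, err
	}
	s.PlaintextHidden = !bytes.Contains(blob, record)
	got, err := Open(key, blob, label)
	s.RoundTrip = err == nil && bytes.Equal(got, record)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // simulate corruption or tampering in storage
	_, err = Open(key, tampered, label)
	s.TamperDetected = err != nil
	_, err = Open(key, blob, "backups/2015-09-24/records.csv")
	s.WrongLabelRejected = err != nil
	other, err := NewKey()
	if err != nil {
		return s, err
	}
	_, err = Open(other, blob, label)
	s.WrongKeyRejected = err != nil
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The provider receives only the output of Seal; the key never leaves the agency, which is exactly the condition under which FAQ #1 says no provider employee has "access to unencrypted CJI". Binding the object name as authenticated data is the added check a practitioner wants for backups: it stops a restore from quietly returning a different (older or otherwise) object that was encrypted under the same key.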
Questions?
ISO RESOURCES
State CJIS Representatives
Your State CJIS CSO/ISO should be the first stop for any questions or concerns. They are responsible for CJIS systems in their state/agency. State CJIS requirements may differ from the CSP. The CSO/ISO should be kept in the loop on CJIS issues in their state/agency, and forwards requests for changes to the CJIS Security Policy to the CJIS ISO Program.
CJIS ISO Program
Stewards the CJIS Security Policy for the Advisory Policy Board; drafts and presents topic papers at the APB meetings; provides Policy support to state ISOs and CSOs (Policy clarification; technical analysis of solutions for compliance with the Policy); operates a public-facing web site on FBI.gov, the CJIS Security Policy Resource Center; provides training support to ISOs; provides policy clarification to vendors in coordination with ISOs.
The CJIS Security Policy!!!
CSP Requirements Document
Companion document to the CSP. Lists every requirement ("shall" statement) with its corresponding location and effective date. Updated annually in conjunction with the CSP.
CSP Resource Center (publicly available): http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
Features: Search and download the CSP; Download the CSP Requirements Document; 2014 ISO Symposium Presentations; Use Cases (Advanced Authentication, with others to follow); Cloud Computing Report & Cloud Report Control Catalog; Mobile Appendix; Submit a Question (forwarded to the CJIS ISO Program); Links of Importance
CSP Resource Center: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
Step #1: Select About Us
Step #2: Select Criminal Justice Information Services
Step #3: Select Security Policy Resource Center
Questions: iso@leo.gov
CJIS ISO CONTACT INFORMATION
George White, CJIS ISO, (304) 625-5849, george.white@ic.fbi.gov
Chris Weatherly, CJIS ISO Program Manager, (304) 625-3660, john.weatherly@ic.fbi.gov
Jeff Campbell, CJIS Assistant ISO, (304) 625-4961, jeffrey.campbell@ic.fbi.gov
Steve Exley, Senior Consultant/Technical Analyst, (304) 625-2670, stephen.exley@ic.fbi.gov
iso@ic.fbi.gov
QUESTIONS?
Stephen Exley, CISSP, Senior Consultant/Technical Analyst, FBI CJIS ISO Program, (304) 625-2670, stephen.exley@ic.fbi.gov, iso@ic.fbi.gov