Best Practices for Securing Criminal Justice Information in the Cloud
November 20, 2019
Agenda
• Introduction
• Speaker Bios
• AWS CJIS Security Overview
• Case Study: Annapolis Police Department
• Conclusion
• Questions
CJIS GROUP LLC Copyright 2019
Introduction
• CJIS GROUP – market intelligence for IT vendors and state and local government agencies (www.cjisgroup.com)
  – Tracking over 250 cloud projects currently in law enforcement agencies (body-worn camera data, digital evidence management, records management, dispatch, among others)
• AWS – the leading vendor of cloud services in the world
• Housekeeping
  – Attendees are muted
  – Submit questions via the GoToWebinar control panel
Speakers
• Gerard Gallant – Gerard Gallant is the Criminal Justice Information Services (CJIS) Senior Program Manager at Amazon Web Services.
• Patrick Woods – Patrick Woods is a Security Assurance Lead for AWS and works with Public Sector customers to realize the potential of moving workloads to the AWS cloud.
• Sgt. Richard Truitt – Sgt. Truitt is a nearly 20-year veteran of the Annapolis Police Department, currently serving as the Special Projects Director for the City of Annapolis.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Criminal Justice Information (CJI) in AWS GovCloud (US)
Patrick J. Woods, Security Assurance Lead – U.S. Public Sector, Amazon Web Services
Gerard J. Gallant, Senior Program Manager, CJIS, Amazon Web Services
Sergeant Richard Truitt, Special Projects Director, Annapolis, MD Police Department
Agenda
• Cloud computing overview
• The AWS Cloud
• AWS GovCloud (US) overview
• Security – a shared responsibility
• CJIS Compliance in AWS GovCloud (US)
• Annapolis, MD PD – applications at the edge
Cloud computing is the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Organizations can acquire technology such as compute power, storage, databases, and other services on an as-needed basis.
Cloud
• Pay only for what you use
• Go global in minutes
• Increase speed and agility
• Benefit from massive economies of scale
• Stop guessing capacity
• Stop spending money running and maintaining data centers
Traditional Infrastructure
• Large up-front expense
• Higher variable costs
• Contracts
• Running and maintaining data centers
• Guessing on capacity
• New IT resources take weeks or months
AWS Global Infrastructure
[Map of AWS Regions: N. Virginia, Ohio, N. California, Oregon, GovCloud (US-East), GovCloud (US-West), Montréal, São Paulo, Ireland, London, Paris, Frankfurt, Milan, Stockholm, Bahrain, Cape Town, Mumbai, Singapore, Hong Kong, Beijing, Ningxia, Seoul, Tokyo, Jakarta, Sydney]
3 AWS Regions (coming soon); 69 Availability Zones; 187 Points of Presence in 69 Cities
AWS Region Design
A Region is a physical location in the world where we have multiple Availability Zones.
Availability Zones (AZs) consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
AWS Regions consist of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and kept consistent across the different AZs.
[Diagram: an AWS Region containing four Availability Zones (AZ) interconnected through two Transit centers]
Benefits of the AWS Global Infrastructure
• Security
• Availability
• Reliability
• Low Cost
• Scalability
• Performance
AWS GovCloud (US)
Isolated AWS infrastructure and services for customers with strict regulatory and compliance requirements and sensitive data
• August 2011 – Launch of the AWS GovCloud (US-West) region
• November 2018 – Launch of the AWS GovCloud (US-East) region
Addresses the most stringent US Government regulations, policies and security requirements
AWS GovCloud (US) – Isolated regions for customer workloads that must meet specific regulatory requirements
• Separate Identity and Access Management (IAM) credentials
• Data, network, and machine isolation from other AWS regions
• Separate service endpoints – FIPS 140-2
• Dedicated GovCloud Management Console and Service Catalog
• “Community Cloud” with vetted account holders
• Managed by US Citizens on US soil
AWS GovCloud (US) is all about compliance in the Cloud
• Defense Federal Acquisition Regulation Supplement (DFARS)
• Criminal Justice Information Services Security Policy (CJIS)
• International Traffic in Arms Regulations (ITAR)
• DoD Cloud Security Requirements Guide (SRG) IL 4 and 5
• SP 800-53 (rev 4), SP 800-171
• Federal Information Processing Standard Publication (FIPS) 140-2
• IRS 1075 (Section 6103(p))
• FedRAMP High
AWS GovCloud (US) is a “vetted” community
• Root account holder must be a US Person (defined as a US citizen or a Green Card holder)
• US entity incorporated to do business in the United States and based on US soil
• Can handle export control data
Learn more: https://aws.amazon.com/govcloud-us/getting-started/
Elevate your security with the AWS Cloud
Shared responsibility model
• AWS – Security OF the Cloud: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
• Customer – Security IN the Cloud: customer responsibility is determined by the AWS Cloud services that the customer selects
Understanding the shared responsibility of compliance
Customers choose the configurations for their security in the cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS is responsible for security of the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Highest standards for privacy
• Encryption at scale
• Meet data residency requirements
• Build compliant infrastructure
• Comply with local data privacy laws
Typical customers handling Criminal Justice Information
End Users:
• State and Local Public Safety Agencies
• County Sheriff Offices
• Child Protective Agencies
• Jails, Prisons, and Dept. of Corrections
• Courts and Probation Programs
• State Licensing Departments – childcare, rideshare drivers, professional licenses (insurance, medical)
• State Bureaus of Identification
Customer Data Needs:
• Records Management Systems (RMS)
• Computer-Aided Dispatch (CAD)
• Body-worn Video and Storage
• Next Gen 911 – Text, Video, Images
• Real-time Crime Centers
• Digital Evidence Management
• Voice/Video/Data Forensics & Analytics
• Criminal Background Checks
Data driven law enforcement
FBI data provided by the Criminal Justice Information Services (CJIS) Division
• Houses the world’s largest repository of criminal history records and fingerprints
• Systems such as:
  – National Crime Information Center (NCIC)
  – National Instant Criminal Background Check System (gun checks)
  – Next Gen Identification (biometric data)
The FBI provides valuable data to law enforcement agencies including:
• Biometric data (e.g. finger and palm prints)
• Identity history data (criminal or civil events for persons)
• Biographic data (unique case information for persons)
• Property data (vehicles and property with PII)
• Case/incident history (criminal history incidents)
(Most data is actually sourced originally from local law enforcement through national justice data sharing programs)
CJIS Security Policy
The data security and privacy policy of the FBI CJIS Division, based largely on NIST publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)
An all-encompassing standard that:
• contains requirements for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI);
• provides appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit;
• provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI.
“…applies to every individual – contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity – with access to, or who operate in support of, criminal justice services and information.”
CJIS implementation – a shared responsibility
• Implementing the CJIS Security Policy controls is the joint responsibility of:
  – Criminal Justice Agencies – the “end customer”
  – Software vendors who create solutions for customers
  – AWS
• Examples:
  – Agencies configure software access controls to restrict access
  – Software vendors implement password controls in their applications
  – AWS provides FIPS 140-2 certified encryption services
• There is no CJIS Certification
• There is no independent assessor, unlike FedRAMP certification
• Determining CJIS compliance is the responsibility of the customers who work with CJIS data
CJIS Security Policy Controls
• 5.1 – Information Exchange Agreements: defines security controls, roles, responsibilities, & data ownership
• 5.2 – Security Awareness Training: required within 6 months and every 2 years thereafter
• 5.3 – Incident Response: incident management process to track, document, and report
• 5.4 – Auditing & Accountability: audit specific events and keep logs for at least 1 year
• 5.5 – Access Control: logical access rules, session lock, public, & BYOD restrictions
• 5.6 – Identification & Authentication: unique IDs, password/PIN, & two-factor authentication for remote users
• 5.7 – Configuration Management: documentation & change control of compute resources and network
• 5.8 – Media Protection: control electronic & physical media in transit & at rest
• 5.9 – Physical Protection: physically secure/controlled locations with network control
• 5.10 – Communications Protection & Integrity: information flow, VOIP, encryption, virtualization, patch, spam, & malicious code
• 5.11 – Formal Audits: FBI audit of controls once every 3 years at a minimum
• 5.12 – Personnel Security: background checks & fingerprints for unencrypted data access
• 5.13 – Mobile Devices: 802.11 Wi-Fi, Cellular, Bluetooth, MDM, Personal Firewall, Device Certs, enhanced procedures
CJIS Security Policy controls & AWS
• 5.4 – Auditing & Accountability (audit specific events and keep logs for at least 1 year): AWS CloudTrail, AWS CloudWatch, AWS Trusted Advisor, Amazon SNS, Amazon GuardDuty
• 5.6 – Identification & Authentication (unique IDs, password/PIN, & two-factor authentication for remote users): AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito
• 5.7 – Configuration Management (documentation & change control of compute resources and network): AWS Config, AWS CloudFormation, Amazon Machine Images (AMI), AWS Elastic Beanstalk
• 5.10 – Communications Protection & Integrity (information flow, VOIP, encryption, virtualization, patch, spam, & malicious code): AWS GovCloud (US), VPCs, Networking, FIPS Encryption, AWS KMS
CJIS 5.10 – Communications Protection
As defined in the CJIS Security Policy: “… applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.”
• Boundary protection: control how data moves from one place to the next in a secure manner
• Encryption required:
  – Data in transit: 128-bit symmetric, FIPS 140-2 certified cryptographic module
  – Data at rest: 256-bit symmetric, FIPS-197 certified, or 128-bit symmetric, FIPS 140-2
• Intrusion detection tools required
• Malicious code, spyware, and patching requirements
• Cloud computing:
  – Permits the storage of CJI, regardless of encryption status
  – Within the physical boundaries of CJIS Advisory Policy Board (APB) member countries
  – Within the legal authority of an APB member agency
• CJI metadata protected and not used for advertising
CJIS 5.10.3.2 – Virtualization Protection
As defined in the CJIS Security Policy: “Virtualized environments are authorized for criminal justice and noncriminal justice activities.”
• Isolate the host from the virtual machine (VM)
• Virtual machine users cannot access host files, firmware, etc.
• Maintain audit logs for VMs & hosts and store the logs outside the hosts’ VM
• Physically separate or virtually firewall Internet-facing VMs from CJI-processing VMs
• Each VM is to be treated as an independent system – secured as independently as possible
• Device drivers that are “critical” shall be contained within the specific VM
Virtual private cloud (VPC) security tools
5.10 – Communications Protection & Integrity: AWS GovCloud (US), VPCs & VMs, Networking, FIPS Encryption, AWS KMS
• Virtual Private Cloud: provision a logically isolated cloud where you can launch AWS resources in a virtual network
• VPC Endpoints: private and secure connectivity to Amazon S3 and Amazon DynamoDB
• Security Groups & ACLs, NAT Gateway, Flow Logs
Transparent encryption in AWS
5.10 – Communications Protection & Integrity: AWS GovCloud (US), VPCs & VMs, Networking, FIPS Encryption, AWS KMS
Two-tiered key hierarchy for customer keys:
• Unique symmetric data keys encrypt data
• Customer master keys (CMK) encrypt data keys
Benefits:
• Built on FIPS 140-2 validated hardware to meet the CJIS requirements
• Limits the impact of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than billions of data keys
• Centralized controls and audit of master key activity
• Integrated into AWS Services
[Diagram: an AWS KMS Customer Master Key wraps Data keys 1–4, which in turn encrypt an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster, and a custom application’s data]
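The two-tier hierarchy above, worked through as an added example (not AWS code): a toy stand-in for a CMK wraps a fresh per-object data key with AES-256-GCM, so a leaked data key exposes one object and moving to a new master key only rewraps data keys. MasterKey, Envelope, Encrypt, Decrypt and Rewrap are this example's own names; a real deployment calls AWS KMS instead of holding master key bytes in process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// MasterKey stands in for a KMS customer master key (CMK): its raw bytes never leave this struct.
type MasterKey struct{ key []byte }

// NewMasterKey generates a 256-bit CMK (inside KMS this happens within the FIPS 140-2 HSMs).
func NewMasterKey() *MasterKey { return &MasterKey{key: random(32)} }

// Envelope is what is stored beside each object: the ciphertext plus its data key wrapped by the CMK.
type Envelope struct{ WrappedDataKey, Ciphertext []byte }

// random returns n cryptographically random bytes; a failing CSPRNG is fatal, not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-256-GCM for a key; a wrong key length is a programming error here.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aeadFor(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag makes a wrong key or any tampering fail authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aeadFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt is the two-tier hierarchy: a fresh data key encrypts the object and the CMK wraps
// that data key, so a leaked data key exposes only the one object it was generated for.
func (m *MasterKey) Encrypt(plaintext []byte) Envelope {
	dataKey := random(32) // discarded when this function returns
	return Envelope{WrappedDataKey: seal(m.key, dataKey), Ciphertext: seal(dataKey, plaintext)}
}

// Decrypt unwraps the data key with the CMK, then decrypts the object with it.
func (m *MasterKey) Decrypt(e Envelope) ([]byte, error) {
	dataKey, err := open(m.key, e.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}

// Rewrap moves an envelope to a new CMK without touching the object ciphertext, which is
// why rotating a few master keys stays cheap even with billions of data keys.
func (m *MasterKey) Rewrap(e Envelope, to *MasterKey) (Envelope, error) {
	dataKey, err := open(m.key, e.WrappedDataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: seal(to.key, dataKey), Ciphertext: e.Ciphertext}, nil
}
```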
AWS GovCloud (US) FIPS endpoints
5.10 – Communications Protection & Integrity: AWS GovCloud (US), VPCs & VMs, Networking, FIPS Encryption, AWS KMS
• Connect programmatically to an AWS service using an endpoint
• An endpoint is the URL of the entry point for an AWS web service
• FIPS endpoints use a TLS encryption software library that complies with Federal Information Processing Standards (FIPS)
• Example: s3-fips.us-gov-west-1.amazonaws.com
• Over 75 FIPS 140-2 certified endpoints in AWS GovCloud (US)
• Allows data in transit to be received by AWS services when encrypted with FIPS 140-2 encryption
• Full list: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html
5.4 – Auditing & accountability
“Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.”
• Use time stamps in all audit records, generated by the internal system clocks; synchronize internal information system clocks on an annual basis
• Log all NCIC and III transactions with a unique identifier
• Retain logs for 1 year, and then discard only if not needed
Each audit record: date, time, event type, user identity, event outcome (successful & unsuccessful)
Events to audit:
• Logon attempts
• Access, create, write, delete, and change resource permissions
• Password changes
• Privileged account actions
• Audit log access/change/destroy
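An added example (not from the slides or AWS) of the check an agency can run over its own logs for 5.4: it parses constructed CloudTrail-style records, maps event names to the slide's event classes, flags missing required fields, records both successful and failed outcomes, and computes the one-year retention floor. The JSON field names and the event-to-category mapping are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"time"
)

// AuditRecord carries the fields the 5.4 slide requires of every audit record: date and
// time, event type, user identity, and outcome. JSON names mirror CloudTrail's (assumed).
type AuditRecord struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		UserName string `json:"userName"`
	} `json:"userIdentity"`
	ErrorCode string `json:"errorCode"` // empty when the call succeeded
}

// eventCategory maps event names to the 5.4 event classes on the slide. The mapping is an
// illustrative assumption, not a table published by the FBI or AWS.
var eventCategory = map[string]string{
	"ConsoleLogin":     "logon attempt",
	"ChangePassword":   "password change",
	"AttachUserPolicy": "resource permission change",
	"CreateUser":       "privileged account action",
	"StopLogging":      "audit log change",
	"DeleteTrail":      "audit log destroy",
}

// Finding is the verdict on one record.
type Finding struct {
	Category    string    // 5.4 event class, or "" when the record is not one 5.4 asks for
	Outcome     string    // "success" or "failure"; 5.4 wants both logged
	Missing     []string  // required fields absent from the record
	RetainUntil time.Time // earliest date the record may be discarded (1 year per 5.4)
}

// Review parses one JSON record and checks it against the 5.4 requirements.
func Review(raw []byte) (Finding, error) {
	var r AuditRecord
	if err := json.Unmarshal(raw, &r); err != nil {
		return Finding{}, err
	}
	f := Finding{Category: eventCategory[r.EventName], Outcome: "success"}
	if r.ErrorCode != "" {
		f.Outcome = "failure"
	}
	if r.EventName == "" {
		f.Missing = append(f.Missing, "eventName")
	}
	if r.UserIdentity.UserName == "" {
		f.Missing = append(f.Missing, "userIdentity.userName")
	}
	ts, err := time.Parse(time.RFC3339, r.EventTime)
	if err != nil {
		f.Missing = append(f.Missing, "eventTime")
		return f, nil
	}
	f.RetainUntil = ts.AddDate(1, 0, 0)
	return f, nil
}

// MayDiscard reports whether the one-year retention minimum has elapsed as of now.
func MayDiscard(f Finding, now time.Time) bool {
	return !f.RetainUntil.IsZero() && !now.Before(f.RetainUntil)
}

// SampleRecords are constructed for this example, not real CloudTrail output: a failed
// console logon, a successful policy attachment, and a trail deletion missing its user.
var SampleRecords = []string{
	`{"eventTime":"2019-11-20T15:04:05Z","eventName":"ConsoleLogin","userIdentity":{"userName":"analyst1"},"errorCode":"AccessDenied"}`,
	`{"eventTime":"2019-11-20T15:10:00Z","eventName":"AttachUserPolicy","userIdentity":{"userName":"admin"}}`,
	`{"eventTime":"2019-11-20T15:12:00Z","eventName":"DeleteTrail","userIdentity":{}}`,
}
```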
AWS CloudWatch & CloudTrail
5.4 – Auditing and Accountability: AWS CloudTrail, AWS CloudWatch, AWS Trusted Advisor, Amazon SNS, Amazon GuardDuty
Amazon GuardDuty & Trusted Advisor
5.4 – Auditing and Accountability: AWS CloudTrail, AWS CloudWatch, AWS Trusted Advisor, Amazon SNS, Amazon GuardDuty
5.6 – Identification and authentication
As defined in the CJIS Security Policy: “…shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes …”
• Unique identification of people and agencies
• Each person who accesses CJI or administers/maintains systems that access CJI shall be uniquely identified – includes user of ORI
• Password and PIN requirements: specific rules, for example:
  – Passwords minimum 8 characters and PINs minimum 6 characters
  – Passwords expire in 90 days, PINs in 365 days
  – Different from the last 10 passwords or 3 PINs
• Advanced authentication required when:
  – CJI is accessed outside a physically secure location, OR
  – Access Control and Communications Protection requirements are not met
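The password/PIN rules and the advanced-authentication trigger above, implemented as an added example (not part of the slides): Rules carries the slide's numbers, Violations reports every rule a credential breaks, and AdvancedAuthRequired reads the "not met" clause as either requirement being unmet. All names are this example's own, and secrets are compared in plaintext only to keep the example short.

```go
package main

import (
	"time"
	"unicode/utf8"
)

// Kind selects which of the slide's two rule sets applies to a credential.
type Kind int

const (
	Password Kind = iota
	PIN
)

// Rule holds the three numbers the 5.6 slide gives for each credential kind.
type Rule struct {
	MinLength    int
	MaxAgeDays   int
	HistoryDepth int // the secret must differ from this many previous ones
}

// Rules come straight from the slide: passwords at least 8 characters, expiring in 90 days,
// different from the last 10; PINs at least 6 characters, expiring in 365 days, different
// from the last 3.
var Rules = map[Kind]Rule{
	Password: {MinLength: 8, MaxAgeDays: 90, HistoryDepth: 10},
	PIN:      {MinLength: 6, MaxAgeDays: 365, HistoryDepth: 3},
}

// Credential is the state the check needs. History is newest first; a real system would
// hold salted hashes rather than plaintext secrets (simplified here for the example).
type Credential struct {
	Kind    Kind
	Secret  string
	SetAt   time.Time
	History []string
}

// Violations lists every 5.6 rule the credential breaks as of now; empty means compliant.
func Violations(c Credential, now time.Time) []string {
	r := Rules[c.Kind]
	var v []string
	if utf8.RuneCountInString(c.Secret) < r.MinLength {
		v = append(v, "shorter than minimum length")
	}
	if now.Sub(c.SetAt) > time.Duration(r.MaxAgeDays)*24*time.Hour {
		v = append(v, "expired")
	}
	for i, old := range c.History {
		if i >= r.HistoryDepth {
			break // older entries are outside the window the policy cares about
		}
		if old == c.Secret {
			v = append(v, "matches a recent secret")
			break
		}
	}
	return v
}

// AdvancedAuthRequired applies the slide's trigger: advanced authentication is required when
// CJI is accessed outside a physically secure location, or when the access control (5.5) and
// communications protection (5.10) requirements are not both met.
func AdvancedAuthRequired(physicallySecure, accessControlsMet, commsProtectionMet bool) bool {
	return !physicallySecure || !accessControlsMet || !commsProtectionMet
}
```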
AWS Identity and Access Management (IAM)
5.6 – Identification and Authentication: AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito
• Manage users and their access
• Security credentials, including multi-factor authentication
• Manage roles and permissions
• Manage federated users
AWS Directory Service & Amazon Cognito
5.6 – Identification and Authentication: AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito
5.7 – Configuration management
As defined in the CJIS Security Policy: “Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system.”
• Enforce least functionality
• Allow only essential capabilities in the system
• Prohibit/restrict use of specified functions, ports, protocols, & services
• Secure configuration documentation from unauthorized access
AWS Config & AWS CloudFormation
5.7 – Configuration Management: Amazon Machine Learning (Amazon ML), AWS Config, AWS CloudFormation, AWS Elastic Beanstalk
CJIS: Safeguarding criminal justice data in the Cloud
AWS GovCloud (US) implements the FBI CJIS Cloud Best Practices
• Provides infrastructure and services for law enforcement agencies and solutions providers to securely meet CJIS requirements and responsibilities
• Criminal Justice Agencies (CJAs) and Non-Criminal Justice Agencies (NCJAs) in all 50 states can operate CJI workloads on AWS GovCloud (US)
FBI CJIS Division Cloud Best Practices*
• Must only use a FedRAMP High Government Community Cloud
  – JAB accredited; 3PAO audited; continuous monitoring controls
  – Facility, personnel, and infrastructure control inheritance
• Services must also be approved at FedRAMP High
• Data must be encrypted at rest
• Data must be encrypted in transit
• Encryption keys must be managed by the LEA
• All authentication 2-factor
• Processing within a secure virtual private cloud (VPC)
• Internet access to/from the VPC through a secure transit gateway
• Least Privileged User approach to roles for account permissions
AWS Key Management Service (AWS KMS) …. are FedRAMP High
* 2019 CJIS Information Security Officer Symposium: https://www.fbi.gov/file-repository/2019-iso-symosium-presentations.pdf
Annapolis, MD Police Department Challenges
• Costly on-prem infrastructure and upgrades to existing laptops
• Complex app management
• Unsecured personal devices
• Poor user experience
WorkSpaces transforms end user computing
• Increase user productivity
• Improve security and control
• Scale with the changing workforce
• Enable innovation
• Access resources anywhere, on any device
• Pay-as-you-go
• Highly interactive cloud desktops users love
Improves Security
Amazon WorkSpaces encrypts data and streams, and keeps information off devices
• No sensitive data on end users’ devices
• WorkSpace data encrypted at rest
• Desktop stream encrypted in transit
Amazon AppStream 2.0
• Deliver desktop applications to any computer – users access the desktop applications they need at any time, on any computer
• Secure applications and data – applications and data are not stored on users' computers. Applications are streamed as encrypted pixels and access data secured within your network.
• Provides a fluid and responsive user experience – each user's applications are highly responsive because they run on VMs optimized for their use cases.
• Centrally manage applications – centrally manage your applications on AppStream 2.0 and stop managing installations and updates on each user's computer.
• Integrate with your IT – connects to Active Directory, network, cloud storage, and file shares. Users access applications using their existing credentials, and your existing security policies manage access.
AWS Workspaces in Action with CJIS Data
[Architecture diagram: the Annapolis PD VPC in AWS GovCloud West has two private subnets (WorkSpaces and an AD Connector in each) and a public subnet with a NAT gateway. WorkSpaces use symmetrical FIPS-197 AES-256 encryption with a Customer Master Key (CMK) in AWS Key Management Service, managed by Annapolis. A Virtual Private Gateway terminates an Annapolis-controlled site-to-site VPN connection, using a FIPS 140-2 validated module (certification #1747), to the Annapolis PD on-premises environment and its network gateway. Docked Dell laptops in cruisers reach the environment over an AT&T Mobility VPN with two-factor authentication via Duo.]
Thank you
Patrick J. Woods, Security Assurance Lead – U.S. Public Sector, [email protected]
Gerard J. Gallant, CJIS Program Manager, [email protected]
Sergeant Richard Truitt, Special Projects Director – Annapolis Police Department, [email protected]
Conclusion
• Cloud can enhance the security of criminal justice data
• As a law enforcement agency or vendor, you can build on the experience of AWS and other agencies to create secure, effective and cost-efficient applications in the cloud
• Contact information
  – Gerard Gallant – [email protected]
  – Patrick Woods – [email protected]
  – David Heinemann – [email protected]
  – Sgt. Richard Truitt – [email protected]
• Webinar recording and presentation will be available at cjisgroup.com
• Questions?