Page 1

Best Practices for Securing Criminal Justice Information in the Cloud

November 20,2019

Page 2

Agenda

• Introduction
• Speaker Bios
• AWS CJIS Security Overview
• Case Study: Annapolis Police Department
• Conclusion
• Questions

CJIS GROUP LLC Copyright 2019

Page 3

Introduction

• CJIS GROUP – market intelligence for IT vendors and state and local government agencies (www.cjisgroup.com)
  – Tracking over 250 cloud projects currently in law enforcement agencies (body-worn camera data, digital evidence management, records management, dispatch, among others)
• AWS – the leading vendor of cloud services in the world
• Housekeeping
  – Attendees are muted
  – Submit questions via the GoToWebinar control panel


Page 4

Speakers

• Gerard Gallant -- Gerard Gallant is the Criminal Justice Information Services (CJIS) Senior Program Manager at Amazon Web Services.

• Patrick Woods -- Patrick Woods is a Security Assurance Lead for AWS and works with Public Sector customers to realize the potential to move workloads to the AWS cloud.

• Sgt. Richard Truitt – Sgt. Truitt is a nearly 20 year veteran of the Annapolis Police Department currently serving as the Special Projects Director for the City of Annapolis.


Page 5

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Criminal Justice Information (CJI) in AWS GovCloud (US)

Patrick J. Woods, Security Assurance Lead – U.S. Public Sector, Amazon Web Services

Gerard J. Gallant, Senior Program Manager, CJIS, Amazon Web Services

Sergeant Richard Truitt, Special Projects Director, Annapolis, MD Police Department

Page 6

Agenda

• Cloud computing overview
• The AWS Cloud
• AWS GovCloud (US) overview
• Security – a shared responsibility
• CJIS Compliance in AWS GovCloud (US)
• Annapolis, MD PD – applications at the edge

Page 7

Cloud computing is the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Organizations can acquire technology such as compute power, storage, databases and other services on an as-needed basis.

Page 8

Cloud
• Pay only for what you use
• Go global in minutes
• Increase speed and agility
• Benefit from massive economies of scale
• Stop guessing capacity
• Stop spending money running and maintaining data centers

Traditional Infrastructure
• Large up-front expense
• Higher variable costs
• Contracts
• Running and maintaining data centers
• Guessing on capacity
• New IT resources take weeks or months

Page 9

AWS Global Infrastructure

(Map of regions) Sydney, Tokyo, Jakarta, Seoul, Hong Kong, Singapore, Beijing, Ningxia, Mumbai, Bahrain, Stockholm, Cape Town, Frankfurt, Milan, Paris, London, Ireland, Montréal, N. Virginia, Ohio, N. California, Oregon, São Paulo, GovCloud (US-East), GovCloud (US-West)

3 AWS Regions (coming soon)
69 Availability Zones
187 Points of Presence in 69 Cities

Page 10

AWS Region Design

A Region is a physical location in the world where we have multiple Availability Zones.

AWS Availability Zone (AZ): Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.

AWS Regions are comprised of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and consistent in the different AZs.

(Diagram: an AWS Region containing four Availability Zones linked through transit centers)

Page 11

Benefits of the AWS Global Infrastructure

• Security
• Reliability
• Availability
• Low Cost
• Scalability
• Performance

Page 12

AWS GovCloud (US)

Isolated AWS infrastructure and services for customers with strict regulatory and compliance requirements and sensitive data

• August 2011 – Launch of AWS GovCloud (US-West) region
• November 2018 – Launch of AWS GovCloud (US-East) region

Addresses the most stringent US Government regulations, policies and security requirements

Page 13

AWS GovCloud (US) – Isolated regions for customer workloads that must meet specific regulatory requirements

• Separate Identity and Access Management (IAM) credentials
• Data, network, and machine isolation from other AWS regions
• Separate service endpoints – FIPS 140-2
• Dedicated GovCloud Management Console and Service Catalog
• “Community Cloud” with vetted account holders
• Managed by US Citizens on US soil

Page 14

AWS GovCloud (US) is all about compliance in the Cloud

• Defense Federal Acquisition Regulation Supplement (DFARS)
• Criminal Justice Information Services Security Policy (CJIS)
• International Traffic in Arms Regulations (ITAR)
• DOD Cloud Security Requirements Guide (SRG) IL 4 and 5
• SP 800-53 (rev 4), SP 800-171
• Federal Information Processing Standard Pub (FIPS) 140-2
• IRS 1075 (Section 6103 (p))
• FedRAMP High

Page 15

AWS GovCloud (US) is a “vetted” community

• Root account holder must be a US Person (defined as a US citizen or a Green Card holder)
• US entity incorporated to do business in the United States and based on US soil
• Can handle export control data

Learn more: https://aws.amazon.com/govcloud-us/getting-started/

Page 16

Elevate your security with the AWS Cloud

Page 17

Shared responsibility model

• AWS – Security OF the Cloud: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
• Customer – Security IN the Cloud: customer responsibility will be determined by the AWS Cloud services that a customer selects

Page 18

Understanding the shared responsibility of compliance

Customers choose the configurations for their security in the cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

AWS is responsible for security of the cloud:
• AWS Foundation Services – Compute, Storage, Database, Networking
• AWS Global Infrastructure – Regions, Availability Zones, Edge Locations

Page 19

• Encryption at scale
• Meet data residency requirements
• Build compliant infrastructure
• Comply with local data privacy laws
• Highest standards for privacy

Page 20

Typical customers handling Criminal Justice Information

End Users:
• State and Local Public Safety Agencies
• County Sheriff Offices
• Child Protective Agencies
• Jails, Prisons, and Dept. of Corrections
• Courts and Probation Programs
• State Licensing Departments – childcare, rideshare drivers, professional licenses (insurance, medical)
• State Bureaus of Identification

Customer Data Needs:
• Records Management Systems (RMS)
• Computer-Aided Dispatch (CAD)
• Body-worn Video and Storage
• Next Gen 911 – Text, Video, Images
• Real-time Crime Centers
• Digital Evidence Management
• Voice/Video/Data Forensics & Analytics
• Criminal Background Checks

Page 21

Data driven law enforcement

FBI data provided by the Criminal Justice Information Services (CJIS) Division

• Houses the world’s largest repository of criminal history records and fingerprints
• Systems such as:
  • National Crime Information Center (NCIC)
  • National Instant Criminal Background Check System (gun checks)
  • Next Gen Identification (biometric data)

The FBI provides valuable data to law enforcement agencies including:

• Biometric data (e.g. finger and palm prints)
• Identity history data (criminal or civil events for persons)
• Biographic data (unique case information for persons)
• Property data (vehicles and property with PII)
• Case/incident history (criminal history incidents)

(Most data actually is sourced originally from local law enforcement through national justice data sharing programs)

Page 22

CJIS Security Policy

The data security and privacy policy of the FBI CJIS Division, based largely on NIST publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)

All-encompassing standard:
• …contains requirements for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).
• …provides appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit.
• …provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI.

“…applies to every individual – contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity – with access to, or who operate in support of, criminal justice services and information.”

Page 23

CJIS implementation – a shared responsibility

• The responsibility to implement CJIS Security Policy controls is the joint responsibility of:
  • Criminal Justice Agencies – “end customer”
  • Software vendors who create solutions for customers
  • AWS
• Examples:
  • Agencies configure software access controls to restrict access
  • Software vendors implement password controls in their applications
  • AWS provides FIPS 140-2 certified encryption services
• There is no CJIS Certification
  • There is no independent assessor like FedRAMP Certification
  • Determination of CJIS Compliance is the responsibility of the customers who work with CJIS data

Page 24

CJIS Security Policy Controls

• 5.1 – Information Exchange Agreements: defines security controls, roles, responsibilities, & data ownership
• 5.2 – Security Awareness Training: required within 6 months and every 2 years thereafter
• 5.3 – Incident Response: incident management process to track, document, and report
• 5.4 – Auditing & Accountability: audit specific events and keep logs for at least 1 year
• 5.5 – Access Control: logical access rules, session lock, public, & BYOD restrictions
• 5.6 – Identification & Authentication: unique IDs, password/PIN, & two-factor authentication for remote users
• 5.7 – Configuration Management: documentation & change control of compute resources and network
• 5.8 – Media Protection: control electronic & physical media in transit & at rest
• 5.9 – Physical Protection: physically secure/controlled locations with network control
• 5.10 – Communications Protection & Integrity: information flow, VOIP, encryption, virtualization, patch, spam, & malicious code
• 5.11 – Formal Audits: FBI audit of controls once every 3 years at a minimum
• 5.12 – Personnel Security: background checks & fingerprints for unencrypted data access
• 5.13 – Mobile Devices: 802.11 Wi-Fi, Cellular, Bluetooth, MDM, Personal Firewall, Device Certs, enhanced procedures

Page 25

CJIS Security Policy controls & AWS

• 5.4 – Auditing & Accountability (audit specific events and keep logs for at least 1 year): AWS CloudTrail, AWS CloudWatch, AWS Trusted Advisor, Amazon SNS, Amazon GuardDuty
• 5.6 – Identification & Authentication (unique IDs, password/PIN, & two-factor authentication for remote users): AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito
• 5.7 – Configuration Management (documentation & change control of compute resources and network): AWS Config, AWS CloudFormation, Amazon Machine Images (AMI), AWS Elastic Beanstalk
• 5.10 – Communications Protection & Integrity (information flow, VOIP, encryption, virtualization, patch, spam, & malicious code): AWS GovCloud (US), VPCs, Networking, FIPS Encryption, AWS KMS

Page 26

CJIS 5.10 – Communications Protection

As defined in the CJIS Security Policy:

“… applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.”

• Boundary protection: control how data moves from one place to the next in a secure manner
• Encryption required:
  • Data in-transit: 128 bit SYMMETRIC FIPS 140-2 certified cryptographic module
  • Data at-rest: 256 bit SYMMETRIC FIPS-197 certified or 128 bit SYMMETRIC FIPS 140-2
• Intrusion detection tools required
• Malicious code, spyware, and patching requirements
• Cloud computing:
  • Permits the storage of CJI, regardless of encryption status
  • Within the physical boundaries of CJIS Advisory Policy Board member countries
  • Within legal authority of APB member agency
• CJI metadata protected and not used for advertising

Page 27

CJIS 5.10.3.2 – Virtualization Protection

As defined in the CJIS Security Policy:

“Virtualized environments are authorized for criminal justice and noncriminal justice activities.”

• Isolate the host from the virtual machine (VM)
• Virtual machine users cannot access host files, firmware, etc.
• Maintain audit logs for VMs & hosts and store the logs outside the hosts’ VM
• Physically separate or virtually firewall Internet-facing VMs from CJI-processing VMs
• Each VM is to be treated as an independent system – secured as independently as possible
• Device drivers that are “critical” shall be contained within the specific VM

Page 28

Virtual private cloud (VPC) security tools

• Virtual Private Cloud: provision a logically isolated cloud where you can launch AWS resources in a virtual network
• VPC Endpoints: private and secure connectivity to Amazon S3 and Amazon DynamoDB
• Security Groups & ACLs, NAT Gateway, Flow Logs

(Diagram: a VPC with VPC endpoints to Amazon S3 and Amazon DynamoDB)

5.10 – Communications Protection & Integrity: AWS GovCloud (US), VPCs & VMs, Networking, FIPS Encryption, AWS KMS

Page 29

Transparent encryption in AWS

Two-tiered key hierarchy for customer keys:
• Unique symmetric data keys encrypt data
• Customer master keys (CMK) encrypt data keys

Benefits:
• Built on FIPS 140-2 validated hardware to meet the CJIS requirements
• Limits the impact of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than billions of data keys
• Centralized controls and audit of master key activity
• Integrated into AWS Services

(Diagram: one Customer Master Key in AWS KMS wraps four data keys, one each for an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster and a custom application)

5.10 – Communications Protection & Integrity: AWS GovCloud (US), VPCs & VMs, Networking, FIPS Encryption, AWS KMS
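The two-tier hierarchy on this slide, worked through as an added example (not AWS or KMS code): a local AES-256-GCM key stands in for the customer master key, which in a real deployment never leaves KMS and is reachable only through the GenerateDataKey and Decrypt API calls; each object gets its own data key, and only the CMK-wrapped copy of that key is stored beside the ciphertext, which is what limits the blast radius of one compromised data key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey stands in for a KMS customer master key (CMK). A real CMK never
// leaves the FIPS 140-2 validated HSM; a local key is assumed so this runs offline.
type MasterKey struct{ raw []byte }

// Envelope is what gets stored beside each object: the data key is persisted
// only in wrapped (CMK-encrypted) form, never in plaintext.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG is not recoverable
	}
	return b
}

func NewMasterKey() *MasterKey { return &MasterKey{raw: randomBytes(32)} }

// newGCM builds an AES-GCM AEAD (FIPS-197 AES with a 256-bit key).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates; the random nonce is prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any tampering (GCM tag check).
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit data key in plaintext plus the same key wrapped under the CMK.
func (m *MasterKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = seal(m.raw, plain, []byte("data-key"))
	return plain, wrapped, err
}

// Encrypt uses one unique data key per object and scrubs the plaintext key once the object is sealed.
func Encrypt(m *MasterKey, plaintext []byte) (*Envelope, error) {
	plainKey, wrappedKey, err := m.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(plainKey, plaintext, nil)
	for i := range plainKey {
		plainKey[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrappedKey, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the CMK (the KMS Decrypt call), then opens the object.
func Decrypt(m *MasterKey, env *Envelope) ([]byte, error) {
	plainKey, err := open(m.raw, env.WrappedDataKey, []byte("data-key"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(plainKey, env.Ciphertext, nil)
}

func main() {
	cmk := NewMasterKey()
	env, _ := Encrypt(cmk, []byte("constructed sample CJI record"))
	got, err := Decrypt(cmk, env)
	fmt.Printf("roundtrip=%q err=%v wrapped-key=%d bytes\n", got, err, len(env.WrappedDataKey))
}
```

Two objects encrypted under the same CMK get different wrapped data keys, and a ciphertext decrypts only with the CMK that wrapped its data key, which is the property the slide's "limits the impact of a compromised data key" bullet relies on.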

Page 30

AWS GovCloud (US) FIPS endpoints

• Connect programmatically to an AWS service using an endpoint
• An endpoint is the URL of the entry point for an AWS web service
• FIPS endpoints use a TLS encryption software library that complies with Federal Information Processing Standards (FIPS) standards
  • Example: s3-fips.us-gov-west-1.amazonaws.com
• Over 75 FIPS 140-2 Certified Endpoints in AWS GovCloud (US)
• Allows data in-transit to be received by AWS services when encrypted with FIPS 140-2 encryption
• Full list: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html

5.10 – Communications Protection & Integrity: AWS GovCloud (US), VPCs & VMs, Networking, FIPS Encryption, AWS KMS

Page 31

5.4 – Auditing & accountability

“Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.”

• Use time stamps in all audit records, generated by the internal system clocks; synchronize internal information system clocks on an annual basis
• Log all NCIC and III transactions with a unique identifier
• Retain logs for 1 year and then discard only if not needed

Each audited event records: date, time, event type, user identity, and event outcome (successful & unsuccessful)

Events to audit:
• Logon attempts
• Access resource permissions
• Create resource permissions
• Write resource permissions
• Delete resource permissions
• Change resource permissions
• Password changes
• Privileged account actions
• Audit log access/change/destroy
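A small checker, added here as an example rather than taken from the slides or from AWS, that reads constructed CloudTrail-style records and maps them onto the event list above: every record must carry date/time, event type and user identity, the outcome is derived from errorCode (or the ConsoleLogin response element), and a helper flags records that have passed the one-year retention floor. The event-name-to-category table is an assumption for illustration, not an official CJIS mapping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Record holds the CloudTrail fields that CJIS 5.4 requires in each audit
// entry: date/time, event type, user identity and outcome.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	ErrorCode        string                 `json:"errorCode"`
	ResponseElements map[string]interface{} `json:"responseElements"`
}

// categories maps API event names onto the slide's event classes. The table
// is an illustrative assumption, not an official CJIS or AWS mapping.
var categories = map[string]string{
	"ConsoleLogin":       "Logon attempts",
	"GetBucketPolicy":    "Access resource permissions",
	"CreatePolicy":       "Create resource permissions",
	"PutBucketPolicy":    "Write resource permissions",
	"DeleteBucketPolicy": "Delete resource permissions",
	"AttachUserPolicy":   "Change resource permissions",
	"ChangePassword":     "Password changes",
	"CreateUser":         "Privileged account actions",
	"StopLogging":        "Audit log access/change/destroy",
	"DeleteTrail":        "Audit log access/change/destroy",
}

// Outcome: a denied API call carries errorCode; a failed console login is reported in responseElements.
func Outcome(r Record) string {
	if r.ErrorCode != "" || r.ResponseElements["ConsoleLogin"] == "Failure" {
		return "Unsuccessful"
	}
	return "Successful"
}

// Check validates the mandatory fields and returns "<category>|<outcome>".
func Check(r Record) (string, error) {
	if _, err := time.Parse(time.RFC3339, r.EventTime); err != nil {
		return "", fmt.Errorf("%s: bad or missing timestamp: %w", r.EventName, err)
	}
	if r.UserIdentity.ARN == "" {
		return "", fmt.Errorf("%s: missing user identity", r.EventName)
	}
	cat, ok := categories[r.EventName]
	if !ok {
		cat = "Unclassified"
	}
	return cat + "|" + Outcome(r), nil
}

// DiscardEligible is true once a record has passed the one-year minimum ("discard only if not needed" is a floor, not a trigger).
func DiscardEligible(r Record, now time.Time) bool {
	t, err := time.Parse(time.RFC3339, r.EventTime)
	return err == nil && now.Sub(t) >= 365*24*time.Hour
}

// Summarize parses a CloudTrail "Records" array and tallies category|outcome, failing on the first record that lacks a mandatory field.
func Summarize(raw []byte) (map[string]int, error) {
	var body struct{ Records []Record }
	if err := json.Unmarshal(raw, &body); err != nil {
		return nil, err
	}
	tally := map[string]int{}
	for _, r := range body.Records {
		key, err := Check(r)
		if err != nil {
			return nil, err
		}
		tally[key]++
	}
	return tally, nil
}

// SampleLog is a constructed CloudTrail-style payload (not real data); the account ID and user names are placeholders in the aws-us-gov partition.
const SampleLog = `{"Records":[
 {"eventTime":"2019-11-20T14:02:11Z","eventName":"ConsoleLogin",
  "userIdentity":{"arn":"arn:aws-us-gov:iam::111122223333:user/officer.example"},
  "responseElements":{"ConsoleLogin":"Failure"}},
 {"eventTime":"2019-11-20T14:05:40Z","eventName":"PutBucketPolicy",
  "userIdentity":{"arn":"arn:aws-us-gov:iam::111122223333:user/admin.example"}},
 {"eventTime":"2019-11-20T14:07:02Z","eventName":"DeleteTrail","errorCode":"AccessDenied",
  "userIdentity":{"arn":"arn:aws-us-gov:iam::111122223333:user/admin.example"}},
 {"eventTime":"2019-11-20T14:09:15Z","eventName":"DescribeInstances",
  "userIdentity":{"arn":"arn:aws-us-gov:iam::111122223333:user/admin.example"}},
 {"eventTime":"2018-10-01T09:00:00Z","eventName":"ChangePassword",
  "userIdentity":{"arn":"arn:aws-us-gov:iam::111122223333:user/officer.example"}}
]}`

func main() {
	tally, err := Summarize([]byte(SampleLog))
	fmt.Println(tally, err)
}
```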

Page 32

AWS CloudWatch & CloudTrail

5.4 – Auditing and Accountability: AWS CloudTrail, AWS CloudWatch, AWS Trusted Advisor, Amazon SNS, Amazon GuardDuty

Page 33

Amazon GuardDuty & Trusted Advisor

5.4 – Auditing and Accountability: AWS CloudTrail, AWS CloudWatch, AWS Trusted Advisor, Amazon SNS, Amazon GuardDuty

Page 34

5.6 – Identification and authentication

As defined in the CJIS Security Policy:

“…shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes …”

• Unique identification of people and agencies
  • Each person who accesses CJI or administers/maintains systems that access CJI shall be uniquely identified – includes user of ORI
• Password and PIN requirements: specific rules. Examples:
  • Passwords min. 8 characters and PIN minimum of 6 characters
  • Passwords expire in 90 days, PINs in 365 days
  • Different from the last 10 passwords or 3 PINs
• Advanced authentication required when:
  • CJI is accessed outside a physically secure location, OR
  • Access Controls and Communications Protections are not MET
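The password and PIN rules above, encoded as an added example (not the CJIS Security Policy's or AWS's code): a policy type carrying the minimum length, expiry and reuse depth for each credential, a rotation routine that keeps only the last N fingerprints so the "different from the last 10 passwords / 3 PINs" rule is enforced mechanically, and a predicate for the advanced-authentication trigger. The IAM parameter names are the real UpdateAccountPasswordPolicy request fields; the SHA-256 history store is a simplification.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// CredentialPolicy captures the 5.6 password/PIN rules quoted on the slide.
type CredentialPolicy struct {
	Name         string
	MinLength    int // minimum characters
	MaxAgeDays   int // expiry
	HistoryDepth int // prior values that may not be reused
}

var (
	PasswordPolicy = CredentialPolicy{"password", 8, 90, 10}
	PINPolicy      = CredentialPolicy{"PIN", 6, 365, 3}
)

// IAMPasswordPolicyParams are the matching request parameters of the IAM
// UpdateAccountPasswordPolicy API, for an agency enforcing the same rules on IAM users.
var IAMPasswordPolicyParams = map[string]int{
	"MinimumPasswordLength":   PasswordPolicy.MinLength,
	"MaxPasswordAge":          PasswordPolicy.MaxAgeDays,
	"PasswordReusePrevention": PasswordPolicy.HistoryDepth,
}

// fingerprint is what the history stores instead of the secret. A real
// credential store would use a salted, slow hash; SHA-256 keeps the example short.
func fingerprint(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// Validate rejects a value that is too short or equal to any of the last
// HistoryDepth values.
func (p CredentialPolicy) Validate(candidate string, history []string) error {
	if len([]rune(candidate)) < p.MinLength {
		return fmt.Errorf("%s must be at least %d characters", p.Name, p.MinLength)
	}
	recent := history
	if len(recent) > p.HistoryDepth {
		recent = recent[len(recent)-p.HistoryDepth:]
	}
	fp := fingerprint(candidate)
	for _, h := range recent {
		if h == fp {
			return fmt.Errorf("%s matches one of the last %d values", p.Name, p.HistoryDepth)
		}
	}
	return nil
}

// Rotate validates a new value and appends its fingerprint, keeping only the
// last HistoryDepth entries so that older values become usable again in order.
func (p CredentialPolicy) Rotate(candidate string, history []string) ([]string, error) {
	if err := p.Validate(candidate, history); err != nil {
		return history, err
	}
	history = append(history, fingerprint(candidate))
	if len(history) > p.HistoryDepth {
		history = history[len(history)-p.HistoryDepth:]
	}
	return history, nil
}

// Expired reports whether a value set at lastSet has passed MaxAgeDays as of now.
func (p CredentialPolicy) Expired(lastSet, now time.Time) bool {
	return now.Sub(lastSet) > time.Duration(p.MaxAgeDays)*24*time.Hour
}

// AdvancedAuthRequired applies the slide's rule: advanced authentication is
// required when CJI is accessed outside a physically secure location, or when
// the access-control and communications-protection requirements are not met.
func AdvancedAuthRequired(physicallySecure, controlsMet bool) bool {
	return !physicallySecure || !controlsMet
}

func main() {
	hist, err := PasswordPolicy.Rotate("Winter-2019!", nil)
	fmt.Println(len(hist), err, PasswordPolicy.Validate("Winter-2019!", hist))
}
```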

Page 35

AWS Identity and Access Management (IAM)

• Manage users and their access
• Security credentials including multi-factor authentication
• Manage roles and permissions
• Manage federated users

5.6 – Identification and Authentication: AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito

Page 36

AWS Directory Service & Amazon Cognito

5.6 – Identification and Authentication: AWS Identity and Access Management (IAM), AWS Directory Service, Amazon Cognito

Page 37

5.7 – Configuration management

As defined in the CJIS Security Policy:

“Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system.”

• Enforce least functionality
  • Allow only essential capabilities in system
  • Prohibit/restrict use of specified functions, ports, protocols, & services
• Secure configuration documentation from unauthorized access

Page 38

AWS Config & AWS CloudFormation

5.7 – Configuration Management: Amazon Machine Learning (Amazon ML), AWS Config, AWS CloudFormation, AWS Elastic Beanstalk

Page 39

CJIS: Safeguarding criminal justice data in the Cloud

AWS GovCloud (US) implements the FBI CJIS Cloud Best Practices

• Provides infrastructure and services for law enforcement agencies and solutions providers to securely meet CJIS requirements and responsibilities
• Criminal Justice Agencies (CJAs) and Non-Criminal Justice Agencies (NCJAs) in all 50 states can operate CJI workloads on AWS GovCloud (US)

Page 40

FBI CJIS Division Cloud Best Practices*

• Must only use FedRAMP High Government Community Cloud
  • JAB accredited; 3PAO audited; continuous monitoring controls
  • Facility, personnel, and infrastructure control inheritance
• Services must also be approved at FedRAMP High
• Data must be encrypted at rest
• Data must be encrypted in transit
• Encryption keys must be managed by LEA
  • AWS Key Management Service (AWS KMS)… are FedRAMP High
• All authentication 2-Factor
• Processing within a secure virtual private cloud (VPC)
• Internet access to/from VPC through secure transit gateway
• Least Privileged User approach to roles for account permissions

* 2019 CJIS Information Security Officer Symposium, https://www.fbi.gov/file-repository/2019-iso-symosium-presentations.pdf

Page 41

Annapolis, MD Police Department Challenges

• Costly on-prem infrastructure and upgrades to existing laptops
• Complex app management
• Unsecured personal devices
• Poor user experience

Page 42

WorkSpaces transforms end user computing

• Increase user productivity
• Improve security and control
• Scale with the changing workforce
• Enable innovation
• Access resources anywhere, on any device
• Pay-as-you-go
• Highly interactive cloud desktops users love

Page 43

Improves Security

Amazon WorkSpaces encrypts data and streams, and keeps information off devices

• No sensitive data on end users’ devices
• WorkSpace data encrypted at rest
• Desktop stream encrypted in transit

Page 44

Amazon AppStream 2.0

• Deliver desktop applications to any computer – Users access the desktop applications they need at any time on any computer

• Secure applications and data - Applications and data are not stored on users' computers. Applications are streamed as encrypted pixels and access data secured within your network.

• Provides a fluid and responsive user experience - Each user's applications are highly responsive because they run on VMs optimized for their use cases.

• Centrally manage applications - Centrally manage your applications on AppStream 2.0 and stop managing installations and updates on each user's computer.

• Integrate with your IT - Connects to Active Directory, network, cloud storage, and file shares. Users access applications using their existing credentials and your existing security policies manage access.

Page 45

AWS WorkSpaces in Action with CJIS Data

(Architecture diagram, reconstructed as a list)

• AWS GovCloud West: Annapolis PD VPC with two private subnets and a public subnet
  – AD Connector (one per private subnet)
  – NAT gateway
  – WorkSpaces: symmetrical FIPS-197 AES-256 encryption using the CMK
  – Key Management Service: Customer Master Key (CMK) – managed by Annapolis
  – Virtual Private Gateway
• Annapolis-controlled site-to-site VPN connection using FIPS 140-2 validated module (certification #1747)
• Annapolis PD On-Premises Environment: network gateway
• Docked laptops in cruisers: Dell; two-factor authentication via Duo; connected over AT&T Mobility VPN

Page 46

Patrick J. Woods, Security Assurance Lead – U.S. Public Sector, [email protected]

Gerard J. Gallant, CJIS Program Manager, [email protected]

Sergeant Richard Truitt, Special Projects Director – Annapolis Police Department, [email protected]

Thank you

Page 47

Conclusion

• Cloud can enhance security of criminal justice data
• As a law enforcement agency, or vendor, you can build on the experience of AWS and other agencies to create secure, effective and cost-efficient applications in the cloud
• Contact information
  – Gerard Gallant – [email protected]
  – Patrick Woods – [email protected]
  – David Heinemann – [email protected]
  – Sgt. Richard Truitt – [email protected]
• Webinar recording and presentation will be available at cjisgroup.com
• Questions?
