Larry Zorio, chief information security officer at Mark43, offers helpful insight from the battlefront.
What institutions are the most likely victims of data breaches? With cybercriminals on the prowl, the targets that come to mind these days are big, data-rich institutions like banks, retail chains and hospital networks. But what about your local police headquarters?
There are roughly 18,000 local, state and federal law enforcement agencies in the United States, and most are chock-full of sensitive personal data that criminals might want to sell or hold for ransom. In addition, most law enforcement agencies’ IT departments are not well funded and are sometimes inadequately defended. Unfortunately, they don’t have the cyber budgets of a large financial institution like Bank of America or a healthcare insurer like United Healthcare.
SEE: Hiring Kit: Cloud Engineer (TechRepublic Premium)
But law enforcement officials also suffer from a peculiar vulnerability: They labor under the illusion that because their buildings have thick walls and people walk the halls with guns, their data is safe. In fact, all it takes is one employee to visit the wrong website or click on a phishing email for cybercriminals to gain access to the most sensitive data. That data might include thousands of criminal records, Social Security numbers and other identifiers that are valuable on the black market.
One answer for law enforcement agencies is to switch from on-premises systems to those that are cloud-native. What does that mean?
What are on-prem and cloud-native systems?
On-prem, where physical servers are locally managed, usually involves having servers kept in locked rooms. It brings security challenges and financial cost. The law enforcement agency must protect, service and maintain its on-prem servers 24 hours a day, seven days a week.
By contrast, cloud-native technologies are designed, constructed and operate totally in the cloud. This allows agencies to continue to stay up-to-date with the latest upgrades and compliance mandates with an update from the vendor. Technology is updated and deployed, eliminating the need to wait years for the latest upgrades. They take full advantage of the cloud computing model. Under this model, the agency no longer needs a staff to operate, update and secure those on-premises or self-managed servers.
Nonetheless, a well-resourced agency confident in its current staffing, processes and technology stack may prefer an on-prem solution. On-prem creates a very clear picture of where the accountability lies with those risks, as the agency is deciding to run this technology on their own network and assets.
Why use cloud-native systems?
Cloud-native systems have several other advantages over on-prem solutions.
Better security
The team overseeing an on-prem server at a local law enforcement agency must be concerned about a seemingly endless list of threats, weaknesses and vulnerabilities, ranging from floods to temperature variations and malware to denial of service attacks. These threats can all lead to downtime, which can’t happen with critical infrastructure. This poses quite a challenge to many agencies that have neither the funding nor the personnel to do all these things right.
In addition, agency IT systems are sometimes linked to other agencies in the same city, county or state. A law enforcement agency may feel its IT system is secure, only to be compromised when a hacker penetrates through another, connected agency.
Cost savings and convenience
At first glance, moving from an on-prem or self-managed system to a cloud-native system might seem like the more expensive choice, but the hidden costs of an on-prem or self-managed system are many. Functions such as configuring and maintaining servers or fixing vulnerabilities and other basic security hygiene get transferred to the cloud-native system. Staff dedicated to the care and feeding of the server can now be free to focus on more meaningful tasks.
With an on-prem system, a task like applying an update or security patch may require taking down the system for an hour — or much longer if something goes wrong. With a cloud-native system, all the work is done automatically in the background.
Risk and responsibility
One of the primary benefits for a law enforcement agency in moving to a cloud-native system is that so many responsibilities are passed on to a company that is dedicated to the IT mission. The cloud-native platform becomes an extension of the agency’s IT team, and the IT team transfers over substantial risk to the vendor.
Are cloud-native systems a perfect solution?
Some critics will say that cloud-native systems are not a perfect solution. For example, cloud service providers have been attacked. It’s all a question of risk management: Would you rather place your trust in a dedicated cloud-native platform or in a physical server locked in a closet at police headquarters?
Some law enforcement agencies find that the decision to switch to a cloud-native technology is not an easy one. Leaders of police departments may become concerned at the prospect of data migration, fearing that data could be lost or corrupted in the transition, while others may express trepidation about the impact on their existing workforce. Leaders of departments that have made previous investments in their legacy systems may wonder how they will now justify new spending after past tech investments.
While understandable, such concerns are generally unjustifiable. When done correctly, data migration is extremely safe. In most cases, technology workers can be reassigned to other tasks that directly support the agency’s mission. The move to a cloud-native system will save money on staffing and other costs for many years to come.
The most important question law enforcement agencies face about cybersecurity is similar to one consumers have faced for centuries: Would you sleep better at night with your money under your mattress or in a bank? Most people would choose the bank.
Larry Zorio is Chief Information Security Officer at Mark43, a cloud-native public safety technology company, who has twenty years of cybersecurity and risk management experience leading both public and private companies. Mark43 is headquartered in New York, and works with more than 120 local, state and federal public safety agencies.