Cloud-based solutions have a scandalous reputation. Yet, companies, even those who provide services for public safety, continue to push cloud-based solutions. But for mission-critical operations, is the Cloud stable and reliable? Is it secure? Does it put sensitive information at risk?
The following addresses some frequent questions and concerns regarding cloud-based services and software as it relates to mission-critical communications within public safety and beyond.
Firstly, What is Cloud Computing?
The cloud computing model refers to the availability of computer resources, usually computing power and data storage, that is available on-demand via the internet. Many cloud deployment models and services are available from companies like Amazon, Microsoft, and Google. Software companies can leverage these services and resources, instead of standard computing hardware, operating system, and software, to provide next-generation solutions to their customers. Typically, the end customer of these solutions does not have to manage any of these resources directly.
Components of Cloud Computing Services
Cloud computing consists of three services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- IaaS is a service that includes storing and maintaining data. It is a viable option for users looking for low cost, scalability, and wanting to move away from on-premise infrastructure.
- Using PaaS as a service, developers no longer manage storage, maintain hardware, or perform manual individual software updates.
- SaaS is the most common and easily accessible service that provides applications managed by third parties such as Outlook or Gmail.
Types of Cloud Deployment Models
There are only a few common types of cloud models:
Public cloud is a set of computing resources that is offered by third-party companies, like Amazon, Google, Microsoft, Apple and more. This is the service people most often think of when talking about “The Cloud.”
Public Clouds are open to any organization who wants to leverage them. For example, a CAD company could leverage Microsoft Azure to host their application for their customers to provide cloud-based access. Or a state police department could use Amazon AWS to build a crime database and web application to consolidate CyberTips and help protect children from online exploitation and sexual assault (read case study).
These computing resources are available on-demand and are charged based on use only, meaning that customers only pay for CPU cycles, storage, or bandwidth used. Public cloud services can easily scale up or down and are easy to maintain. They also have extensive built-in security measures to protect each customer using the service.
Private cloud is a set of cloud-computing resources that is created and maintained by an individual organization. For example, a state-wide 911 PSAP may deploy their own private cloud run by their IT department to host their communications systems. Alternatively, vendors who offer cloud-based features may choose to host their own private cloud for their customers.
A private cloud offers some of the technical advantages of the cloud model but still is costly and resource intensive for organizations to build and maintain. Costs tend to be fixed, since hardware and IT personnel are not easily scaled.
Community cloud is a version of a private cloud that is shared by a handful of organizations which often share similar computing needs, security concerns, SLAs (Service Level Agreement), or other requirements. The configuration can be set up to meet the needs of that group of organizations specifically.
Costs and responsibilities can be shared among the group, making it a more cost-effective and maintainable option than a Private Cloud solution. However, costs are still relatively fixed like in a Private Cloud, and the cost to set up and maintain these computing resources is still quite high compared to the Public Cloud.
Is the Public Cloud Risky for Public Safety and Government?
There are many aspects that make the Public Cloud a much safer and reliable option than traditional on-premise solutions.
Built-In System & Resource Monitoring
Public cloud services offer a variety of built-in tools that can help solution providers and vendors monitor unusual system or resource activity. Cyber-attacks often have familiar patterns of packet activity, which can trigger alarms.
Software Updates & Security Patches
When the Log4j Vulnerability was discovered in 2021, suddenly every on-premise and cloud-based solution leveraging Apache had to be evaluated, and patched if required, to mitigate risk. On-premise solutions prove difficult and time-intensive to update manually. However, public cloud-based solution providers almost immediately deployed patches for their services and already had layers of security services in place to help their customers limit risk (read AWS response here). As IT departments scrambled to update their on-premise or self-hosted applications, most cloud-hosted applications had already been patched.
Public cloud solutions are automatically backed up at consistent intervals, and storage is not limited to a single on-premise server or location, so data can never be lost due to hardware failure.
Reliable Uptime & Availability
Organizations and vendors can configure their cloud-based solutions for up to 99.999% uptime, or even further. Cloud companies leverage various combinations of technologies and services to make this possible. Each cloud provider and software vendor will have their own SLAs and SLOs which will vary, but typically the expected uptime is higher than traditional deployments.
Security Standards and Compliance
Many major public cloud providers have worked directly with governing bodies, like Criminal Justice Information Services (CJIS) officials, to implement offerings for their customers that satisfy a variety of standards and certifications. For example, according to Amazon, their standard AWS cloud is compliant with CJIS, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. They also offer GovCloud, which offers a whole other level of security for qualifying entities. This extends to the state and federal level for FedRAMP and StateRAMP certifications.
The Way Forward
Technology has always paved the way for innovation, and the Cloud is no exception. With Public Cloud offerings, the lower costs means that public safety personnel can stretch their resources further without sacrificing the quality of their services. In fact, The Cloud not only offers organizations cheaper and faster ways to do what they do now, but the vast marketplace of cloud-based technologies also allows agencies to innovate and automate.
When the first major public cloud services were launched in 2006, the market was still new, and much of the security, compliance, and monitoring functionality had not been developed or implemented. In the 14 years since then, however, cloud offerings have evolved as there have been learning opportunities for these major public cloud providers. They have had to release security patches urgently and at scale, develop prevention, mitigation, and response tools, rearrange their services to optimize uptime, and implement new processes to meet various compliance requirements. Additionally, vendors who leverage cloud services in their software have had time to learn about and adapt to these new environments, allowing them to fully leverage modern technologies in what they offer to public safety agencies.