A notable 34 percent of the respondents to our recent 2014 Public Safety Industry Study have moved or are considering moving data applications to a cloud-based solution over the next three years. This is a trend occurring across many industries. At the same time, current news headlines have caused discussion and doubt about the security of cloud services. So, what is ‘the cloud’, really? Is it secure or insecure? How can we properly leverage cloud services in a public safety environment?
The term “cloud” comes from the standard symbol that network engineers have used to represent the internet for decades. On diagrams of organizations’ network devices and cabling, it’s an abstract concept which represents everything outside of the engineer’s control and sight. This abstractness has translated into the way we talk about cloud services today – we refer to ‘the cloud’ in a broad sense as some conceptual place we outsource our data for storage or processing. We might perceive internet-based services differently today if the standard symbol had been a menacing dragon, or perhaps most accurately, a question mark.
So what is “the cloud”, really? The first and most crucial thing to understand is that cloud services aren’t abstract at all. The cloud is essentially a term for other organizations’ computer systems. Every bit of data we send to a cloud service provider is ultimately stored in some form on real hard drives, traverses real network cabling, and is processed by real software. Cloud providers use similar technologies to those we use within our own organizations. However, they do so at an exponentially larger scale, allowing them to offer services to many organizations simultaneously and at significant bulk cost savings.
When we think about the cloud this way, our perspective should change. “The cloud” isn’t inherently more or less secure than any other digital system. These services are tools of varying quality which we can use to cost-effectively centralize our data storage, applications or processing. They provide us access to centrally-hosted hardware and software that may be more cost- and time-effective than in-house solutions.
This centralization does provide an opportunity for improved security. Our data can be stored in a single defensible location, with uniform security controls. Since many organizations’ networks have grown too large and too piecemeal for limited IT staff to monitor accurately, a homogenous environment can make security monitoring and management more effective, less costly, and easier to handle. In an era of budget cutbacks, this can be a big help in getting our networks under control.
However, cloud services come with an equal amount of security risk if they’re not used properly. We must keep in mind that cloud services still reside on real computer systems.
Cloud-based services can provide cost savings, centralization, and easier management and monitoring of data and applications for public safety organizations. They can also provide a standardized and defensible security platform for our data and applications. Despite this, we must carefully evaluate these services as what they actually are: off-premise computer systems which are only as secure as they are designed, implemented, and monitored to be. By understanding this and asking the right questions, we can make educated decisions about how we can best leverage cloud service providers.
Lesley Carhart is the Incident Response Team Lead for the Motorola Solutions Security Operations Center. She has 14 years of experience in information technology, including computer networking and tactical communications. For the past five years, she has focused on security, specializing in digital forensics.
Welcome guest blogger Mike Coleman, Vice President of SchoolSAFE Communications, a Motorola Solutions partner.
Parents have purchased school supplies for their children, teachers have decorated their classrooms, and backpacks are filling up with homework. With the school year now in full swing, school safety is top of mind for school administrators, parents, and staff. With 74 incidents involving guns in schools since the Sandy Hook tragedy of December 2012, school officials need to be asking themselves, do we have a safety plan?
Safety plans go by many names and formats, but no matter what they’re called, it is imperative that every school district and campus has a plan that is “all-hazard” based. Not having a safety plan and not practicing the safety plan is not a good plan. Many moving parts can impact plans and their processes. Each aspect of the plan needs to be scrutinized for being up to date and whether it addresses the needs of staff, students, and their parents. If plans have emergency contact lists, the lists need to be reviewed and the contact information verified. Staff turnover is a constant within schools, and up-to-date lists need to be a part of the human resources process. If no safety plan currently exists, it would be helpful to define a standardized response protocol that is easy to remember and implement during stressful situations.
Another key element of any plan is all-hazards safety training for staff and the school safety team. Teachers are busy preparing for students to arrive every morning, and should also be ready to handle a crisis in accordance with the plan. It is important to include substitute teachers in school safety briefings. A school that does not have a set pool of substitute teachers should have their standardized response protocols on one side of a safety plan document and the critical elements of the plan on the other. The document should be distributed to every substitute when they report to work. Emergency procedure training is routinely a very short part of any district agenda for staff gatherings. Since the school staff will be tasked to act as a “first responder” until the professional response agencies arrive, staff members need to be ready. Training needs to be more than a “worksheet handed out in class” to review and find the answers. It would be ideal for school administrators to take a few minutes at each leadership meeting and staff meeting to discuss how staff will need to respond to the “emergency event of the day.” This can be accomplished by simply taking a look at current events from other schools for the discussion as well as partnering with local public safety agencies to participate in table tops or functional exercises.
Just like students, educators and administrators have their own learning style. It is important to make the training useful and teach a decision making process as opposed to a checklist process.
When finished reviewing the safety plan, it’s time to inventory and test the safety equipment. Most schools update their “go bag” shortly after school starts. Verify the reliability of all parts of the school’s communication system from the radios to the intercom system to school alerting systems. Determine how you will interface with the school district and public safety when a crisis hits. Mobile phone communications are almost always the first to fail during a crisis due to students, staff, and parents overloading the network with voice and data. Once media and public safety arrive at the school, the mobile phone system is bogged down even further.
Therefore, systems should be placed to provide fast and direct communications with public safety right from the location of the emergency. Radio communications systems provide more accurate and timely updates during the response to and management of an incident, which in turn help the school, district, and community.
School readiness does not have to be time consuming and complicated. By investing time in creating and reviewing a plan that is coupled with equipping and training staff to implement the plan, schools will be ready to respond in the most efficient and effective manner possible in times of emergency.
Mike Coleman is Vice President, SchoolSAFE Communications
Learn more about SchoolSAFE Communications.
Motorola Solutions and SchoolSAFE Communications will be at the Association of School Business Officials (ASBO) Annual Meeting and Expo today to September 22, featuring Motorola’s two-way radios and SchoolSAFE communication solutions.
Community Policing is part of an age-old philosophy wherein a police department is a full-service, personalized and decentralized entity – where citizens feel encouraged and empowered to work in proactive and equal partnerships with the police to solve problems of crime, fear of crime, disorder, decay and quality of life. Sounds great, right? But to achieve that requires constant communication.
There was a time, not so long ago, when the relationship between citizens and their local public safety agencies consisted of a phone call for assistance, a community bulletin, and perhaps a monthly meeting. For public safety agencies, communication to their citizens came in the form of local news on TV, over the radio, in the newspaper, or just good old-fashioned talking face-to-face. Certainly a simpler time, but those mediums were limited by inherent delays, reducing the value of the Community Policing philosophy. You wouldn't get the paper until the morning, the news didn't air until the evening, you had to be listening to a radio, or you had to arrange your personal schedule around town meetings. Those methods are ineffectual in this age. Citizens have always had a desire to communicate more effectively, but the means to do so wasn't available until recently.
As a citizen myself, I now have a plethora of options. I can use Twitter to see real-time public safety news, Facebook to create conversations with the larger community, email to ask a personal question and on and on. Now I'm even able to use social community tools like Nextdoor to create a virtual neighborhood watch and dialog with police about my local communities’ issues and needs. The police can monitor the communities’ input and use the information to provide more proactive policing to stem small issues before they become large trends. It's Community Policing in the 21st century. But still, there's something missing. With all of this data comes the challenge of extrapolating the right kind of information to make it actionable. Otherwise, we're still limiting our ability to execute on that valuable philosophy.
Many of you have heard some variation of the following recently. Someone gets their phone stolen, and they use software installed on their phone to automatically capture an image of the suspect. Through social media they crowdsource the identity of the suspect, then share it with local police to help arrest the suspect and retrieve their stolen property. A citizen is encouraged and empowered to work in proactive and equal partnership with their local police to solve a problem of crime and improve the overall quality of life. This is community policing through digital intelligence.
As a result of this evolution of technology as well as the needs of both citizens and the agencies that serve them, the value of data has increased exponentially. Citizens expect that their transparency will result in safer communities. Public safety agencies expect that data will allow them to be more effective in light of increasingly fewer resources. The key to achieving that is extracting the right data at the right time to make it actionable.
Now imagine a scenario where an individual makes a direct threat to someone on social media. In many departments the only way to mitigate the action from being taken is to rely on another citizen to notify them directly or to comb through social media, identify the threat and hope that it's not too late. Now imagine that same scenario except this time the police department is using intelligence-led tools to automate the discovery of the threat, the location of it and can identify personnel nearby to investigate and defuse the situation before it's too late. Now agencies can be proactive instead of reactive, reducing crime and increasing overall safety to themselves and citizens. Now the grand vision of Community Policing is better enabled through Intelligence-Led Policing. Agencies can now leverage those social tools to respond and communicate in real-time with their communities more effectively.
But it's more than just that. Criminals don't just commit crimes in their own neighborhoods, they cross borders. They target small communities without the manpower to respond effectively. In an increasingly digital community, borders don't exist like before. Agencies are taxed with requests to provide information to their surrounding towns, cities, counties, states and even federal agencies to assist in fighting and solving crimes. In an intelligence-led model of policing, that data can be made available in minutes eliminating the bottlenecks of phone calls, emails, and other communications technologies that resulted in long delays in the past. Civilians are able to share information anytime to anywhere in real-time, and public safety agencies should be able to do the same.
In an intelligence-led environment, public safety agencies are equipped with the technologies and methodologies to enable rapid, efficient communications among local, state and federal agencies while providing levels of service to their communities like never before. Community policing is back and better than ever enabled through Intelligence-led policing.
Motorola Solutions has developed intelligence-led capabilities to enable real-time public safety solutions and deliver on the vision of safer communities so our customers can make good on their promise.
Steve Sebestyen is a Senior Marketing Manager of Global Solutions and Services for Motorola Solutions
Learn more about Intelligence-Led policing and Motorola Solutions' Real-Time Crime Center.
Picture this scenario: It’s tornado season, and your agency sits in the middle of tornado alley. With a rush and a roar, multiple tornados sweep through your city.
First a twister hits the east side of your town, and all your on-call officers are dispatched to help the community there. The second in the series hits the other side of town creating a mutual aid scenario, requiring you to call in the neighboring city’s police department to help search for victims and secure the area.
Because a typical family of tornados consists of two cyclones, you think the turmoil is over – but then a third twister strikes the edge of your county. This requires the State Police and Sheriff’s Department to be activated as well.
In this scenario, you, the police supervisor, would need to communicate directly with other state and local first responders to better coordinate response activities. It would be ideal to use GPS to track your personnel, text your chief, and sync your communications – but your analog radio operating on an analog land mobile (LMR) network will not provide this capability. To make matters worse, your officers cannot hear you clearly due to the loud background noises from blaring sirens and rushing winds as you speed to the scene. Your ability to manage your officers’ response activity is also impacted due to system coverage and capacity limitations, hindering your operations and creating officer safety issues.
Today, agencies are mitigating the potential difficulties in this type of scenario by migrating to a P25 Digital LMR System with P25 Digital Subscribers, allowing law enforcement agencies like yours to take advantage of a large suite of applications and features designed to provide enhanced operational capability. Applications like Talkgroup Geofencing can provide dispatch with the ability to create talkgroups by simply drawing defined areas on a map to address your immediate tactical communications needs. You can learn more about this feature and more by reviewing Motorola’s Why Migrate to P25 Digital LMR White Paper, which describes these benefits in further detail.
Globally since 2010 communities have sustained over $2.5 trillion in damages due to natural disasters. Tornados are just one example of the many outside threats that continue to challenge our first responders. As these threats evolve public safety is looking for broader capability to collaborate and share information in real time. The white paper also details the many benefits of migrating from analog to P25 digital LMR to mitigate these threats as illustrated below.
Lt. Col. Tom Miller (Ret.) is the Director of Mission Critical Systems and Solutions Business Development Team at Motorola Solutions.
Learn more now about the advantages of P25 Digital LMR in the Why Migrate to P25 Digital LMR White Paper.
While this year’s edition of Black Hat, the annual hackers’ conclave that met recently in Las Vegas, was bigger and glitzier than ever, don’t get the impression that security has finally turned the corner and now is a real concern for commercial enterprise and original equipment manufacturer products, particularly smartphones.
As usual, there was an abundant selection of security training classes for attendees at Black Hat, along with the traditional Capture the Flag contest. Numerous researchers from industry and academia lectured on and demonstrated the latest techniques for hacking everything from home Wi-Fi access points to national databases. Security product vendors had professional models, celebrities and high-tech toys to deliver the message: “We have the ultimate solution to your security needs.”
Meanwhile, at the same conference, casually dressed, self-proclaimed experts and legitimate researchers presented an endless stream of hacks to defeat those “ultimate solutions.” That made me wonder: What’s really going on here? If so many companies have “the” answer, why are there so many successful hacks and why do we keep hearing that the bad guys are winning?
I think it’s because there’s a principle at work here that I call “the WOW factor.” Simply stated, the WOW factor wins out over security every time in the commercial world. Or to put it another way, commercial smartphone manufacturers will always give a higher priority to the user experience than security and commercial enterprise decision-makers will always give a higher priority to cost than security. It’s hard to disagree with that principle. WOW sells far more smartphones than security features, and it’s hard to show the benefit of something NOT happening in an enterprise compared to NOT spending.
Clearly the WOW factor was the root cause of the latest Android vulnerability announced at Black Hat this year. In a highly publicized presentation, Bluebox Security described how one app can masquerade as another app by exploiting an Android vulnerability, which, by the way, is present in every version of (unpatched) AOSP Android.
With a newly purchased smartphone, Bluebox demonstrated how malware can use this vulnerability to infect several applications at once without ever requesting user permissions. It occurs because the identity of the application is not properly verified by a cryptographic process even though Android is fully capable of checking an application’s identity credentials in this way.
The cryptographic verification process takes more time and power to perform than what was actually implemented in Android, a simple string check. Processing time and power have the potential of degrading the user experience, thus degrading the WOW factor.
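The difference between the two checks described above, as an added example that is not from the original post or from Android's own code: a certificate that merely names a trusted issuer passes a string comparison but fails signature verification. The toy RSA keys, the names and the certificate layout are constructed for illustration, and the keys are far too small for real use.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # standard RSA public exponent

def make_key(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str       # a claim: just text until a signature backs it
    pubkey: tuple
    sig: int = 0

    def tbs(self):
        """Bytes covered by the issuer's signature."""
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()

def issue(subject, subject_pub, issuer_name, signing_priv):
    cert = Cert(subject, issuer_name, subject_pub)
    cert.sig = sign(signing_priv, cert.tbs())
    return cert

def string_check(cert, trusted_name):
    """Weak: trusts whatever issuer name the certificate states."""
    return cert.issuer == trusted_name

def crypto_check(cert, trusted_name, trusted_pub):
    """Hardened: the named issuer's key must actually have signed the cert."""
    return cert.issuer == trusted_name and verify(trusted_pub, cert.tbs(), cert.sig)

# Constructed sample data: Mersenne primes keep the toy keys reproducible.
VENDOR = "CN=Trusted Vendor"
vendor_pub, vendor_priv = make_key(2**61 - 1, 2**89 - 1)
app_pub, _ = make_key(2**107 - 1, 2**127 - 1)
other_pub, other_priv = make_key(2**521 - 1, 2**607 - 1)

genuine = issue("CN=Vendor Plugin", app_pub, VENDOR, vendor_priv)
# Names the vendor as issuer, but is signed with an unrelated key.
claimed = issue("CN=Unrelated App", other_pub, VENDOR, other_priv)

if __name__ == "__main__":
    for name, cert in (("genuine", genuine), ("claimed", claimed)):
        print(name, string_check(cert, VENDOR), crypto_check(cert, VENDOR, vendor_pub))
```

The signature check costs two modular exponentiations per certificate where the string check costs one comparison, which is the time and power trade-off the paragraph above refers to.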
During the past several years, Motorola Solutions has been developing the Assured Mobile Environment, known as AME. It’s a secure smartphone solution that’s capable of protecting classified information. AME incorporates a commercial off-the-shelf Android smartphone because it provides the compelling Android user experience.
AME mitigates the risk of vulnerabilities by embedding the Android experience into a multilevel secure architecture. It uses not one but several layers of protection, including a separate hardware security module to segregate and protect critical security elements and processes.
AME adds the security assurance that is needed to overcome the vulnerabilities introduced by the WOW factor, delivering a compelling user experience while meeting the special needs of government agencies, enterprise and security-conscious smartphone users. Here at Motorola Solutions, security isn’t an afterthought; it’s a stream of consciousness.
Tom Mihm is the Chief Security Architect of the Motorola Solutions Secure Products Group.