NIST releases draft report on securely outsourcing public safety organisation's digital information

The report provides a pathway for an organisation to select the business that will protect its data.

In 2019, the United States National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence and Public Safety Communications Research Division, hosted an invitation-only workshop with subject matter experts and decision-makers from public safety organisations (PSO) to address cybersecurity challenges. Workshop participants made recommendations on a vision for data sharing in PSOs and agreed on this vision statement: getting the correct data to the correct people at the correct time with the correct protections and only if it is for the proper reason and in an efficient manner.

Specifically, PSOs have asked for technical guidance on how cloud solutions can be integrated into existing and new information technology (IT) architectures. The NIST released a document intended as a first step in establishing that guidance by examining the topic of identity as a service known as ‘IDaaS’.

On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can protect life and property during an emergency. The increasing use of cloud technologies can improve data access, but also causes authentication challenges. The objective of the report is to inform PSOs about IDaaS and how they can benefit from using it.

Today, IDaaS providers offer identity, credential and access management (ICAM) services, such as authentication, to customers through a software-as-a-service (SaaS) cloud-service model. PSOs could acquire IDaaS to provide authentication services for their own applications. This would allow the PSOs to offload some of their authentication responsibilities to the IDaaS provider.

The report highlighted common capabilities of cloud services that market themselves as IDaaS providers and documented considerations for PSOs. In summary, while some IDaaS providers offer a mature suite of ICAM services (national coverage for example), others offer supplemental authentication services for existing identity solutions. Thus, PSOs, especially those of smaller size without ICAM expertise that are moving towards enhancing their authentication capabilities, face a difficult task of procuring a satisfactory IDaaS provider.

The following are key recommendations from the report:

• Depending on the nature of a public safety application, such as the sensitivity of the data it uses and the types of devices and locations it is accessed from, stronger forms of authentication may be needed.
• PSOs should perform a risk assessment for all of their applications that might use IDaaS authentication services before selecting an IDaaS provider. This allows PSOs to ask IDaaS providers specific questions about the forms of authentication that they need the provider to support.
• Most PSOs are unlikely to want to shift all authentication to the cloud immediately, so they should consider taking a hybrid IT approach: a mix of on-premises/data centre and cloud-based authentication services. IDaaS providers typically support this type of deployment with software tools that can synchronise credentials, eg, password hashes and/or associated attributes. This allows PSOs to take advantage of IDaaS as they gradually transition from on-premises to cloud.
   

Image credit: ©stock.adobe.com/au/Me studio