It didn’t take much to convince Brian Griffith, a deputy assistant director at the Criminal Justice Information Services (CJIS) Division for the FBI, to move more applications and services to the cloud.
Despite the potential for cloud services to cost more in the short term, Griffith was confident in the agility, security and scalability this approach would bring.
Then it came to moving the Next Generation Identification system, which runs the organization’s biometric identification and criminal history services on more than 3,600 on-premise blade servers, to the cloud. That experience closed the door on any potential rationale for CJIS not moving as many applications as possible to the cloud.
“When we took the biometric aspect of that to the cloud, we did so holding our breath. But knowing that we had had good options, we spec’d out the appropriate size server and we ordered it. We had both reserved and on-demand instances. When the day came, we realized that we had mis-spec’d and didn’t have enough memory,” Griffith said on Federal News Network’s Cloud Exchange. “Now if we did that in a hardware order that’s sitting in your data center, we’re probably talking about backing out the initiative and not moving forward with it. Instead, we contacted our cloud service provider and we found the appropriate instance that we actually needed. We changed our configuration to consume that new instance.”
He said over a lunch hour his folks solved the memory shortage challenge.
“There was probably about two hours of hand wringing and sweating because the vast majority of our team had not operated in that environment before. It wasn’t until one of our senior engineers kind of, and I’m not joking, knocked on the door and said, ‘Hey, I think I can move us to a new instance before this afternoon.’ Everybody looked at each other like what kind of witchcraft are you selling here? But we said, ‘yeah, let’s go do that.’ It was an easy transition,” he said. “That’s one of the big reasons why cloud has been successful for us. And probably one of the biggest use cases for why it’s so important for us to get there.”
Griffith said once they made the configuration changes, NGI’s performance picked up and the memory problem went away.
The NGI example isn’t typical of a cloud migration in terms of running into performance and memory challenges, but it is typical of the type of system CJIS is moving to the cloud.
The National Crime Information Center (NCIC) has been a mainframe application for 30 years. On a normal day, FBI and other law enforcement agents run more than 10 million transactions through it, looking for crime data such as mug shots and crime records.
Griffith said moving that to the cloud is going to require CJIS to rearchitect the entire system.
“It was built and optimized on a mainframe environment. So the idea that the application could just be moved to the cloud just doesn’t happen that way. We have to sever the application logic from an understanding of the platform that it’s residing on, and then optimize, go from a single point of entry for NCIC to massively parallel points of entry for NCIC to be able to service that same kind of a demand,” he said. “In addition to that, other applications that one would actually consider to be modern applications, built around large enterprise databases like Oracle, Sybase and SQL Server and tools like that, where we’ve taken advantage of the enterprise database to accomplish large parts of the application. As you’re looking to make that more cloud enabled, and you’re looking to pull away from the logic of the database so that you can use the cloud for what the cloud offers you, you’re rearchitecting large portions of your application. So it’s bigger than just there are my databases sitting out there. It’s how do I reconstitute all of this application logic that sits around it?”
These mission-critical applications are just two of many that CJIS has either moved to the cloud or is in the process of moving. Griffith estimated that his organization has migrated between 60% and 70% of all of its systems to the cloud.
“We’re still targeting 90-plus percent or higher being in the cloud, only holding out of the cloud those things that are either so workload sensitive that we’ve got to keep them under lock and key or those things that are maybe too costly to move into the cloud,” he said. “But being quite honest with you, right now we’ve not identified what those applications are right now. We are still moving on a trajectory of consuming cloud services in a secure way on a very large scale.”
Over the long term, Griffith said his goal is to get to a point where CJIS is “cloud agnostic,” meaning applications and services are using the cloud instance that makes the most sense at the time of the transaction.
A key factor in reaching that idea of being cloud agnostic is the need to install cloud access points and rely more on automation services.
Griffith said both will ensure the agility and scalability benefits of cloud services are front-and-center for the mission areas.
“We’ve developed tools and automations. One in particular was an automated tool for cloud service security approval and monitoring. It is something that can be dropped down in every developer’s continuous integration, continuous development (CICD) pipeline so that from the very first time they’re compiling and moving code into a test environment, we’re applying security principles,” he said. “We’re using automated security tools in order to verify that the configuration they’re building on is an approved configuration that’s hardened to our standard.”
Cloud access points (CAPs) are the second piece of both the security and the flexibility of the cloud for CJIS.
Griffith said these CAPs eventually will apply Justice Department security requirements, but not slow down the application and data.
“Currently today, we have relatively few cloud access points, and really the biggest ones are supported and maintained here at CJIS. A future strategy, and we’re not there yet, is to actually have many cloud access points distributed across the country. That security posture, as we consume cloud services, will eliminate this backhaul where every request that starts in California needs to come back to West Virginia to bounce back out to California,” he said. “If we can avoid that, then you start talking about cost savings and the network savings of being able to go directly to the cloud, closer to where you are getting better service and better price point.”
Griffith said the CJIS cloud strategy eventually will be more decentralized because of the multiple cloud access points. But, he said, it also makes CJIS more resilient.