Transition to the Cloud Motivates Nevada DPS to Rethink Its ICAM Approach

I recently was asked by one of our clients, the Nevada Department of Public Safety (DPS), to speak on its behalf at 5 x 5: The Public Safety Innovations Summit, a three-day conferencepresented by the National Institute of Science and Technology (NIST). The event — which has been held annually for about two decades — brings together leaders from public safety, academia, government, and industry to explore new ways that communications technology can be used by emergency responders.

NIST had invited DPS to participate given the latter’s decision to move its statewide message switch and criminal history system into the cloud. The message switch, which connects to every law-enforcement organization in the state, was the first project. It enables law-enforcement agencies to search interconnected federal and state-level databases, such as the FBI’s National Crime Information Center (NCIC) database. When it went live in May 2023, Nevada became the first state to deploy a completely cloud-based statewide message switch in the United States.

The transition of the message switch to the cloud required DPS to rethink identity, credential, and access management, or ICAM, which is a framework established by the Cybersecurity and Infrastructure Security Agency (CISA) to manage information-sharing risks.

Access control and cybersecurity must be more redundant and robust when operating in a cloud environment because physical network boundaries no longer exist, e.g., firewalls and similar edge protections — you’re literally in the wild, communicating across the internet, which is fraught with peril.

DPS, their system integrator, and MCP collaborated to address how user agencies would be served in this new environment. Previously, law-enforcement agencies would implement a virtual private network (VPN) and then establish an account with the state to receive credentials that would enable the organization’s personnel to access the state’s networks and systems, including those provisioned by DPS. It took some effort to set all this up but, more importantly, logging on was very time-consuming for field responders — for example, a law-enforcement officer wanting to follow up on a wants-and-warrants check during a traffic stop.

DPS ultimately decided on two approaches to enhance its ICAM profile and bring it into alignment with CISA’s requirements, which in turn would ease the burden on field personnel. One approach involves leveraging the cloud-based Microsoft Azure platform to set up “B2B collaboration” with the agencies it serves. This approach enables law-enforcement personnel to connect to DPS’s GovCloud — a secure platform implemented in the Microsoft Azure Government environment for managing sensitive data and authenticating users — using their agency-provided credentials.

Recognizing that smaller agencies might not have the information technology (IT) resources necessary for achieving B2B collaboration, DPS established an alternate approach that involves enabling law-enforcement personnel to connect directly to DPS’s GovCloud, via DPS-provided credentials, within the Azure solution. DPS calls the users configured this way “cloud users”

Both approaches are a big improvement over the legacy process. Accessing DPS’s networks and systems is much faster and simpler for field personnel — now all they need to do is go to a website via their personal computers (PCs) or smartphones and log in using the credentials. Either way, no VPN is required, and while it might seem counterintuitive, this approach is more secure because it relies on enforced security and encryption protocols and doesn’t rely on software that eventually will become out of date.

In addition, a level of multifactor authentication (MFA) was established in alignment with CJIS’s security policy. Agency-defined and cloud users are required to sign in using a third-party authentication service like the out-of-the-box solutions developed by Google and Microsoft — but there are numerous others available in the marketplace. Once authenticated, personnel are limited in terms of what they’re allowed to do and where they’re allowed to navigate, based on their credentials.

The MFA implementation presented a few interesting challenges concerning personnel who were not able to use their smartphones — such devices aren’t allowed in correctional facilities, dispatch centers, or secured areas in agencies. A workaround was found using minimal-cost programmable tokens — a little old school but still highly effective. We also found several free-to-install authentication applications — Fortinet for Windows for example — that can be installed on personal computers, which are allowed inside the restricted facilities.

We would love to provide more details on the Nevada DPS project and, more importantly, help you develop a strategy to improve your ICAM profile — please reach out.