Security and Compliance: How Axon leads in Public Safety Cloud Technology

“Ensuring compliance with data protection regulations is critical. I also encourage agencies to evaluate the entire security posture of a cloud solution.”

The cloud has changed much about the role of data in our lives. Whether those individual bytes compose a Netflix original series, a tax return or a collaboratively maintained database, they’re delivered faster and more efficiently than ever before. The same is true in the field of public safety. Cloud-based evidence management tools such as Axon Evidence support and accelerate the justice process by allowing officers, prosecutors and defense attorneys to collect, manage and share materials online.

Like any cloud-based service, the data stored within Axon Evidence must be monitored and protected to ensure only authorized parties can gain access. Furthermore, it must abide by the stringent regulations of individual countries and regions that stipulate how and where information related to their public safety system is used.

We spoke with Axon Chief Information Security Officer Jenner Holden to explore how Axon addresses these interrelated challenges. Here’s what he had to say.

Q&A with Axon CISO Jenner Holden

What do cloud users have to consider now that they didn’t five years ago?

Jenner Holden: The breadth and complexity of cloud security considerations have expanded. Five years ago, you may have cared about the specific security capabilities of your new cloud-based SaaS point solutions. But today, you must also consider the security implications of the integration points throughout your dozens of cloud-based SaaS solutions.

For example, five years ago we were all anxious to get better security logs from our SaaS providers to monitor for security issues. Today, we need to figure out how to correlate a central understanding of all our SaaS solution logs to detect security issues that are only apparent when looking across activity from multiple cloud vendors. 

While some are concerned about the risks of storing evidence in the cloud, can you also speak to its benefits?

JH: Security risks are lower overall when using cloud solutions instead of traditional on-premises options. This has proven out over time. For example, the rash of ransomware incidents over the past few years has almost exclusively impacted on-prem storage systems, not cloud-based solutions.

Cloud solutions have proven to be more secure and resilient for a few reasons. Malware is still developed to target local hardware and software – servers and laptops get infected with malware, not SaaS applications. Another example: The resources, economies of scale and expertise that a mature cloud provider can bring to the table far outstrip the capabilities of most organizations, even large ones. Security must be a core competency of a cloud vendor, part of its core product value proposition; that’s not the case for public safety agencies.

For digital evidence specifically, cloud technologies enable far greater chain-of-custody tracking, access monitoring and overall proof of integrity. Always connected, cloud-native API-driven products provide a very high level of “always validating” for digital evidence during its lifecycle that on-prem technologies can’t come close to matching.

What is Axon doing to improve Digital Evidence Management System (DEMS) security? And how are you remaining agile in the face of changing rules and regulations?

JH: We’ve had fundamentally strong security practices, capabilities and compliance in place for our cloud products, such as Axon Evidence, for many years. We’ve proven that with external validation through rigorous audits and certifications, including ISO 27001, FedRAMP High in the US, IRAP in Australia, ENS High in Spain and many more.

But the security and privacy landscapes are constantly changing, and we stay focused on adapting to the many new challenges and expectations always coming our way. We spend significant time and resources working with our regulatory partners to ensure we are ready to adjust to meet new expectations, as well as to influence the direction of those regulations. In this way, we ensure our public safety customers' interests are met.

How does Axon approach cloud security?

JH: We run a broad and robust security program at Axon. It includes everything from focused product security engineering to internal enterprise IT security to global risk management and compliance. Certainly, there is a litany of potential threats we need to worry about and be prepared to defend against: hacktivists, criminal syndicates, unscrupulous tabloid press and others.

Due to the wide diversity of threats, our defenses need to be equally diverse. We employ the best solutions and tactics in the industry, such as broad use of encryption, attack detection and prevention, 24x7 monitoring and incident response, regular penetration testing and more.

For the security of our cloud solutions specifically, head to trust.axon.com. There, you can see the long list of certifications, audits and authorizations we’ve earned from external parties that have deeply evaluated our security practices. This includes FedRAMP High, ISO 27001, SOC2, CSA Star, Cyber Essentials, IRAP and many more. 

Does Axon approach cloud storage and security differently in countries outside of the US?

JH: We apply the same high-security standards and general protections for all our cloud regions worldwide. Every customer, no matter where they are located, will get the same level of access management features, audit trails, evidence integrity, encryption, intrusion protection, anomalous activity monitoring, incident response and more. However, we also take data sovereignty very seriously. We operate many cloud regions around the world to ensure customers can store their evidence data within the regional or national boundaries they are comfortable with. Their evidence data always stays within that area. Additionally, we work hard to ensure our services align with local data protection regulations, such as GDPR and the more specific Law Enforcement Directives.

Ensuring compliance with data protection regulations is critical. I also encourage agencies to evaluate the entire security posture of a cloud solution, such as Axon Evidence, against their internal security capabilities. Often, cloud providers will be able to provide broader, deeper and more consistent security capabilities, especially as the size and complexity of an agency's digital evidence footprint continue to grow.

A principled approach to public safety technology

Axon Evidence reflects Axon’s commitment to building the future of public safety technology. It’s shaped by an ongoing commitment to security and compliance for all the agencies it supports and the jurisdictions and legislative environments within which these agencies operate. Thank you, Jenner, for answering these questions and for your continued commitment to excellence in information security.

If you’d like to learn more about how Axon combines the power of the cloud with uncompromising public safety principles to drive more efficient practices, then contact us today.