Security
Security Architecture
Infrastructure design, encryption layers, key management, and session security.
Infrastructure
EasyWarrant runs exclusively on Microsoft Azure Government — a dedicated cloud environment for US government and compliance-sensitive workloads. The platform operates in a dedicated Azure Government subscription, isolated from all other Brigade Management systems.
- Region: USGov Virginia (primary), USGov Arizona (failover)
- FIPS 140-3 validated cryptographic modules throughout
- FedRAMP High authorized environment
- No data stored outside US jurisdiction — enforced at infrastructure level
- No CJI metadata used for any commercial or advertising purpose
Encryption in Transit
All CJI transmitted by EasyWarrant is protected by FIPS 140-3 validated cryptographic modules. No plaintext CJI traverses any external network at any point.
| Channel | Protocol | Specification |
|---|---|---|
| API / Signaling | TLS 1.3 | FIPS 140-3 validated; AES-128 minimum |
| Video Media Stream | DTLS-SRTP | AES for media; DTLS for key exchange |
| Document Upload | TLS 1.3 | HTTPS; encrypted on receipt |
| Database Connections | TLS 1.3 | Azure PostgreSQL enforced TLS |
| Key Vault Access | TLS 1.3 | FIPS 140-3 HSM-backed endpoint |
Encryption at Rest
All data at rest is encrypted using AES-256 (FIPS 197) with agency-controlled keys.
- Warrant documents: Azure Blob Storage (Gov) with SSE + customer-managed keys via Azure Key Vault
- Database records: Azure PostgreSQL transparent data encryption + CMK
- Audit logs: Encrypted at rest; tamper-evident hash chain
- Encryption keys: Stored in Azure Key Vault HSM-backed tier (FIPS 140-3)
Key Management (SC-12)
CJIS Security Policy v6.0 SC-12 requires agency-controlled key lifecycle. EasyWarrant implements this via Azure Key Vault with customer-managed keys (CMK):
- Each agency's CJI is encrypted under that agency's own CMK
- Brigade Management staff cannot access the plaintext content of any agency's CJI
- Key generation, rotation, and destruction are agency-controlled operations
- Azure Key Vault HSM-backed tier ensures FIPS 140-3 compliance for key storage
- Key access is logged in the tamper-evident audit trail
No vendor lock-in on CJI
Agency-controlled CMK means your CJI cannot be accessed by anyone — including Brigade Management — without your agency's key. You retain complete control.
Session Security (SC-23, SC-10)
EasyWarrant enforces the following session security controls:
- Session timeout: 1 hour of inactivity terminates the session automatically (CJIS SC-10)
- Session reauth: All sessions require reauthentication after 12 hours regardless of activity
- Session keys: Generated fresh per session using FIPS-validated PRNG; never reused
- MitM protection: DTLS handshake with certificate pinning prevents session hijacking (SC-23)
- Session termination: All ephemeral session keys destroyed on termination
Background Checks and Personnel Security
All Brigade Management staff with unescorted access to unencrypted CJI are required to pass a fingerprint-based background check before receiving system access. This requirement applies to:
- System administrators with database or storage access
- DevOps engineers with production environment access
- Support staff with access to agency data in any form
Access is provisioned on a least-privilege basis and reviewed on a quarterly schedule.
Audit Access
Brigade Management is subject to CJIS audits at any time after Security Addenda are signed. All access logs, system configurations, and compliance documentation must be available for audit on demand.