Automated Biometric Information System helps secure data and borders
The Leidos team's work with the Department of Defense (DOD) on its Automated Biometric Information System (ABIS) program has resulted in a secure, functional system for the government. ABIS allows military branches to flag individuals of interest, putting them on a "Biometrically Enabled Watch List" (BEWL). Once flagged, these individuals are identified through surveillance systems on battlefields, near borders worldwide, and on military bases. Leidos' work secures the data and applications from this system against breaches and attacks in a world of ever-increasing cyber risk.
The ABIS program's biggest challenge was ensuring the cloud environment met the DOD's stringent security standards, and Amazon Web Services (AWS) was selected to deliver the solution. While AWS had previously been used as a backup operational environment, there were lingering concerns about security compliance once the entire ABIS system moved to the cloud. Internal assessments in the past had revealed a series of vulnerabilities. Although mitigated and patched, they remained a source of continuing anxiety for the customer. Notably, the DOD was concerned about the ability to send secure messages to and from the system across the department's secure network, the Secret Internet Protocol Router Network (SIPRNet). A directive from senior leadership to move the system to the cloud required a secure solution.
The Leidos AWS Approach
The Leidos team drew on its extensive experience with AWS to address the customer's security concerns. Infrastructure-as-code deployments in the cloud allow secure environments to be recreated on demand, effectively eliminating the risk of misconfiguration due to human error. Services such as Virtual Private Networks (VPNs) in specific configurations, least-privilege Identity and Access Management (IAM) permissions, and secrets managers no longer needed to be painstakingly configured and tested by hand, with the inherent risk of mistakes. Leidos rigorously tests all infrastructure-as-code templates before they are added to our deployment repository. Production environments are created exclusively through these templates to ensure the process is repeatable and conforms to the approved baseline configuration. Leidos incorporated additional cloud-native services such as AWS RDS to support database functionality and AWS EKS to support our move to containers and container orchestration.
AWS' monitoring solutions, including CloudWatch, CloudTrail, and other DOD-mandated tools, immediately inform the Leidos Operations Team of any security-related events. Metrics and logs from these systems are correlated with other system data to provide a holistic view that allows us to respond effectively to a detected event by containing it, investigating it, and providing remediation guidance using the Leidos PACKIT™ cyber response framework. The team has automated security compliance assessments to ensure that configurations do not drift out of compliance with DOD security requirements or AWS security best practices. Regular scans of the ABIS environment also notify the team of any emergent security vulnerabilities that require patching. Finally, automated procedures ensure that in the event of an outage or disaster, the system will fail over smoothly and keep ABIS operational.
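The paragraphs above describe two controls without showing them: an approved infrastructure-as-code baseline, and an automated check that deployed configuration has not drifted from it. The following is an added example, not Leidos, AWS, or ABIS code; it assumes the baseline and the live state have already been reduced to plain dictionaries (for instance, parsed from a template and from describe-* API calls), and the resource names and values below are constructed sample data.

```python
"""Configuration drift check against an approved infrastructure-as-code baseline."""
import json

# Constructed approved baseline: what the reviewed IaC template is expected to produce.
BASELINE = {
    "SecurityGroup/abis-app": {"ingress": [{"port": 443, "cidr": "10.20.0.0/16"}]},
    "IAMRole/abis-app-role": {"actions": ["s3:GetObject", "rds-db:connect"]},
    "RDS/abis-db": {"multi_az": True, "encrypted": True},
}

# Constructed "live" snapshot: three resources have drifted and one was added by hand.
LIVE = {
    "SecurityGroup/abis-app": {
        "ingress": [{"port": 443, "cidr": "10.20.0.0/16"},
                    {"port": 22, "cidr": "0.0.0.0/0"}],   # rule not in the template
    },
    "IAMRole/abis-app-role": {
        "actions": ["rds-db:connect", "s3:GetObject", "s3:*"],  # no longer least-privilege
    },
    "RDS/abis-db": {"multi_az": False, "encrypted": True},   # availability setting changed
    "EC2/jumpbox-tmp": {"public_ip": True},                  # resource absent from baseline
}


def _canon(value):
    """Canonical form so list order and dict key order do not produce false drift."""
    if isinstance(value, list):
        return sorted(json.dumps(v, sort_keys=True) for v in value)
    return json.dumps(value, sort_keys=True)


def find_drift(baseline, live):
    """Return (resource, field, expected, actual) for every mismatch.

    Resources missing from the live snapshot and resources present in the
    live snapshot but absent from the baseline are both reported."""
    findings = []
    for name, expected in baseline.items():
        actual = live.get(name)
        if actual is None:
            findings.append((name, "*", "present", "missing"))
            continue
        for field, exp in expected.items():
            act = actual.get(field)
            if _canon(exp) != _canon(act):
                findings.append((name, field, exp, act))
    for name in live:
        if name not in baseline:
            findings.append((name, "*", "absent", "unexpected"))
    return findings


if __name__ == "__main__":
    for name, field, exp, act in find_drift(BASELINE, LIVE):
        print(f"DRIFT {name}.{field}: expected {exp!r}, found {act!r}")
```

A drifted resource is best remediated by redeploying the approved template rather than editing the live resource, which keeps the template the single source of truth.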
DOD ABIS does not have a public interface due to the Impact Level 5 (IL5) requirements. However, for our internal users, DOD ABIS provides multiple approaches to the Digital Workplace:
- We implemented a remote access system via virtual machines and multi-factor authentication (MFA). This allows developers, testers, and admins to access the system.
- Leidos moved end-user applications to web-based apps that allow users to access them via a web browser on the NIPRNet.
- Leidos provides access via web-based AWS dashboards and management consoles utilizing MFA.
- Leidos worked directly with AWS to utilize the AWS Migration Acceleration Program (MAP), a comprehensive and proven cloud migration program based on AWS' experience migrating thousands of enterprise customers to the cloud. This framework provided additional cloud guidance as Leidos utilized a multiple-deployment strategy to help ease the migration of on-premises technologies to the cloud environments.
- Leidos also leveraged the AWS Infrastructure Event Management (IEM) service, which offers architecture and scaling guidance and operational support during the preparation and execution of our deployments and migration activities.
- Leidos uses a number of approaches to support backup and recovery following DOD guidelines and the AWS Well-Architected Framework. These include data backups using a disk-to-disk approach, snapshots for VMs, and continuous data replication from on-premises to cloud environments. Leidos utilizes snapshots, AMIs, and CloudFormation templates to recover from failed AWS instances. The approach is based on the criticality of the data and the infrastructure resources. Leidos built a multi-region disaster recovery solution within AWS GovCloud to add availability and reliability to DOD ABIS.
- Leidos and AWS engineers developed a multi-Availability Zone (multi-AZ) design to help support specific DOD requirements for system availability. This includes support for AWS services like AWS RDS, AWS EKS, and various AWS VPC and networking infrastructure.
Our security approach largely relies on eliminating the opportunity for user error in the ABIS system. Through advanced monitoring systems and infrastructure-as-code, we harness cloud tools to ensure vulnerabilities are identified and mitigated. This Leidos approach has addressed and alleviated the customer's concerns regarding the security of the cloud.