Automated Biometric Information System helps secure data and borders
The Leidos team's work with the Department of Defense (DOD) on its Automated Biometric Information System (ABIS) program has resulted in a secure, functional system for the government. ABIS allows military branches to flag individuals of interest, putting them on a "Biometrically Enabled Watch List" (BEWL). Once flagged, these individuals are identified through surveillance systems on battlefields, near borders worldwide, and on military bases. Leidos' work secures the data and applications from this system against breaches and attacks in a world of ever-increasing cyber risk.
The ABIS program's biggest challenge was ensuring the cloud environment met the DOD's stringent security standards, and Amazon Web Services (AWS) was selected to deliver the solution. While AWS had previously been used as a backup operational environment, there were lingering concerns about security compliance once the entire ABIS system moved to the cloud. Internal assessments in the past had revealed a series of vulnerabilities. Although mitigated and patched, they remained a source of continuing anxiety to the customer. Notably, the DOD was concerned about the ability to send secure messages to and from the system across the department's secure network, the Secret Internet Protocol Router Network, or SIPRNet. A directive from senior leadership to move the system to the cloud required a secure solution.
The Leidos AWS Approach
The Leidos team drew on its extensive experience with AWS to address the customer's security concerns. Infrastructure-as-code deployments in the cloud allow secure environments to be recreated on demand, effectively eliminating the risk of misconfiguration due to human error. Services such as Virtual Private Networks (VPNs) in specific configurations, least-privilege Identity and Access Management (IAM) permissions, and secrets managers no longer need to be painstakingly configured and tested by hand, with the inherent risk of mistakes. Leidos rigorously tests all infrastructure-as-code templates before they are added to our deployment repository. Production environments are created exclusively from these templates to ensure the process is repeatable and conforms to the approved baseline configuration.
AWS' monitoring solutions, including CloudWatch, CloudTrail, and other DOD-mandated tools, immediately inform the Leidos Operations Team of any security-related events. Metrics and logs from these systems are correlated with other system data to provide a holistic view, allowing us to respond effectively to a detected event by containing it, investigating it, and providing remediation guidance using the Leidos PACKIT™ cyber response framework. The team has automated security compliance assessments to ensure that configurations do not drift out of compliance with DOD security requirements or AWS security best practices. Regular scans of the ABIS environment also notify the team of any emergent security vulnerabilities that require patching. Finally, automated procedures ensure that in the event of an outage or disaster, the system will fail over smoothly and keep ABIS operational.
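As an added illustration of the kind of pre-deployment template test described above (this is not Leidos' tooling, and the template, resource names and bucket name are constructed), the check below walks the IAM resources in a CloudFormation template and reports any Allow statement that grants wildcard actions on every resource, which is exactly what least-privilege IAM is meant to rule out:

```python
"""Pre-deployment least-privilege check for IAM policies in a CloudFormation template.
Added illustration (not Leidos' tooling): flags Allow statements pairing a wildcard
action ("*" or "service:*") with Resource "*" before a template enters the repository."""
import json

# Constructed sample template: one over-broad inline role policy, one properly scoped policy.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "OpsRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "too-broad",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}},
        "ReadBackups": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-backups/*"}]}}},
    }
})

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]

def _policy_documents(resource):
    """Yield each policy document on an IAM resource: standalone policy or inline on a role."""
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::IAM::Policy":
        yield props.get("PolicyDocument", {})
    for inline in props.get("Policies", []):  # inline policies on Role/User/Group
        yield inline.get("PolicyDocument", {})

def find_overbroad_statements(template_json: str) -> list[str]:
    """Return names of resources whose Allow statements grant wildcard actions on Resource '*'."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        for doc in _policy_documents(resource):
            for stmt in _as_list(doc.get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action", []))
                wild_action = any(a == "*" or a.endswith(":*") for a in actions)
                wild_resource = "*" in _as_list(stmt.get("Resource", []))
                if wild_action and wild_resource:
                    findings.append(name)
    return findings
```

Run against the constructed template, the check reports `OpsRole` and leaves the scoped `ReadBackups` policy alone; a Deny statement with the same wildcards is deliberately not flagged, since it narrows rather than widens access.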
DOD ABIS does not have a public interface because of the IL 5 requirements. However, for our internal users, DOD ABIS provides multiple approaches to the Digital Workplace:
- We implemented a remote access system based on virtual machines and multi-factor authentication (MFA), which gives developers, testers, and administrators access to the system.
- Leidos moved end-user applications to web-based apps that users reach through a web browser on the NIPRNet.
- Leidos provides access via web-based AWS dashboards and management consoles protected by MFA.
Our technology roadmap also includes introducing AWS WorkSpaces as a possible replacement for the remaining on-premises Windows desktops.
Leidos uses a number of approaches to support backup and recovery following DOD guidelines and the AWS Well-Architected Framework. These include disk-to-disk data backups, snapshots for VMs, and continuous data replication from on-premises to cloud environments. Leidos uses snapshots, AMIs, and CloudFormation templates to recover from failed AWS instances. The approach chosen is based on the criticality of the data and the infrastructure resources.
Our security approach largely relies on eliminating the opportunity for user error in the ABIS system. Through advanced monitoring systems and infrastructure-as-code, we harness cloud tools to ensure vulnerabilities are identified and mitigated. This Leidos approach has addressed and alleviated the customer's concerns regarding the security of the cloud.
For more information on Leidos' AWS cloud solutions, please visit leidos.com/cloud or contact us at [email protected].
Related Information on ABIS:
Nextgov: Pentagon will move primary biometrics systems to Amazon cloud