Jury Management Service for Court Services Victoria
In 2019, Akkodis assumed support and maintenance responsibility for the Jury Management System (JMS) for the state of Victoria, Australia, running within the Amazon Web Services Cloud in Sydney, Australia.
The system is a web-based application providing a broad range of services for jurors navigating their way through the Victorian justice system. It is a fully managed Software-as-a-Service (SaaS) platform with which both the state and the public interact.
Akkodis was asked to undertake a review of the application and its infrastructure and identified a number of areas that could be refreshed and strengthened in order to meet the challenges of growing the product into other jurisdictions.
Logging was enabled for CloudFront so that we could analyze the traffic into JMS and determine whether the encryption protocols and ciphers could be strengthened. We found that less than 1% of clients were using TLSv1.1 (Transport Layer Security), a protocol version known to have been compromised previously. We then moved JMS to a TLSv1.2 minimum, closing off those attack vectors. A review of IAM (Identity and Access Management) users identified unused user accounts, which were removed, and roles granting overly permissive access. Permissions were refined to enforce the principle of least privilege. Furthermore, management access is now federated through AWS SSO, with least privilege strictly implemented via role-based access.
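The log analysis described above, as an added example (not Akkodis' code): it reads the `#Fields:` header of CloudFront standard access logs, tallies the `ssl-protocol` column over a constructed, abbreviated sample, and reports how much HTTPS traffic a TLSv1.2 minimum would cut off. The hostname and 203.0.113.x addresses in the sample are documentation placeholders.

```python
"""Summarise negotiated TLS versions from CloudFront standard access logs.
Added example, not Akkodis' tooling. Logs are tab-separated; a '#Fields:'
header names each column and 'ssl-protocol' is '-' for plain-HTTP rows."""
from collections import Counter
from typing import Dict, Iterator

# Constructed, abbreviated sample (real logs carry ~33 columns). The host and
# 203.0.113.x addresses are documentation placeholders, not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time x-edge-location c-ip cs-method cs(Host) cs-uri-stem sc-status cs-protocol ssl-protocol ssl-cipher
2019-08-01\t01:12:03\tSYD4-C1\t203.0.113.10\tGET\tjms.example.test\t/\t200\thttps\tTLSv1.2\tECDHE-RSA-AES128-GCM-SHA256
2019-08-01\t01:12:09\tSYD4-C1\t203.0.113.11\tGET\tjms.example.test\t/login\t200\thttps\tTLSv1.2\tECDHE-RSA-AES256-GCM-SHA384
2019-08-01\t01:13:41\tSYD1-C2\t203.0.113.12\tPOST\tjms.example.test\t/login\t302\thttps\tTLSv1.2\tECDHE-RSA-AES128-GCM-SHA256
2019-08-01\t01:14:05\tSYD1-C2\t203.0.113.13\tGET\tjms.example.test\t/summons\t200\thttps\tTLSv1.1\tECDHE-RSA-AES128-SHA
2019-08-01\t01:15:30\tSYD4-C1\t203.0.113.14\tGET\tjms.example.test\t/\t200\thttps\tTLSv1.2\tECDHE-RSA-AES128-GCM-SHA256
2019-08-01\t01:16:02\tSYD4-C1\t203.0.113.15\tGET\tjms.example.test\t/\t301\thttp\t-\t-
"""

# TLS 1.0/1.1 were deprecated by RFC 8996, SSLv3 by RFC 7568.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def parse_cloudfront_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):  # blank or '#Version:' line
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} columns, expected {len(fields)}")
        yield dict(zip(fields, values))


def tls_protocol_shares(text: str) -> Dict[str, float]:
    """Fraction of HTTPS requests per negotiated protocol; HTTP rows are skipped."""
    counts = Counter(r["ssl-protocol"] for r in parse_cloudfront_log(text)
                     if r["cs-protocol"] == "https")
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()} if total else {}


def legacy_share(shares: Dict[str, float]) -> float:
    """Share of HTTPS traffic that a TLSv1.2 minimum would reject."""
    return sum(shares.get(p, 0.0) for p in LEGACY_PROTOCOLS)
```

Because columns are resolved from the header, the same functions read full-width production log files; run `tls_protocol_shares` over a day's worth of concatenated logs before changing the distribution's viewer security policy.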
Security group rules for all managed services and AWS EC2 instances were reviewed, and unnecessary ports and protocols were removed, eliminating vectors that could have been exploited. Continuing this defensive review, all aspects of AWS S3 usage were examined. Versioning and encryption were enabled on all S3 buckets, public access is being blocked at the account level, and a bucket policy was applied to enforce access over TLS only. This configuration was built into the associated CloudFormation templates. Virtual Private Cloud (VPC) endpoints were created for S3 so that traffic does not have to traverse the public Internet.
The JMS account uses the security services built into the AWS platform: Security Hub for compliance with security best practices, GuardDuty for real-time threat monitoring, and CloudWatch to alert support staff to any security-related finding raised by GuardDuty or CloudTrail so that it can be investigated.
JMS uses the Amazon Web Services managed services CodeCommit, CodeBuild, and CodeDeploy to form a Blue/Green deployment pipeline that promotes build artefacts from the development environment, through staging, and into production. Over time, several expedient changes had created a bottleneck in the pipeline, so deployments had to be performed manually. Akkodis analyzed the pipeline and discovered a subtle misconfiguration within CodeDeploy. The misconfiguration was corrected through CloudFormation, so the change is captured in the template and any future drift from it can be detected. The end-to-end deployment pipeline was restored to full working order.
Public Sector: Government
- AWS S3
- AWS EC2, Virtual Private Cloud (VPC), Auto Scaling, and Elastic Load Balancing
- AWS Relational Database Service (RDS) - PostgreSQL
- AWS CloudFormation
- AWS Lambda
- Amazon EventBridge
- AWS Step Functions
- AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy