Jury Management System for Court Services Victoria
By James Bromberger
23rd January 2020
In 2019, Akkodis assumed support and maintenance responsibility for the Jury Management System (JMS) for the state of Victoria, Australia, running within the Amazon Web Services Cloud in Sydney, Australia.
The Challenge
This system is a web-based application providing a broad range of services for jurors navigating their way through the Victorian justice system. It is a fully managed Software-as-a-Service (SaaS) platform through which the state and the public interact.
Akkodis was asked to undertake a review of the application and its infrastructure and identified a number of areas that could be refreshed and strengthened in order to meet the challenges of growing the product into other jurisdictions.
The Solution
As part of an overall monitoring strategy, logging was enabled for CloudFront. This allowed the team to analyse the traffic coming into JMS to see whether the encryption protocols and ciphers could be strengthened. It was found that less than 1% of clients were using TLSv1.1 and below, protocols with known weaknesses. This allowed JMS to move to the more secure TLSv1.2 as a minimum, narrowing the range of possible attack vectors.

A review of IAM users and groups identified unused user accounts (which were removed) and roles with overly permissive access. Permissions were refined to enforce the principle of least privilege. Furthermore, management access is now federated using AWS SSO, with least privilege strictly implemented through role-based access.
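The measurement step described above, written out as an added example (not code from the JMS project): parse CloudFront standard logs by their `#Fields:` header and compute the share of HTTPS requests negotiated below TLSv1.2, so the impact of raising the minimum is known before the change is made. All log rows are constructed sample data and the field header is shortened from the real format.

```python
"""Added example: share of CloudFront requests negotiated below TLSv1.2.
CloudFront standard logs are tab-separated with a '#Fields:' header naming each
column; column positions are read from that header, never hard-coded."""
from collections import Counter

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}   # anything below a TLSv1.2 floor
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
          "time-taken x-forwarded-for ssl-protocol ssl-cipher "
          "x-edge-response-result-type cs-protocol-version")  # shortened header


def _row(proto, cipher, scheme="https"):
    """Build one constructed log row in FIELDS order (24 columns)."""
    return "\t".join(["2020-01-20", "09:00:01", "SYD1-C1", "512", "203.0.113.10",
                      "GET", "d111.cloudfront.net", "/", "200", "-", "Mozilla/5.0",
                      "-", "-", "Hit", "req-1", "example.test", scheme, "400",
                      "0.010", "-", proto, cipher, "Hit", "HTTP/1.1"])


SAMPLE_LOG = "\n".join(                                # constructed sample log
    ["#Version: 1.0", "#Fields: " + FIELDS]
    + [_row("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")] * 248
    + [_row("TLSv1.1", "ECDHE-RSA-AES128-SHA256"), _row("TLSv1", "AES128-SHA")]
    + [_row("-", "-", scheme="http")]                  # plain HTTP: no TLS at all
    + [_row("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384")[:-9]]  # truncated row
)


def protocol_counts(log_text):
    """Count ssl-protocol values over HTTPS requests, driven by the #Fields header."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue            # truncated or malformed row: skip, do not miscount
        rec = dict(zip(fields, cols))
        if rec["cs-protocol"] != "https":
            continue            # HTTP rows carry '-' for ssl-protocol; not a TLS client
        counts[rec["ssl-protocol"]] += 1
    return counts


def legacy_share(counts):
    """Fraction of HTTPS requests that a TLSv1.2 minimum would refuse."""
    total = sum(counts.values())
    return sum(n for p, n in counts.items() if p in LEGACY) / total if total else 0.0
```

On the sample data `legacy_share(protocol_counts(SAMPLE_LOG))` is 0.008, the "under 1%" situation the text describes; the same two functions run unchanged over a real log file read from S3.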
Security group rules for all managed services and EC2 instances were reviewed, and unnecessary ports and protocols were removed. Again, this removed vectors that attackers might be able to exploit. Continuing the strategy of defence in depth, all aspects of S3 usage were reviewed. Versioning and encryption were enabled on all S3 buckets, public access is being blocked at the account level, and a bucket policy was implemented to enforce access over TLS. This configuration was built into the associated CloudFormation templates. VPC Endpoints were created for S3 so that this traffic did not have to traverse the public Internet.
The JMS account makes use of built-in security features available on the AWS platform: Security Hub for compliance with security best practices, GuardDuty for real-time threat monitoring, and CloudWatch to alert support staff to any security-related action identified in GuardDuty or CloudTrail so that it can be promptly investigated.
JMS uses the Amazon Web Services managed services CodeCommit, CodeBuild, and CodeDeploy to create a Blue/Green deployment pipeline to promote build artefacts from the development environment, through staging, and into production. Over time, a number of expedient, emergency changes had created a bottleneck in this pipeline so that deployments had to be performed manually; the Akkodis team analysed the pipeline and discovered a subtle misconfiguration within CodeDeploy. This misconfiguration was corrected via CloudFormation, ensuring the change was captured correctly and that any future drift could be seen readily. The end-to-end deployment pipeline was once again fully automated.
Outcomes and Results
With these changes in place, the JMS application is now more secure and the infrastructure more robust, making it better able to meet the challenges of moving into other jurisdictions. This ongoing maintenance and modernisation brings continuous improvement, helping ensure that jurors make it on time to the correct courts and that the justice system operates for citizens.