Success Story

Streamlining Identity and Access Management with AWS Cognito: USCIS's Mobile App Transformation with Navitas Business Consulting

Capabilities Shown

Advisory Services
Cloud Migration
Digital Transformation
Cloud Engineering
Observability & Monitoring

Executive Summary

In the ever-evolving digital landscape, robust and secure identity and access management (IAM) solutions are essential for organizations to protect sensitive data and provide a seamless user experience. The United States Citizenship and Immigration Services (USCIS) recognized the significance of enhancing its IAM capabilities to meet the demands of its growing user base while adhering to stringent security and compliance requirements. To achieve this, USCIS collaborated with Navitas Business Consulting to leverage AWS Cognito Identity Provider (IdP) and revolutionize its mobile application's authentication process. This case study explores the challenges faced by USCIS and the innovative solutions provided by Navitas Business Consulting, transforming USCIS's IAM landscape and elevating user experiences through cutting-edge CI/CD pipelines and AWS services.

Customer Challenge

  • Enhanced Security Requirements: As a government agency responsible for immigration services, USCIS deals with highly sensitive immigration-related data. Ensuring robust security measures and compliance with NIST 800-63 digital guidelines was paramount. USCIS needed an IAM solution that could support identity assurance level, authenticator assurance level, and federation assurance level with various authentication methods.
  • Seamless User Experience: USCIS aimed to provide a seamless and user-friendly experience for applicants and beneficiaries using its mobile application. The existing authentication process posed challenges for users, leading to frustration and potentially hindering the application and immigration process.
  • Scalability for a Growing User Base: With a substantial volume of applications and a growing user base, USCIS required an IAM solution that could scale effortlessly to handle increasing traffic without compromising performance or security.
  • Integration with Enterprise Identity Providers: USCIS sought to integrate its IAM system with enterprise identity providers to allow users to log in using their existing credentials, reducing the need for multiple accounts and credentials.
  • Multi-Factor Authentication (MFA) Implementation: Recognizing the importance of MFA in bolstering security, USCIS desired a seamless integration of various authenticators and smooth setup to enhance the security of user accounts.
  • Self-Registration and User Management: Efficient user onboarding was crucial for USCIS. The agency needed a self-registration mechanism while maintaining centralized user management for streamlined IAM operations.
  • Assurance Level Customization: USCIS anticipated future requirements for enhancing identity assurance, authenticator assurance, and federation assurance levels. The agency needed a flexible solution to adapt to changing security needs.

The Solution: Leveraging AWS Cognito for IAM Transformation

USCIS and Navitas Business Consulting devised a comprehensive solution using AWS Cognito Identity Provider (IdP) to address the identified challenges. AWS Cognito, a managed IAM service by AWS, offered a range of features to meet USCIS's requirements for security, scalability, and customization.

  • Identity Assurance Level Customization: AWS Cognito provided the flexibility to implement various identity assurance methods such as SMS, email, and biometric authentication. This allowed USCIS to choose the appropriate identity assurance level that aligned with its security needs.
  • Authenticator Assurance Level Customization: With AWS Cognito's support for various authenticators like SMS, email, and mobile apps, USCIS could select the most suitable authenticator assurance level for its users.
  • Federation Assurance Level Customization: AWS Cognito's support for different federation methods, including Active Directory, SAML, and OpenID Connect, empowered USCIS to choose the federation assurance level that best met its needs.

CI/CD Pipeline for Mobile App Deployment

To deploy the overall IAM solution and automate the process, a CI/CD pipeline was implemented. Jenkins, an automation tool, facilitated the deployment process from a GitHub repository. Infrastructure as Code (IaC) principles were used to provision various AWS services, including Route 53 for URL routing, VPC to host EC2 instances for SonarQube and the Emulator, and AWS Cognito for IAM functionalities. Additionally, S3 was employed to store binaries and artifacts necessary for the mobile app's execution.

The CI/CD pipeline followed a systematic approach:

  • Infrastructure Provisioning: IaC principles were utilized to provision the required AWS services, ensuring a scalable and resilient infrastructure.
  • Build and Testing: Gradle, a build tool, was employed for the application code's build process. Jest facilitated unit testing, and SonarQube was used for code quality analysis to maintain high code standards.
  • Artifact Storage: Successful APK files for both iOS and Android were generated and pushed to S3 for the emulator to pick up.
  • Mobile App Testing: Appium, an end-to-end mobile testing tool, was utilized to ensure the mobile app's functionality and usability.
  • Production Deployment: The final artifacts were deployed to production S3 buckets, ensuring seamless app access for users.

Conclusion

By leveraging AWS Cognito and implementing a robust CI/CD pipeline, USCIS successfully transformed its IAM capabilities and mobile application's authentication process. The solution allowed USCIS to enhance security, scalability, and user experiences while meeting stringent compliance requirements. The partnership with Navitas Business Consulting and the integration of cutting-edge AWS services facilitated a seamless user onboarding process, smooth authentication, and efficient user management, positioning USCIS as a frontrunner in providing secure and user-friendly IAM solutions. The successful transformation sets a benchmark for other government agencies, showcasing the power of AWS Cognito and CI/CD pipelines in revolutionizing identity and access management.
