Customer Solution Case Study
Kiosk Deployment Automation
The client is a company delivering state-of-the-art biometric identification solutions for anywhere heightened security restrictions are needed. Through the touch of a finger or the blink of an eye, the solution provides a highly secure mechanism to protect a physical location or secure transactions, as well as a flexible security option for public venues or private facilities.
As part of the preparations for their next phase of significant growth, the client needed to revise their remote application deployment and management mechanisms. The technology team wanted to further leverage the cloud to create a more scalable and lower-cost approach, while maintaining high-levels of security and availability.
The client wanted to address several technical concerns with a new solution.
First, the kiosks are deployed in open, public and inherently unsecured locations. To ensure secure operation and data handling, each kiosk required a constant encrypted VPN connection back to the client's datacenter. This not only added operating cost; acquiring and maintaining the circuits also meant relying on the facility managers of the airports and arenas where the kiosks are located.
Second, the existing administrative access security and configuration management processes depended on Active Directory (AD) and AD Group Policy Objects (GPOs). While this approach worked, it carried an undesirable amount of administrative overhead.
Finally, building and configuring the kiosks was a slow, manually intensive process requiring an on-site visit by a trained technician. It was prone to human error and led to inconsistent builds. The client wanted a more streamlined, predictable process for distributing new builds and patching deployed kiosks.
Innova was able to address all of these needs with our Kiosk Deployment Automation (KDA) solution. KDA provides a distributed, scalable approach to the configuration management of remote computing devices operating in inherently unsecured and exposed locations. KDA can:
- Deploy a known desired system state in a secure, controlled and automated manner
- Natively autocorrect deviations from that desired state
- Report on any deviations to a central authority without the intervention of a system administrator
KDA is a cross-platform solution built on Microsoft's PowerShell Desired State Configuration (DSC) management platform, which is itself cross-platform. In this case the client's platform of choice was Windows 10 running on Microsoft Surface Pro 4 tablets, which let KDA additionally use the Local Configuration Manager (LCM), the DSC engine built into Windows, to apply and enforce configurations on each kiosk. KDA eliminates the need for each kiosk to communicate directly with the home datacenter, obviating the need for dedicated VPN connections.
KDA operates from a Kiosk Command Center (KCC) running in the cloud (AWS or Microsoft Azure). The kiosks connect to the KCC over the public Internet using TLS, with certificates providing the encryption and endpoint authentication. The KCC is a highly scalable set of serverless components that reliably builds and curates a versioned set of kiosk builds from Infrastructure-as-Code scripts. The KCC for this implementation was implemented on AWS and was constructed from both Innova's own custom components (providing patching, configuration and identity management) and core AWS services (such as API Gateway, SQS, S3, DynamoDB and Systems Manager Parameter Store). The Kiosk Command Center components are themselves instantiated via CloudFormation, ensuring a highly available and resilient environment.
The versioned kiosk builds can then be deployed securely and automatically without requiring on-site visits from company technicians. Enhanced security is provided through strong data encryption throughout the ecosystem (both in transit and at rest, both on the tablet and in the cloud). User management is enforced at the kiosk via unique randomized passwords, generated by the configuration management process and stored as SecureString parameters in AWS Systems Manager Parameter Store, where they are encrypted with AES-256 under an AWS KMS key.
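The following is an added example, not Innova's KDA code, showing how the three KDA behaviours described above map onto stock PowerShell DSC and the AWS Tools for PowerShell on a Windows kiosk: the LCM is set to ApplyAndAutoCorrect so deviations are corrected rather than just reported, a per-kiosk random password is generated and stored as a KMS-encrypted SecureString parameter, and drift is reported with Test-DscConfiguration. It assumes the AWS.Tools.SimpleSystemsManagement module is installed and the tablet has AWS credentials scoped to its own parameter path; the parameter path, KMS key alias, certificate subject, file paths, kiosk identifier and account name are invented for illustration.

```powershell
# Added example (not Innova's KDA code). Assumed: AWS.Tools.SimpleSystemsManagement installed,
# AWS credentials available to the script, a DSC encryption certificate in the machine store,
# and that the KDA agent compiles and pushes the MOF locally after fetching it from the KCC.
#Requires -RunAsAdministrator

# --- 1. Local Configuration Manager: enforce desired state, do not merely monitor it -------
[DSCLocalConfigurationManager()]
Configuration KioskLcm {
    param([Parameter(Mandatory)] [string] $CertificateThumbprint)
    Node 'localhost' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'   # 'ApplyAndMonitor' would only report drift
            ConfigurationModeFrequencyMins = 30                      # consistency check interval
            RefreshMode                    = 'Push'                  # assumption: the KDA agent pushes the MOF
            RebootNodeIfNeeded             = $false
            ActionAfterReboot              = 'ContinueConfiguration'
            CertificateID                  = $CertificateThumbprint  # cert whose private key decrypts MOF credentials
        }
    }
}

# --- 2. Desired state for the kiosk -----------------------------------------------------------
Configuration KioskBaseline {
    param([Parameter(Mandatory)] [PSCredential] $OperatorCredential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        User KioskOperator {                  # unprivileged local account the kiosk application runs as
            UserName               = $OperatorCredential.UserName
            Password               = $OperatorCredential
            Ensure                 = 'Present'
            Disabled               = $false
            PasswordNeverExpires   = $true
            PasswordChangeRequired = $false
        }
        User BuiltinAdministrator {           # the well-known admin account stays disabled; LCM re-disables it if enabled
            UserName = 'Administrator'
            Disabled = $true
        }
        Service RemoteRegistry {              # any service a technician turns on by hand is turned back off
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
    }
}

# --- 3. Per-kiosk random password, stored KMS-encrypted in Parameter Store -------------------
function New-RandomPassword {
    param([int] $Length = 24)
    # 64-character alphabet so a 6-bit mask maps each CSPRNG byte without modulo bias
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 0x3F] })
}

function Set-KioskOperatorSecret {
    param([Parameter(Mandatory)] [string] $KioskId, [Parameter(Mandatory)] [string] $Password)
    # SecureString parameters are encrypted by KMS (AES-256) before being stored; key alias is assumed
    Write-SSMParameter -Name "/kda/kiosks/$KioskId/operator-password" -Value $Password `
        -Type SecureString -KeyId 'alias/kda-kiosk-secrets' -Overwrite $true | Out-Null
}

function Get-KioskOperatorCredential {
    param([Parameter(Mandatory)] [string] $KioskId)
    $plain = (Get-SSMParameter -Name "/kda/kiosks/$KioskId/operator-password" -WithDecryption $true).Value
    [PSCredential]::new('kioskop', (ConvertTo-SecureString $plain -AsPlainText -Force))
}

# --- 4. Apply on the kiosk and report drift ----------------------------------------------------
$kioskId = 'kiosk-0042'                                                   # constructed identifier
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -eq 'CN=KDA DSC Encryption' | Select-Object -First 1   # assumed subject
$configData = @{
    AllNodes = @(@{
        NodeName        = 'localhost'
        CertificateFile = 'C:\KDA\DscPublicKey.cer'   # assumed path: public half of $cert, encrypts credentials in the MOF
        Thumbprint      = $cert.Thumbprint
    })
}

KioskLcm -CertificateThumbprint $cert.Thumbprint -OutputPath C:\KDA\Lcm | Out-Null
Set-DscLocalConfigurationManager -Path C:\KDA\Lcm

Set-KioskOperatorSecret -KioskId $kioskId -Password (New-RandomPassword)   # record the secret before applying it
KioskBaseline -OperatorCredential (Get-KioskOperatorCredential -KioskId $kioskId) `
    -ConfigurationData $configData -OutputPath C:\KDA\Baseline | Out-Null
Start-DscConfiguration -Path C:\KDA\Baseline -Wait -Force

# Per-resource desired-vs-actual report; a KDA-style agent would forward this to the command center
Test-DscConfiguration -Detailed | Select-Object InDesiredState, ResourcesNotInDesiredState
```

Two points worth noting. ConfigurationMode is what distinguishes "autocorrect deviations" from "report deviations": ApplyAndAutoCorrect re-applies the configuration at each consistency check, while ApplyAndMonitor only records the drift for Test-DscConfiguration to surface. And the credential in the MOF is encrypted with the node's certificate (CertificateFile in the configuration data, CertificateID in the LCM settings); setting PSDscAllowPlainTextPassword instead would leave the generated password in clear text in the compiled MOF on the kiosk's disk.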
As the client's deployed footprint grows, along with the corresponding need for distributed system management, Innova's Kiosk Deployment Automation solution is built to scale with it. In summary, KDA:
- Reduces overall system administration overhead significantly
- Delivers a kiosk configuration and management solution that extends the client’s existing DevOps CI/CD pipeline process and toolset
- Enables secure configuration management without requiring constant connectivity between kiosks and the home datacenter, eliminating the need for AD and VPN connectivity for tablet management
- Enables kiosk system-state health reporting
- Introduces a new flexible, granular and secure user management capability
- Enhances reliability and resilience, with automatic system recovery and rollback
- Reduces “blast radius” of problems to individual kiosks, protecting neighboring kiosks and the broader network
- Supports rolling deployments in a controlled fashion