Providing Equal Access: Implementing Information Kiosks

By Paul Chin

Originally published in Intranet Journal (15-Aug-2005)


It used to be that access to the Internet from within an organization was a privilege. The majority of us peons looked enviously at our more fortunate colleagues in the same manner that we looked upon those holding the golden key to the executive washrooms. These "chosen ones" had the power to magically step through the digital walls that protect the corporate network and enter an informational nirvana called the Web. All the while the rest of us stood behind them on our tiptoes, desperately trying to peer over their shoulders to catch a glimpse of what was on the other side.

All of this has changed. Access to the Internet, e-mail, and more importantly, corporate resources only available through an intranet are no longer seen as a privilege but a necessity and a right. Some organizations, however, especially those in the manufacturing industry, have a substantial user-base (or more accurately, a potential user-base) who don't have a fixed work area or access to a PC. For example, factory workers, facility maintenance personnel, and mail room staff are constantly in motion and probably don't have a desk, much less a dedicated computer.

As valuable members of the organization, they should be granted the same access to these types of resources as their office worker counterparts. The best way to even out the informational playing field is by setting up secured Internet kiosks within the company.

Essential Services

Every organization has a fundamental set of resources that can be considered essential services. These are the resources that should be available to all employees regardless of their role within the company. E-mail, for instance, has become a fundamental and preferred method of communication for many people nowadays. And to deny them the availability and use of e-mail is akin to denying them the use of a telephone.

Intranets are also becoming more of a business essential than business enhancement. Organizations are continuing to do away with hard copies in favor of a digital medium, porting company and employee information onto their intranet. But this leaves employees without a PC in the dark. It's unfair to deny them access to these resources simply because of circumstance. This creates a gap between the digital haves and have-nots, and will make employees without PCs feel as though they're "informationally underprivileged."

While some may argue that Internet, e-mail, and intranet access aren't necessary for plant workers to do their jobs, the same argument can be made for certain office workers. If the decision to grant access to employees were to be based solely on their productivity needs, few would have access at all.

According to the 2005 Web@Work survey—a comprehensive annual survey of Internet usage in the workplace commissioned by Websense Inc. and conducted by Harris Interactive—only 48 percent of the employees surveyed stated that they use the Internet solely for work-related tasks. The results of a similar survey conducted by NetApp revealed that as much as 73 percent of respondents accessed the Internet at work for personal use. With these findings, providing Internet access based solely on work-related necessity is irrelevant.

This issue of equal access needs to go beyond providing only what's required for employees to do their job. You're not running a third-world sweatshop. Giving all employees access to corporate resources (with the exception of secured and sensitive content that must be granted on a per-user, need-to-know basis) on the intranet and public resources on the Internet will go a long way towards promoting a positive corporate culture, improving morale, and creating a healthy working environment.

Setting Up Your Kiosks

You have a lot of choices when it comes to kiosks. But it's not necessary to buy and install high-end, freestanding kiosks such as those found in public settings like retail stores, tourism offices, and self-service government offices, where presentation plays an important role. For internal corporate use, the most cost-effective way to offer PC-less employees basic access to the Internet, e-mail, and intranet is by using inexpensive network appliances (sometimes referred to as network PCs) with little-to-no local processing power and storage, or a secured desktop computer. Shared printers can also be provided within proximity of the kiosk stations.

Companies can take advantage of existing equipment such as PCs and printers when they acquire newer, more powerful replacements. Since Internet kiosks require little local processing power and storage, retrofitting older PCs to be used as kiosks is a perfect solution for those companies with a large hardware inventory.

In terms of the software interface, it's quite simple to run a standard Web browser such as Microsoft Internet Explorer, Mozilla Firefox, or Netscape in kiosk mode. You can, depending on the particular browser, limit certain user actions and browser functionality. For example, you can run Internet Explorer in kiosk mode by typing:

iexplore -k

This will launch IE in full-screen mode and load the company's intranet as the starting page. Users will not see or have access to any toolbars, menu options, or the address bar. But the problem here is that the kiosks aren't secure from tampering. It's not enough to roll out several desktops in kiosk mode and let everyone have at it. Someone with even an elementary knowledge of computers can bypass kiosk mode and access the underlying operating system—and that's something you definitely don't want.

In order to set up a truly dedicated kiosk, you should consider the installation of third-party kiosk security and configuration software such as SiteKiosk or NetStop Pro. They will enable you to configure browser behavior, manage what users will have access to, and specify the actions they're allowed to perform on the kiosk stations.

Since kiosks will be placed in open areas around the organization, security measures will have to be taken to fully protect the kiosks, the company's network, and the organization in general. Here are the most important kiosk implementation issues to take into account:

1. Network Membership
Kiosk stations can be set up to be members of the organization's existing network, sharing use of the same firewall and proxy servers, or they can be set up with their own infrastructure. The former is simpler to implement and allows for more centralized management of resources and security. The latter will take more effort, but is more secure since the kiosk network will reside completely separate from the main corporate network. A breach in the kiosk network by malware or a denial of service attack can be isolated without any adverse effects to the core network.

2. Browser Access
Unlike office workers who have their own PC and can configure it to match their individual tastes, kiosks will be used by hundreds, or even thousands, of different employees—all with their own preferences. This raises both usability and security issues. You want to prevent users from changing the look and behavior of the browser application as much as possible. Third-party kiosk software can be used to lock down access to bookmarks/favorites, the browser's toolbars, right-click context menus, and shortcut keys to name a few.

3. Preventing Software Installations
Kiosk stations should be configured to prevent software and plug-in installations, whether accidentally or maliciously. Open kiosks can become a security hazard if users are allowed to install questionable software or browser plug-ins. Casual Internet users who aren't computer savvy might haphazardly choose to install something they don't fully understand. All it takes is for one user to click the "OK" button to a pop-up window requesting installation of a new browser component to compromise the integrity of the kiosk and possibly the network.

4. Access to Kiosk Hardware
If a regular desktop is used, you'll need to decide how much, if any, access to the physical CPU will be permitted. They can be stripped of all peripheral storage devices such as diskette and CD-ROM drives, and the USB ports can be disabled to prevent use of flash drives. Another option is to secure the CPU inside a locked cabinet or desk drawer (depending on the layout of the kiosks). However, if you decide to provide users with the ability to download and save files onto a diskette, CD-ROM, or USB flash drive, you need to ensure that they won't be able to upload or execute anything from their storage devices to the kiosk station or the network by protecting the underlying kiosk station's O/S.

5. Protecting the Underlying Operating System
In a dedicated kiosk environment, users must never be allowed to access the underlying O/S. A Web browser should be the only interface kiosk users have. If they ever gain access to the O/S, they can easily tamper with the underlying files and applications (which, seeing as the computer's only purpose is to serve as a kiosk, should always be kept to a bare minimum), change the configuration and behavior of the station, or possibly install their own software.

6. Implement a Timeout
It's far too easy for a user to leave a kiosk unattended without logging off their account. The next person to use that station will have the ability to access the Internet and any internal resources the prior user has access to without logging on themselves. This creates not only a security concern but also a liability concern. The original user can be held responsible for any misuse by subsequent users. To prevent this, all kiosks must be configured to automatically log users off after a pre-determined period of inactivity.

7. Number of Kiosks
It's up to you to determine the ratio between the number of kiosks and the number of potential users. While greater numbers of stations will eliminate wait times, it's not necessary to deploy a huge fleet of kiosks because factory workers probably won't be using them during the majority of the workday. Most will be used before the beginning of their shifts, during breaks, and after work hours.

8. Location of the Kiosks
Kiosks can be placed in several locations throughout the company to maximize exposure and convenience or they can be grouped together in a central area like an "Internet cafe." In any case, the kiosks should never be placed in high traffic areas, near heavy machinery, or in overly noisy areas. Users should be afforded some privacy and peace-and-quiet when using the kiosks.

Network Access and Accountability

Many cities around the world have begun providing the public with Internet kiosks in certain government offices such as employment centers, post offices, and tourism bureaus. Unless payment is required, these kiosks allow people to access the Internet anonymously. But in a corporate setting this should never be an option—users must never be allowed to access any resource available from the kiosk anonymously.

New network and e-mail accounts will have to be generated for every employee who doesn't currently have one. And they will be required to log onto the network for the same reasons as their office worker counterparts:

The purpose of identifying and logging user access isn't to fulfill an Orwellian prophecy, nor is it an issue of mistrust. Rather, it's a necessary security measure to protect the company from legal or criminal liability, and to prevent users from abusing or misusing corporate resources. Inappropriate or illegal activities within the company can include:

If anonymous access were allowed, you would only be able to identify the station that was used to carry out the misdeeds but not who was responsible for it. Having kiosk users log-in holds them accountable for their activity when using corporate resources.
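
To make the accountability point and the inactivity timeout from item 6 concrete, here is an added example (not part of the original article) that joins kiosk logon records with proxy requests, so each request is tied to a user rather than only to a station. The log formats, station names, hostnames, and the 10-minute limit are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=10)  # assumed timeout policy, not from the article

# Constructed sample logs: "<time> <station> <event> <user>" and "<time> <station> <url>"
SESSIONS = """\
2005-08-15T07:40:00 KIOSK-01 logon jdoe
2005-08-15T07:55:00 KIOSK-01 logoff jdoe
2005-08-15T12:00:00 KIOSK-02 logon asmith
2005-08-15T12:45:00 KIOSK-02 logoff asmith
"""
PROXY = """\
2005-08-15T07:41:10 KIOSK-01 http://intranet.example/benefits
2005-08-15T07:58:00 KIOSK-01 http://intranet.example/news
2005-08-15T12:01:00 KIOSK-02 http://mail.example/inbox
2005-08-15T12:30:00 KIOSK-02 http://files.example/download
"""

def parse_sessions(text):
    """Return {station: [[start, end, user], ...]} built from logon/logoff events."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, station, event, user = line.split()
        when = datetime.fromisoformat(ts)
        if event == "logon":
            sessions[station].append([when, datetime.max, user])  # open-ended until logoff
        elif event == "logoff" and sessions[station]:
            sessions[station][-1][1] = when
    return sessions

def attribute(session_text, proxy_text, idle_limit=IDLE_LIMIT):
    """Tag each proxy request with the logged-on user and a verdict."""
    sessions = parse_sessions(session_text)
    last_seen = {}  # (station, session start) -> time of last activity in that session
    results = []
    for line in sorted(proxy_text.splitlines()):  # ISO timestamps sort chronologically
        ts, station, url = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        match = next((s for s in sessions[station] if s[0] <= when <= s[1]), None)
        if match is None:
            # Traffic with no logon behind it: only the station can be identified.
            results.append((ts, station, None, "UNATTRIBUTED"))
            continue
        key = (station, match[0])
        gap = when - last_seen.get(key, match[0])
        last_seen[key] = when
        # Activity after a gap longer than the timeout means auto-logoff did not fire.
        verdict = "IDLE_GAP" if gap > idle_limit else "OK"
        results.append((ts, station, match[2], verdict))
    return results
```

Calling attribute(SESSIONS, PROXY) marks the 07:58 request as UNATTRIBUTED (no one was logged on) and the 12:30 request as IDLE_GAP (the session sat idle for 29 minutes, so the person at the keyboard may not be the account owner).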

Closing Thoughts

Implementing Internet kiosks doesn't have to be a long and drawn-out process; we're not talking about a one kiosk to one employee ratio. Even a handful of openly available kiosks will make your PC-less employees feel less marginalized when it comes to equal access to information and Internet resources. But if kiosks are to be implemented, it must be done with much consideration to overall security—in terms of hardware, software, internal content, and legality. You want users to be able to access the Internet, e-mail, and intranet without being overly restrictive but you must also balance the security implications of installing open, multi-user kiosks. It's your responsibility to determine the level of access users will have to, and from, these kiosk stations.

While most PC-less employees might not rely as heavily on the Internet as their office worker counterparts, it doesn't mean they shouldn't have access to the Internet or intranet at all. Executives like to refer to all employees of their company as one big family when they give presentations. It makes the company sound less cold and creates a more inviting atmosphere in the eyes of shareholders and the public. Nowadays Internet access, and access to basic corporate information, is so common that denying employees without PCs this basic right would be to deny Uncle Jeb or Aunt Sue use of the washroom. And if this were to happen, things could get rather ugly.

Copyright © 2005 Paul Chin. All rights reserved.
Reproduction of this article in whole or part in any form without prior written permission of Paul Chin is prohibited.