
How we designed a highly scalable and secure solution for Diebold Nixdorf

Written by CloudNation | Jul 20, 2022 2:30:00 PM

The Customer

Diebold Nixdorf offers banking and retail solutions to their customers worldwide and it’s essential for their offerings to be secure and flexible in nature. Their products range from ATM machines to self-service kiosk solutions (such as the ones you see in supermarkets) which means there’s no room for error when it comes to uptime and processing speed.

The Challenge

The team at Diebold Nixdorf Dieren came to us with the request to design a highly scalable and secure solution for their retail solutions on AWS. Their application was previously hosted on Virtual Machines in a private hosting solution. It should be migrated and modernized, simplified where possible, but also adhere to modern security standards such as vulnerability scanning on workloads and make sure that any load is handled within the agreed SLA processing times.

The Tech

The first focus would be to containerize the application. To be able to predictably build containers and have them available on AWS (or Azure for that matter), we decided to use Harbor to build containers from the customer’s code repository in Azure DevOps, and push containers to an AWS ECR repository in the Diebold Nixdorf “Shared” Account.

Choosing Harbor to manage and push artifacts enables Diebold Nixdorf to remain cloud-agnostic with their container pipelines. The team can now deploy to different platforms in similar manners, which is perfect, given that Diebold Nixdorf hosts applications on both AWS and Azure.


Other accounts that need a specific container were then granted access to the relevant container repository, so that the exact same container is deployed to TST first and only then to Staging and Production, based on tags. Pushing a new container image triggers an AWS CloudWatch Event that automatically deploys the container to AWS ECS in the respective account/environment, according to the tags attached.

AWS ECS was configured to use a range of families and types of EC2 spot instances as hosts, with CloudWatch alerting set to scale up and down automatically based on SQS queue depth (yes, the application was decoupled! This made everyone’s life so much easier). All in all, the solution is robust while keeping costs limited, saves time in the day-to-day workload, and adheres to customer SLAs, all while keeping track of the security of the environment and applications.
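The push-triggered rollout described above, as an added example (not CloudNation's or Diebold Nixdorf's code): a Lambda handler that takes the EventBridge "ECR Image Action" event, accepts only successful pushes to an allow-listed repository carrying a recognised tag, and rolls the image out pinned by digest, so TST, Staging and Production run byte-identical containers. The tag-to-environment map, the repository allow-list, the registry and the cluster/service names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example; the mapping, allow-list and names below are assumptions.
TAG_TO_ENV = {"tst": "tst", "staging": "staging", "prod": "production"}
ALLOWED_REPOS = {"retail-api", "retail-worker"}  # repos allowed to trigger a rollout
REGISTRY = "111122223333.dkr.ecr.eu-west-1.amazonaws.com"  # placeholder account id


@dataclass(frozen=True)
class DeployPlan:
    environment: str
    image_uri: str  # digest-pinned: every environment runs the same bytes


def plan_deployment(event: dict) -> Optional[DeployPlan]:
    """Map a successful ECR push of a known tag to a digest-pinned rollout."""
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Action":
        return None
    d = event.get("detail", {})
    if d.get("action-type") != "PUSH" or d.get("result") != "SUCCESS":
        return None
    repo, digest = d.get("repository-name"), d.get("image-digest", "")
    if repo not in ALLOWED_REPOS:
        return None  # pushes to unexpected repositories never trigger a rollout
    env = TAG_TO_ENV.get(d.get("image-tag", ""))
    if env is None or not digest.startswith("sha256:") or len(digest) != 71:
        return None  # untagged/unknown tag or malformed digest: ignore the event
    # Deploy by digest, not by tag, so re-tagging later cannot swap the image
    return DeployPlan(env, f"{REGISTRY}/{repo}@{digest}")


def handler(event, context=None):
    """Lambda entry point: register a new task definition revision and roll it out."""
    plan = plan_deployment(event)
    if plan is None:
        return {"deployed": False}
    import boto3  # imported lazily so plan_deployment stays testable offline
    ecs = boto3.client("ecs")
    cluster, service = f"retail-{plan.environment}", "retail-api"  # assumed names
    svc = ecs.describe_services(cluster=cluster, services=[service])["services"][0]
    td = ecs.describe_task_definition(taskDefinition=svc["taskDefinition"])["taskDefinition"]
    for c in td["containerDefinitions"]:
        c["image"] = plan.image_uri  # same container definition, new pinned image
    keep = {k: td[k] for k in ("family", "containerDefinitions", "cpu", "memory", "networkMode",
            "executionRoleArn", "taskRoleArn", "requiresCompatibilities") if k in td}
    arn = ecs.register_task_definition(**keep)["taskDefinition"]["taskDefinitionArn"]
    ecs.update_service(cluster=cluster, service=service, taskDefinition=arn)
    return {"deployed": True, "environment": plan.environment, "taskDefinition": arn}
```

Scoping the Lambda's IAM role to the one cluster and service per account keeps a stray event from touching anything else.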


Security First

Security posture was something to always keep in the front of our minds when designing or implementing. The team at Diebold Nixdorf needs to be able to keep track of any vulnerabilities within their containers and/or AWS Landing Zone and be notified as soon as something is off. To make sure they adhere (now and in the future) to AWS and CIS best practices, we enabled AWS Security Hub and onboarded the accounts in the Organization. For vulnerability management and threat detection, Orca Security was chosen and integrated into the AWS Landing Zone. Both were then configured to notify the team at Diebold Nixdorf of any threats found via PagerDuty, since PagerDuty allows for multi-team configurations, each with its own timeslot configuration. The result is that the team does not have to worry about managing incident response, as the team responsible will automatically be informed during their respective timeslots.

When all is said and done, Diebold Nixdorf has migrated to AWS with relative ease and now has more time to allocate to development and less time spent looking after their resources. Meanwhile, they also have a much improved security posture all-round, along with improved response times to incidents. Diebold Nixdorf and AWS are a great match and will be for years to come.

The AWS Services and tooling used in the Diebold Nixdorf AWS environment:

- AWS ECS
- AWS KMS
- AWS ALB
- AWS ECR
- AWS IOT
- AWS SSM
- AWS Config
- AWS Security Hub
- AWS SSO
- AWS Secrets Manager
- AWS CodePipeline
- AWS CodeCommit
- AWS EC2
- AWS Transit Gateway
- AWS VPC Peering
- AWS Customer Gateway
- AWS Lambda
- AWS ACM
- AWS Route53
- AWS S3
- AWS RDS
- Orca Security
- Harbor

CloudNation

CloudNation brings public cloud knowledge, skill and experience to companies in order to accelerate IT transformations. We enable, empower and deliver successful cloud solutions, while focusing on people and process. We support organizations of all sizes with Cloud Native Consulting and Engineering to accelerate their journey in the Cloud. CloudNation is an AWS Advanced Tier Consulting Partner and is an AWS Program Partner for 7 different programs, among which the AWS Well-Architected Partner Program and the AWS Solution Provider Program. For more information on CloudNation's partner highlights, see https://partners.amazonaws.com/partners/0010L00001tByAoQAK/CloudNation