Smart Terminal Architecture with Secure Hosts
A New Evolution in Smart Computing for an Enterprise
Analyst Briefing
Overview
What is STASH?
What problem does STASH solve?
The benefits of STASH.
Deployment options.
What each member of the consortium offers.
3/29/12 © 2012 STASH Consortium 2
What is STASH?
Smart Terminal Architecture with Secure Hosts
STASH is a new computing environment that offers a military grade security from the desktop to the back end.
STASH challenges the traditional assumption that greater security and increased performance utilization comes with increased costs.
STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges and Vicom Infinity.
STASH brings security, resilience and workload management qualities of service to the desktop environment.
STASH is a means of simplifying the IT environment, saving money, and dramatically increasing security.
Typical Industry Use Cases
Industry and typical users:
Manufacturing: casual users in manufacturing plants; contact center representatives; travelling salespeople and executives
Healthcare: doctors, nurses, administrators; patients in hospitals, assisted living and health centers
Education: students, teachers, staff, administrators; K-12, universities, training centers
Banks: tellers, supervisors, advisers in the front office; contact center representatives; back-office users
Retail: store workers; contact center representatives; back-office users
Professional and IT services: accountants, advisers, law firms, global delivery center employees
State, Local, Federal Agencies: leaders, staff, service agents, case workers, analysts
Target Customer: Desktop or VDI deployment organizations
Desktop to Thin Client
Reduce deskside support 90%
Share processing capacity; fewer processors
Standardize on software and central change management
Reduce data leakage at end user; Centralize security mgt
Improve availability to end users
[Figure: VDI management spanning desktops, thin clients, tablets and mobile devices]
Thin Client to Trusted Thin Client
Military grade security
Up to 8 desktops consolidated to single thin client
Reduces network cabling
Reduces electricity, noise
Pushes “firmware” to desktops; reduces end user risks
Options to re-use existing PCs or leverage Secure USB in existing PCs for secure connections
X86 vs Enterprise Server VDI mgt
Fewer servers to deploy
Reduces intranet bandwidth via direct connection
Built in redundancy for management servers
Enables workload shifts: “Desktop by day, server by night”
“DVR for desktop” for forensics and breach prevention
Less expensive COOP site, as less redundant HW/SW is required.
Target Customer: Existing Mainframe organizations
Desktop to Thin Client
Same as Desktop/VDI mgt
Thin Client to Trusted Thin Client
Similar to Desktop/VDI mgt +:
Reduces mainframe security risk due to poor desktop security
X86 vs Enterprise Server VDI mgt
Similar to desktop/VDI mgt +:
Leverage z/OS or Linux for z security servers
Add engines to existing z vs. installing new Enterprise Linux servers; faster/easier C&A
Add IDAA/Neteeza for desktop analytics but also for z/OS analytics
Desktops that access mainframe apps and data have direct interconnect
Reduces intranet bandwidth
Coordinated DR and security for end to end workloads
[Figure: Windows, Linux and VDI management across desktops, thin clients and mobile devices, with Unix and mainframe back ends]
The “Consortium” Smart Terminal
Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software, which is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops.
Secure Hosts
IBM provides a secure and resilient hosting environment for desktops within its zEnterprise BladeCenter Extension (zBX) and z/VM.
CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills.
Virtual Bridges provides VDI management of desktop images and provisioning.
Intellinx’s zWatch provides user activity monitoring for fraud management.
Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations.
Challenge: Desktop Management Complexity and Cost
Redundant network connections (where multiple PCs are deployed in one office)
Backup/recovery at an individual level
Redundant data copied to desktops
Under-utilized desktop systems dedicated to end user computing
Increased administration
Bringing own device to work and therefore malware into business (security exposure)
Excessive energy utilization
Complex, expensive, and impossible to secure.
Enterprises are challenged by the need to manage and secure their extremely complex distributed computing environments.
Virtualization, although practical, has resulted in powerful desktop PCs running costly VDI software and server farms hosting back end applications running at far less than 100% utilization.
The need to reduce costs and embrace green computing requirements exacerbates the problem.
Trusted Thin Client
Simple desktop configuration: thin client device, monitor, keyboard, mouse.
A “Controlled Access Device” for cloud computing.
TTC software utilizes a trusted operating system to enforce security policy at DCID 6/3 PL4 and CCEVS EAL4+ levels; it is the only platform from edge to cloud that meets these criteria.
TTC software runs at the desktop and on a server console, providing separation of any number of networks, applications, or systems (for example, the Internet and internal system(s), or multiple internal and external systems).
No data is stored at the desktop so there is no risk of data leakage.
Operations and security are transparent to the end user.
Trusted Thin Client: The last workstation you will ever need
[Figure: users with traditional, multiple-monitor, remote and virtual access connect through a Distribution Console to the Internet, a sensitive internal system and an internal system]
• Multiple user deployment options
• Provides accredited system separation
• Protects internal systems from external intrusion
• Protects mission critical data
• No “cut and paste” from one system to another
• Security policy enforcement via a Trusted OS
• Trusted operating system maintains lock down at the desktop
• No intentional or unintentional data leakage
• Protection from APTs
• Dynamic allocation of user access
• Helps avoid cloud multi-tenancy issues
User Segmentation
Three user segments (Task, Knowledge, Power) compared across workloads, access end point devices, scaling, memory and remote protocol.

Task users
• Workloads: Call Center; Transactional; Lite Desktop User
• Access End Point Device: Repurposed Desktops; Thin Clients; Kiosks; Remote branch VDI, Online VDI
• Scaling Considerations: Up to ~16 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 512MB
• Remote Protocol Considerations: RDP, Nx

Knowledge users
• Workloads: Office; LOB
• Access End Point Device: Desktops; iPads; Laptops; Station Access Points (e.g. Nurses Workstations); Remote branch VDI, integrated offline VDI, Online VDI
• Scaling Considerations: Up to ~12 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 1GB
• Remote Protocol Considerations: RDP, Nx, SPICE

Power users
• Workloads: High Performance Desktop; Multimedia; Design
• Access End Point Device: High-end Desktops / Workstations; Power Laptops; High Mobility (exec travel); Integrated offline VDI, remote branch VDI, Online VDI
• Scaling Considerations: Up to ~8 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 1GB; Win7 / XP: 1-2GB+
• Remote Protocol Considerations: SPICE
“Military Grade” Security
Security is the key characteristic of mainframe server deployment.
RTCS provides network separation to prevent cross-network contamination and intrusion.
RTCS eliminates the storage of sensitive or business-critical data at the desktop.
Intellinx reduces the risk of insider fraud and data loss.
IBM zEnterprise inhibits malware due to storage protection isolation.
Data privacy can take advantage of built-in hardware cryptography for improved performance.
End users can sign on to any Trusted Thin Client and securely access their “desktop in the cloud”.
Resilience
IBM zEnterprise System: fault-avoiding architecture dramatically improves uptime. Fewer system components reduce the risk of failure. Hardware automation recovers problems that may have caused unplanned outages in other platforms. “Call home” capability when problems are encountered coordinates service dispatch and problem resolution.
Trusted Thin Client: “The last desktop you will ever need.” Reduces recovery time: spare Trusted Thin Clients can be quickly swapped in to replace defective machines, or users can connect to their desktop from another Trusted Thin Client.
Reduces full-time deskside support employees.
Utilization
x86 desktop systems run at 5-20% utilization on average, typically for less than 10-hour days with a lot of idle time.
Virtualization software drives PC servers up to 30-50% utilization.
IBM zBX blade environments, like other x86 servers, can run up to 50%, but can also run around the clock.
Excess capacity can be utilized by other workloads when the Smart Terminals are not in use (client by day – enterprise server by night).
IBM System z servers can run at 100% utilization without fear of failover.
Capacity goals can be established on System z to shift processing resources from pre-production, development, and integration servers in favor of the production environment.
Additional processors can be added and deleted on demand through dynamic provisioning on IBM zEnterprise, satisfying peak workloads without purchasing and deploying additional x86 servers.
Change Management
Trusted Thin Clients are maintained from central administration.
Middleware servers can be cloned in minutes across both the IBM z196 server and the zBX blade servers.
Patch management can be provisioned instantly across all operational servers leveraging Virtual Bridges.
New applications can be installed on the Smart Terminal server and made available to all end users via Virtual Bridges.
Rolling changes can be made to avoid any physical outages in processing.
Model reduces IT labor necessary to maintain desktop modifications and drive corporate compliance.
Smarter Building and Smarter Computing
Trusted Thin Clients use less energy than desktop PCs.
If multiple desktops are consolidated into a single Trusted Thin Client, there is further reduction in energy, network wiring, and network bandwidth.
Physical servers take floor space, electricity, and cooling. The ability of IBM zEnterprise to consolidate many x86 images can dramatically reduce environmental costs.
When desktops are leveraging mainframe data and applications, there is a dramatic reduction in networking bandwidth within the intranet as a direct connection exists between the z196/z114 server and the zBX.
Improves end user satisfaction with less noise, heat and complexity.
Greater Security, Not Greater Cost
Through advancements in technology and collaboration across vendors, STASH:
Reduces initial acquisition costs
Reduces operational costs
Reduces operational and deployment risks
Improves the security and resilience of the deployed solution
Leverages existing investments wherever possible
Provides investment protection and continuous cost benefits
Deployment Possibilities Supporting End User Computing
Traditional PCs and Laptops
Thin Client PCs with x86 Virtualization
Trusted Thin Client (TTC) with x86 Virtualization
TTC with x86 Virtualization and System z Management
TTC with zBX Virtualization and System z Management
“Typical” Layers of a Thin Client PC Solution: Virtualizing Desktops with a Server-hosted Architecture
[Figure: developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless to a Connection Server, Virtual Center (assigns VMs) and Microsoft Active Directory / LDAP (manages users), backed by fault and security isolated System x servers (x3650, x3850, x3755, x3950), BladeCenter blades (BC or BC-H, HS21, LS21, LS41) and IBM System Storage shared storage (DS3400/4700)]
Virtual Bridges Architecture
[Figure: home, branch office, contractor and employee endpoints connect over the WAN/Internet cloud and LAN to a data center running a hypervisor, distributed connection broker and direct attached storage (one or more servers), with a shared datastore (NAS/SAN), directory/authentication service, SmartSync™, Storage Optimizer, persistent user data, application management and Gold Master technology]
Endpoint options: Managed Endpoint (true offline VDI); Legacy Endpoint (repurpose older PCs); Zero Endpoint (no install, boot to VDI).
Trusted Thin Client Solution Smart Terminal: Simplification of Networking and Collaboration
[Figure: developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless through a Secure Connection Server to Virtual Center (assigns VMs) and Microsoft Active Directory / LDAP (manages users), backed by fault and security isolated System x servers (x3650, x3850, x3755, x3950), BladeCenter blades (BC or BC-H, HS21, LS21, LS41) and IBM System Storage shared storage (DS3400/4700)]
System z Management, x86 Virtualization – Reducing Control Points
[Figure: developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless to Virtual Center (assigns VMs) on an IBM System z196 server (z/VM, z/OS), with IBM System x servers (x3650, x3850, x3755, x3950) for developer desktops and IBM System Storage shared storage]
zBX Virtualization Secure Hosts: Simplifying Security and Resilience
[Figure: developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless to IBM zEnterprise servers: IBM System z (z/VM, z/OS) running Virtual Center (assigns VMs), a fault and security isolated zBX hosting System x developer images, and IBM System Storage shared storage]
CSL-WAVE Simplified Virtualization Management
Graphical management of your z/VM complex with no limits on the number of processors and z/VM logical partitions.
Extremely intuitive: Point-and-Click and Drag-and-Drop.
Full abstraction of the underlying z/VM Environment, so Linux System Administrators can be productive day-one.
Simplification and automation of all day-to-day tasks.
Provisioning of all virtual entities (Guests, Network and Storage).
Advanced security architecture to enable delegation of authorities.
Flexible reporting capabilities on all managed entities, including internal.
Mainframe management comparable to management of a distributed environment.
Intellinx Fraud & Forensic Clearing House on System z
User activity monitoring for forensics and fraud prevention.
Non-invasive capture of activities from a wide variety of systems.
Stealthy deployment.
Handles encrypted traffic when executed on z/OS. A network appliance cannot do that without changing network standards.
Deter potential fraud by knowing that all user actions may be recorded.
Improve internal audit effectiveness by alerting on detection of suspicious behavior and providing full visibility for audit.
Enforce corporate policies by detecting breaches, incidents & exceptions.
Improve privacy compliance by creating a full audit trail of all end-user activity including queries.
Vicom Infinity
• Account presence since the late 1990s.
• IBM Premier Business Partner.
• Reseller of IBM Hardware, Software, and Maintenance.
• Vendor source for the last four generations of Mainframes/IBM Storage.
• Professional and IT Architectural Services.
• Reseller of Trusted Thin Client, Intellinx, and CSL-WAVE.
• The Vicom family of companies also offers leasing & financing, computer services, and IT staffing & project management.