
Smart Terminal Architecture with Secure Hosts

A New Evolution in Smart Computing for an Enterprise

Analyst Briefing

Overview

  What is STASH?

  What problem does STASH solve?

  The benefits of STASH.

  Deployment options.

  What each member of the consortium offers.

3/29/12 © 2012 STASH Consortium 2

What is STASH?

  Smart Terminal Architecture with Secure Hosts

  STASH is a new computing environment that offers military-grade security from the desktop to the back end.

  STASH challenges the traditional assumption that greater security and increased performance utilization come with increased costs.

  STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges and Vicom Infinity.

  STASH brings security, resilience and workload management qualities of service to the desktop environment.

  STASH is a means of simplifying the IT environment, saving money, and dramatically increasing security.


Typical Industry Use Cases

  Manufacturing: casual users in manufacturing plants, contact center representatives, travelling salespeople and executives

  Healthcare: doctors, nurses, administrators; patients in hospitals, assisted living and health centers

  Education: students, teachers, staff, administrators; K-12, universities, training centers

  Banks: tellers, supervisors, advisers in the front office, contact center representatives, back-office users

  Retail: store workers, contact center representatives, back-office users

  Professional and IT services: accountants, advisers, law firms, global delivery center employees

  State, Local, Federal Agencies: leaders, staff, service agents, case workers, analysts

Target Customer: Desktop or VDI deployment organizations

Desktop to Thin Client

  Reduce deskside support 90%

  Share processing capacity; fewer processors

  Standardize on software and central change management

  Reduce data leakage at end user; Centralize security mgt

  Improve availability to end users


[Diagram: VDI management spanning desktops, thin clients, tablets and mobile devices.]

Thin Client to Trusted Thin Client

  Military grade security

  Up to 8 desktops consolidated to single thin client

  Reduces network cabling

  Reduces electricity, noise

  Pushes “firmware” to desktops; reduces end user risks

  Options to re-use existing PCs or leverage Secure USB in existing PCs for secure connections

X86 vs Enterprise Server VDI mgt

  Fewer servers to deploy

  Reduces intranet bandwidth via direct connection

  Built in redundancy for management servers

  Enables workload shifts: “Desktop by day, server by night”

  “DVR for desktop” for forensics and breach prevention

  Less expensive COOP site, as less redundant HW/SW is required.

Target Customer: Existing Mainframe organizations

Desktop to Thin Client

  Same as Desktop/VDI mgt

Thin Client to Trusted Thin Client

Similar to Desktop/VDI mgt +:

  Reduces mainframe security risk due to poor desktop security


X86 vs Enterprise Server VDI mgt

Similar to desktop/VDI mgt +:

  Leverage z/OS or Linux for z security servers

  Add engines to existing z vs. installing new Enterprise Linux servers; faster/easier C&A

  Add IDAA/Netezza for desktop analytics, but also for z/OS analytics

  Desktops that access mainframe apps and data have direct interconnect

  Reduces intranet bandwidth

  Coordinated DR and security for end to end workloads

[Diagram: Windows, Linux and VDI management across desktops, thin clients and mobile devices, with Unix and mainframe back ends.]

The “Consortium” Smart Terminal

  Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software, which is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops.

Secure Hosts

  IBM provides a secure and resilient hosting environment for desktops within its zEnterprise BladeCenter Extension (zBX) and z/VM.

  CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills.

  Virtual Bridges provides VDI management of desktop images and provisioning

  Intellinx’s zWatch provides user activity monitoring for fraud management.

  Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations.


Challenge: Desktop Management Complexity and Cost

  Redundant network connections (where multiple PCs are deployed in one office)

  Backup/recovery at an individual level

  Redundant data copied to desktops

  Under-utilized desktop systems dedicated to end user computing

  Increased administration

  Bringing own device to work and therefore malware into business (security exposure)

  Excessive energy utilization

Complex, expensive, and impossible to secure.


  Enterprises are challenged by the ability to manage and secure their extremely complex distributed computing environments.

  Virtualization, although practical, has resulted in powerful desktop PCs running costly VDI software and server farms hosting back end applications running at far less than 100% utilization.

  Need to reduce costs and embrace green computing requirements exacerbates the problem.

Trusted Thin Client

  Simple desktop configuration: thin client device, monitor, keyboard, mouse.

  A “Controlled Access Device” for cloud computing.

  TTC software utilizes a trusted operating system to enforce security policy at DCID 6/3 PL4 and CCEVS EAL4+ levels. It is the only platform from edge to cloud that meets these criteria.

  TTC software runs at the desktop and on a server console, providing separation of any number of networks, applications, or systems:

    Internet and internal system(s)

    Multiple internal and external systems

  No data is stored at the desktop so there is no risk of data leakage.

  Operations and security are transparent to the end user.


Trusted Thin Client: The last workstation you will ever need

[Diagram: users on traditional, multiple-monitor, remote-access and virtual-access deployments connect through a Distribution Console to the Internet, a sensitive internal system and an internal system.]

•  Multiple user deployment options

•  Provides accredited system separation

•  Protects internal systems from external intrusion

•  Protects mission critical data

•  No “cut and paste” from one system to another

•  Security policy enforcement via a Trusted OS

•  Trusted operating system maintains lock down at the desktop

•  No intentional or unintentional data leakage

•  Protection from APTs

•  Dynamic allocation of user access

•  Helps avoid cloud multi-tenancy issues

User Segmentation

Task workloads

•  Workloads: Call Center, Transactional, Lite Desktop User

•  Access End Point Device: Repurposed Desktops, Thin Clients, Kiosks; Remote branch VDI, Online VDI

•  Scaling Considerations: Up to ~16 Concurrent Virtual Desktops / Server Processor Core

•  Memory Configurations (Per Desktop): Linux: 512MB; Win7 / XP: 512MB

•  Remote Protocol Considerations: RDP, Nx

Knowledge workloads

•  Workloads: Office, LOB

•  Access End Point Device: Desktops, iPads, Laptops, Station Access Points (e.g. Nurses Workstations); Remote branch VDI, integrated offline VDI, Online VDI

•  Scaling Considerations: Up to ~12 Concurrent Virtual Desktops / Server Processor Core

•  Memory Configurations (Per Desktop): Linux: 512MB; Win7 / XP: 1GB

•  Remote Protocol Considerations: RDP, Nx, SPICE

Power workloads

•  Workloads: High Performance Desktop, Multimedia, Design

•  Access End Point Device: High-end Desktops / Workstations, Power Laptops, High Mobility (exec travel); Integrated offline VDI, remote branch VDI, Online VDI

•  Scaling Considerations: Up to ~8 Concurrent Virtual Desktops / Server Processor Core

•  Memory Configurations (Per Desktop): Linux: 1GB; Win7 / XP: 1-2GB+

•  Remote Protocol Considerations: SPICE
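The per-tier figures above (concurrent desktops per server core, memory per desktop) are the inputs a capacity planner needs. The following Python is an added example, not from the STASH deck or any consortium member: it encodes the table's desktops-per-core and per-desktop memory figures, assumes 2 GB as the planning value for the Power tier's "1-2GB+" Windows entry, and adds a concurrency fraction (an assumption, since the table is stated in concurrent desktops) together with a constructed sample user mix, rounding cores up per tier so a partially used core still counts as a whole one.

```python
import math
from dataclasses import dataclass

# Per-tier planning figures from the User Segmentation table:
# concurrent virtual desktops per server processor core and memory per desktop.
# The Power tier's Windows figure is quoted as "1-2GB+"; 2048 MB is assumed here
# as the planning value.
TIERS = {
    "task":      {"desktops_per_core": 16, "mem_mb": {"linux": 512,  "windows": 512}},
    "knowledge": {"desktops_per_core": 12, "mem_mb": {"linux": 512,  "windows": 1024}},
    "power":     {"desktops_per_core": 8,  "mem_mb": {"linux": 1024, "windows": 2048}},
}


@dataclass(frozen=True)
class Sizing:
    concurrent_desktops: int
    cores: int
    memory_gb: float

    def __add__(self, other):
        return Sizing(self.concurrent_desktops + other.concurrent_desktops,
                      self.cores + other.cores,
                      self.memory_gb + other.memory_gb)


def size_tier(tier, users, guest_os, concurrency=1.0):
    """Cores and memory for one user tier.

    users       - number of provisioned users in the tier
    guest_os    - "linux" or "windows" (Win7 / XP in the table)
    concurrency - fraction of users logged on at peak (1.0 = everyone); this
                  knob is an assumption, the table sizes concurrent desktops
    """
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}; expected one of {sorted(TIERS)}")
    if guest_os not in TIERS[tier]["mem_mb"]:
        raise ValueError(f"unknown guest OS {guest_os!r}")
    if users < 0 or not 0.0 < concurrency <= 1.0:
        raise ValueError("users must be >= 0 and concurrency in (0, 1]")
    params = TIERS[tier]
    concurrent = math.ceil(users * concurrency)
    # Cores are rounded up per tier: a partially used core is still a whole core.
    cores = math.ceil(concurrent / params["desktops_per_core"])
    memory_gb = concurrent * params["mem_mb"][guest_os] / 1024
    return Sizing(concurrent, cores, memory_gb)


def size_deployment(mix, guest_os, concurrency=1.0):
    """Sum the per-tier sizing for a user mix such as {"task": 160, "power": 10}."""
    total = Sizing(0, 0, 0.0)
    for tier, users in mix.items():
        total = total + size_tier(tier, users, guest_os, concurrency)
    return total


if __name__ == "__main__":
    # Constructed sample user mix, not figures from the deck.
    mix = {"task": 160, "knowledge": 120, "power": 10}
    for os_name in ("linux", "windows"):
        print(os_name, size_deployment(mix, os_name))
    print("windows at 50% concurrency", size_deployment(mix, "windows", 0.5))
```

The model deliberately rounds cores up per tier rather than pooling fractional cores across tiers, because the table's per-core ratios differ by workload; pooling would understate the Power tier, which is the one most likely to be constrained.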

“Military Grade” Security

  Security is the key characteristic of mainframe server deployment.

  RTCS provides network separation to prevent cross-network contamination and intrusion.

  RTCS eliminates the storage of sensitive or business-critical data at the desktop.

  Intellinx reduces the risk of insider fraud and data loss.

  IBM zEnterprise inhibits malware due to storage protection isolation.

  Data privacy can take advantage of built-in hardware cryptography for improved performance.

  End users can sign on to any Trusted Thin Client and securely access their “desktop in the cloud”.


Resilience

  IBM zEnterprise System:

    Fault-avoiding architecture dramatically improves uptime.

    Fewer system components reduce the risk of failure.

    Hardware automation recovers problems that may have caused unplanned outages in other platforms.

    “Call home” capability when problems are encountered coordinates service dispatch and problem resolution.

  Trusted Thin Client:

    “The last desktop you will ever need.”

    Reduces recovery time: spare Trusted Thin Clients can be quickly swapped in to replace defective machines, or users can connect to their desktop from another Trusted Thin Client.

    Reduces full-time deskside support employees.


Utilization

  x86 desktop systems run at 5-20% utilization on average.

  Typically less than 10 hour days with a lot of idle time.

  Virtualization software drives PC servers up to 30-50% utilization.

  IBM zBX blade environments, like other x86 servers, can run up to 50%, but can also run around the clock.

  Excess capacity can be utilized by other workloads when the Smart Terminals are not in use (client by day – enterprise server by night).

  IBM System z servers can run at 100% utilization without fear of failover.

  Capacity goals can be established on System z to shift processing resources from pre-production, development, and integration servers in favor of the production environment.

  Additional processors can be added and deleted on demand through dynamic provisioning on IBM zEnterprise, satisfying peak workloads without purchasing and deploying additional x86 servers.


Change Management

  Trusted Thin Clients are maintained from central administration.

  Middleware servers can be cloned in minutes across both the IBM z196 server and the zBX blade servers.

  Patch management can be provisioned instantly across all operational servers leveraging Virtual Bridges.

  New applications can be installed on the Smart Terminal server and made available to all end users via Virtual Bridges.

  Rolling changes can be made to avoid any physical outages in processing.

  Model reduces IT labor necessary to maintain desktop modifications and drive corporate compliance.


Smarter Building and Smarter Computing

  Trusted Thin Clients use less energy than desktop PCs.

  If multiple desktops are consolidated into a single Trusted Thin Client, there is further reduction in energy, network wiring, and network bandwidth.

  Physical servers take floor space, electricity, and cooling. The ability of IBM zEnterprise to consolidate many x86 images can dramatically reduce environmental costs.

  When desktops are leveraging mainframe data and applications, there is a dramatic reduction in networking bandwidth within the intranet as a direct connection exists between the z196/z114 server and the zBX.

  Improves end user satisfaction with less noise, heat and complexity.


Greater Security, Not Greater Cost

Through advancements in technology and collaboration across vendors, STASH:

  Reduces initial acquisition costs

  Reduces operational costs

  Reduces operational and deployment risks

  Improves the security and resilience of the deployed solution

  Leverages existing investments wherever possible

  Provides investment protection and continuous cost benefits


Deployment Possibilities Supporting End User Computing

  Traditional PCs and Laptops

  Thin Client PCs with x86 Virtualization

  Trusted Thin Client (TTC) with x86 Virtualization

  TTC with x86 Virtualization and System z Management

  TTC with zBX Virtualization and System z Management


“Typical” Layers of a Thin Client PC Solution: Virtualizing Desktops with a Server-hosted Architecture

[Architecture diagram: developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless to a Connection Server; Microsoft Active Directory / LDAP manages users and Virtual Center assigns VMs; the back end is fault and security isolated, with System x servers (x3650, x3850, x3755, x3950), BladeCenter blades (BC or BC-H with HS21, LS21, LS41) and IBM System Storage (DS3400/4700) providing shared storage.]

Virtual Bridges Architecture

[Architecture diagram: the data center hosts a hypervisor, distributed connection broker and direct attached storage on one or more servers, with a shared datastore (NAS/SAN), directory/authentication service, persistent user data, application management and Gold Master technology; SmartSync™ and Storage Optimizer link it over the LAN and the WAN/Internet cloud to home, branch office, contractor and employee users on three endpoint types: Managed Endpoint (true offline VDI), Legacy Endpoint (repurposed older PCs) and Zero Endpoint (no install, boot to VDI).]

Trusted Thin Client Solution: Smart Terminal, Simplification of Networking and Collaboration

[Architecture diagram: the same server-hosted layers as the previous slide (Microsoft Active Directory / LDAP managing users, Virtual Center assigning VMs, System x servers, BladeCenter blades, IBM System Storage and shared storage, fault and security isolated), with a Secure Connection Server placed between the Ethernet/wireless network and the developer desktops, outsourced or branch office PCs, call centers and remote/laptop users.]

System z Management of x86 Virtualization: Reducing Control Points

[Architecture diagram: Virtual Center assigns VMs across an IBM System z196 server running z/VM and z/OS, IBM System x servers (x3650, x3850, x3755, x3950) and IBM System Storage with shared storage; developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless.]

zBX Virtualization Secure Hosts: Simplifying Security and Resilience

[Architecture diagram: Virtual Center assigns VMs on IBM zEnterprise servers, where IBM System z runs z/VM and z/OS alongside zBX-hosted System x blades, with IBM System Storage and shared storage, fault and security isolated; developer desktops, outsourced or branch office PCs, call centers and remote/laptop users connect over Ethernet/wireless.]

Backup Slides


CSL-WAVE Simplified Virtualization Management

  Graphical management of your z/VM complex with no limits on the number of processors and z/VM logical partitions.

  Extremely intuitive: Point-and-Click and Drag-and-Drop.

  Full abstraction of the underlying z/VM Environment, so Linux System Administrators can be productive day-one.

  Simplification and automation of all day-to-day tasks.

  Provisioning of all virtual entities (Guests, Network and Storage).

  Advanced security architecture to enable delegation of authorities.

  Flexible reporting capabilities on all managed entities, including internal.

  Mainframe management comparable to management of a distributed environment.


Intellinx Fraud & Forensic Clearing House on System z

  User activity monitoring for forensic and fraud prevention.

  Non-invasive capture of activities from a wide variety of systems.

  Stealthy deployment.

  Handles encrypted traffic when executed on z/OS. A network appliance cannot do that without changing network standards.

  Deter potential fraud by knowing that all user actions may be recorded.

  Improve internal audit effectiveness by alerting on detection of suspicious behavior and providing full visibility for audit.

  Enforce corporate policies by detecting breaches, incidents & exceptions.

  Improve privacy compliance by creating a full audit trail of all end-user activity including queries.


Vicom Infinity

•  Account presence since the late 1990s.

•  IBM Premier Business Partner.

•  Reseller of IBM Hardware, Software, and Maintenance.

•  Vendor source for the last four generations of Mainframes/IBM Storage.

•  Professional and IT Architectural Services.

•  Reseller of Trusted Thin Client, Intellinx, and CSL-WAVE.

•  The Vicom family of companies also offers leasing & financing, computer services, and IT staffing & project management.
