smart terminal architecture with secure hostssmart terminal architecture with secure hosts ......

Smart Terminal Architecture with

Secure Hosts A New Evolution in Smart Computing for an Enterprise

System z Virtual Desktop Infrastructure: VDI on Steroids

Overview

What is STASH?

What problem does STASH solve?

The benefits of STASH.

Deployment options.

What each member of the consortium offers.

7/7/2012 © 2012 STASH Consortium 2

What is STASH?

Smart Terminal Architecture with Secure Hosts

STASH is a new computing environment that offers a military grade security from the desktop to the back end.

STASH challenges the traditional assumption that greater security and increased performance utilization comes with increased costs.

STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges and Vicom Infinity.

STASH brings security, resilience and workload management qualities of service to the desktop environment.

STASH is a means of simplifying the IT environment, saving money, and dramatically increasing security.


What problems does STASH solve?

Originally intended to secure Enterprise servers, by having a more secure end to end connection

Security of “target servers” is only as good as the “weakest link” which is typically the end user computing interface.

Experience has shown that desktop weakness can impact server security.

In the process, we learned that this was a cost competitive alternative to any virtual desktop solution

Improves security, resilience and utilization

Can save money on TCO and TCA

A simpler solution to deploy than alternatives

Helps a business/agency look at organizational inefficiencies (separate IT operational units based on server type) and reconsider infrastructure based on business needs

End to end computing – human/machine to target applications and data

Address services levels of workloads (e.g. security, resilience, utilization)


Challenge: Desktop Management Complexity and Cost

Redundant network connections

(where multiple PCs are

deployed in one office)

Backup/recovery at an individual level

Redundant data copied to desktops

Under-utilized desktop systems dedicated to end

user computing

Increased administration

Bringing own device to work and therefore

malware into business (security exposure)

Excessive energy utilization

Complex, expensive, and impossible to secure.


Enterprises are challenged by the ability to manage and secure their extremely complex

distributed computing environments.

Virtualization, although practical, has resulted in powerful desktop PCs running costly VDI

software and server farms hosting back end applications running at far less than 100%

utilization.

Need to reduce costs and embrace green computing requirements exacerbates the

problem.

Typical Industry Use Cases

6

Manufacturing

Casual users in manufacturing

plants

Contact center representatives

Travelling salespeople and

executives

Healthcare

Doctors, nurses, administrators

Patients in hospitals, assisted

living and health centers

Education

Students, Teachers, Staff,

Administrators

K-12, Universities, Training

Centers

Banks

Tellers, supervisors, advisers in

the front office, contact center

representatives, back-office users

Retail

Store workers, contact center

representatives, back-office users

Professional and IT services

Accountants, advisers, law firms,

global delivery center employees

State, Local, Federal Agencies

Leaders, Staff, Service Agents,

Case workers, Analysts

The “Consortium”

Smart Terminal

Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client

software that is widely deployed across hundreds of thousands of U.S. military ,

intelligence agencies, and other government desktops.

Secure Hosts

IBM provides a secure and resilient hosting environment for desktops within its

zEnterprise BladeCenter Extension (zBX) and z/VM.

CSL International provides customer-proven CSL-WAVE to easily manage

server instances using an intuitive graphical interface which makes the

mainframe consumable to “non-mainframe” skills.

Virtual Bridges provides VDI management of desktop images and provisioning

Intellinx’s zWatch provides user activity monitoring for fraud management.

Vicom Infinity brings a variety of simplification software and experience with

many of the world’s largest financial organizations.


Target Customer: Desktop or VDI deployment

organizations

Desktop to Thin Client

Reduce deskside support 90%

Share processing capacity;

fewer processors

Standardize on software and

central change management

Reduce data leakage at end

user; Centralize security mgt

Improve availability to end

users


VDI management

Desktops Thin Clients tablets,

mobile

Thin Client to Trusted Thin Client

Military grade security

Up to 8 desktops consolidated

to single thin client

Reduces network cabling

Reduces electricity, noise

Pushes “firmware” to desktops;

reduces end user risks

Options to re-use existing PCs

or leverage Secure USB in

existing PCs for secure

connections

X86 vs Enterprise Server VDI mgt

Fewer servers to deploy

Reduces intranet bandwidth via

direct connection

Built in redundancy for

management servers

Enables workload shifts:

“Desktop by day, server by

night”

“DVR for desktop” for forensics

and breach prevention

Less expense COOP site as

less redundant HW/SW req’d.

Target Customer: Existing Mainframe organizations

Desktop to Thin Client

Same as Desktop/VDI mgt

Thin Client to Trusted Thin Client

Similar to Desktop/VDI mgt +:

Reduces mainframe security risk due to

poor desktop security


X86 vs Enterprise Server VDI mgt

Similar to desktop/VDI mgt +:

Leverage z/OS or Linux for z security servers

Add engines to existing z vs. installing new

Enterprise Linux servers; faster/easier C&A

Add IDAA/Neteeza for desktop analytics but also

for z/OS analytics

Desktops that access mainframe apps and data

have direct interconnect

Reduces intranet bandwidth

Coordinated DR and security for end to end

workloads

Windows, Linux, VDI mgt

Desktops, Thin Client, mobile

Unix

Mainframe

Deployment Possibilities Supporting End User Computing

Traditional PCs and Laptops

Thin Client PCs with x86 Virtualization

Trusted Thin Client (TTC) with x86 Virtualization

TTC with x86 Virtualization and System z Management

TTC with zBX Virtualization and System z Management


“Typical” Layers of a Thin Client PC Solution

Virtualizing Desktops with a Server-hosted Architecture


Ethernet/ Wireless

Shared Storage

Developer Desktops

Outsourced or Branch

Office PCs, Call Centers

Remote / Laptop

Users

Microsoft Active Directory / LDAP (Manages Users)

BC or BC-H HS21 LS21

LS41

x3650 x3850 DS3400/4700

x3755 x3950

Virtual Center (Assigns VMs)

System x Servers BladeCenter Blades IBM System Storage

Fault & security isolated

1. Thin Client Front-end

3. User Management

4. Virtualization Software

5. Data CenterHardware

2. Network

6. Systems Management

Connection Server

Virtual Bridges Architecture

Home

Branch Office

SmartSync™

Storage

Optimizer

Shared Datastore

(NAS/SAN)

Directory / Authentication

Service

LAN

Contractor

Employee

Persistent User Data

Application Management

Gold Master Technology

WAN/INTERNET

CLOUD

DATA CENTER

Hypervisor + Distributed Connection Broker

+ Direct Attached Storage

(One or More Servers)

SmartSync™

Managed Endpoint True Offline VDI

Legacy Endpoint Repurpose Older PCs

Zero Endpoint No Install, Boot to VDI

User Segmentation

13

Task Knowledge Power

Workloads

• Call Center

• Transactional

• Lite Desktop User

• Office

• LOB

• High Performance Desktop

• Multimedia

• Design

Access End Point Device

• Repurposed Desktops

• Thin Clients

• Kiosks

• Remote branch VDI, Online VDI

• Desktops

• iPads

• Laptops

• Station Access Points (e.g. Nurses

Workstations)

• Remote branch VDI, integrated offline VDI, Online VDI

• High-end Desktops / Workstations

• Power Laptops

• High Mobility (exec travel)

• Integrated offline VDI, remote branch VDI,

Online VDI

Scaling Considerations

• Up to ~16 Concurrent Virtual Desktops / Server Processor Core



Memory Configurations

• Per Desktop:

• Linux: 512MB

• Win7 / XP: 512MB

• Per Desktop:

• Linux: 512MB

• Win7 / XP: 1GB

• Per Desktop:

• Linux: 1GB

• Win7 / XP: 1-2GB+

Remote Protocol Considerations

• RDP, Nx • RDP, Nx, SPICE • SPICE

Bladecenter Overview


•One HX5 Blade = 16 processors

•Between 8 (power) and 16 (web

access) users/processor

•128 to 256 desktops/blade

•14 blades/bladecenter

•3584 to 7168

desktops/bladecenter

•2 bladecenters/zBX

•7000 to 14,000 desktops/zBX

•4 zBX/zEnterprise

•28,000 to 56,000 desktops/

zEnterprise

Trusted Thin Client Solution

Smart Terminal: Simplification of Networking and Collaboration


Shared Storage

Microsoft Active Directory / LDAP (Manages Users)

BC or BC-H HS21 LS21

LS41

x3650 x3850 DS3400/4700

x3755 x3950


System x Servers BladeCenter Blades IBM System Storage


3. User Management 4. Virtualization Software



Secure Connection

Server Ethernet/ Wireless Developer

Desktops



Remote / Laptop

Users

1. Trusted Thin Client Front-end

8. Multiple Secure Networks

2. Network

Trusted Thin Client

Simple desktop configuration: thin client device, monitor, keyboard, mouse.

A “Controlled Access Device” for cloud computing.

TTC software utilizes a trusted operating system to enforce security policy at

DCID 6/3 PL4 and CCEVS EAL4+ levels. – Only platform from edge to cloud

that meets these criteria.

TTC software runs on at the desktop and on a server console providing

separation of any number of networks, applications, or systems.

Internet and internal systems(s)

Multiple internal and external systems

No data is stored at the desktop so there is no risk of data leakage.

Operations and security are transparent to the end user.


Trusted Thin Client The last workstation you will ever need

7/7/2012

• Multiple user deployment options

• Provides accredited system separation

• Protects internal systems from external intrusion

• Protects mission critical data

• No “cut and paste” from one system to another

• Security policy enforcement via a Trusted OS

• Trusted operating system maintains lock down at the desktop

• No intentional or unintentional data leakage

• Protection from APTs

• Dynamic allocation of user access

© 2012 STASH Consortium

System z Management x86 Virtualization – Reducing Control Points



3. User Management

System z196 Server System x Servers IBM

System Storage


2A

. Ne

two

rk


IBM System z

z/VM

z/O

S

7. Fraud Analytics


IBM System x

Developer

x3650 x3850

x3755 x3950

Ethernet/ Wireless Developer

Desktops



Remote / Laptop

Users



2. Network

4a. Virtualization Software

Shared Storage

zBX Virtualization Secure Hosts: Simplifying Security and Resilience



Desktops



Remote / Laptop

Users


IBM zEnterprise Servers

IBM System Storage

3. User Management


2. Network


IBM System z

z/VM

z/O

S

7. Fraud Analytics


zbx

Developer

Shared Storage



System x





Desktops



Remote / Laptop

Users

3. User Management


IBM System Storage


2. Network


IBM System z

z/VM

7. Fraud Analytics


Shared Storage




zbx

9. Virtual Tape Server

Applications

and

Data

Delivery Models

Do this on your own

If so, delete the services cost

Leverage a services engagement to get this up and

running faster

Get this delivered via “cloud” as a managed service

Assume 2x the capital costs


ROM for STASH





Desktops



Remote / Laptop

Users

3. User Management


IBM System Storage

5. Data Center Hardware

2. Network


IBM System z

z/VM

7. Fraud Analytics


Shared Storage




zbx

STASH Value Added functionality

9. Virtual Tape Server

CSL-WAVE Simplified Virtualization Management

Graphical management of your z/VM Complex with no limits

on the number of processors and z/VM logical partitions.

Extremely intuitive: Point-and-Click and Drag-and-Drop.

Full abstraction of the underlying z/VM Environment,

so Linux System Administrators can be productive day-one.

Simplification and automation of all day-to-day tasks.

Provisioning of all virtual entities (Guests, Network and Storage).

Advanced security architecture to enable delegation of authorities.

Flexible reporting capabilities on all managed entities, including internal.

Mainframe management comparable to management of a distributed environment.


Intellinx Fraud & Forensic Clearing House on System z


User activity monitoring for forensic and fraud prevention.

Non-invasive capture activities from a wide variety of systems.

Stealthfull deployment.

Handles encrypted traffic when executed on z/OS. A network appliance cannot do that

without changing network standards.

Deter potential fraud by knowing that all user actions may be recorded.

Improve internal audit effectiveness by alerting on detection of suspicious behavior and

providing full visibility for audit.

Enforce corporate policies by detecting breaches, incidents & exceptions.

Improve privacy compliance by creating a full audit trail of all end-user activity including

queries.

Files

“Military Grade” Security

Security is the key characteristic of mainframe server deployment.

RTCS provides network separation to prevent cross-network

contamination and intrusion.

RTCS eliminates the storage of sensitive or business-critical data at

the desktop.

Intellinx reduces the risk of insider fraud and data loss.

IBM zEnterprise inhibits malware due to storage protection isolation.

Data privacy can take advantage of built-in hardware cryptography

for improved performance.

End users can sign on to any Trusted Thin Client and securely

access their “desktop in the cloud”.


Resilience

IBM zEnterprise System:

Fault-avoiding architecture dramatically improves uptime.

Fewer system components reduce the risk of failure.

Hardware automation recovers problems that may have caused

unplanned outages in other platforms.

“Call home” capability when problems are encountered

coordinates service dispatch and problem resolution.

Trusted Thin Client:

“The last desktop you will ever need.”

Reduces recovery time - spare Trusted Thin Clients can be

quickly swapped in to replace defective machines or users can

connect to their desktop from another Trusted Thin Client.

Reduce full time desk side support employees.


Utilization

x86 Desktop systems run at 5-20% utilization on average.

Typically less than 10 hour days with a lot of idle time.

Virtualization software drives PC servers up to 30-50% utilization.

IBM zBX blade environments, like other x86 servers, can run up to 50%, but

can also run around the clock.

Excess capacity can be utilized by other workloads when the Smart

Terminals are not in use (client by day – enterprise server by night).

IBM System z servers can run at 100% utilization without fear of failover.

Capacity goals can be established on System z to shift processing resources

from pre-production, development, and integration servers in favor of the

production environment.

Additional processors can be added and deleted on demand through

dynamic provisioning on IBM zEnterprise, satisfying peak workloads without

purchasing and deploying additional x86 servers.


Change Management

Trusted Thin Clients are maintained from central administration.

Middleware servers can be cloned in minutes across both the IBM

z196 server and the zBX blade servers.

Patch management can be provisioned instantly across all

operational servers leveraging Virtual Bridges

New applications can be installed on the Smart Terminal server and

made available to all end users via Virtual Bridges.

Rolling changes can be made to avoid any physical outages in

processing.

Model reduces IT labor necessary to maintain desktop modifications

and drive corporate compliance.


Smarter Building and Smarter Computing

Trusted Thin Clients use less energy than desktop PCs.

If multiple desktops are consolidated into a single Trusted Thin

Client, there is further reduction in energy, network wiring, and

network bandwidth.

Physical servers take floor space, electricity, and cooling. The ability

of IBM zEnterprise to consolidate many x86 images can dramatically

reduce environmental costs.

When desktops are leveraging mainframe data and applications,

there is a dramatic reduction in networking bandwidth within the

intranet as a direct connection exists between the z196/z114 server

and the zBX.

Improves end user satisfaction with less noise, heat and complexity.


Greater Security, Not Greater Cost

Through advancements in technology and collaboration

across vendors, STASH:

Reduces initial acquisition costs

Reduces operational costs

Reduces operational and deployment risks

Improves the security and resilience of the deployed solution

Leverages existing investments wherever possible

Provides investment protection and continuous cost benefits


Vicom Infinity • Account presence since late 1990’s.

• IBM Premier Business Partner.

• Reseller of IBM Hardware, Software, and Maintenance.

• Vendor source for the last four generations of Mainframes/IBM Storage.

• Professional and IT Architectural Services.

• Reseller of Trusted Thin Client, Intellinx, and CSL-WAVE.

• Vicom family of companies also offer leasing & financing, computer services,

and IT staffing & project management.

• http://www.vicominfinity.com/stash.html

• For More Information Or To Buy STASH Please Contact…

Len Santalucia, CTO & Business Development Manager

One Penn Plaza – Suite 2010

New York, NY 10119

212-799-9375 office

917-856-4493 mobile

[email protected]


http://www.vicominfinity.com/stash.html

smart terminal architecture with secure hostssmart terminal architecture with secure hosts ......

Documents