Smart Terminal Architecture with Secure Hosts
A New Evolution in Smart Computing for an Enterprise
System z Virtual Desktop Infrastructure: VDI on Steroids
Overview
What is STASH?
What problem does STASH solve?
The benefits of STASH.
Deployment options.
What each member of the consortium offers.
7/7/2012 © 2012 STASH Consortium 2
What is STASH?
Smart Terminal Architecture with Secure Hosts
STASH is a new computing environment that offers military-grade security from the desktop to the back end.
STASH challenges the traditional assumption that greater security and higher utilization come with increased costs.
STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges and Vicom Infinity.
STASH brings security, resilience and workload management qualities of service to the desktop environment.
STASH simplifies the IT environment, saves money, and dramatically increases security.
What problems does STASH solve?
Originally intended to secure enterprise servers by providing a more secure end-to-end connection.
The security of “target servers” is only as good as the “weakest link”, which is typically the end user computing interface.
Experience has shown that desktop weakness can compromise server security.
In the process, we learned that this was a cost-competitive alternative to any virtual desktop solution.
Improves security, resilience and utilization.
Can save money on TCO and TCA.
A simpler solution to deploy than the alternatives.
Helps a business/agency look at organizational inefficiencies (separate IT operational units based on server type) and reconsider infrastructure based on business needs.
End-to-end computing: human/machine to target applications and data.
Addresses service levels of workloads (e.g. security, resilience, utilization).
Challenge: Desktop Management Complexity and Cost
Redundant network connections (where multiple PCs are deployed in one office)
Backup/recovery at an individual level
Redundant data copied to desktops
Under-utilized desktop systems dedicated to end user computing
Increased administration
Bringing your own device to work, and therefore malware into the business (security exposure)
Excessive energy utilization
Complex, expensive, and impossible to secure.
Enterprises are challenged by the need to manage and secure their extremely complex distributed computing environments.
Virtualization, although practical, has resulted in powerful desktop PCs running costly VDI software and server farms hosting back end applications at far less than 100% utilization.
The need to reduce costs and embrace green computing requirements exacerbates the problem.
Typical Industry Use Cases
Manufacturing: casual users in manufacturing plants; contact center representatives; travelling salespeople and executives
Healthcare: doctors, nurses, administrators; patients in hospitals, assisted living and health centers
Education: students, teachers, staff, administrators; K-12, universities, training centers
Banks: tellers, supervisors, advisers in the front office; contact center representatives; back-office users
Retail: store workers, contact center representatives, back-office users
Professional and IT services: accountants, advisers, law firms, global delivery center employees
State, Local, Federal Agencies: leaders, staff, service agents, case workers, analysts
The “Consortium”
Smart Terminal
Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software, which is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops.
Secure Hosts
IBM provides a secure and resilient hosting environment for desktops within its zEnterprise BladeCenter Extension (zBX) and z/VM.
CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface, which makes the mainframe consumable by “non-mainframe” skills.
Virtual Bridges provides VDI management of desktop images and provisioning.
Intellinx’s zWatch provides user activity monitoring for fraud management.
Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations.
Target Customer: Desktop or VDI deployment organizations

Desktop to Thin Client:
Reduce deskside support 90%
Share processing capacity; fewer processors
Standardize on software and central change management
Reduce data leakage at the end user; centralize security management
Improve availability to end users

Thin Client to Trusted Thin Client:
Military grade security
Up to 8 desktops consolidated to a single thin client
Reduces network cabling
Reduces electricity, noise
Pushes “firmware” to desktops; reduces end user risks
Options to re-use existing PCs, or leverage Secure USB in existing PCs for secure connections

x86 vs Enterprise Server VDI management:
Fewer servers to deploy
Reduces intranet bandwidth via direct connection
Built-in redundancy for management servers
Enables workload shifts: “Desktop by day, server by night”
“DVR for desktop” for forensics and breach prevention
Less expensive COOP site, as less redundant HW/SW is required

(Diagram: VDI management spanning desktops, thin clients, tablets and mobile devices.)
Target Customer: Existing Mainframe organizations

Desktop to Thin Client:
Same as Desktop/VDI management

Thin Client to Trusted Thin Client:
Similar to Desktop/VDI management, plus:
Reduces mainframe security risk due to poor desktop security

x86 vs Enterprise Server VDI management:
Similar to Desktop/VDI management, plus:
Leverage z/OS or Linux for System z security servers
Add engines to the existing z rather than installing new Enterprise Linux servers; faster/easier C&A
Add IDAA/Netezza for desktop analytics, but also for z/OS analytics
Desktops that access mainframe apps and data have a direct interconnect
Reduces intranet bandwidth
Coordinated DR and security for end-to-end workloads

(Diagram: Windows, Linux, Unix and mainframe servers under one VDI management layer; endpoints are desktops, thin clients and mobile devices.)
Deployment Possibilities Supporting End User Computing
Traditional PCs and Laptops
Thin Client PCs with x86 Virtualization
Trusted Thin Client (TTC) with x86 Virtualization
TTC with x86 Virtualization and System z Management
TTC with zBX Virtualization and System z Management
“Typical” Layers of a Thin Client PC Solution
Virtualizing Desktops with a Server-hosted Architecture
(Diagram; the labels that survive extraction:)
1. Thin Client Front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users
2. Network: Ethernet/wireless to a Connection Server
3. User Management: Microsoft Active Directory / LDAP (manages users)
4. Virtualization Software: Virtual Center (assigns VMs)
5. Data Center Hardware: System x servers (x3650, x3755, x3850, x3950), BladeCenter BC or BC-H blades (HS21, LS21, LS41), IBM System Storage (DS3400/4700), shared storage; fault and security isolated
6. Systems Management
Virtual Bridges Architecture
(Diagram; the labels that survive extraction:)
Data center: hypervisor + distributed connection broker + direct attached storage (one or more servers); shared datastore (NAS/SAN); directory/authentication service; SmartSync™ storage optimizer; Gold Master technology; persistent user data; application management.
Access paths: LAN for employees; WAN/Internet and cloud for home, branch office and contractor users.
Endpoint types: Managed Endpoint (true offline VDI, synchronized by SmartSync™); Legacy Endpoint (repurpose older PCs); Zero Endpoint (no install, boot to VDI).
User Segmentation

Task users
Workloads: call center, transactional, lite desktop user
Access end point device: repurposed desktops, thin clients, kiosks; remote branch VDI, online VDI
Scaling: up to ~16 concurrent virtual desktops per server processor core
Memory per desktop: Linux 512MB; Win7/XP 512MB
Remote protocol: RDP, NX

Knowledge users
Workloads: office, LOB
Access end point device: desktops, iPads, laptops, station access points (e.g. nurses’ workstations); remote branch VDI, integrated offline VDI, online VDI
Scaling: up to ~12 concurrent virtual desktops per server processor core
Memory per desktop: Linux 512MB; Win7/XP 1GB
Remote protocol: RDP, NX, SPICE

Power users
Workloads: high performance desktop, multimedia, design
Access end point device: high-end desktops/workstations, power laptops, high mobility (exec travel); integrated offline VDI, remote branch VDI, online VDI
Scaling: up to ~8 concurrent virtual desktops per server processor core
Memory per desktop: Linux 1GB; Win7/XP 1-2GB+
Remote protocol: SPICE
Bladecenter Overview
•One HX5 blade = 16 processors
•Between 8 (power users) and 16 (web access users) desktops per processor
•128 to 256 desktops per blade
•14 blades per BladeCenter
•3,584 to 7,168 desktops per BladeCenter (as stated on the slide; 14 blades at 128 to 256 desktops each gives 1,792 to 3,584, so the chassis figure assumes 256 to 512 per blade)
•2 BladeCenters per zBX
•7,000 to 14,000 desktops per zBX
•4 zBX per zEnterprise
•28,000 to 56,000 desktops per zEnterprise
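A sizing check that combines the User Segmentation densities with the blade figures above, added here as an example; it is not from the STASH consortium or any of its vendors. It assumes 128 GB of memory per blade and a 4 GB hypervisor/management reserve, neither of which the deck states, and asks which resource, cores or memory, actually caps the number of desktops a blade can carry.

```python
"""Added example (not STASH consortium code): desktop density per blade
limited by both the deck's per-core ratios and the memory each desktop
needs. Memory per blade and the reserve are assumptions for the example."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Tuple


@dataclass
class Segment:
    name: str
    desktops_per_core: int      # User Segmentation slide: 16 / 12 / 8 per core
    mem_mb: Dict[str, int]      # per-desktop memory by guest OS (upper end of any range)


SEGMENTS = {
    "task": Segment("task", 16, {"linux": 512, "windows": 512}),
    "knowledge": Segment("knowledge", 12, {"linux": 512, "windows": 1024}),
    "power": Segment("power", 8, {"linux": 1024, "windows": 2048}),
}


@dataclass(frozen=True)
class Blade:
    cores: int = 16                 # "One HX5 blade = 16 processors"
    mem_mb: int = 128 * 1024        # ASSUMPTION: 128 GB installed per blade
    reserve_mb: int = 4 * 1024      # ASSUMPTION: hypervisor/management reserve


def desktops_per_blade(seg: Segment, guest_os: str, blade: Blade = Blade()) -> Tuple[int, str]:
    """Return (capacity, binding_resource) for one blade of this segment."""
    by_cpu = seg.desktops_per_core * blade.cores
    by_mem = (blade.mem_mb - blade.reserve_mb) // seg.mem_mb[guest_os]
    # The smaller of the two limits is what the blade can really host.
    return (by_cpu, "cpu") if by_cpu <= by_mem else (by_mem, "memory")


def chassis_capacity(seg: Segment, guest_os: str, blades_per_chassis: int = 14,
                     blade: Blade = Blade()) -> int:
    """Desktops per BladeCenter if every blade in it serves this segment."""
    return blades_per_chassis * desktops_per_blade(seg, guest_os, blade)[0]


def blades_needed(users: Dict[str, int], guest_os: str, blade: Blade = Blade()) -> int:
    """Blades required when each segment is packed onto its own blades (no mixing)."""
    return sum(ceil(n / desktops_per_blade(SEGMENTS[s], guest_os, blade)[0])
               for s, n in users.items() if n)


if __name__ == "__main__":
    for name, seg in SEGMENTS.items():
        for guest in ("linux", "windows"):
            cap, bound = desktops_per_blade(seg, guest)
            print(f"{name:<10} {guest:<8} {cap:>4} desktops/blade, limited by {bound}")
    print("blades for 1000 task + 500 knowledge + 100 power (Windows):",
          blades_needed({"task": 1000, "knowledge": 500, "power": 100}, "windows"))
```

With the assumed memory every Windows segment is memory-bound: the task segment tops out at 248 desktops per blade rather than the 256 its core ratio allows, and a 14-blade chassis reaches 3,472, below the slide's lower figure. Doubling the installed memory moves the binding constraint back to the cores.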
Trusted Thin Client Solution
Smart Terminal: Simplification of Networking and Collaboration
(Diagram; the labels that survive extraction:)
1. Trusted Thin Client Front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users
2. Network: Ethernet/wireless to a Secure Connection Server
3. User Management: Microsoft Active Directory / LDAP (manages users)
4. Virtualization Software: Virtual Center (assigns VMs)
5. Data Center Hardware: System x servers (x3650, x3755, x3850, x3950), BladeCenter BC or BC-H blades (HS21, LS21, LS41), IBM System Storage (DS3400/4700), shared storage; fault and security isolated
6. Systems Management
8. Multiple Secure Networks
Trusted Thin Client
Simple desktop configuration: thin client device, monitor, keyboard, mouse.
A “Controlled Access Device” for cloud computing.
TTC software uses a trusted operating system to enforce security policy at DCID 6/3 PL4 and CCEVS EAL4+ levels. Only platform from edge to cloud that meets these criteria.
TTC software runs at the desktop and on a server console, providing separation of any number of networks, applications, or systems:
Internet and internal system(s)
Multiple internal and external systems
No data is stored at the desktop, so there is no data at rest on the endpoint to leak.
Operations and security are transparent to the end user.
Trusted Thin Client: The last workstation you will ever need
• Multiple user deployment options
• Provides accredited system separation
• Protects internal systems from external intrusion
• Protects mission critical data
• No “cut and paste” from one system to another
• Security policy enforcement via a Trusted OS
• Trusted operating system maintains lock down at the desktop
• No intentional or unintentional data leakage
• Protection from APTs
• Dynamic allocation of user access
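The separation rule in the bullets above, modelled as a small reference monitor; this is an added example, not RTCS or Trusted Thin Client code, and it says nothing about how that product implements its policy. The three network domains and their ordering, the user names and the clipboard traffic are constructed for the example; the second policy (upward-only flow) is included only to contrast with the deck's strict isolation.

```python
"""Added example (not Trusted Thin Client or RTCS code): a reference
monitor that binds each session to one labelled network domain and
refuses a clipboard move between sessions unless the configured policy
allows that flow. Domains, users and traffic are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Domain:
    name: str
    level: int  # sensitivity ordering; only the MLS-style policy below uses it


# Constructed domains for the demo (assumption: three networks, ordered).
INTERNET = Domain("internet", 0)
CORP = Domain("corp", 1)
RESTRICTED = Domain("restricted", 2)

Policy = Callable[[Domain, Domain], bool]


def strict_isolation(src: Domain, dst: Domain) -> bool:
    """The slide's rule: nothing moves between networks, in either direction."""
    return src == dst


def upward_only(src: Domain, dst: Domain) -> bool:
    """MLS-style alternative: data may flow to an equal or higher level, never down."""
    return src.level <= dst.level


@dataclass
class Session:
    user: str
    domain: Domain
    clipboard: bytes = b""  # exists only for the life of the session


class ReferenceMonitor:
    """Every cross-session operation goes through here; there is no other path."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.audit: List[str] = []

    def open_session(self, user: str, domain: Domain) -> Session:
        self.audit.append(f"OPEN {user} {domain.name}")
        return Session(user, domain)

    def copy(self, session: Session, data: bytes) -> None:
        # Copy is local to one session and never touches another domain.
        session.clipboard = data

    def paste(self, src: Session, dst: Session) -> bool:
        """Try to move src's clipboard into dst; the decision is returned and logged."""
        allowed = src.user == dst.user and self.policy(src.domain, dst.domain)
        verdict = "ALLOW" if allowed else "DENY"
        # Denials are logged too, so the trail shows attempted leaks, not just successes.
        self.audit.append(
            f"PASTE {src.user} {src.domain.name}->{dst.domain.name} "
            f"{len(src.clipboard)}B {verdict}"
        )
        if allowed:
            dst.clipboard = src.clipboard
        return allowed

    def close_session(self, session: Session) -> None:
        # Nothing persists at the terminal once the session ends.
        session.clipboard = b""
        self.audit.append(f"CLOSE {session.user} {session.domain.name}")


def demo(policy: Policy) -> Dict[str, bool]:
    """Run the same three transfers under a policy and return each decision."""
    rm = ReferenceMonitor(policy)
    web = rm.open_session("alice", INTERNET)
    corp = rm.open_session("alice", CORP)
    vault = rm.open_session("alice", RESTRICTED)
    rm.copy(web, b"pasted from a web page")
    rm.copy(vault, b"account list")
    results = {
        "internet->corp": rm.paste(web, corp),
        "restricted->corp": rm.paste(vault, corp),
        "corp->restricted": rm.paste(corp, vault),
    }
    for s in (web, corp, vault):
        rm.close_session(s)
    return results


if __name__ == "__main__":
    for name, pol in (("strict_isolation", strict_isolation), ("upward_only", upward_only)):
        print(name, demo(pol))
```

Under strict_isolation all three cross-domain moves are refused; under upward_only the two that move data to a higher level go through and the restricted-to-corp move is still denied. A paste between sessions of different users is refused before the policy is even consulted, and every attempt lands in the audit list.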
System z Management x86 Virtualization – Reducing Control Points
(Diagram; the labels that survive extraction:)
1. Trusted Thin Client Front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users
2. Network: Ethernet/wireless; 2A. Network
3. User Management
4. Virtualization Software: Virtual Center (assigns VMs) on IBM System x (x3650, x3755, x3850, x3950); 4a. Virtualization Software: z/VM on IBM System z
5. Data Center Hardware: System z196 server, System x servers, IBM System Storage, shared storage
6. Systems Management (IBM System z)
7. Fraud Analytics (z/OS)
8. Multiple Secure Networks
zBX Virtualization Secure Hosts: Simplifying Security and Resilience
(Diagram across two slides; the labels that survive extraction:)
1. Trusted Thin Client Front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users
2. Network: Ethernet/wireless
3. User Management
4. Virtualization Software: Virtual Center (assigns VMs) on System x blades in the zBX, fault and security isolated; z/VM on IBM System z
5. Data Center Hardware: IBM zEnterprise servers, IBM System Storage, shared storage
6. Systems Management (IBM System z)
7. Fraud Analytics (z/OS)
8. Multiple Secure Networks
9. Virtual Tape Server; applications and data
Delivery Models
Do this on your own (if so, delete the services cost).
Leverage a services engagement to get this up and running faster.
Get this delivered via “cloud” as a managed service (assume 2x the capital costs).
ROM for STASH
zBX Virtualization Secure Hosts: Simplifying Security and Resilience
(Diagram repeated from the preceding zBX slides, layers 1 to 9, annotated “STASH Value Added functionality”.)
CSL-WAVE Simplified Virtualization Management
Graphical management of your z/VM Complex with no limits
on the number of processors and z/VM logical partitions.
Extremely intuitive: Point-and-Click and Drag-and-Drop.
Full abstraction of the underlying z/VM Environment,
so Linux System Administrators can be productive day-one.
Simplification and automation of all day-to-day tasks.
Provisioning of all virtual entities (Guests, Network and Storage).
Advanced security architecture to enable delegation of authorities.
Flexible reporting capabilities on all managed entities, including internal.
Mainframe management comparable to management of a distributed environment.
Intellinx Fraud & Forensic Clearing House on System z
User activity monitoring for forensics and fraud prevention.
Non-invasive capture of activity from a wide variety of systems.
Stealthy deployment.
Handles encrypted traffic when executed on z/OS. A network appliance sees only ciphertext unless the encrypted sessions are terminated at it or their keys are shared with it, which changes the network design.
Deters potential fraud: users know that all of their actions may be recorded.
Improves internal audit effectiveness by alerting on detection of suspicious behavior and providing full visibility for audit.
Enforces corporate policies by detecting breaches, incidents & exceptions.
Improves privacy compliance by creating a full audit trail of all end-user activity, including queries.
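Two of the detections the slide describes (bulk record lookups and off-hours access) run over a constructed sample of captured terminal activity; this is an added example, not Intellinx or zWatch code. The log format, the five-minute window, the threshold of five distinct records and the 07:00 to 19:00 business day are assumptions for the example.

```python
"""Added example (not Intellinx zWatch code): two behavioural rules over
captured terminal transactions. The sample log is constructed; the
window, threshold and business hours are assumptions for the example."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: timestamp, user, terminal, transaction, record key.
SAMPLE_LOG = """\
2012-07-06T09:14:02 jsmith TEL03 CUSTINQ 100021
2012-07-06T09:14:20 jsmith TEL03 CUSTINQ 100022
2012-07-06T09:14:41 jsmith TEL03 CUSTINQ 100022
2012-07-06T09:15:03 jsmith TEL03 CUSTINQ 100023
2012-07-06T09:15:30 jsmith TEL03 CUSTINQ 100024
2012-07-06T09:16:05 jsmith TEL03 CUSTINQ 100025
2012-07-06T09:16:44 jsmith TEL03 CUSTINQ 100026
2012-07-06T09:17:10 jsmith TEL03 CUSTINQ 100027
2012-07-06T09:20:12 mjones TEL07 CUSTINQ 200310
2012-07-06T09:31:55 mjones TEL07 BALUPD 200310
2012-07-06T23:05:41 rlee TEL11 CUSTINQ 300500
"""

Event = Tuple[datetime, str, str, str, str]
Alert = Tuple[str, str, str]  # (rule, user, detail)


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated capture format used by the sample."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, txn, key = line.split()
        events.append((datetime.fromisoformat(ts), user, terminal, txn, key))
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           max_distinct: int = 5, day_start: time = time(7, 0),
           day_end: time = time(19, 0)) -> List[Alert]:
    alerts: List[Alert] = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    burst_open = set()  # users already alerted for the burst still in progress

    for ts, user, terminal, txn, key in sorted(events):
        # Rule 1: any activity outside business hours.
        if not (day_start <= ts.time() < day_end):
            alerts.append(("OFF_HOURS", user, f"{ts.isoformat()} {txn} {key} from {terminal}"))

        # Rule 2: many distinct records touched inside a sliding window.
        # Repeat views of the same record do not count towards the threshold.
        q = recent[user]
        q.append((ts, key))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {k for _, k in q}
        if len(distinct) > max_distinct:
            if user not in burst_open:  # alert once per burst, not once per event
                burst_open.add(user)
                alerts.append(("BULK_LOOKUP", user,
                               f"{len(distinct)} distinct records in "
                               f"{int(window.total_seconds())}s ending {ts.isoformat()}"))
        else:
            burst_open.discard(user)
    return alerts


def run_sample() -> List[Alert]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:<12} {user:<8} {detail}")
```

On the sample, jsmith trips the bulk rule at the seventh inquiry (six distinct accounts, the repeated 100022 not counted) and is not alerted again for the eighth; mjones stays under the threshold; rlee's 23:05 inquiry is flagged as off-hours. Narrowing the window or raising the threshold changes only the bulk alert, which is the knob a fraud team would tune against its own baseline.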
“Military Grade” Security
Security is the key characteristic of mainframe server deployment.
RTCS provides network separation to prevent cross-network contamination and intrusion.
RTCS eliminates the storage of sensitive or business-critical data at the desktop.
Intellinx reduces the risk of insider fraud and data loss.
IBM zEnterprise inhibits malware through storage-protection isolation.
Data privacy can take advantage of built-in hardware cryptography for improved performance.
End users can sign on to any Trusted Thin Client and securely access their “desktop in the cloud”.
Resilience
IBM zEnterprise System:
Fault-avoiding architecture dramatically improves uptime.
Fewer system components reduce the risk of failure.
Hardware automation recovers from problems that would have caused unplanned outages on other platforms.
“Call home” capability when problems are encountered coordinates service dispatch and problem resolution.
Trusted Thin Client:
“The last desktop you will ever need.”
Reduces recovery time: spare Trusted Thin Clients can be quickly swapped in to replace defective machines, or users can connect to their desktop from another Trusted Thin Client.
Reduces full-time deskside support staff.
Utilization
x86 desktop systems run at 5-20% utilization on average, typically for less than 10 hours a day with a lot of idle time.
Virtualization software drives PC servers up to 30-50% utilization.
IBM zBX blade environments, like other x86 servers, can run up to 50%, but can also run around the clock.
Excess capacity can be used by other workloads when the Smart Terminals are not in use (client by day, enterprise server by night).
IBM System z servers can run at 100% utilization without fear of failure.
Capacity goals can be established on System z to shift processing resources from pre-production, development, and integration servers in favor of the production environment.
Additional processors can be added and removed on demand through dynamic provisioning on IBM zEnterprise, satisfying peak workloads without purchasing and deploying additional x86 servers.
Change Management
Trusted Thin Clients are maintained from central administration.
Middleware servers can be cloned in minutes across both the IBM z196 server and the zBX blade servers.
Patch management can be provisioned instantly across all operational servers leveraging Virtual Bridges.
New applications can be installed on the Smart Terminal server and made available to all end users via Virtual Bridges.
Rolling changes can be made to avoid any physical outages in processing.
The model reduces the IT labor necessary to maintain desktop modifications and drives corporate compliance.
Smarter Building and Smarter Computing
Trusted Thin Clients use less energy than desktop PCs.
If multiple desktops are consolidated into a single Trusted Thin Client, there is a further reduction in energy, network wiring, and network bandwidth.
Physical servers take floor space, electricity, and cooling. The ability of IBM zEnterprise to consolidate many x86 images can dramatically reduce environmental costs.
When desktops are leveraging mainframe data and applications, there is a dramatic reduction in networking bandwidth within the intranet, as a direct connection exists between the z196/z114 server and the zBX.
Improves end user satisfaction with less noise, heat and complexity.
Greater Security, Not Greater Cost
Through advancements in technology and collaboration across vendors, STASH:
Reduces initial acquisition costs
Reduces operational costs
Reduces operational and deployment risks
Improves the security and resilience of the deployed solution
Leverages existing investments wherever possible
Provides investment protection and continuous cost benefits
Vicom Infinity
• Account presence since the late 1990s.
• IBM Premier Business Partner.
• Reseller of IBM Hardware, Software, and Maintenance.
• Vendor source for the last four generations of Mainframes/IBM Storage.
• Professional and IT Architectural Services.
• Reseller of Trusted Thin Client, Intellinx, and CSL-WAVE.
• Vicom family of companies also offers leasing & financing, computer services, and IT staffing & project management.
• http://www.vicominfinity.com/stash.html
• For More Information Or To Buy STASH Please Contact…
Len Santalucia, CTO & Business Development Manager
One Penn Plaza – Suite 2010
New York, NY 10119
212-799-9375 office
917-856-4493 mobile