Smart Terminal Architecture with Secure Hosts
A New Evolution in Smart Computing for an Enterprise
System z Virtual Desktop Infrastructure: VDI on Steroids
What problems does STASH solve?
• Originally intended to secure enterprise servers by providing a more secure end-to-end connection
• Security of “target servers” is only as good as the “weakest link”, which is typically the end user computing interface
  - Experience has shown that desktop weakness can impact server security
  - Reduce the end user's role as “systems programmer” of their own device to further reduce risk
• In the process, we learned that this was a cost-competitive alternative to any virtual desktop solution
• Improves security, resilience and utilization
• Can save money on TCO and TCA
• A simpler solution to deploy than alternatives
• Helps a business/agency look at organizational inefficiencies (separate IT operational units based on server type) and reconsider infrastructure based on business needs
• End-to-end computing: human/machine to target applications and data
• Addresses service levels of workloads (e.g. security, resilience, utilization)
© 2012 STASH Consortium
9/14/12
2
Creating Stateless Devices for Business
Options for Personal Computers and Smart Phones/Tablets:
• Business Computer
• Remote PC access application (e.g. RDP, SPICE, Nx)
• Thin/Zero Client
• Re-use existing PC with stateless operating system
• Remote presentation API on device (e.g. Amazon browser)
• Bring your own device
• Bootable USB image that keeps state off the PC
• Secure Virtual Machine
• Bluetooth or USB device for remote access in a stateful way (e.g. ME4SURE)
• Support multiple networks to a single device
Target Customer: Breaking down organizational barriers
[Figure: risk across organizations. Enterprise servers (PureSystems, Mainframe, Unix; Windows, Linux, VDI management) and end user devices (Desktops, Thin Client, mobile) connected over the Internet; moving from desktops to thin clients and trusted thin clients reduces risk.]

Desktop to Thin Client
• Reduce deskside support 90%
• Share processing capacity; fewer processors
• Standardize on software and central change management
• Reduce data leakage at end user; centralize security management
• Improve availability to end users

Thin Client to Trusted Thin Client (STASH value add)
• Military grade security
• Up to 8 desktops consolidated to a single thin client
• Reduces network cabling
• Reduces electricity, noise
• Pushes “firmware” to desktops; reduces end user risks
• Options to re-use existing PCs or leverage Secure USB in existing PCs for secure connections
• Reduces mainframe security risk due to poor desktop security

x86 vs Enterprise Server VDI management (System z value add)
Similar to desktop/VDI management, plus:
• Leverage z/OS or Linux for z security servers
• Add engines to existing z vs. installing new Enterprise Linux servers; faster/easier C&A
• Add IDAA/Netezza for desktop analytics but also for z/OS analytics
• Desktops that access mainframe apps and data have direct interconnect
• Reduces intranet bandwidth
• Coordinated DR and security for end-to-end workloads
Deployment Possibilities
Supporting End User Computing
• Traditional PCs and Laptops
• Thin Client PCs with x86 Virtualization (SmartCloud offering)
• Trusted Thin Client (TTC) with x86 Virtualization (SmartCloud with STASH Value Add)
• TTC with PureSystem Virtualization and System z Management (SmartCloud with z Value Add)
“Typical” Layers of a Thin Client PC Solution
Virtualizing Desktops with a Server-hosted Architecture
[Figure: six layers of a server-hosted thin client solution, labelled as follows.]
1. Thin Client Front-end: outsourced or branch office PCs, call centers; developer desktops; remote / laptop users
2. Network: Ethernet / Wireless
3. User Management: Microsoft Active Directory / LDAP (manages users)
4. Virtualization Software: Connection Server; Virtual Center (assigns VMs); fault & security isolated; Shared Storage
5. Data Center Hardware: System x Servers (x3650, x3755, x3850, x3950); BladeCenter Blades (BC or BC-H; HS21, LS21, LS41); IBM System Storage (DS3400/4700)
6. Systems Management
Virtual Bridges Architecture
[Figure: Virtual Bridges VDI architecture. Endpoints: Managed Endpoint (True Offline VDI, SmartSync™) at Home; Zero Endpoint (No Install, Boot to VDI) at a Branch Office; Legacy Endpoint (Repurpose Older PCs, SmartSync™) for Employees and Contractors. Connectivity: WAN/Internet, Cloud and LAN. Data Center: Gold Master Technology, Storage Optimizer, Application Management, Shared Datastore (NAS/SAN) holding Persistent User Data, Hypervisor + Distributed Connection Broker + Direct Attached Storage (one or more servers), Directory / Authentication Service.]
User Segmentation
Three user segments (Task, Knowledge, Power) compared on workloads, access end point device, remote protocol considerations, scaling considerations and memory configurations:

Task
• Workloads: Call Center, Office, Transactional, LOB, Lite Desktop User
• Access end point device: Repurposed Desktops, Thin Clients, Kiosks, Station Access Points (e.g. Nurses Workstations)
• Remote protocol considerations: Remote branch VDI, Online VDI; RDP, Nx
• Scaling considerations: up to ~16 concurrent virtual desktops per server processor core
• Memory configurations, per desktop: Linux 512MB; Win7 / XP 512MB

Knowledge
• Access end point device: Desktops, iPads, Laptops
• Remote protocol considerations: Integrated offline VDI, remote branch VDI, Online VDI; RDP, Nx, SPICE
• Scaling considerations: up to ~12 concurrent virtual desktops per server processor core
• Memory configurations, per desktop: Linux 512MB; Win7 / XP 1GB

Power
• Workloads: High Performance Desktop, Multimedia, Design
• Access end point device: High-end Desktops / Workstations, Power Laptops, High Mobility (exec travel)
• Remote protocol considerations: Remote branch VDI, integrated offline VDI, Online VDI; SPICE
• Scaling considerations: up to ~8 concurrent virtual desktops per server processor core
• Memory configurations, per desktop: Linux 1GB; Win7 / XP 1-2GB+
Trusted Thin Client Solution
Smart Terminal: Simplification of Networking and Collaboration
[Figure: the thin client layers with the Trusted Thin Client replacing the front-end, labelled as follows.]
1. Trusted Thin Client Front-end: outsourced or branch office PCs, call centers; developer desktops; remote / laptop users
2. Network: Ethernet / Wireless
3. User Management: Microsoft Active Directory / LDAP (manages users)
4. Virtualization Software: Secure Connection Server; Virtual Center (assigns VMs); fault & security isolated; Shared Storage
5. Data Center Hardware: System x Servers (x3650, x3755, x3850, x3950); BladeCenter Blades (BC or BC-H; HS21, LS21, LS41); IBM System Storage (DS3400/4700)
6. Systems Management
8. Multiple Secure Networks

A “Controlled Access Device” for cloud computing. TTC software utilizes a trusted operating system to enforce security policy at DCID 6/3 PL4 and CCEVS EAL4+ levels; it is the only platform from edge to cloud that meets these criteria. TTC software runs at the desktop and on a server console, providing separation of any number of networks, applications, or systems.
Trusted Thin Client
The last workstation you will ever need
• Multiple user deployment options
• Provides accredited system separation
• Protects internal systems from external intrusion
• Protects mission critical data
• No “cut and paste” from one system to another
• Security policy enforcement via a Trusted OS
• Trusted operating system maintains lock down at the desktop
• No intentional or unintentional data leakage
• Protection from APTs
• Dynamic allocation of user access
System z Management
x86 Virtualization – Reducing Control Points
[Figure: the thin client layers with System z added as a management and virtualization tier, labelled as follows.]
1. Trusted Thin Client Front-end: outsourced or branch office PCs, call centers; remote / laptop users
2. Network: Ethernet / Wireless
2A. Network: developer desktops connected to IBM System z
3. User Management
4. Virtualization Software: Virtual Center (assigns VMs) on IBM System x
4a. Virtualization Software: z/VM and z/OS on IBM System z
5. Data Center Hardware: System z196 Server; System x Servers (x3650, x3755, x3850, x3950); IBM System Storage; Shared Storage
6. Systems Management
7. Fraud Analytics
8. Multiple Secure Networks
© Intellinx Ltd. All Rights Reserved.
System z Virtualization value
Comparison of x86 Virtualization and Mainframe Virtualization by category:

Security
• x86: Guests/clients can be compartmentalized on individual virtualized x86 servers
• Mainframe: Alleviates issues with hardware and critical data theft; reduces viruses

Centralized Desktop
• x86: Hosted desktops have the potential to significantly impact the performance, availability, and cost of the client solutions
• Mainframe: 1000’s of virtual images on far fewer server instances

Manageability
• x86: Manage remotely, alleviating issues around software upgrades or fixes, tracking hardware assets, moving users’ hardware, support call transit time; reduces user down time
• Mainframe: Change management is reduced; SLAs by user groups

Operating Cost
• x86: Centralization minimizes install & config issues; speeds time for moves, user changes; lowers time to problem resolution by eliminating trips to the user workspace
• Mainframe: Less hardware; rapid deployment; fewer points of failure; built-in redundancy

End User Adoption
• x86: Better end user experience with better ‘fat’ client features
• Mainframe: Same as x86 Virtualization

Improved Productivity
• x86: Infrastructure standardization, common service levels for all device types
• Mainframe: Same as x86 Virtualization

Access latest technology
• x86: Ease of upgrading HW and SW
• Mainframe: Easier and faster deployment of new tech.

Capital Cost
• x86: Share resources across multiple users; single application classification per server
• Mainframe: ‘Client by day, Enterprise by night’
CSL-WAVE Foundation
• GUI: Rich and intuitive graphic environment with dynamic views of the server farm as the workplace
1) Simplification
2) Automation
3) Provisioning
4) Graphical Control
5) Auto-Detection
6) Enhanced Server Farm Administration
7) Network Support
8) Extended Security
IBM SmartCloud Desktop Infrastructure Objective
Secure Hosts: Simplifying Security and Resilience
[Figure: target architecture with all layers hosted on System z, labelled as follows.]
1. Trusted Thin Client Front-end: outsourced or branch office PCs, call centers; developer desktops; remote / laptop users; iOS and Android devices
2. Network: Ethernet / Wireless
3. User Management
4. Virtualization Software: z/VM on IBM System z; fault & security isolated
5. Data Center Hardware: IBM zEnterprise Servers; IBM System Storage; Shared Storage; PureSystems hosting applications and data
6. Systems Management
7. Fraud Analytics
8. Multiple Secure Networks
9. Virtual Tape Server
IBM SmartCloud Desktop Infrastructure Reality
Secure Hosts: Simplifying Security and Resilience
[Figure: the same architecture as delivered, labelled as follows.]
1. Trusted Thin Client Front-end: outsourced or branch office PCs, call centers; developer desktops; remote / laptop users; iOS and Android devices
2. Network: Ethernet / Wireless
3. User Management
4. Virtualization Software: z/VM on IBM System z; PureSystems; fault & security isolated
5. Data Center Hardware: IBM zEnterprise Servers; IBM System Storage; Shared Storage; PureSystems
6. Systems Management
7. Fraud Analytics
8. Multiple Secure Networks / Single Network
9. Virtual Tape Server
Why use a mainframe to manage infrastructure?
• Security and resilience of virtual machines and hosted data
• Cost per virtual machine: CapEx, OpEx, energy
• Scale of solution: on demand, no outage necessary
• Speed of provisioning
• Simplicity of management through intuitive GUI
• Co-location with other applications and data for enhanced end-to-end operations benefit
• Manage “Desktops by day, enterprise servers by night”
Delivery Models
• Do this on your own
  - If so, delete the services cost
• Leverage a services engagement to get this up and running faster
• Get this delivered via “cloud” as a managed service
  - Assume 2x the capital costs
The “Consortium”
Smart Terminal
• Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software that is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops.
• Empennage/Mantissa: z86VM to leverage Desktop on the mainframe and later zARMvm to enable Android, iOS, Windows RT and Linux on zVM
  - STASH V2-V4 only
Secure Hosts
• IBM provides a secure and resilient hosting environment for desktops within its PureSystems and z/VM.
• CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills.
• Virtual Bridges provides VDI management of desktop images and provisioning.
• Intellinx’s zWatch provides user activity monitoring for fraud management.
• Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations.
• CDS: managed desktop clouds using STASH
STASH Virtualization
Secure Hosts: Simplifying Security and Resilience
[Figure: the STASH architecture with value-added functionality highlighted, labelled as follows.]
1. Trusted Thin Client Front-end: outsourced or branch office PCs, call centers; developer desktops; remote / laptop users
2. Network: Ethernet / Wireless; zBX
3. User Management
4. Virtualization Software: z/VM on IBM System z; fault & security isolated
5. Data Center Hardware: IBM zEnterprise Servers; IBM System Storage; Shared Storage
6. Systems Management
7. Fraud Analytics
8. Multiple Secure Networks
9. Virtual Tape Server
STASH value-added functionality
Complementary Sales for STASH
Simplify, Save, Secure... Smart
[Figure: IBM System z with LPARs running z/OS, z86VM, zARMvm and z/VM, surrounded by the sales points below.]
• Less expensive z/OS build
• Build for any platform
• Co-locate with other apps and data on z
• Change resilience and security
• System utilization
• Developer
• Ultimate Cloud Server
• Application Sandbox
• Sell to ISPs for mobile computing hosting
• Analytics
• One server applied to desktops and enterprise applications
Start today – save tomorrow
• Deployment goals:
  - Take out cost
  - Reduce risk
  - Improve security and resilience
  - Meet or exceed service level needs
  - Provide investment protection for the future
• Identify immediate ROI potential. For example:
  - Infrastructure as a Service: desktop computing in a cloud, Linux server instances, database consolidation, smart analytics via data sharing
  - Software as a Service: Java virtual machines, mail and collaboration, security services, development environment
• Designate and execute pilot projects to validate/quantify ROI benefit
  - Joint Agency/IBM effort
  - Identify who will solicit other workloads for this model
  - Provide results back within three months