Secure Citizen and Employee Access to Applications: Anytime, Anywhere on Any Device, 1:30 p.m. - 2:10 p.m. • Jim Porell, Distinguished Engineer & Deputy CTO, Federal Sales, IBM


Page 1

Secure Citizen and Employee Access to Applications: Anytime, Anywhere on Any Device
1:30 p.m. - 2:10 p.m.

• Jim Porell, Distinguished Engineer & Deputy CTO, Federal Sales, IBM

Page 2

Secure Citizen & Employee Access to Applications: Anywhere, Anytime, on Any Device

Jim Porell, IBM Distinguished Engineer, Deputy CTO, US Federal

Page 3

Digital Government: The Move to BYOD

Digital Government Strategy announced in 2012

Page 4

Overview

Goals:
- Enable BYOD and other devices with secure access to Corporate or Agency data
- Keep data from getting lost or stolen by or from employees

• What problem are we trying to solve?
• Introducing STASH: Smart Terminal Architecture with Secure Hosts
• The benefits of STASH: the value it brings
• Deployment options: how it delivers value

Page 5

Executive Summary

• Many new devices, both government owned and BYOD, need to be enabled for agency or external partner access
• Privacy, security and policies must be enforced regardless of device ownership
• “Traditional” VDI solutions are not enough to meet these requirements
- Theft, loss, virus, Trojan Horse, misuse can still put information at risk
• STASH – Smart Terminal Architecture with Secure Hosts – introduces additional capabilities to further mitigate risk
• Government is best served when an end to end solution is deployed to ensure security and resilience

Page 6

Challenge: Desktop Management Complexity and Cost

• Under-utilized desktop systems dedicated to end user computing
• Increased administration
• Bringing own device to work and therefore malware into the organization (security exposure)
• Excessive energy utilization
• Complex, expensive, and impossible to secure

Organizations are challenged by their ability to manage and secure their extremely complex distributed computing environments.

Virtualization, although practical, has resulted in powerful desktop PCs running costly Virtual Desktop Integration (VDI) software and server farms hosting back end applications running at far less than 100% utilization.

The need to reduce costs and embrace green computing requirements exacerbates the problem:
• Backup/recovery at an individual level
• Redundant data copied to desktops – creates difficulty for HIPAA, Sarbanes-Oxley and other regulatory compliance

Page 7

“Typical” Layers of a Thin Client PC Solution: Virtualizing Desktops with a Server-hosted Architecture

[Architecture diagram; only the recoverable labels are kept]

1. Thin Client Front-end: Developer Desktops; Outsourced or Branch Office PCs, Call Centers; Remote / Laptop Users
2. Network: Ethernet / Wireless
3. User Management: Microsoft Active Directory / LDAP (Manages Users)
4. Virtualization Software: Virtual Center (Assigns VMs); Connection Server
5. Data Center Hardware: IBM System x Servers (x3650, x3850, x3755, x3950); BladeCenter Blades (BC or BC-H chassis; HS21, LS21, LS41); IBM System Storage (DS3400/4700); Shared Storage
6. Systems Management

Fault & security isolated

Page 8

Will the End to End solution be protected and resilient?

[Diagram; only the recoverable labels are kept]

End devices: Developer Desktops; Outsourced or Branch Office PCs, Call Centers; Remote / Laptop Users
VDI layer: Windows; Linux on x86
Back end: Transactions, Applications, Data; Shared Storage

Risks along the path: Theft, Loss, Virus, Trojan Horse, Misuse

Puts corporate and agency data at risk. Are you managing end to end?

Page 9

What is STASH? Smart Terminal Architecture with Secure Hosts

STASH is a new computing environment that offers military grade security from the desktop/end user device to the back end.

STASH challenges the traditional assumption that greater security and increased performance utilization come with increased costs.

STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges, CDS and Vicom Infinity.

STASH brings security, resilience and workload management qualities of service to the desktop/end user device environment.

STASH is a means of simplifying the IT environment, saving money, and dramatically increasing security.

Page 10

Typical Industry Use Cases

• Manufacturing: Casual users in manufacturing plants; Contact center representatives; Travelling salespeople and executives
• Healthcare: Doctors, nurses, administrators; Patients in hospitals, assisted living and health centers
• Education: Students, Teachers, Staff, Administrators; K-12, Universities, Training Centers
• Banks: Tellers, supervisors, advisers in the front office, contact center representatives, back-office users
• Retail: Store workers, contact center representatives, back-office users
• Professional and IT services: Accountants, advisers, law firms, global delivery center employees
• State, Local, Federal Agencies: Leaders, Staff, Service Agents, Case workers, Analysts

© 2012 STASH Consortium

Page 11

Target Customer: Breaking down organizational barriers

[Three-column table; reconstructed column by column]

Typical x86 VDI (Desktop to Thin Client)
• Managed: Windows, Linux, VDI mgt; Desktops, Thin Client, mobile
• Reduce deskside support 90%
• Share processing capacity; fewer processors
• Standardize on software and central change management
• But: Device can be lost/stolen/misused; Multiple desktops may be required
• Risk across organizations

STASH Value add (Thin Client to Trusted Thin Client)
• Military grade security
• Up to 8:1 desktop consolidation
• Reduces network cabling, electricity, noise
• DVR-like capability to watch for fraud and provide forensics
• But: Many servers may be required; Disaster recovery adds complexity; Inconsistent security across departments

System z Value add (x86 vs Enterprise Server VDI mgt)
• Managed: Unix, Mainframe in addition to the above
• Similar to desktop/VDI mgt, plus: Fewer management servers
• Add IDAA/Netezza for desktop analytics but also for z/OS analytics
• Desktops that access mainframe apps and data have direct interconnect
• Reduces intranet bandwidth
• Coordinated DR and security for end to end workloads
• Reduced risk when managed end to end

Page 12

Deployment Possibilities Supporting End User Computing

• Traditional PCs and Laptops
• Thin Client PCs with x86 Virtualization (IBM SmartCloud offering)
• Trusted Thin Client (TTC) with x86 Virtualization (IBM SmartCloud with STASH value add)
• TTC with PureSystem Virtualization and System z Management (IBM SmartCloud with System z value add)

Page 13

Deployment Possibilities Supporting End User Computing

• Traditional PCs and Laptops
• Thin Client PCs with x86 Virtualization (IBM SmartCloud offering)
- Reduce cost
• Trusted Thin Client (TTC) with x86 Virtualization (IBM SmartCloud with STASH value add)
- More secure end device
• TTC with PureSystem Virtualization and System z Management (IBM SmartCloud with System z value add)
- End to end management, security and resilience

Page 14

User Segmentation

[Three-column table (Task / Knowledge / Power users); reconstructed column by column]

Task users
• Workloads: Call Center; Transactional; Lite Desktop User
• Access End Point Device: Repurposed Desktops; Thin Clients; Kiosks; Remote branch VDI, Online VDI
• Scaling Considerations: Up to ~16 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 512MB
• Remote Protocol Considerations: RDP, Nx

Knowledge users
• Workloads: Office; LOB
• Access End Point Device: Desktops; iPads; Laptops; Station Access Points (e.g. Nurses Workstations); Remote branch VDI, integrated offline VDI, Online VDI
• Scaling Considerations: Up to ~12 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 1GB
• Remote Protocol Considerations: RDP, Nx, SPICE

Power users
• Workloads: High Performance Desktop; Multimedia; Design
• Access End Point Device: High-end Desktops / Workstations; Power Laptops; High Mobility (exec travel); Integrated offline VDI, remote branch VDI, Online VDI
• Scaling Considerations: Up to ~8 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 1GB; Win7 / XP: 1-2GB+
• Remote Protocol Considerations: SPICE

Page 15

IBM SmartCloud Desktop Infrastructure Secure Hosts: Simplifying Security and Resilience

[Architecture diagram; only the recoverable labels are kept]

Applications and Data

1. Trusted Thin Client Front-end: Developer Desktops; Outsourced or Branch Office PCs, Call Centers; Remote / Laptop Users
2. Network: Ethernet / Wireless; remote protocols SPICE, RDP, Nx
3. User Management
4. Virtualization Software: PureSystems; Linux on x86; Windows; VDI layer
5. Data Center Hardware: IBM zEnterprise Servers; IBM System z with z/VM; IBM System Storage; Shared Storage
6. Systems Management: Server Mgt Server (Linux on System z)
7. Fraud Analytics: Fraud Analytics Server; Intellinx Sniffer
8. Multiple Secure Networks: Distribution Console
9. Virtual Tape Server: VERDE golden (image)
Security Server (Linux on System z)

Fault & security isolated

UNIQUE to STASH (annotation on the diagram)

Page 16

End Users

• Freedom of choice for access device: Existing PC, Thin Client, Smartphone, Tablet
• Same end user application experience as before migration to Virtual Desktop
• Reduced administration of desktop by end user. Software updates, anti-virus and firewall management are done by the IT organization.
• Improved productivity by not having to wait for “system functions” that tie up personal and computer time: anti virus; software updates; data backups.
• Connect from anywhere, at the point you left off: office; conference room; home
• Avoid hard disk failures of your desktop – storage is now centralized and recovery is faster
• Less down time if your end device breaks or is lost. You simply get another device and recovery is much faster
• Avoid putting corporate data on your personal device – it’s a window to the corporation, not a disk drive
• Provides opportunities to use new smart phone and tablet capabilities, in addition to legacy PC operations.
• Have some fun while getting your work done

Page 17

Security

• Introduction of DVR-like end user and systems manager monitoring:
- Simplifies forensics and reduces the effect of insider theft
- Monitors outsourcers’ activities on corporate networks
- Reduces brand exposure from data loss by tracking end user activity
• Patch management is done on central “golden master” images and will help reduce the risk and impact of viruses, Trojan horses, and worms being introduced to PC systems.

Data Risk Mitigation

• “Fault Tolerant PC” brings resilience by leveraging central servers and storage. This enables faster and easier recovery of desktop computing resources.
• Raytheon Trusted Thin Client and Distribution Console provide EAL4+ security:
- Compliant with Department of Defense specification for security
- Consolidates up to 8 PCs to a single thin client while maintaining separation
- Reduces the number of devices, environmental and wiring
• More security with less cost: fewer servers and desktops, fewer points of control, simpler security management

Page 18

Technical Solutions

• Reduced permutations on the number of desktop configurations required.
• Desktop Application Layers allow for smaller base package management.
• Provisioning new computers becomes adding new users, rather than moving and building PC workstations.
• Downtime on users' PCs becomes depot maintenance and sparing rather than data recovery.
• Core density is the number of machines that can be run 'per core'. STASH runs at 13.1 expected density. The more per core, the cheaper the solution will be; the lower the number, the more powerful each VDI machine is.
• Memory over commit: memory that can be 're-used' by each machine from the server's standpoint.
• CPU Utilization: the share of the server's CPU that the solution is allowed to run at. The competitors will run at 50% to create a 'fault tolerant' solution, but don’t use all of their CPU power. STASH management runs at 100%, decreasing the cost of servers and licenses by 50%.
• Less Infrastructure to manage: fewer management servers and desktop consolidation reduce environmental and people management costs.
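Core density, memory over commit and the CPU utilization target combine into the number of hosts a deployment needs, and the User Segmentation slide (Page 14) supplies per-tier densities and memory sizes. The sizing calculator below is an added example, not part of the deck and not code from any STASH component; it takes the deck's per-tier figures as constants, while the user mix, the host specification and the memory over commit ratio are constructed assumptions (the deck gives no over commit figure).

```python
from dataclasses import dataclass
from math import ceil

# Per-tier planning figures from the deck's User Segmentation slide:
# concurrent virtual desktops per server processor core and memory per
# desktop (Win7/XP column; the Power tier's "1-2GB+" is planned here at 2 GB).
TIER_PROFILES = {
    "task":      {"desktops_per_core": 16, "mem_mb_per_desktop": 512},
    "knowledge": {"desktops_per_core": 12, "mem_mb_per_desktop": 1024},
    "power":     {"desktops_per_core": 8,  "mem_mb_per_desktop": 2048},
}


@dataclass(frozen=True)
class ServerSpec:
    """Assumed host server (constructed for this example, not a deck figure)."""
    cores: int
    ram_mb: int


@dataclass(frozen=True)
class SizingResult:
    cores_needed: float        # fractional cores implied by the tier densities
    ram_mb_committed: int      # memory the guest desktops are configured with
    ram_mb_physical: int       # memory that must be physically backed after over commit
    servers_by_cpu: int        # hosts needed to satisfy the CPU bound
    servers_by_memory: int     # hosts needed to satisfy the memory bound
    servers_needed: int        # the larger of the two bounds


def blended_density(users_by_tier):
    """Overall desktops per core for a user mix (the 'core density' of Page 18)."""
    cores = sum(n / TIER_PROFILES[t]["desktops_per_core"] for t, n in users_by_tier.items())
    return sum(users_by_tier.values()) / cores


def size_deployment(users_by_tier, server, cpu_target, mem_overcommit=1.0):
    """Size hosts for a user mix.

    users_by_tier  : {"task": n, "knowledge": n, "power": n}
    server         : ServerSpec of the host being planned for
    cpu_target     : fraction of each host's CPU the design may consume; the deck
                     contrasts 0.5 ("fault tolerant" competitors) with 1.0 (STASH)
    mem_overcommit : committed-to-physical memory ratio (1.0 = no over commit);
                     an assumed input, the deck gives no figure
    """
    if not 0 < cpu_target <= 1.0:
        raise ValueError("cpu_target must be in (0, 1]")
    if mem_overcommit < 1.0:
        raise ValueError("mem_overcommit must be >= 1.0")
    unknown = set(users_by_tier) - set(TIER_PROFILES)
    if unknown:
        raise ValueError(f"unknown tiers: {sorted(unknown)}")

    cores = 0.0
    committed = 0
    for tier, n in users_by_tier.items():
        profile = TIER_PROFILES[tier]
        cores += n / profile["desktops_per_core"]
        committed += n * profile["mem_mb_per_desktop"]

    physical = ceil(committed / mem_overcommit)
    usable_cores = server.cores * cpu_target
    by_cpu = ceil(cores / usable_cores)
    by_mem = ceil(physical / server.ram_mb)
    return SizingResult(cores, committed, physical, by_cpu, by_mem, max(by_cpu, by_mem))


if __name__ == "__main__":
    # Constructed user mix and host; not figures from the deck.
    users = {"task": 800, "knowledge": 400, "power": 80}
    host = ServerSpec(cores=32, ram_mb=256 * 1024)
    for target in (0.5, 1.0):
        r = size_deployment(users, host, cpu_target=target, mem_overcommit=1.5)
        print(f"CPU target {target:.0%}: {r.servers_needed} hosts "
              f"(cpu bound {r.servers_by_cpu}, memory bound {r.servers_by_memory})")
    print(f"blended density: {blended_density(users):.1f} desktops/core")
```

With the constructed mix the host count doubles when the CPU target drops from 100% to 50%, which is the effect behind the slide's "50%" claim; the function also returns the memory bound separately, because with no over commit the memory figure, not the core density, can be the binding constraint.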

Page 19

Cost Savings

• Support Labor:
- Competitors: 1 technician per every 50 PCs
- STASH: 1 technician per at least every 300 PCs
• Software Updates:
- Competitors: require updates to individual servers & each desktop
- STASH: less cost and time to deploy centralized updates
• Technology Refresh:
- Competitors: requires complete replacement for all hardware
- STASH: saves cost by repurposing existing desktops as thin clients
- STASH: updating management servers in a fraction of the time
• Cost per seat:
- Competitors: Many include only the VDI server function in per seat pricing
- STASH: end to end value and more: End user device, secure connection broker, DVR-like capability for end user and system manager actions, intuitive graphic interface for management, storage, servers, tape archive

Cost can be as little as $700 per user, including three years of service

Page 20

Competitive Price Analysis (chart; figures not recoverable from the text)

Page 21

Competitive Price Analysis (continued; chart, figures not recoverable from the text)

Page 22

Integration Solutions

• Deliver High Availability Solutions in Phases
• Take out existing costs to make this self funding:
- Change ELAs for desktop software to cover only what you use vs. what you may use
- Change maintenance subscriptions to reduce costs
• Identify the existing user base and needs
• Implement the transition to VDI, whether hosted or purchased
• Provide ongoing support through the entire life cycle of the solution
• Develop custom applications if needed for optimizing productivity
• Support/leverage legacy equipment – both desktops and servers
• Provide single point of contact support with pre-emptive support for larger server systems.

Page 23

The STASH “Consortium”

Smart Terminal
• Raytheon Trusted Computer Solutions delivers proven Trusted Thin Client software that is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops

Secure Hosts
• IBM provides a secure and resilient hosting environment for desktops within its zEnterprise BladeCenter Extension (zBX) and z/VM
• CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills
• Virtual Bridges provides VDI management of desktop images and provisioning
• Intellinx’s zWatch provides user activity monitoring for fraud management
• CDS provides managed services for hosting virtual desktop infrastructure
• Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations

Page 24

Delivery Models

• Do this on your own
• Leverage a services engagement to get this up and running faster
• Get this delivered via “cloud” as a managed service

Page 25

Executive Summary

• Many new devices, both enterprise and BYOD, need to be enabled for agency or partner access
• Privacy, Security and Policies must be enforced regardless of device ownership
• “Traditional” VDI solutions are not enough to meet these requirements
- Theft, loss, virus, Trojan Horse, misuse can still put information at risk
• STASH – Smart Terminal Architecture with Secure Hosts – introduces additional capabilities to further mitigate risk
• Government is best served when an end to end solution is deployed to ensure security and resilience

Page 26

Thank You!