Smart Terminal Architecture with Secure Hosts
A New Evolution in Smart Computing for an Enterprise
System z Virtual Desktop Infrastructure: VDI on Steroids
What problems does STASH solve?
- Originally intended to secure enterprise servers by providing a more secure end-to-end connection. The security of "target servers" is only as good as the weakest link, which is typically the end-user computing interface; experience has shown that desktop weaknesses can compromise server security.
- Reduce the end user's role as the "systems programmer" of their own device, to further reduce risk.
- In the process, we learned that this is a cost-competitive alternative to any virtual desktop solution: it improves security, resilience and utilization; can save money on TCO and TCA; and is simpler to deploy than the alternatives.
- Helps a business or agency examine organizational inefficiencies (separate IT operational units based on server type) and reconsider infrastructure based on business needs: end-to-end computing from human/machine to target applications and data, addressing the service levels of workloads (e.g. security, resilience, utilization).
9/14/12 © 2012 STASH Consortium
Creating Stateless Devices for Business
Personal Computers
- Business computer: thin/zero client
- Re-use an existing PC with a stateless operating system
- Bring your own device: a bootable USB image that keeps state off the PC
- Secure virtual machine
- Support multiple networks on a single device
Smart Phones/Tablets
- Remote PC access application (e.g. RDP, SPICE, Nx)
- Remote presentation API on the device (e.g. Amazon browser)
- Bluetooth or USB device for remote access in a stateful way (e.g. ME4SURE)
Target Customer: Breaking down organizational barriers
x86 vs. Enterprise Server VDI Management
Similar to desktop/VDI management, plus:
- Leverage z/OS or Linux on System z for the security servers
- Add engines to the existing z rather than installing new enterprise Linux servers; faster and easier C&A
- Add IDAA/Netezza for desktop analytics and also for z/OS analytics
- Desktops that access mainframe applications and data have a direct interconnect, reducing intranet bandwidth
- Coordinated DR and security for end-to-end workloads

[Figure: risk across organizations versus reduced risk. Tiers shown: Windows, Linux, VDI management; Desktops, thin client, mobile; Unix; Mainframe; PureSystems; Server of Enterprise; Internet. Callouts: PureSystems STASH value add; System z value add.]

Desktop to Thin Client
- Reduce deskside support by 90%
- Share processing capacity; fewer processors
- Standardize on software and central change management
- Reduce data leakage at the end user; centralize security management
- Improve availability to end users

Thin Client to Trusted Thin Client
- Military-grade security
- Up to 8 desktops consolidated onto a single thin client
- Reduces network cabling
- Reduces electricity and noise
- Pushes "firmware" to desktops; reduces end-user risks
- Options to re-use existing PCs, or to leverage a Secure USB device in existing PCs for secure connections
- Reduces mainframe security risk arising from poor desktop security
Deployment Possibilities Supporting End User Computing
- Traditional PCs and laptops
- Thin client PCs with x86 virtualization (SmartCloud offering)
- Trusted Thin Client (TTC) with x86 virtualization (SmartCloud with STASH value add)
- TTC with PureSystem virtualization and System z management (SmartCloud with z value add)
"Typical" Layers of a Thin Client PC Solution: Virtualizing Desktops with a Server-hosted Architecture

[Figure: six-layer server-hosted VDI stack.
1. Thin client front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users.
2. Network: Ethernet/wireless.
3. User management: Microsoft Active Directory/LDAP (manages users); connection server.
4. Virtualization software: Virtual Center (assigns VMs).
5. Data center hardware: System x servers (x3650, x3850, x3755, x3950); BladeCenter blades (BC or BC-H, HS21, LS21, LS41); IBM System Storage (DS3400/4700); shared storage; fault and security isolated.
6. Systems management.]

Virtual Bridges Architecture

[Figure: data center with hypervisor, distributed connection broker and direct attached storage (one or more servers); shared datastore (NAS/SAN); directory/authentication service; persistent user data; application management; Gold Master technology; SmartSync; Storage Optimizer. Endpoints reach the data center over LAN, WAN and Internet/cloud from home, branch office, contractor and employee locations. Endpoint types: managed endpoint (true offline VDI); legacy endpoint (repurposed older PCs); zero endpoint (no install, boot to VDI).]
User Segmentation

Task users
- Workloads: call center; transactional; light desktop user
- Access end point device: repurposed desktops; thin clients; kiosks; remote branch VDI, online VDI
- Scaling: up to ~16 concurrent virtual desktops per server processor core
- Memory per desktop: Linux 512MB; Win7/XP 512MB
- Remote protocol: RDP, Nx

Knowledge users
- Workloads: office; LOB
- Access end point device: desktops; iPads; laptops; station access points (e.g. nurses' workstations); remote branch VDI, integrated offline VDI, online VDI
- Scaling: up to ~12 concurrent virtual desktops per server processor core
- Memory per desktop: Linux 512MB; Win7/XP 1GB
- Remote protocol: RDP, Nx, SPICE

Power users
- Workloads: high performance desktop; multimedia; design
- Access end point device: high-end desktops/workstations; power laptops; high mobility (exec travel); integrated offline VDI, remote branch VDI, online VDI
- Scaling: up to ~8 concurrent virtual desktops per server processor core
- Memory per desktop: Linux 1GB; Win7/XP 1-2GB+
- Remote protocol: SPICE
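The segmentation figures above are only useful once they are applied to a real population mix, and the deck does not show how. The following sizing helper is an added example, not code from the STASH consortium or any of its members. The per-core densities and per-desktop memory figures are taken from the table (upper end of each range); the host size, the memory reserved for the hypervisor and broker, and the 20% headroom are assumptions chosen for illustration. It reports which resource, cores or memory, actually drives the host count, which is the part a capacity planner gets wrong most often with Windows knowledge and power users.

```python
from dataclasses import dataclass
from math import ceil

# Planning figures from the user-segmentation table above.
# desktops_per_core: concurrent virtual desktops per server processor core.
# mem_mb: per-desktop memory by guest OS (upper end of each range; Win7/XP as "windows").
SEGMENTS = {
    "task":      {"desktops_per_core": 16, "mem_mb": {"linux": 512,  "windows": 512}},
    "knowledge": {"desktops_per_core": 12, "mem_mb": {"linux": 512,  "windows": 1024}},
    "power":     {"desktops_per_core": 8,  "mem_mb": {"linux": 1024, "windows": 2048}},
}


@dataclass(frozen=True)
class HostSpec:
    """Assumed VDI host size; the deck does not state one."""
    cores: int = 16
    mem_gb: int = 128
    hypervisor_reserve_gb: int = 8   # assumed memory held back for hypervisor and broker


def size_pool(demand, host=HostSpec(), headroom_pct=20):
    """demand: iterable of (segment, guest_os, concurrent_users).

    Returns the cores, memory and host count needed after applying the
    headroom percentage, plus which resource drives the host count.
    Integer percentages keep the arithmetic exact for round populations.
    """
    raw_cores = 0.0
    raw_mem_mb = 0
    for segment, guest_os, users in demand:
        seg = SEGMENTS[segment]
        raw_cores += users / seg["desktops_per_core"]
        raw_mem_mb += users * seg["mem_mb"][guest_os]

    cores = ceil(raw_cores * (100 + headroom_pct) / 100)
    mem_gb = ceil(raw_mem_mb / 1024 * (100 + headroom_pct) / 100)

    usable_mem_gb = host.mem_gb - host.hypervisor_reserve_gb
    hosts_by_cores = ceil(cores / host.cores)
    hosts_by_mem = ceil(mem_gb / usable_mem_gb)
    return {
        "cores": cores,
        "mem_gb": mem_gb,
        "hosts": max(hosts_by_cores, hosts_by_mem),
        "binding": "memory" if hosts_by_mem > hosts_by_cores else "cores",
    }


def max_desktops_per_host(segment, guest_os, host=HostSpec()):
    """How many desktops of one segment fit on a single host: the smaller of
    the core-density limit and the memory limit."""
    seg = SEGMENTS[segment]
    by_cores = host.cores * seg["desktops_per_core"]
    by_mem = (host.mem_gb - host.hypervisor_reserve_gb) * 1024 // seg["mem_mb"][guest_os]
    return min(by_cores, by_mem)


if __name__ == "__main__":
    # Constructed sample population, not a real site.
    sample = [("task", "windows", 400), ("knowledge", "windows", 240), ("power", "linux", 40)]
    print(size_pool(sample))
    print(max_desktops_per_host("power", "windows"))
```

On the assumed 16-core, 128GB host, a pool of Windows power users is capped at 60 desktops per host by memory, well short of the 128 the per-core density alone would suggest; the headroom percentage should be raised for offline or branch VDI where logon storms concentrate on fewer hosts.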
Trusted Thin Client Solution
Smart Terminal: Simplification of Networking and Collaboration

[Figure: the "typical" VDI stack with a Trusted Thin Client front-end.
1. Trusted Thin Client front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users.
2. Network: Ethernet/wireless; secure connection server.
3. User management: Microsoft Active Directory/LDAP (manages users).
4. Virtualization software: Virtual Center (assigns VMs).
5. Data center hardware: System x servers (x3650, x3850, x3755, x3950); BladeCenter blades (BC or BC-H, HS21, LS21, LS41); IBM System Storage (DS3400/4700); shared storage; fault and security isolated.
6. Systems management.
8. Multiple secure networks.]

A "Controlled Access Device" for cloud computing.
TTC software uses a trusted operating system to enforce security policy at the DCID 6/3 PL4 and CCEVS EAL4+ levels; the vendor describes it as the only platform from edge to cloud that meets these criteria.
TTC software runs at the desktop and on a server console, providing separation of any number of networks, applications, or systems.

Trusted Thin Client: the last workstation you will ever need
• Multiple user deployment options
• Provides accredited system separation
• Protects internal systems from external intrusion
• Protects mission-critical data
• No "cut and paste" from one system to another
• Security policy enforcement via a trusted OS
• Trusted operating system maintains lock-down at the desktop
• No intentional or unintentional data leakage
• Protection from APTs
• Dynamic allocation of user access
System z Management, x86 Virtualization: Reducing Control Points

[Figure: the VDI stack with management consolidated on System z.
1. Trusted Thin Client front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users.
2. Network / 2A. Network: Ethernet/wireless.
3. User management: Virtual Center (assigns VMs).
4. Virtualization software / 4a. Virtualization software.
5. Data center hardware: System z196 server; System x servers (x3650, x3850, x3755, x3950); IBM System Storage; shared storage.
6. Systems management.
7. Fraud analytics.
8. Multiple secure networks.
IBM System z runs z/VM and z/OS; Linux on System z guests host the Workload Management Server, Fraud Analytics Server, Connection Server and Security Server.
IBM System x hosts Linux on x86, Windows, Rational Dev, Windows, Solaris x86 and a developer's Windows with graphics accelerator.]
Fraud analytics component © Intellinx Ltd. All Rights Reserved.
System z Virtualization Value: x86 Virtualization vs. Mainframe Virtualization

Security
- x86: guests/clients can be compartmentalized on individual virtualized x86 servers
- Mainframe: alleviates issues with hardware and critical data theft; reduces viruses

Centralized Desktop
- x86: hosted desktops have the potential to significantly impact the performance, availability and cost of the client solution
- Mainframe: thousands of virtual images on far fewer server instances

Manageability
- x86: manage remotely, alleviating issues around software upgrades or fixes, tracking hardware assets, moving users' hardware and support call transit time; reduces user downtime
- Mainframe: change management is reduced; SLAs by user group

Operating Cost
- x86: centralization minimizes install and configuration issues; speeds moves and user changes; lowers time to problem resolution by eliminating trips to the user workspace
- Mainframe: less hardware; rapid deployment; fewer points of failure; built-in redundancy

End User Adoption
- x86: better end-user experience with better "fat" client features
- Mainframe: same as x86 virtualization

Improved Productivity
- x86: infrastructure standardization, common service levels for all device types
- Mainframe: same as x86 virtualization

Access to Latest Technology
- x86: ease of upgrading hardware and software
- Mainframe: easier and faster deployment of new technology

Capital Cost
- x86: share resources across multiple users; single application classification per server
- Mainframe: "Client by day, Enterprise by night"
CSL-WAVE Foundation
GUI: rich and intuitive graphical environment with dynamic views of the server farm as the workplace
1) Simplification
2) Automation
3) Provisioning
4) Graphical Control
5) Auto-Detection
6) Enhanced Server Farm Administration
7) Network Support
8) Extended Security
IBM SmartCloud Desktop Infrastructure Objective
Secure Hosts: Simplifying Security and Resilience

[Figure: the target architecture.
1. Trusted Thin Client front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users; iOS and Android devices.
2. Network: Ethernet/wireless.
3. User management.
4. Virtualization software: fault and security isolated.
5. Data center hardware: IBM zEnterprise servers; IBM System Storage; shared storage.
6. Systems management.
7. Fraud analytics.
8. Multiple secure networks.
9. Virtual tape server.
IBM System z runs z/VM; Linux on System z guests host the Server Management Server, Fraud Analytics Server, Security Server, Distribution Console and Intellinx Sniffer.
PureSystems host Linux on x86 and Windows desktops behind a VDI layer (VERDE golden image), delivered over SPICE, RDP and Nx, alongside applications and data.]
IBM SmartCloud Desktop Infrastructure Reality
Secure Hosts: Simplifying Security and Resilience

[Figure: the same architecture as deployed today.
1. Trusted Thin Client front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users; iOS and Android devices.
2. Network: Ethernet/wireless.
3. User management.
4. Virtualization software: fault and security isolated.
5. Data center hardware: IBM zEnterprise servers; IBM System Storage; shared storage.
6. Systems management.
7. Fraud analytics.
8. Multiple secure networks on one PureSystems pool; a second PureSystems pool sits on a single network.
9. Virtual tape server.
IBM System z runs z/VM; Linux on System z guests host the Server Management Server, Fraud Analytics Server, Security Server, Distribution Console and Intellinx Sniffer.
Each PureSystems pool hosts Linux on x86 and Windows desktops behind a VDI layer (VERDE golden image) delivered over SPICE, RDP and Nx, with an Intellinx Sniffer alongside.]
Why use a mainframe to manage infrastructure?
- Security and resilience of virtual machines and hosted data
- Cost per virtual machine: CapEx, OpEx, energy
- Scale of solution: on demand, with no outage necessary
- Speed of provisioning
- Simplicity of management through an intuitive GUI
- Co-location with other applications and data for enhanced end-to-end operational benefit
- Manage "desktops by day, enterprise servers by night"
Delivery Models
- Do this on your own (if so, delete the services cost)
- Leverage a services engagement to get this up and running faster
- Get this delivered via "cloud" as a managed service (assume 2x the capital costs)
The "Consortium"
Smart Terminal: Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software, which is widely deployed across hundreds of thousands of U.S. military, intelligence agency and other government desktops.
Empennage/Mantissa: z86VM to run desktops on the mainframe, and later zARMvm to enable Android, iOS, Windows RT and Linux on z/VM (STASH V2-V4 only).
Secure Hosts: IBM provides a secure and resilient hosting environment for desktops within its PureSystems and z/VM. CSL International provides customer-proven CSL-WAVE to manage server instances through an intuitive graphical interface, which makes the mainframe consumable by "non-mainframe" skills. Virtual Bridges provides VDI management of desktop images and provisioning. Intellinx's zWatch provides user activity monitoring for fraud management. Vicom Infinity brings a variety of simplification software and experience with many of the world's largest financial organizations. CDS: managed desktop clouds using STASH.
STASH Virtualization
Secure Hosts: Simplifying Security and Resilience

[Figure: the STASH architecture with x86 desktops hosted on the zBX rather than separate PureSystems.
1. Trusted Thin Client front-end: developer desktops; outsourced or branch office PCs, call centers; remote/laptop users.
2. Network: Ethernet/wireless.
3. User management.
4. Virtualization software: fault and security isolated.
5. Data center hardware: IBM zEnterprise servers; IBM System Storage; shared storage.
6. Systems management.
7. Fraud analytics.
8. Multiple secure networks.
9. Virtual tape server.
IBM System z runs z/VM; Linux on System z guests host the Server Management Server, Fraud Analytics Server, Security Server, Distribution Console and Intellinx Sniffer.
The zBX hosts Linux on x86 and Windows desktops behind a VDI layer delivered over SPICE, RDP and Nx, with an Intellinx Sniffer alongside. The zBX hosting and its management are the STASH value-added functionality.]
Complementary Sales for STASH: Simplify, Save, Secure ... Smart

[Figure: IBM System z partitioned into LPARs.
z/VM LPAR: z86VM hosting Linux on x86, Windows 32-bit and Solaris 32-bit; Linux on System z guests hosting the Workload Management Server, Fraud Analytics Server, VERDE Golden image, Security Server and Distribution Console; a VDI layer delivered over SPICE, RDP, Nx and SPICE/VERDE; zARMvm hosting Linux, Windows RT, Android and iOS.
z/OS LPAR: developer tooling (Rational Dev + Worklight); z/OS applications and data.]

Application sandbox: a less expensive z/OS build; build for any platform.
Co-locate with other applications and data on z: changes resilience and security; improves system utilization.
Ultimate cloud server: sell to ISPs for mobile computing hosting.
Analytics: one server applied to both desktops and enterprise applications.
Start today, save tomorrow
Deployment goals:
- Take out cost
- Reduce risk
- Improve security and resilience
- Meet or exceed service level needs
- Provide investment protection for the future

Identify immediate ROI potential. For example:
- Infrastructure as a service: desktop computing in a cloud; Linux server instances; database consolidation; smart analytics via data sharing
- Software as a service: Java virtual machines; mail and collaboration; security services; development environment

Designate and execute pilot projects to validate and quantify the ROI benefit as a joint agency/IBM effort. Identify who will solicit other workloads for this model. Provide results back within three months.