
Smart Terminal Architecture with Secure Hosts (STASH)

A New Evolution in Smart Computing for an Enterprise

System z Virtual Desktop Infrastructure: VDI on Steroids

What problems does STASH solve?

• Originally intended to secure Enterprise servers by having a more secure end to end connection
• Security of “target servers” is only as good as the “weakest link”, which is typically the end user computing interface. Experience has shown that desktop weakness can impact server security.
• Reduce the end user's role as Systems Programmer of their device to further reduce risk
• In the process, we learned that this was a cost competitive alternative to any virtual desktop solution
• Improves security, resilience and utilization
• Can save money on TCO and TCA
• A simpler solution to deploy than alternatives
• Helps a business/agency look at organizational inefficiencies (separate IT operational units based on server type) and reconsider infrastructure based on business needs
• End to end computing – human/machine to target applications and data
• Address service levels of workloads (e.g. security, resilience, utilization)

9/14/12© 2012 STASH Consortium 2

Creating Stateless devices for business

Personal Computers
• Re-use existing PC with stateless operating system
• Bring your own device: bootable USB image that keeps state off PC
• Secure Virtual Machine
• Support multiple networks to single device

Business Computer
• Thin/Zero Client

Smart Phones/Tablets
• Remote PC access application (e.g. RDP, SPICE, Nx)
• Remote presentation API on device (e.g. Amazon browser)
• Bluetooth or USB device for remote access in a stateful way (e.g. ME4SURE)


Target Customer: Breaking down organizational barriers


Figure: risk across organizations today (Windows, Linux, VDI mgt; Desktops, Thin Client, mobile; Unix; Mainframe; PureSystems; Servers of Enterprise; Internet) versus reduced risk, with the columns labelled Pure Systems, STASH Value add and System z Value add.

Desktop to Thin Client
• Reduce deskside support 90%
• Share processing capacity; fewer processors
• Standardize on software and central change management
• Reduce data leakage at end user; centralize security mgt
• Improve availability to end users

Thin Client to Trusted Thin Client
• Military grade security
• Up to 8 desktops consolidated to single thin client
• Reduces network cabling
• Reduces electricity, noise
• Pushes “firmware” to desktops; reduces end user risks
• Options to re-use existing PCs or leverage Secure USB in existing PCs for secure connections
• Reduces mainframe security risk due to poor desktop security

x86 vs Enterprise Server VDI mgt
Similar to desktop/VDI mgt, plus:
• Leverage z/OS or Linux for z security servers
• Add engines to existing z vs. installing new Enterprise Linux servers; faster/easier C&A
• Add IDAA/Netezza for desktop analytics but also for z/OS analytics
• Desktops that access mainframe apps and data have direct interconnect; reduces intranet bandwidth
• Coordinated DR and security for end to end workloads

Deployment Possibilities Supporting End User Computing

• Traditional PCs and Laptops
• Thin Client PCs with x86 Virtualization (SmartCloud offering)
• Trusted Thin Client (TTC) with x86 Virtualization (SmartCloud with STASH Value Add)
• TTC with PureSystem Virtualization and System z Management (SmartCloud with z Value Add)


“Typical” Layers of a Thin Client PC Solution

Virtualizing Desktops with a Server-hosted Architecture


Figure: layers of a thin client PC solution. 1. Thin Client Front-end (Developer Desktops, Outsourced or Branch Office PCs, Call Centers, Remote / Laptop Users); 2. Network (Ethernet / Wireless); 3. User Management (Microsoft Active Directory / LDAP manages users); 4. Virtualization Software (Virtual Center assigns VMs; Connection Server); 5. Data Center Hardware (System x servers x3650, x3850, x3755, x3950; BladeCenter BC or BC-H with HS21, LS21, LS41 blades; IBM System Storage DS3400/4700; Shared Storage; fault & security isolated); 6. Systems Management.

Figure: Virtual Bridges architecture. Data center: hypervisor + distributed connection broker + direct attached storage (one or more servers), shared datastore (NAS/SAN), directory / authentication service, persistent user data, application management, Gold Master technology, StorageOptimizer and SmartSync™. Endpoints reached over LAN, WAN / Internet cloud: home, branch office, contractor and employee users on a Managed Endpoint (true offline VDI), a Legacy Endpoint (repurpose older PCs) or a Zero Endpoint (no install, boot to VDI).


User Segmentation

Task workers
• Workloads: Call Center; Transactional; Lite Desktop User
• Access End Point Device: Repurposed Desktops; Thin Clients; Kiosks; Remote branch VDI, Online VDI
• Scaling Considerations: Up to ~16 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 512MB
• Remote Protocol Considerations: RDP, Nx

Knowledge workers
• Workloads: Office; LOB
• Access End Point Device: Desktops; iPads; Laptops; Station Access Points (e.g. Nurses Workstations); Remote branch VDI, integrated offline VDI, Online VDI
• Scaling Considerations: Up to ~12 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 1GB
• Remote Protocol Considerations: RDP, Nx, SPICE

Power users
• Workloads: High Performance Desktop; Multimedia; Design
• Access End Point Device: High-end Desktops / Workstations; Power Laptops; High Mobility (exec travel); Integrated offline VDI, remote branch VDI, Online VDI
• Scaling Considerations: Up to ~8 Concurrent Virtual Desktops / Server Processor Core
• Memory Configurations (per desktop): Linux: 1GB; Win7 / XP: 1-2GB+
• Remote Protocol Considerations: SPICE


Trusted Thin Client Solution

Smart Terminal: Simplification of Networking and Collaboration


Figure: the same six layers as the thin client solution, with the front end replaced by 1. Trusted Thin Client Front-end (Developer Desktops, Outsourced or Branch Office PCs, Call Centers, Remote / Laptop Users), 2. Network (Ethernet / Wireless) terminated on a Secure Connection Server, 3. User Management (Microsoft Active Directory / LDAP), 4. Virtualization Software (Virtual Center assigns VMs), 5. Data Center Hardware (System x servers x3650, x3850, x3755, x3950; BladeCenter BC or BC-H with HS21, LS21, LS41 blades; IBM System Storage DS3400/4700; Shared Storage; fault & security isolated), 6. Systems Management, and an added layer 8. Multiple Secure Networks.

A “Controlled Access Device” for cloud computing.

TTC software uses a trusted operating system to enforce security policy at DCID 6/3 PL4 and CCEVS EAL4+ levels; it is the only platform from edge to cloud that meets these criteria.

TTC software runs at the desktop and on a server console, providing separation of any number of networks, applications, or systems.

Trusted Thin Client: the last workstation you will ever need


• Multiple user deployment options

• Provides accredited system separation

• Protects internal systems from external intrusion

• Protects mission critical data

• No “cut and paste” from one system to another

• Security policy enforcement via a Trusted OS

• Trusted operating system maintains lock down at the desktop

• No intentional or unintentional data leakage

• Protection from APTs

• Dynamic allocation of user access


System z Management

x86 Virtualization – Reducing Control Points


Figure: System z management of x86 virtualization. 1. Trusted Thin Client Front-end (Developer Desktops, Outsourced or Branch Office PCs, Call Centers, Remote / Laptop Users); 2. Network (Ethernet / Wireless) and 2A. Network; 3. User Management (Virtual Center assigns VMs); 4. Virtualization Software and 4a. Virtualization Software on IBM System x servers (x3650, x3850, x3755, x3950) hosting Linux on x86, Windows, Rational Dev, Solaris x86 and Windows with graphic accelerator for developers; 5. Data Center Hardware (IBM System z196 Server, System x Servers, IBM System Storage, Shared Storage); 6. Systems Management; 7. Fraud Analytics; 8. Multiple Secure Networks. The IBM System z runs z/VM and z/OS, with the Workload Mgt Server, Fraud Analytics Server, Connection Server and Security Server on Linux on System z. (Fraud analytics content © Intellinx Ltd.)

System z Virtualization value: x86 Virtualization vs. Mainframe Virtualization

Security
• x86 Virtualization: Guests/Clients can be compartmentalized on individual virtualized x86 servers
• Mainframe Virtualization: Alleviates issues with hardware and critical data theft; reduces viruses

Centralized Desktop
• x86 Virtualization: Hosted desktops have the potential to significantly impact the performance, availability, and cost of the client solutions
• Mainframe Virtualization: 1000’s of virtual images on far fewer server instances

Manageability
• x86 Virtualization: Manage remotely, alleviating issues around software upgrades or fixes, tracking hardware assets, moving users’ hardware, support call transit time; reduces user down time
• Mainframe Virtualization: Change management is reduced; SLAs by user groups

Operating Cost
• x86 Virtualization: Centralization minimizes install & config issues; speeds time for moves, user changes; lowers time to problem resolution by eliminating trips to the user workspace
• Mainframe Virtualization: Less hardware; rapid deployment; fewer points of failure; built-in redundancy

End User Adoption
• x86 Virtualization: Better end user experience with better ‘fat’ client features
• Mainframe Virtualization: Same as x86 Virtualization

Improved Productivity
• x86 Virtualization: Infrastructure standardization, common service levels for all device types
• Mainframe Virtualization: Same as x86 Virtualization

Access latest technology
• x86 Virtualization: Ease of upgrading HW and SW
• Mainframe Virtualization: Easier and faster deployment of new tech.

Capital Cost
• x86 Virtualization: Share resources across multiple users; single application classification per server
• Mainframe Virtualization: ‘Client by day, Enterprise by night’


CSL-WAVE Foundation

GUI: Rich and intuitive graphic environment with dynamic views of the server farm as the workplace

1) Simplification
2) Automation
3) Provisioning
4) Graphical Control
5) Auto-Detection
6) Enhanced Server Farm Administration
7) Network Support
8) Extended Security


IBM Smartcloud Desktop Infrastructure Objective

Secure Hosts: Simplifying Security and Resilience


Figure: objective architecture. 1. Trusted Thin Client Front-end (Developer Desktops, Outsourced or Branch Office PCs, Call Centers, Remote / Laptop Users, plus iOS and Android devices); 2. Network (Ethernet / Wireless); 3. User Management; 4. Virtualization Software (fault & security isolated); 5. Data Center Hardware (IBM zEnterprise Servers, IBM System Storage, Shared Storage); 6. Systems Management; 7. Fraud Analytics; 8. Multiple Secure Networks; 9. Virtual Tape Server. The IBM System z runs z/VM with the Server Mgt Server, Fraud Analytics Server and Security Server on Linux on System z, a Distribution Console, VERDE golden images, and applications and data. A Pure (PureSystems) block runs Linux on x86 and Windows behind a VDI layer (SPICE, RDP, Nx) with an Intellinx Sniffer.

IBM Smartcloud Desktop Infrastructure Reality

Secure Hosts: Simplifying Security and Resilience


Figure: the same layered view as the objective, shown as deployed: 1. Trusted Thin Client Front-end (Developer Desktops, Outsourced or Branch Office PCs, Call Centers, Remote / Laptop Users, iOS and Android); 2. Network; 3. User Management; 4. Virtualization Software (fault & security isolated); 5. Data Center Hardware (IBM zEnterprise Servers, IBM System Storage, Shared Storage); 6. Systems Management; 7. Fraud Analytics; 8. Multiple Secure Networks alongside 8. Single Network; 9. Virtual Tape Server. IBM System z runs z/VM with the Server Mgt Server, Fraud Analytics Server and Security Server on Linux on System z, a Distribution Console and VERDE golden images. Two Pure (PureSystems) blocks each run Linux on x86 and Windows behind a VDI layer (SPICE, RDP, Nx) with an Intellinx Sniffer.

Why use a mainframe to manage infrastructure?

• Security and resilience of virtual machines and hosted data
• Cost per virtual machine: CapEx, OpEx, energy
• Scale of solution: on demand, no outage necessary
• Speed of provisioning
• Simplicity of management through intuitive GUI
• Co-location with other applications and data for enhanced end to end operations benefit
• Manage “Desktops by day, enterprise servers by night”


Delivery Models

• Do this on your own; if so, delete the services cost
• Leverage a services engagement to get this up and running faster
• Get this delivered via “cloud” as a managed service; assume 2x the capital costs


The “Consortium”

Smart Terminal
• Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software, which is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops.
• Empennage/Mantissa – z86VM to leverage desktop on the mainframe and later zARMvm to enable Android, iOS, Windows RT and Linux on zVM (STASH V2-V4 only)

Secure Hosts
• IBM provides a secure and resilient hosting environment for desktops within its PureSystems and z/VM.
• CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface, which makes the mainframe consumable to “non-mainframe” skills.
• Virtual Bridges provides VDI management of desktop images and provisioning.
• Intellinx’s zWatch provides user activity monitoring for fraud management.
• Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations.
• CDS – managed desktop clouds using STASH


STASH Virtualization

Secure Hosts: Simplifying Security and Resilience


Figure: STASH virtualization, the same layered view with the x86 block moved onto the zBX. 1. Trusted Thin Client Front-end (Developer Desktops, Outsourced or Branch Office PCs, Call Centers, Remote / Laptop Users); 2. Network (Ethernet / Wireless); 3. User Management; 4. Virtualization Software (fault & security isolated); 5. Data Center Hardware (IBM zEnterprise Servers, IBM System Storage, Shared Storage); 6. Systems Management; 7. Fraud Analytics; 8. Multiple Secure Networks; 9. Virtual Tape Server. IBM System z runs z/VM with the Server Mgt Server, Fraud Analytics Server and Security Server on Linux on System z and a Distribution Console; the zBX runs Linux on x86 and Windows behind a VDI layer (SPICE, RDP, Nx) with an Intellinx Sniffer. Shaded elements are STASH value added functionality.

Complimentary Sales for STASH

Simplify, Save, Secure... Smart

Figure: complementary sales on IBM System z. A z86VM LPAR runs z/VM with the Workload Mgt Server, Fraud Analytics Server, VERDE Golden images and Security Server on Linux on System z, plus Linux on x86, Windows 32 bit and Solaris 32 bit guests, presented through a VDI layer (SPICE, RDP, Nx; SPICE via VERDE) and a Distrib Console. A zARMvm LPAR hosts Linux, Windows RT, Android and iOS. A z/OS LPAR serves developers (Rational Dev + Worklight) and a further z/OS LPAR holds applications and data.

Application Sandbox
• Less expensive z/OS build
• Build for any platform

Co-Locate with other apps and data on z
• Change resilience and security
• System utilization

Ultimate Cloud Server
• Sell to ISPs for mobile computing hosting

Analytics
• One server applied to desktops and enterprise applications

Start today – save tomorrow

Deployment goals:
• Take out cost
• Reduce risk
• Improve Security and Resilience
• Meet or exceed service level needs
• Provide investment protection for the future

Identify immediate ROI potential. For example:
• Infrastructure as a service: Desktop computing in a Cloud; Linux server instances; Database consolidation; Smart Analytics via data sharing
• Software as a Service: Java virtual machines; Mail and Collaboration; Security Services; Development environment

• Designate and execute pilot projects to validate/quantify ROI benefit
• Joint Agency/IBM effort
• Identify who will solicit other workloads for this model
• Provide results back within three months
