Smart Terminal Architecture with Secure Hosts A New

Smart Terminal Architecture with Secure Hosts A New Evolution in Smart Computing for an Enterprise System z Virtual Desktop Infrastructure: VDI on Steroids

What problems does STASH solve? Originally intended to secure Enterprise servers, by having a more secure end to end connection Security of “target servers” is only as good as the “weakest link” which is typically the end user computing interface. Experience has shown that desktop weakness can impact server security. Reduce end user role as Systems Programmer of their device to further reduce risk In the process, we learned that this was a cost competitive alternative to any virtual desktop solution Improves security, resilience and utilization Can save money on TCO and TCA A simpler solution to deploy than alternatives Helps a business/agency look at organizational inefficiencies (separate IT operational units based on server type) and reconsider infrastructure based on business needs End to end computing – human/machine to target applications and data Address services levels of workloads (e. g. security, resilience, utilization) © 2012 STASH Consortium 9/14/12 2

Creating Stateless devices for business Personal Computers Smart Phones/Tablets Business Computer Remote PC access Thin/Zero Client Re-use existing PC with application (e. g. RDP, SPICE, Nx) stateless operating system Remote presentation API on Bring your own device (e. g. Amazon browser) Bootable USB image that keeps state off PC Secure Virtual Machine Bluetooth or USB device for remote access in a stateful way (e. g. ME 4 SURE) Support multiple networks to single device © 2012 STASH Consortium 9/14/12 3

Target Customer: Breaking down organizational barriers Risk Across organizations Unix Windows, Linux, VDI mgt Desktops, Thin Client, mobile Internet Desktop to Thin Client to Trusted Thin Client Reduce deskside support Military grade security 90% Up to 8 desktops consolidated Share processing to single thin client capacity; fewer processors Reduces network cabling Standardize on software Reduces electricity, noise and central change Pushes “firmware” to desktops; management reduces end user risks Reduce data leakage at Options to re-use existing PCs end user; Centralize or leverage Secure USB in security mgt existing PCs for secure Improve availability to end connections users Reduces mainframe security Pure Systems risk due to poor desktop security STASH Value add © 2012 STASH Consortium 9/14/12 Pure. Systems Server of Enterprise Mainframe Reduced Risk X 86 vs Enterprise Server VDI mgt Similar to desktop/VDI mgt +: Leverage z/OS or Linux for z security servers Add engines to existing z vs. installing new Enterprise Linux servers; faster/easier C&A Add IDAA/Neteeza for desktop analytics but also for z/OS analytics Desktops that access mainframe apps and data have direct interconnect Reduces intranet bandwidth Coordinated DR and security for end to end workloads System z Value add 4

Deployment Possibilities Supporting End User Computing Traditional PCs and Laptops Thin Client PCs with x 86 Virtualization (Smart. Cloud offering) Trusted Thin Client (TTC) with x 86 Virtualization (Smart. Cloud with STASH Value Add) TTC with Pure. System Virtualization and System z Management (Smart. Cloud with z Value Add) © 2012 STASH Consortium 9/14/12 5

“Typical” Layers of a Thin Client PC Solution Virtualizing Desktops with a Server-hosted Architecture 4. Virtualization Software 1. Thin Client Front-end Outsourced or Branch Office PCs, Call Centers 3. User Management 2. Network Ethernet/ Wireless 6. Systems Management Microsoft Active Directory / LDAP (Manages Users) Connection Server Developer Desktops Fault & security isolated Shared Storage Remote / Laptop Users Virtual Center (Assigns VMs) 5. Data Center. Hardware System x Servers Blade. Center Blades IBM System Storage x 3650 x 3755 © 2012 STASH Consortium 9/14/12 x 3850 x 3950 DS 3400/4700 BC or BC-H HS 21 LS 41 6

Virtual Bridges Architecture Managed Endpoint True Offline VDI Zero Endpoint Home No Install, Boot to VDI Smart. Sync™ Legacy Endpoint Repurpose Older PCs N WAN/INTERNET CLOUD N LA Branch Office N LA A /W Gold Master Technology Storage Optimizer Application Management Employee LAN Shared Datastore (NAS/SAN) Persistent User Data (One or More Servers) Hypervisor + Distributed Connection Broker + Direct Attached Storage Contractor DATA CENTER Directory / Authentication Service © 2012 STASH Consortium 9/14/12 7

User Segmentation Task Workloads Access End Point Device • • Remote Protocol Considerations © 2012 STASH Consortium Transactional • • Office Thin Clients Kiosks Remote branch VDI, Online VDI • High Performance Desktop • • Multimedia • High-end Desktops / Workstations • • Power Laptops LOB Lite Desktop User Repurposed Desktops Power Design • • Desktops • Remote branch VDI, integrated offline VDI, Online VDI • Integrated offline VDI, remote branch VDI, Online VDI i. Pads Laptops Station Access Points (e. g. Nurses Workstations) High Mobility (exec travel) • Up to ~16 Concurrent Virtual Desktops / Server Processor Core • Up to ~12 Concurrent Virtual Desktops / Server Processor Core • Up to ~8 Concurrent Virtual Desktops / Server Processor Core • • • Per Desktop: Win 7 / XP: 1 GB • • • Per Desktop: Win 7 / XP: 512 MB • • RDP, Nx, SPICE • SPICE Scaling Considerations Memory Configurations Call Center Knowledge Linux: 512 MB 9/14/12 Linux: 512 MB Linux: 1 GB Win 7 / XP: 1 -2 GB+ 8

Trusted Thin Client Solution Smart Terminal: Simplification of Networking and Collaboration 3. User Management 1. Trusted Thin Client Front-end Outsourced or Branch Office PCs, Call Centers Developer Desktops Remote / Laptop Users 4. Virtualization Software 6. Systems Management Microsoft Active Directory / LDAP (Manages Users) 2. Network Ethernet/ Wireless Secure Connection Server Fault & security isolated Shared Storage 8. Multiple Secure Networks A “Controlled Access Device” for cloud computing. TTC software utilizes a trusted operating system to enforce security policy at DCID 6/3 PL 4 and CCEVS EAL 4+ levels. – Only platform from edge to cloud that meets these criteria. TTC software runs on at the desktop and on a server console providing separation of any number of networks, applications, or systems. © 2012 STASH Consortium Virtual Center (Assigns VMs) 5. Data Center. Hardware System x Servers Blade. Center Blades IBM System Storage x 3650 x 3755 9/14/12 x 3850 x 3950 DS 3400/4700 BC or BC-H HS 21 LS 41 9

Trusted Thin Client The last workstation you will ever need • Multiple user deployment options • Provides accredited system separation • Protects internal systems from external intrusion • Protects mission critical data • No “cut and paste” from one system to another • Security policy enforcement via a Trusted OS • Trusted operating system maintains lock down at the desktop • No intentional or unintentional data leakage • Protection from APTs • Dynamic allocation of user access © 2012 STASH Consortium 9/14/12 10

System z Management x 86 Virtualization – Reducing Control Points 3. User Management 6. Systems Management 7. Fraud Analytics 1. Trusted Thin Client Front-end Outsourced or Branch Office PCs, Call Centers Virtual Center (Assigns VMs) 2. Network Developer IBM System x Shared Storage System z 196 Server System x Servers IBM System Storage © 2012 STASH Consortium Windows with graphic accelerator 4. Virtualization Software 4 a. Virtualization Software 5. Data Center. Hardware Solaris x 86 z/VM Windows Linux on x 86 Rational Dev Windows 2 A. Network z/OS Linux on System z Fraud Analytics Server Workload Mgt Server Remote / Laptop Users 8. Multiple Secure Networks Security Server Developer Desktops IBM System z Connection Server Ethernet/ Wireless 9/14/12 x 3650 x 3850 x 3755 x 3950 11

© 2012 STASH Consortium © Intellinx Ltd. All Rights Reserved 9/14/12 12

System z Virtualization value x 86 Virtualization Mainframe Virtualization Security Guests/Clients can be compartmentalized on individual virtualized x 86 servers Alleviates issues with hardware and critical data theft ; reduces viruses Centralized Desktop Hosted desktops has the potential to significantly impact the performance, availability, and cost of the client solutions 1000’s of virtual images on far fewer server instances Manageability Manage remotely, alleviating issues around software upgrades or fixes, tracking hardware assets, moving users’ hardware, support call transit time, reduces user down time Change management is reduced; SLA’s by user groups Operating Cost Centralization minimizes install & config issues; speeds time for moves, user changes; lowers time to problem resolution by eliminating trips to the user workspace Less hardware; Rapid deployment; fewer points of failure; built in redundancy End User Adoption Better end user experience with better ‘fat’ client features Same as x 86 Virtualization Improved Productivity Infrastructure standardization, common service levels for all device types Same as x 86 Virtualization Access latest technology Ease of upgrading HW and SW Easier and faster deployment of new tech. Capital Cost Share resources across multiple users; Single application classification per server ‘Client by day, Enterprise by night’ © 2012 STASH Consortium 9/14/12 13

CSL-WAVE Foundation GUI: Rich and intuitive graphic environment with dynamic views of the server farm as the workplace 1) 2) 3) 4) 5) 6) 7) 8) © 2012 STASH Consortium 9/14/12 Simplification Automation Provisioning Graphical Control Auto-Detection Enhanced Server Farm Administration Network Support Extended Security 14

IBM Smartcloud Desktop Infrastructure Objective Secure Hosts: Simplifying Security and Resilience 3. User Management 6. Systems Management 7. Fraud Analytics 1. Trusted Thin Client Front-end Ethernet/ Wireless Developer Desktops 8. Multiple Secure Networks Remote / Laptop Users VDI layer Nx SPICE RDP SPICE Pure Linux on x 86 Windows 4. Virtualization Software Fault & security isolated IBM System z Fraud Analytics Server Mgt Server Security Server Android VERDE golden i. OS Intellinx Sniffer 2. Network Distribution Console Outsourced or Branch Office PCs, Call Centers Applications and Data Shared Storage 5. Data Center. Hardware IBM z. Enterprise Servers IBM System Storage Linux on System z z/VM © 2012 STASH Consortium 9/14/12 9. Virtual Tape Server 15

IBM Smartcloud Desktop Infrastructure Reality Secure Hosts: Simplifying Security and Resilience 3. User Management 6. Systems Management 7. Fraud Analytics 1. Trusted Thin Client Front-end Ethernet/ Wireless Developer Desktops SPICE Windows 4. Virtualization Software Shared Storage Fault & security isolated Fraud Analytics Server SPICE IBM System z Server Mgt Server RDP Linux on x 86 Security Server Remote / Laptop Users Nx Pure VERDE golden 8. Multiple Secure Networks VDI layer Intellinx Sniffer 2. Network Distribution Console Outsourced or Branch Office PCs, Call Centers Linux on System z 8. Single Network VERDE Android Nx SPICE RDP SPICE Pure Linux on x 86 Windows Intellinx Sniffer VDI layer i. OS z/VM 5. Data Center. Hardware IBM z. Enterprise Servers IBM System Storage 9. Virtual Tape Server © 2012 STASH Consortium 9/14/12 16

Why use a mainframe to manage infrastructure? Security and resilience of virtual machines and hosted data Cost per virtual machine: Cap. Ex, Op. Ex, energy Scale of solution: on demand, no outage necessary Speed of provisioning Simplicity of management through intuitive GUI Co-location with other applications and data for enhanced end to end operations benefit Manage “Desktops by day, enterprise servers by night” © 2012 STASH Consortium 9/14/12 17

Delivery Models Do this on your own If so, delete the services cost Leverage a services engagement to get this up and running faster Get this delivered via “cloud” as a managed service Assume 2 x the capital costs © 2012 STASH Consortium 9/14/12 18

The “Consortium” Smart Terminal Raytheon Trusted Computer Solutions delivers its proven Trusted Thin Client software that is widely deployed across hundreds of thousands of U. S. military , intelligence agencies, and other government desktops. Empennage/Mantissa – z 86 VM to leverage Desktop on the mainframe and later z. ARMvm to enable Android, i. OS, Windows RT and Linux on z. VM STASH V 2 -V 4 only Secure Hosts IBM provides a secure and resilient hosting environment for desktops within its Pure. Systems and z/VM. CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills. Virtual Bridges provides VDI management of desktop images and provisioning Intellinx’s z. Watch provides user activity monitoring for fraud management. Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations. CDS – managed desktop clouds using STASH © 2012 STASH Consortium 9/14/12 19

STASH Virtualization Secure Hosts: Simplifying Security and Resilience 3. User Management 6. Systems Management 7. Fraud Analytics 1. Trusted Thin Client Front-end Ethernet/ Wireless Developer Desktops Remote / Laptop Users 8. Multiple Secure Networks VDI layer zbx Nx SPICE Linux on x 86 RDP SPICE Windows 4. Virtualization Software Fault & security isolated IBM System z Fraud Analytics Server Mgt Server Security Server STASH Value Added functionality Shared Storage 5. Data Center Hardware IBM z. Enterprise Servers IBM System Storage Linux on System z z/VM © 2012 STASH Consortium Intellinx Sniffer 2. Network Distribution Console Outsourced or Branch Office PCs, Call Centers 9/14/12 9. Virtual Tape Server 20

Complimentary Sales for STASH Simplify, Save, Secure……. . Smart Application Sandbox Less expensixe z/OS build Build for any platform Co-Locate with other apps and data on z z. ARMvm z/VM LPAR 9/14/12 i. OS Android Windows RT Linux Distrib Console z 86 VM Solaris 32 bit © 2012 STASH Consortium RDP Windows 32 bit One server applied to desktops and enterprise applications SPICE Linux on System z z/OS Nx Linux on x 86 VDI layer VERDE Analytics Rational Dev + Worklight Sell to ISPs for mobile computing hosting Developer z/OS Fraud Analytics Server Workload Mgt Server Ultimate Cloud Security Server System utilization VERDE Golden Data Change resilience and security Applications IBM System z 21

Start today – save tomorrow Deployment goals: Take out cost Reduce risk Improve Security and Resilience Meet or exceed service level needs Provide investment protection for the future Identify immediate ROI potential. For example: Infrastructure as a service Desktop computing in a Cloud Linux server instances Database consolidation Smart Analytics via data sharing Software as a Service Java virtual machines Mail and Collaboration Security Services Development environment Designate and execute pilot projects to validate/quantify ROI benefit Joint Agency/IBM effort Identify who will solicit other workloads for this model Provide results back within three months © 2012 STASH Consortium 9/14/12 22