Secure Citizen and Employee Access to Applications: Any Time, Any Where on Any Device



  • 1. Secure Citizen and Employee Access to Applications: Anytime, Anywhere on Any Device. 1:30 p.m. - 2:10 p.m. Jim Porell, Distinguished Engineer & Deputy CTO, Federal Sales, IBM
  • 2. Secure Citizen & Employee Access to Applications: Anywhere, Anytime, on Any Device. Jim Porell, IBM Distinguished Engineer, Deputy CTO, US Federal
  • 3. Digital Government: The Move to BYOD. Digital Government Strategy announced in 2012
  • 4. Overview Goals: Enable BYOD and other devices with secure access to Corporate or Agency data Keep data from getting lost or stolen by or from employees. What problem does are we trying to solve? Introducing STASH: Smart Terminal Architecture with Secure Hosts The benefits of STASH: The value it brings Deployment options: How does it deliver value
  • 5. Executive Summary
      - Many new devices, both government owned and BYOD, need to be enabled for agency or external partner access
      - Privacy, security and policies must be enforced regardless of device ownership
      - “Traditional” VDI solutions are not enough to meet these requirements
      - Theft, loss, virus, Trojan Horse, misuse can still put information at risk
      - STASH – Smart Terminal Architecture with Secure Hosts introduces additional capabilities to further mitigate risk
      - Government is best served when an end to end solution is deployed to ensure security and resilience
  • 6. Challenge: Desktop Management Complexity and Cost
      - Organizations are challenged in their ability to manage and secure their extremely complex distributed computing environments
      - Virtualization, although practical, has resulted in powerful desktop PCs running costly Virtual Desktop Infrastructure (VDI) software and server farms hosting back end applications running at far less than 100% utilization
      - The need to reduce costs and embrace green computing requirements exacerbates the problem:
          - Backup/recovery at an individual level
          - Redundant data copied to desktops – creates difficulty for HIPAA, Sarbanes-Oxley and other regulatory compliance
          - Under-utilized desktop systems dedicated to end user computing
          - Increased administration
          - Bringing own device to work and therefore malware into the organization (security exposure)
          - Excessive energy utilization
      - Complex, expensive, and impossible to secure.
  • 7. “Typical” Layers of a Thin Client PC Solution: Virtualizing Desktops with a Server-hosted Architecture
      [Diagram. Numbered layers: 1. Thin Client Front-end; 2. Network; 3. User Management; 4. Virtualization Software; 5. Data Center Hardware; 6. Systems Management]
      [Diagram labels: Outsourced or Branch Office PCs, Call Centers; Developer Desktops; Remote / Laptop Users; Ethernet/Wireless; Microsoft Active Directory / LDAP (Manages Users); Connection Server; Virtual Center (Assigns VMs); Fault & security isolated; Shared Storage; System x Servers (x3650, x3850, x3755, x3950); BladeCenter BC or BC-H Blades (HS21, LS21, LS41); IBM System Storage DS3400/4700]
  • 8. Will the End to End solution be protected and resilient?
      [Diagram. Risks: Theft, Loss, Virus, Trojan Horse, Misuse. End points: Outsourced or Branch Office PCs, Call Centers; Developer Desktops; Remote / Laptop Users. Back end: Transactions, Applications, Data; Shared Storage]
      - Puts corporate and agency data at risk. Are you managing end to end?
  • 9. What is STASH? Smart Terminal Architecture with Secure Hosts
      - STASH is a new computing environment that offers military grade security from the desktop/end user device to the back end.
      - STASH challenges the traditional assumption that greater security and increased performance utilization come with increased costs.
      - STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges, CDS and Vicom Infinity.
      - STASH brings security, resilience and workload management qualities of service to the desktop/end user device environment.
      - STASH is a means of simplifying the IT environment, saving money, and dramatically increasing security.
  • 10. Typical Industry Use Cases
      - State, Local, Federal Agencies: Leaders, Staff, Service Agents, Case workers, Analysts
      - Manufacturing: Casual users in manufacturing plants; Contact center representatives; Travelling salespeople and executives
      - Banks: Tellers, supervisors, advisers in the front office, contact center representatives, back-office users
      - Healthcare: Doctors, nurses, administrators; Patients in hospitals, assisted living and health centers
      - Retail: Store workers, contact center representatives, back-office users
      - Education: Students, Teachers, Staff, Administrators; K-12, Universities, Training Centers
      - Professional and IT services: Accountants, advisers, law firms, global delivery center employees
      © 2012 STASH Consortium
  • 11. Target Customer: Breaking down organizational barriers
      - Risk across organizations: Desktops, Thin Client, mobile; Windows, Linux, Unix; VDI mgt; Mainframe
      - Reduced risk when managed end to end
      - Desktop to Thin Client (Typical x86 VDI):
          - Reduce deskside support 90%
          - Share processing capacity; fewer processors
          - Standardize on software and central change management
          - But: Device can be lost/stolen/misused
          - But: Multiple desktops may be required
      - Thin Client to Trusted Thin Client (STASH Value add):
          - Military grade security
          - Up to 8:1 desktop consolidation
          - Reduces network cabling, electricity, noise
          - DVR-like capability to watch for fraud and provide forensics
          - But: Many servers may be required
          - But: Disaster recovery adds complexity
          - But: Inconsistent security across departments
      - X86 vs Enterprise Server VDI mgt (System z Value add), similar to desktop/VDI mgt, plus:
          - Fewer management servers
          - Add IDAA/Netezza for desktop analytics but also for z/OS analytics
          - Desktops that access mainframe apps and data have direct interconnect
          - Reduces intranet bandwidth
          - Coordinated DR and security for end to end workloads
  • 12. Deployment Possibilities Supporting End User Computing
      - Traditional PCs and Laptops
      - Thin Client PCs with x86 Virtualization (IBM SmartCloud offering)
      - Trusted Thin Client (TTC) with x86 Virtualization (IBM SmartCloud with STASH value add)
      - TTC with PureSystem Virtualization and System z Management (IBM SmartCloud with System z value add)
  • 13. Deployment Possibilities Supporting End User Computing
      - Traditional PCs and Laptops
      - Thin Client PCs with x86 Virtualization (IBM SmartCloud offering): Reduce cost
      - Trusted Thin Client (TTC) with x86 Virtualization (IBM SmartCloud with STASH value add): More secure end device
      - TTC with PureSystem Virtualization and System z Management (IBM SmartCloud with System z value add): End to end management, security and resilience
  • 14. User Segmentation
      - Task users:
          - Desktop Workloads: Call Center; Transactional; Lite Desktop User
          - Access End Point Device: Repurposed Desktops; Thin Clients; Kiosks; Remote branch VDI, Online VDI
          - Scaling Considerations: Up to ~16 Concurrent Virtual Desktops / Server Processor Core
          - Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 512MB
          - Remote Protocol Considerations: RDP, Nx
      - Knowledge users:
          - Desktop Workloads: Office; LOB
          - Access End Point Device: Desktops; iPads; Laptops; Station Access Points (e.g. Nurses Workstations); Remote branch VDI, integrated offline VDI, Online VDI
          - Scaling Considerations: Up to ~12 Concurrent Virtual Desktops / Server Processor Core
          - Memory Configurations (per desktop): Linux: 512MB; Win7 / XP: 1GB
          - Remote Protocol Considerations: RDP, Nx, SPICE
      - Power users:
          - Desktop Workloads: High Performance; Multimedia; Design
          - Access End Point Device: High-end Desktops / Workstations; Power Laptops; High Mobility (exec travel); Integrated offline VDI, remote branch VDI, Online VDI
          - Scaling Considerations: Up to ~8 Concurrent Virtual Desktops / Server Processor Core
          - Memory Configurations (per desktop): Linux: 1GB; Win7 / XP: 1-2GB+
          - Remote Protocol Considerations: SPICE
      © 2012 STASH Consortium
  • 15. IBM Smartcloud Desktop Infrastructure Secure Hosts: Simplifying Security and Resilience
      [Diagram. Numbered layers: 1. Trusted Thin Client Front-end; 2. Network; 3. User Management; 4. Virtualization Software; 5. Data Center Hardware; 6. Systems Management; 7. Fraud Analytics; 8. Multiple Secure Networks; 9. Virtual Tape Server]
      [Diagram labels: UNIQUE to STASH; Outsourced or Branch Office PCs, Call Centers; Developer Desktops; Remote / Laptop Users; Ethernet/Wireless; Applications and Data; Pure; Shared Storage; Fault & security isolated; IBM System z; IBM zEnterprise Servers; IBM System Storage; z/VM]
  • 16. End Users
      - Freedom of choice for access device: Existing PC, Thin Client, Smartphone, Tablet
      - Same end user application experience as before migration to Virtual Desktop
      - Reduced administration of desktop by end user. Software updates, anti-virus and firewall management are done by the IT organization.
      - Improved productivity by not having to wait for “system functions” that tie up personal and computer time: anti-virus; software updates; data backups.
      - Connect from anywhere, at the point you left off: office; conference room; home
      - Avoid hard disk failures of your desktop – storage is now centralized and recovery is faster
      - Less down time if your end device breaks or is lost. You simply get another device and recovery is much faster
      - Avoid putting corporate data on your personal device – it’s a window to the corporation, not a disk drive
      - Provides opportunities to use new smart phone and tablet capabilities, in addition to legacy PC operations. Have some fun while getting your work done
  • 17. Security Introduction of the DVR-like end user and systems manager monitoring:  Simplifies forensics and reduces effect of insider theft  Monitors outsourcers’ activities on corporate networks  Reduces brand exposure of data loss to track end user activity Patch management is done on central “golden master” images and will help reduce the risk and impact of viruses, Trojan horses, and worms from being introduced to PC systems. Data Risk Mitigation “Fault Tolerant PC” bring resilience by leveraging central servers and storage. This enables faster and easier recovery of desktop computing resources. Raytheon Trusted Thin Client and Distribution Console provides EAL4+ security:  Compliant with Department of Defense specification for security  Consolidates up to 8 PC’s to a single thin client while maintaining separation  Reduces the number of devices, environmental and wiring More security with less cost  Fewer servers and desktops, fewer points of control, simpler security management
  • 18. Technical Solutions
      - Reduced permutations on number of desktop configurations required. Desktop Application Layers allow for smaller base package management.
      - Provisioning new computers becomes adding new users, rather than moving and building PC workstations.
      - Downtime on users’ PCs becomes depot maintenance and sparing rather than data recovery.
      - Core density is the number of machines that can be run per core. STASH runs at 13.1 expected density. The more per core, the cheaper the solution will be. The lower the number, the more powerful each VDI machine is.
      - Memory overcommit: memory that can be re-used by each machine from the server’s standpoint.
      - CPU utilization: the level of CPU utilization the server can run at. The competitors will run at 50% to create a fault tolerant solution, but don’t use all of their CPU power. STASH management runs at 100%, decreasing the cost of servers and licenses by 50%.
      - Less infrastructure to manage: fewer management servers and desktop consolidation reduce environmental and people management costs
  • 19. Cost Savings
      - Support Labor:
          - Competitors: 1 technician per every 50 PCs
          - STASH: 1 technician per at least every 300 PCs
      - Software Updates:
          - Competitors: require updates to individual servers & each desktop
          - STASH: less cost and time to deploy centralized updates
      - Technology Refresh:
          - Competitors: requires complete replacement for all hardware
          - STASH: saves cost by repurposing existing desktops as thin clients
          - STASH: updating management servers in a fraction of the time
      - Cost per seat:
          - Competitors: Many include only the VDI server function in per seat pricing
          - STASH: end to end value and more: End user device, secure connection broker, DVR-like capability for end user and system manager actions, intuitive graphic interface for management, storage, servers, tape archive
      - Cost can be as little as $700 per user, including three years of service
  • 20. Competitive Price Analysis
  • 21. Competitive Price Analysis
  • 22. Integration Solutions: Deliver High Availability Solutions in Phases
      - Take out existing costs to make this self funding:
          - Change ELAs for desktop software to cover only what you use vs. what you may use
          - Change maintenance subscriptions to reduce costs
      - Identify the existing user base and needs
      - Implement the transition to VDI, whether hosted or purchased
      - Provide ongoing support through the entire life cycle of the solution
      - Develop custom applications if needed for optimizing productivity
      - Support/leverage legacy equipment – both desktops and servers
      - Provide single point of contact support with pre-emptive support for larger server systems.
  • 23. The STASH “Consortium”
      - Smart Terminal:
          - Raytheon Trusted Computer Solutions delivers proven Trusted Thin Client software that is widely deployed across hundreds of thousands of U.S. military, intelligence agencies, and other government desktops
      - Secure Hosts:
          - IBM provides secure and resilient hosting environment for desktops within its zEnterprise BladeCenter Extension (zBX) and z/VM
          - CSL International provides customer-proven CSL-WAVE to easily manage server instances using intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills
          - Virtual Bridges provides VDI management of desktop images and provisioning
          - Intellinx’s zWatch provides user activity monitoring for fraud management
          - CDS provides managed services for hosting virtual desktop infrastructure
          - Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations
  • 24. Delivery Models
      - Do this on your own
      - Leverage a services engagement to get this up and running faster
      - Get this delivered via “cloud” as a managed service
  • 25. Executive Summary
      - Many new devices, both enterprise and BYOD, need to be enabled for agency or partner access
      - Privacy, Security and Policies must be enforced regardless of device ownership
      - “Traditional” VDI solutions are not enough to meet these requirements
      - Theft, loss, virus, Trojan Horse, misuse can still put information at risk
      - STASH – Smart Terminal Architecture with Secure Hosts introduces additional capabilities to further mitigate risk
      - Government is best served when an end to end solution is deployed to ensure security and resilience
  • 26. Thank You !