Secure Citizen and Employee Access to Applications: Any Time, Any Where on Any Device
Secure Citizen and Employee Access to Applications: Anytime, Anywhere on Any Device
1:30 p.m. - 2:10 p.m.
• Jim Porell, Distinguished Engineer & Deputy CTO, Federal Sales, IBM
Secure Citizen & Employee Access to Applications: Anywhere, Anytime, on Any Device
Jim Porell, IBM Distinguished Engineer, Deputy CTO, US Federal
Digital Government: The Move to BYOD
Digital Government Strategy announced in 2012
Overview
Goals:
- Enable BYOD and other devices with secure access to Corporate or Agency data
- Keep data from getting lost or stolen by or from employees
What problem are we trying to solve?
Introducing STASH: Smart Terminal Architecture with Secure Hosts
The benefits of STASH: the value it brings
Deployment options: how it delivers value
Executive Summary
- Many new devices, both government owned and BYOD, need to be enabled for agency or external partner access
- Privacy, security and policies must be enforced regardless of device ownership
- “Traditional” VDI solutions are not enough to meet these requirements
- Theft, loss, virus, Trojan Horse, misuse can still put information at risk
- STASH – Smart Terminal Architecture with Secure Hosts introduces additional capabilities to further mitigate risk
- Government is best served when an end to end solution is deployed to ensure security and resilience
Challenge: Desktop Management Complexity and Cost
- Organizations are challenged by the ability to manage and secure their extremely complex distributed computing environments
- Virtualization, although practical, has resulted in powerful desktop PCs running costly Virtual Desktop Integration (VDI) software and server farms hosting back end applications running at far less than 100% utilization
- The need to reduce costs and embrace green computing requirements exacerbates the problem
- Backup/recovery at an individual level
- Redundant data copied to desktops – creates difficulty for HIPAA, Sarbanes-Oxley and other regulatory compliance
- Under-utilized desktop systems dedicated to end user computing
- Increased administration
- Bringing own device to work and therefore malware into the organization (security exposure)
- Excessive energy utilization
Complex, expensive, and impossible to secure.
“Typical” Layers of a Thin Client PC Solution: Virtualizing Desktops with a Server-hosted Architecture
[Slide diagram; layers as labelled:]
1. Thin Client – Outsourced or Branch Office PCs, Call Centers, Developer Desktops, Remote / Laptop Users
2. Network – Ethernet / Wireless
3. User Management – Microsoft Active Directory / LDAP (manages users); Front-end Connection Server; Virtual Center (assigns VMs)
4. Virtualization – fault & security isolated; Shared Storage
5. Data Center Hardware – System x servers (x3650, x3850, x3755, x3950), BladeCenter BC or BC-H with HS21, LS21, LS41 blades, IBM System Storage DS3400/4700
6. Systems Software Management
Will the End to End solution be protected and resilient?
[Slide diagram: threats – Theft, Loss, Virus, Trojan Horse, Misuse – shown against Outsourced or Branch Office PCs, Call Centers, Developer Desktops, Remote / Laptop Users, Shared Storage, and the Transactions, Applications and Data behind them.]
Puts corporate and agency data at risk. Are you managing end to end?
What is STASH? Smart Terminal Architecture with Secure Hosts
STASH is a new computing environment that offers military grade security from the desktop/end user device to the back end. STASH challenges the traditional assumption that greater security and increased performance utilization come with increased costs. STASH is made up of a multi-functional team across IBM, Raytheon Trusted Computer Solutions, CSL International, Intellinx Software, Virtual Bridges, CDS and Vicom Infinity. STASH brings security, resilience and workload management qualities of service to the desktop/end user device environment. STASH is a means of simplifying the IT environment, saving money, and dramatically increasing security.
Target Customer: Breaking down organizational barriers
Risk across organizations: desktops, thin client, mobile; Windows, Linux, VDI mgt; Unix; Mainframe. Reduced risk when managed end to end.
[Slide table, three columns:]
Typical x86 VDI (Desktop to Thin Client):
- VDI mgt
- Reduce deskside support
- Up to 8:1 desktop consolidation
- Reduces network cabling, electricity, noise
- Standardize on software and central change management
- But: many servers may be required; device can be lost/stolen/misused; multiple desktops may be required
STASH value add (Thin Client to Trusted Thin Client):
- Military grade security
- Fewer management servers
- DVR-like capability to watch for fraud and provide forensics
- But: disaster recovery adds complexity; inconsistent security across departments
System z value add (x86 vs Enterprise Server):
- Similar to desktop/VDI mgt +: 90%
- Share processing capacity; fewer processors
- Add IDAA/Netezza for desktop analytics but also for z/OS analytics
- Desktops that access mainframe apps and data have direct interconnect
- Reduces intranet bandwidth
- Coordinated DR and security for end to end workloads
Deployment Possibilities: Supporting End User Computing
- Traditional PCs and Laptops
- Thin Client PCs with x86 Virtualization (IBM SmartCloud offering) – reduce cost
- Trusted Thin Client (TTC) with x86 Virtualization (IBM SmartCloud with STASH value add) – more secure end device
- TTC with PureSystem Virtualization and System z Management (IBM SmartCloud with System z value add) – end to end management, security and resilience
IBM SmartCloud Desktop Infrastructure – Secure Hosts: Simplifying Security and Resilience (UNIQUE to STASH)
[Slide diagram; components as labelled:]
1. Trusted Thin Client Front-end – Outsourced or Branch Office PCs, Call Centers, Developer Desktops, Remote / Laptop Users
2. Network – Ethernet / Wireless
3. User Management
4. Virtualization Software – Shared Storage, fault & security isolated
5. Data Center Hardware – IBM System z, IBM zEnterprise Servers, IBM System Storage, z/VM
6. Systems Management
7. Fraud Analytics
8. Multiple Secure Networks
9. Virtual Tape Server
Applications and Data (Pure and System z)
End Users
- Freedom of choice for access device: existing PC, thin client, smartphone, tablet
- Same end user application experience as before migration to Virtual Desktop
- Reduced administration of desktop by end user. Software updates, anti-virus and firewall management are done by the IT organization.
- Improved productivity by not having to wait for “system functions” that tie up personal and computer time: anti-virus, software updates, data backups
- Connect from anywhere, at the point you left off: office, conference room, home
- Avoid hard disk failures of your desktop – storage is now centralized and recovery is faster
- Less down time if your end device breaks or is lost. You simply get another device and recovery is much faster
- Avoid putting corporate data on your personal device – it’s a window to the corporation, not a disk drive
- Provides opportunities to use new smart phone and tablet capabilities, in addition to legacy PC operations
- Have some fun while getting your work done
Security
- Introduction of DVR-like end user and systems manager monitoring:
  - Simplifies forensics and reduces the effect of insider theft
  - Monitors outsourcers’ activities on corporate networks
  - Reduces brand exposure of data loss through tracking of end user activity
- Patch management is done on central “golden master” images and will help reduce the risk and impact of viruses, Trojan horses, and worms being introduced to PC systems.
- Data Risk Mitigation: “Fault Tolerant PC” brings resilience by leveraging central servers and storage. This enables faster and easier recovery of desktop computing resources.
- Raytheon Trusted Thin Client and Distribution Console provide EAL4+ security:
  - Compliant with Department of Defense specification for security
  - Consolidates up to 8 PCs to a single thin client while maintaining separation
  - Reduces the number of devices, environmental and wiring
- More security with less cost: fewer servers and desktops, fewer points of control, simpler security management
Technical Solutions
- Reduced permutations in the number of desktop configurations required. Desktop Application Layers allow for smaller base package management.
- Provisioning new computers becomes adding new users, rather than moving and building PC workstations.
- Downtime on users’ PCs becomes depot maintenance and sparing rather than data recovery.
- Core density is the number of machines that can be run per core. STASH runs at 13.1 expected density. The more per core, the cheaper the solution will be; the lower the number, the more powerful each VDI machine is.
- Memory over-commit: memory that can be re-used by each machine from the server’s standpoint.
- CPU utilization: the share of the server’s CPU that can be kept busy. The competitors run at 50% to create a fault tolerant solution, but don’t use all of their CPU power. STASH management runs at 100%, decreasing the cost of servers and licenses by 50%.
- Less infrastructure to manage: fewer management servers and desktop consolidation reduce environmental and people management costs
Cost Savings
• Support Labor:
- Competitors: 1 technician per every 50 PCs
- STASH: 1 technician per at least every 300 PCs
• Software Updates:
- Competitors: require updates to individual servers & each desktop
- STASH: less cost and time to deploy centralized updates
• Technology Refresh:
- Competitors: requires complete replacement of all hardware
- STASH: saves cost by repurposing existing desktops as thin clients
- STASH: updates management servers in a fraction of the time
• Cost per seat:
- Competitors: many include only the VDI server function in per seat pricing
- STASH: end to end value and more: end user device, secure connection broker, DVR-like capability for end user and system manager actions, intuitive graphic interface for management, storage, servers, tape archive
Cost can be as little as $700 per user, including three years of service
Competitive Price Analysis
Integration Solutions: Deliver High Availability Solutions in Phases
Take out existing costs to make this self funding:
- Change ELAs for desktop software to cover only what you use vs. what you may use
- Change maintenance subscriptions to reduce costs
- Identify the existing user base and needs
- Implement the transition to VDI, whether hosted or purchased
- Provide ongoing support through the entire life cycle of the solution
- Develop custom applications if needed for optimizing productivity
- Support/leverage legacy equipment – both desktops and servers
- Provide single point of contact support with pre-emptive support for larger server systems.
The STASH “Consortium”
Smart Terminal:
- Raytheon Trusted Computer Solutions delivers proven Trusted Thin Client software that is widely deployed across hundreds of thousands of U.S. military, intelligence agency, and other government desktops
Secure Hosts:
- IBM provides a secure and resilient hosting environment for desktops within its zEnterprise BladeCenter Extension (zBX) and z/VM
- CSL International provides customer-proven CSL-WAVE to easily manage server instances using an intuitive graphical interface which makes the mainframe consumable to “non-mainframe” skills
- Virtual Bridges provides VDI management of desktop images and provisioning
- Intellinx’s zWatch provides user activity monitoring for fraud management
- CDS provides managed services for hosting virtual desktop infrastructure
- Vicom Infinity brings a variety of simplification software and experience with many of the world’s largest financial organizations
Delivery Models
- Do this on your own
- Leverage a services engagement to get this up and running faster
- Get this delivered via “cloud” as a managed service
Executive Summary
- Many new devices, both enterprise and BYOD, need to be enabled for agency or partner access
- Privacy, security and policies must be enforced regardless of device ownership
- “Traditional” VDI solutions are not enough to meet these requirements
- Theft, loss, virus, Trojan Horse, misuse can still put information at risk
- STASH – Smart Terminal Architecture with Secure Hosts introduces additional capabilities to further mitigate risk
- Government is best served when an end to end solution is deployed to ensure security and resilience