Apr 20 ’12

Sneaking Through the Skunkworks: A Secret Mainframe/Thin Client Project

by Joe Clabby in Enterprise Executive

“Skunkworks” is an industry term used in business, engineering, and technical fields to describe advanced, sometimes secret, projects conducted by individuals who operate under the radar—unconstrained by corporate bureaucracy and executive interference. These projects can be annoying (e.g., developers are working on building intelligent routers when the market has already standardized on three suppliers) or highly innovative, such as the mainframe/thin client project described herein.

Security Considerations

This mainframe/thin client project involves Jim Porell, an IBM distinguished engineer, who was formerly chief architect of IBM’s System z software, and is now working in a sales capacity, spending most of his time in Washington, DC. There, he often speaks with high-level IT executives at government agencies who tell him, as might be expected, that they’re constantly concerned about security breaches. To deal with security leakage, some of the executives have installed thin client architectures. Thin client architectures are desktop environments that don’t allow data to be stored locally and don’t allow for the use of removable media. Other executives have workers who use PCs, but they’ve mandated that PC hard disk drives be removed at the end of every day to ensure secure data doesn’t suddenly “walk away” during the night. Still others lament that they’re relying on software to monitor security—software that makes it laborious to find security breaches.

Now think about this further. You have IBM prospects telling an IBM distinguished engineer who knows all the ins and outs of the most advanced commercial server environment in the world—the IBM System z mainframe—that their systems design (usually a PC-centric design) can’t necessarily be trusted. Telling a distinguished engineer like Jim stories such as these is like waving a red flag at a bull; eventually, you’re going to get the bull to charge.

To help address client and prospect needs for more secure computing environments, Jim could have sought ways to improve existing thin client products based on Microsoft and Citrix thin client software on x86 architecture (many of his customers use this approach today). But he knew that an even better solution would be to design an environment where an IBM mainframe—with its Evaluation Assurance Level (EAL) Level 5 security ranking—could act as a centralized hub, providing virtual desktop services for various thin clients (including Wyse terminals, Sun, Apple iPhones and iPads, Google Android devices, etc.).

Jim knew instinctively that designing a secure, trusted System z environment for his clients would involve a lot of engineering work, placing new demands on IBM’s research and development organization. He wasn’t certain they would be able to respond quickly to the needs of his government clients in the timeframe necessary to compete for several large contracts. But Jim knew that, with the assistance of several third-party vendors, he could create a solution that could solve his prospective clients’ security problems while supporting many different client types. And so his Smart Terminal Architecture in a Secure Hosting Environment (STASH) was born.

Project STASH

With more than 20 years of experience at the IBM Poughkeepsie labs, Jim knew where he could find unused mainframe computing power for “special projects.” He needed to determine which third-party suppliers he would like to work with to build a trusted thin client mainframe environment; he needed to find a way to provide them with access to mainframe environments for developmental purposes. Further, he needed to line up a distributor that could help structure distribution agreements with these vendors, making it possible to sell a turnkey, packaged, trusted thin client computing solution.

The initial design goal was to build an environment that could provide for the secure, resilient and flexible management of a highly scalable thin client operation. Jim found trusted thin client software available from Raytheon’s Trusted Computer Solutions (RTCS) division; guest management software available from Computer Services Limited (CSL); and interesting user fraud software from a company called Intellinx. The user fraud detection software functions like a digital video recorder for user activity. It tracks who accessed what and is easier than pouring through security log information. Jim even found an x86 emulator environment being developed by Mantissa to run on an IBM System z—this product lets a mainframe run Windows-based applications natively!

The next step was to enlist these vendors to tweak their products for use on a mainframe. Jim needed to get the vendors to communicate with one another in the design process to ensure the products could work together in an integrated fashion. To facilitate this inter-vendor communications, Jim created his “STASH” consortium.

With his plan in place, Jim was ready to bring his STASH project to management’s attention. His manager in Washington immediately saw the immense value that Jim’s project could deliver and approved his integration work.

With developmental efforts under way, Jim turned his attention to sales and distribution. He made IBM marketing aware of what he was doing, but chose to use a trusted IBM distribution partner (Vicom Infinity) to help package and sell this trusted thin client mainframe solution. Vicom Infinity’s approach is to combine proven technology with innovative thinking. The results are powerful systems, based on IBM System zEnterprise servers that fully integrate with strategic business applications.

Impact for IBM and Customers

What Jim, a select group of compatriots at IBM, and the STASH project members are creating is a highly secure, trusted thin client mainframe environment. This kind of environment could be highly useful in secure government environments as well as in banking and finance, healthcare, retail, and most businesses that have thin client needs.

Especially noteworthy about the STASH design is that it capitalizes on IBM’s System z virtualization, security and reliability features, including global mirroring. The goal is to provide a desktop hosting environment on the recently introduced System z BladeCenter Extension (zBX) that leverages mainframe management capabilities and reduces the number of servers and cost to deploy trusted thin clients. Ultimately, through use of the z86VM product from Mantissa, a complete reduction in servers necessary to host PCs may be possible. Perhaps 50,000 desktops could be supported across four mainframes instead of 500 virtualized x86 servers. You’ll have to wait until the second half of 2012 to see if that becomes possible.

This design enables clients who use the CSL guest management software to do their normal business activities by day, then tap the unused mainframe computing power at night to perform other functions such as executing analytics queries. This could reduce an entire tier of servers that might otherwise have been deployed. That’s not possible with today’s x86-based virtualization solutions.

For IT buyers who use traditional x86-based thin client solutions, using the STASH mainframe approach greatly simplifies management and reduces costs, especially for labor. Centralized management with advanced management tools makes it possible:

By using RTCS Trusted Thin Client (TTC) software, along with standard “off the shelf” thin client hardware, users benefit from a secure operating environment that mitigates advanced persistent threats and inhibits data leakage. TTC also provides for network segmentation or separation. Users have access only to data on authorized networks and can’t cut and paste from one network to another. Traditionally, this required use of multiple desktop machines, but TTC eliminates that need. Users can access multiple networks, securely, from a single desktop device. TTC greatly reduces administration by not requiring administrators to patch and maintain embedded thin client device software such as Windows CE. There’s also a reduction in power use since thin clients use more than 70 percent less power than PCs.

For clients that must have a highly available environment, this STASH architectural design essentially makes it possible to provide fault-tolerant desktops (because a failed virtual desktop can automatically failover to another virtual desktop image) and the “traditional” mainframe resilience can provide global mirroring of desktop resources. Enterprises seeking a resilient desktop environment should be particularly interested in this feature.

Finally, this environment should burn far less electricity than a PC server environment because a mainframe can perform the work of hundreds of servers and desktops using only 20 percent or less the amount of energy.

There’s a hidden jewel, too. Project STASH can help bring IT organizations back together. Instead of compartmentalized organizations that manage PCs independently from x86 servers, UNIX servers and mainframes, use of the STASH approach fosters greater IT collaboration to reduce costs and risks, improve security and resilience, and protect investments for the future. Application developers who might have thought solely of deploying new workloads on x86 servers can now consider the best fit of all these architectures toward meeting their business objectives.


For those who have been in the computing industry for a few decades, this may sound similar to the initial mainframe/dumb 3270 tube design (aka master/slave or timesharing architecture), but what STASH is doing with its new smarter terminal design (what Jim calls his thin clients) is extending mainframe virtualization management, security, and governance to a variety of underlying virtual terminal types, including x86-based thin clients, Advanced RISC Machine (ARM)-based mobile devices such as the Android, iPads, iPhones, and more. When STASH comes to fruition during the first half of 2012, mainframe customers will be able to take advantage of all the strengths of a mainframe (security, virtualization, resilience) to build highly secure, trusted virtual desktop environments.