IT Management

“Skunkworks” is an industry term used in business, engineering, and technical fields to describe advanced, sometimes secret, projects conducted by individuals who operate under the radar—unconstrained by corporate bureaucracy and executive interference. These projects can be annoying (e.g., developers are working on building intelligent routers when the market has already standardized on three suppliers) or highly innovative, such as the mainframe/thin client project described herein.

Security Considerations

This mainframe/thin client project involves Jim Porell, an IBM distinguished engineer, who was formerly chief architect of IBM’s System z software and is now working in a sales capacity, spending most of his time in Washington, DC. There, he often speaks with high-level IT executives at government agencies who tell him, as might be expected, that they’re constantly concerned about security breaches. To deal with data leakage, some of the executives have installed thin client architectures: desktop environments that don’t allow data to be stored locally and don’t allow the use of removable media. Other executives have workers who use PCs, but they’ve mandated that PC hard disk drives be removed at the end of every day to ensure sensitive data doesn’t suddenly “walk away” during the night. Still others lament that they’re relying on software to monitor security—software that makes it laborious to find security breaches.

Now think about this further. You have IBM prospects telling an IBM distinguished engineer who knows all the ins and outs of the most advanced commercial server environment in the world—the IBM System z mainframe—that their systems design (usually a PC-centric design) can’t necessarily be trusted. Telling a distinguished engineer like Jim stories such as these is like waving a red flag at a bull; eventually, you’re going to get the bull to charge.

To help address client and prospect needs for more secure computing environments, Jim could have sought ways to improve existing thin client products based on Microsoft and Citrix thin client software on x86 architecture (many of his customers use this approach today). But he knew that an even better solution would be to design an environment where an IBM mainframe—with its Evaluation Assurance Level 5 (EAL5) security rating—could act as a centralized hub, providing virtual desktop services for various thin clients (including Wyse terminals, Sun, Apple iPhones and iPads, Google Android devices, etc.).

Jim knew instinctively that designing a secure, trusted System z environment for his clients would involve a lot of engineering work, placing new demands on IBM’s research and development organization. He wasn’t certain they would be able to respond quickly to the needs of his government clients in the timeframe necessary to compete for several large contracts. But Jim knew that, with the assistance of several third-party vendors, he could create a solution that could solve his prospective clients’ security problems while supporting many different client types. And so his Smart Terminal Architecture in a Secure Hosting Environment (STASH) was born.

Project STASH

With more than 20 years of experience at the IBM Poughkeepsie labs, Jim knew where he could find unused mainframe computing power for “special projects.” He needed to determine which third-party suppliers he would like to work with to build a trusted thin client mainframe environment; he needed to find a way to provide them with access to mainframe environments for developmental purposes. Further, he needed to line up a distributor that could help structure distribution agreements with these vendors, making it possible to sell a turnkey, packaged, trusted thin client computing solution.

The initial design goal was to build an environment that could provide for the secure, resilient, and flexible management of a highly scalable thin client operation. Jim found trusted thin client software available from Raytheon’s Trusted Computer Solutions (RTCS) division; guest management software available from Computer Services Limited (CSL); and interesting user fraud detection software from a company called Intellinx. The user fraud detection software functions like a digital video recorder for user activity: it records who accessed what, which is easier than poring through security log data. Jim even found an x86 emulator environment being developed by Mantissa to run on an IBM System z—this product lets a mainframe run Windows-based applications natively!

The next step was to enlist these vendors to tweak their products for use on a mainframe. Jim needed to get the vendors to communicate with one another during the design process to ensure the products could work together in an integrated fashion. To facilitate this inter-vendor communication, Jim created his “STASH” consortium.
