ISO/IEC 27070

Information technology — Security techniques — Criteria for establishing virtualized roots of trust [Draft]

Introduction

In trusted computing, a Hardware Security Module provides various cryptographic functions in a physically secure enclosure, however, this architecture is not well suited for cloud computing. System virtualization, mobility, and scalability in the cloud mean that systems cannot readily access and rely on fixed hardware like HSMs.

Scope and objectives

As part of the standard, information security controls will be specified that will enable and protect such a ‘virtualized root of trust.’

The content

There are two main sections in the draft standard: a functional view and an activity view.

The standard’s status

Currently, in Draft International Standard status, this standard is likely to be released by the end of this year.

Commentary

Typically, the term ‘trusted computing’ refers to secure systems intended for use by governments or militaries for processing highly confidential data.

Trusted computing environments are created in the cloud by leveraging dynamically created virtual machines, a concept called “virtualized roots of trust.” The implications for trust, risk and security are so vast that I am unable to imagine them.