Trusted Virtual Domains - overview
Trusted Virtual Domains (TVDs) represent a new model for achieving IT and business security. TVDs are designed to satisfy business-level goals by simplifying management and providing explicit infrastructure-level containment and trust guarantees:
- Containment. TVDs use virtualization and overlay technologies to form a protection layer around each of the computing entities used to perform a service, regardless of the physical machine or network topology configuration of those entities. The resulting workload execution environments are contained in several desirable ways: Their internal execution is isolated from any unintentional or malicious side-effects of external applications. External applications are protected from damage due to a misbehaving internal application. Moreover, communications among internal components are automatically protected from interception or interference by an external entity.
- Trust. Trust is the quality leading to the belief that a remote system will behave as expected. An inherent property in TVDs is the codification of trust among computing entities that potentially are composed of heterogeneous hardware and software components, are geographically and physically widely separated, and are not centrally administered or controlled. By leveraging artifacts of the traditional security infrastructure (such as digital signatures, certificates, and assurance statements) and building upon emerging trusted computing technologies, TVDs convey trust evaluations and guarantees for each entity within the domain.
- Simplification. In a TVD, security policy statements are initially specified at an abstract level on the basis of the service to be performed. These statements are methodically decomposed, and uniformly enforced and verified across the layers of decentralized hardware and software resources in the TVD. Measurable properties are drawn together and analyzed as part of an explicit global security measurement. The result is a security perspective of business and IT services that is coherent, manageable, and greatly simplified for the user and administrator, and that addresses the scalability and composability requirements of the on demand operating environment.
The TVD model is designed to be independently and concurrently implementable using a variety of underlying technologies and mechanisms. Under different configurations the functionality of the TVD remains constant (it continues to support a unified secure operational policy across all members), while the levels of containment and trust offered by the TVD change. For example, using hypervisor-based isolation coupled with TCG-based verification provides strong levels of containment and trust. Using Java-based isolation is weaker, but its use allows rapid TVD deployment on current IT infrastructure and provides a migration path to stronger mechanisms.
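The following is an added toy model, not code from IBM Research or any TVD implementation, that illustrates the three properties above in a few dozen lines: an abstract policy ("only attested members of the domain may talk to each other") decomposed into a platform-layer trust check (an attestation quote over the member's software measurement, verified against an approved list), a network-layer containment check (traffic allowed only between admitted members), and an explicit global measurement aggregated over the whole domain. The isolation strength values, the HMAC "quote" standing in for a TCG-style attestation, and all member names and measurements are constructed assumptions for the example; a real deployment would use TPM-backed quotes and a verifier key rather than a shared secret.

```python
"""Toy model of Trusted Virtual Domain admission, containment and global measurement.

Added example, not IBM's code. The attestation 'quote' is an HMAC over the member's
measurement with a constructed domain key; it stands in for TCG/TPM attestation.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed secret standing in for the domain's attestation verifier key (hypothetical).
DOMAIN_KEY = b"constructed-domain-verifier-key"

# Isolation mechanisms named on the page and a constructed ordinal strength for each;
# the page only states that hypervisor+TCG is stronger than Java-based isolation.
ISOLATION_STRENGTH = {"hypervisor+tcg": 3, "java": 1}


def measure(stack_description: bytes) -> str:
    """Constructed software measurement: a hash of the member's stack description."""
    return hashlib.sha256(stack_description).hexdigest()


def attest(name: str, measurement: str) -> bytes:
    """Platform side: produce a quote binding a member name to its measurement."""
    return hmac.new(DOMAIN_KEY, f"{name}:{measurement}".encode(), hashlib.sha256).digest()


@dataclass
class Member:
    name: str
    isolation: str      # key of ISOLATION_STRENGTH
    measurement: str    # hex digest from measure()
    quote: bytes        # output of attest() from the member's platform


@dataclass
class TVD:
    name: str
    approved_measurements: set
    members: dict = field(default_factory=dict)

    def admit(self, m: Member) -> bool:
        """Trust check, decomposed from the abstract policy to the platform layer."""
        # The quote must verify, the measured stack must be approved, and the
        # isolation mechanism must be one the domain knows how to reason about.
        if not hmac.compare_digest(attest(m.name, m.measurement), m.quote):
            return False
        if m.measurement not in self.approved_measurements:
            return False
        if m.isolation not in ISOLATION_STRENGTH:
            return False
        self.members[m.name] = m
        return True

    def may_communicate(self, a: str, b: str) -> bool:
        """Containment check at the network layer: both ends must be admitted members."""
        return a in self.members and b in self.members

    def global_measurement(self) -> str:
        """Explicit global measurement: one digest over every member's measurement.

        Members are sorted by name so the result is independent of admission order.
        """
        h = hashlib.sha256()
        for name in sorted(self.members):
            h.update(f"{name}:{self.members[name].measurement}\n".encode())
        return h.hexdigest()

    def trust_level(self) -> int:
        """The domain is only as strong as its weakest member's isolation mechanism."""
        if not self.members:
            return 0
        return min(ISOLATION_STRENGTH[m.isolation] for m in self.members.values())


# Constructed sample data for a stand-alone run.
APPROVED = measure(b"approved-app-stack-v1")
UNKNOWN = measure(b"unapproved-app-stack")


def demo() -> dict:
    """Build a small domain and return the outcome of each check."""
    tvd = TVD("payroll", {APPROVED})
    web = Member("web1", "hypervisor+tcg", APPROVED, attest("web1", APPROVED))
    app = Member("app1", "java", APPROVED, attest("app1", APPROVED))
    rogue = Member("web2", "java", UNKNOWN, attest("web2", UNKNOWN))      # unapproved stack
    forged = Member("web3", "hypervisor+tcg", APPROVED, b"\x00" * 32)      # bad quote
    return {
        "web_admitted": tvd.admit(web),
        "app_admitted": tvd.admit(app),
        "rogue_admitted": tvd.admit(rogue),
        "forged_admitted": tvd.admit(forged),
        "web_app_ok": tvd.may_communicate("web1", "app1"),
        "web_outsider_ok": tvd.may_communicate("web1", "web2"),
        "trust_level": tvd.trust_level(),
        "global_measurement": tvd.global_measurement(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block admits the two members with approved measurements and valid quotes, rejects the unapproved stack and the forged quote, permits traffic only between admitted members, and reports a trust level of 1 because the Java-isolated member is the weakest link, which is the page's point that the domain's functionality stays fixed while its containment and trust levels follow the mechanisms in use.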
Several papers are available that describe our ongoing work toward TVDs:
- Trusted Virtual Domains: Secure Foundations For Business and IT Services (Published as Research Report RC23792, November 9, 2005).
- Trusted Virtual Domains: Toward Secure Distributed Services. (Presented at the First Workshop on Hot Topics in System Dependability, June 30, 2005).
Other projects at IBM Research that are related to TVDs or tie in with TVDs include:
This project is a joint collaboration between the T. J. Watson Research Center, the Tokyo Research Lab, and the Zurich Research Lab.