ISO/IEC 27070:2021 — Information technology — Security techniques — Requirements for establishing virtualized roots of trust (first edition)
Abstract
“This document specifies requirements for establishing virtualized roots of trust.” [!!] [Source: ISO/IEC 27070:2021]
Introduction
The integrity, and hence the value, of some security functions and subsystems (particularly those relating to cryptography) relies on their being built on trustworthy foundations known as the Root of Trust (RoT). Special RoT security arrangements are necessary to negate threats involving low-level exploitation of data-processing chips, devices or systems, which would in turn compromise the higher-level firmware, device drivers, operating system and application software that build upon the RoT.
Whereas trusted computing generally involves some form of Hardware Security Module (e.g. an ISO/IEC 11889 Trusted Platform Module) providing various cryptographic functions and key storage in a physically secure tamper-resistant enclosure, that architecture is not well suited to cloud computing. In the cloud, systems are virtualised, hence they cannot readily access and rely directly upon hardware-based RoT in the conventional manner.
Scope and purpose
The standard specifies functional requirements and information security controls supporting the provision of trustworthy foundations for cloud computing environments, where Virtual Machines are dynamically created to provide cloud services.
Contents
The standard has two main sections:
- The ‘functional view’ describes the architecture in functional/modular terms.
- The ‘activity view’ describes how the functional modules deliver the desired level of trusted computing.
Status
The first edition was published in 2021.
Personal comments
The trust, risk and security implications of this are, frankly, above my pay grade. As my withered little old brain understands it, the standard aims to establish a rock-solid foundation on which to build the house of cards delivering cloud computing services. Regardless of all the information risks and security controls at higher levels (of which there are many), providing a sound, trustworthy platform makes RoT a fundamental security requirement. Otherwise, we’re erecting skyscrapers in the marshlands.