Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
A couple of weeks ago I used the abbreviation IaaS for "Identity as a Service". Some people (including my editor) wondered about the alternative IdaaS. I said I'd stick with IaaS, but a paper I just read leads me to change that. In this paper, "Towards Trusted Cloud Computing," IaaS is used to reference "Infrastructure as a Service".
I usually think of infrastructure as very much hardware oriented, but the paper refines the term: "In Infrastructure as a Service (IaaS) cloud services such as Amazon's EC2, the provider hosts virtual machines (VMs) on behalf of its customers, who can do arbitrary computations." So it is, indeed, "virtual hardware."
The authors go on to say, "In these systems, anyone with privileged access to the host can read or manipulate a customer's data. Consequently, customers cannot protect their VMs on their own." And that is a security, and by extension an identity, problem. Privileged account management has been discussed here on occasion (see, for example, "Why eliminate administrator rights?") and is a worry to enterprise identity managers. Now, evidently, they also need to worry about privileged accounts that are beyond their control.
The paper has an answer to this seemingly unsolvable problem: "We propose the design of a trusted cloud computing platform (TCCP). TCCP enables Infrastructure as a Service (IaaS) providers such as Amazon EC2 to provide a closed box execution environment that guarantees confidential execution of guest virtual machines. Moreover, it allows users to attest to the IaaS provider and determine whether or not the service is secure before they launch their virtual machines."
While the paper is short (five pages), it is dense with information and I couldn't hope to do more than gloss over its concepts, which involve two components: a trusted virtual machine monitor (TVMM) and a trusted coordinator (TC). I suggest that anyone even considering moving valuable data resources into the cloud should become familiar with these concepts.
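To make the idea of "attest before you launch" concrete, here is a small added model of the check, written for this column and not taken from the paper or from any TCCP implementation. It assumes a coordinator that keeps a list of known-good TVMM measurements and an attestation key per node (an HMAC shared secret stands in for the hardware-bound signing key a real design would use), and a customer who only launches a VM on a node whose freshly nonced quote the coordinator accepts. The node names, software strings and measurements are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed set of TVMM measurements the coordinator treats as trustworthy.
KNOWN_GOOD_TVMM = {hashlib.sha256(b"tvmm-build-1.2").hexdigest()}


@dataclass
class Quote:
    """A node's claim about the software it runs, bound to a challenge nonce."""
    node_id: str
    nonce: bytes
    measurement: str
    mac: bytes


def _quote_message(node_id: str, nonce: bytes, measurement: str) -> bytes:
    # Length-prefixed fields so no two (node, nonce, measurement) triples collide.
    parts = [node_id.encode(), nonce, measurement.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class Node:
    """A host in the provider's pool; measures its own monitor and signs quotes."""

    def __init__(self, node_id: str, attest_key: bytes, software: bytes):
        self.node_id = node_id
        self._key = attest_key  # stand-in for a hardware-bound attestation key
        self.measurement = hashlib.sha256(software).hexdigest()

    def quote(self, nonce: bytes) -> Quote:
        msg = _quote_message(self.node_id, nonce, self.measurement)
        mac = hmac.new(self._key, msg, "sha256").digest()
        return Quote(self.node_id, nonce, self.measurement, mac)


class TrustedCoordinator:
    """Knows which nodes exist, their keys, and which TVMM builds are acceptable."""

    def __init__(self, known_good: set[str]):
        self.known_good = set(known_good)
        self._keys: dict[str, bytes] = {}

    def register(self, node_id: str, attest_key: bytes) -> None:
        self._keys[node_id] = attest_key

    def verify(self, q: Quote, expected_nonce: bytes) -> bool:
        key = self._keys.get(q.node_id)
        if key is None:                                   # unknown node
            return False
        if not hmac.compare_digest(q.nonce, expected_nonce):  # stale or replayed quote
            return False
        msg = _quote_message(q.node_id, q.nonce, q.measurement)
        expected_mac = hmac.new(key, msg, "sha256").digest()
        if not hmac.compare_digest(expected_mac, q.mac):  # forged or tampered quote
            return False
        return q.measurement in self.known_good           # untrusted monitor build


def launch_vm(tc: TrustedCoordinator, node: Node) -> bool:
    """Customer side: challenge the node, let the coordinator judge, launch only on success."""
    nonce = os.urandom(16)
    return tc.verify(node.quote(nonce), nonce)


def replay_is_rejected(tc: TrustedCoordinator, node: Node) -> bool:
    """A quote captured for one challenge must not satisfy a later challenge."""
    old = node.quote(os.urandom(16))
    return not tc.verify(old, os.urandom(16))


if __name__ == "__main__":
    tc = TrustedCoordinator(KNOWN_GOOD_TVMM)
    key = os.urandom(32)
    good = Node("node-a", key, b"tvmm-build-1.2")
    modified = Node("node-b", os.urandom(32), b"tvmm-build-1.2-with-extra-hooks")
    tc.register("node-a", key)
    tc.register("node-b", os.urandom(32))  # coordinator holds a different key than node-b uses
    print("launch on node-a:", launch_vm(tc, good))
    print("launch on node-b:", launch_vm(tc, modified))
```

The point the model makes is that the customer never judges the host directly; it only trusts a launch that the coordinator has vouched for, and the coordinator refuses any node it has not enrolled, any quote whose measurement is not on its known-good list, and any quote that does not answer the current nonce.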
The cloud is fast approaching all of us. I know that when I'm in my yard and a cloud approaches I'm suddenly enveloped in the fog. Sometimes I think cloud computing should be re-labeled "fog computing", but if we stay on top of the challenges and the solutions then we can lift that fog.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.