Trusted Virtual Domains: Secure Foundations for Business and IT Services

Trusted Virtual Domains (TVDs) represent a new model for achieving IT and business security. TVDs address critical heterogeneity and complexity issues in existing models, they provide quantifiable security and operational management for business and IT services, and they simplify overall containment and trust management in large distributed systems.

The key innovation in TVDs is a focus on overall security goals required within service domains—collections of complete systems that work together to provide a service—as opposed to point hardware and software solutions. This emphasis on satisfying service-oriented goals is a step toward enabling the flexible deployment of secure services in on demand environments.

Within a TVD, high-level security and operational policy statements are systematically mapped into the configuration of the individual hardware and software components that together perform a service. For example, a TVD for a payroll-processing service would transform business-level policy statements such as “Employees’ personal information in HR records must only be disclosed to authorized parties” into platform-specific directives for information flow and access control. These directives are then used to configure the protected execution environments that host the HR information service.

The TVD model represents a departure from the design of many conventional secure operational models. For example, TVDs are designed to provide an explicit and autonomously measurable quantification of whether the overall security goals are achieved, prior to (or during) the processing of a service. The application developer is relieved from the burden of implementing and verifying security-related functions for service processing, such as the creation of protected communication channels, as such functions are provided by the TVD infrastructure. Also, the specification of security goals in TVDs proceeds according to the requirements of the application or service to be run, instead of being individually specified on a per-user or per-system basis.

This white paper discusses the high-level design of TVDs from the point of view of our customers. The paper also describes two case studies for TVD deployment.

By: Anthony Bussani; John Linwood Griffin; Bernhard Jansen; Klaus Julisch; Guenter Karjoth; Hiroshi Maruyama; Megumi Nakamura; Ronald Perez; Matthias Schunter; Axel Tanner; Leendert Van Doorn; Els A. Van Herreweghen; Michael Waidner; Sachiko Yoshihama

Published in: RC23792 in 2005


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .