A virtual machine is a software implementation of a computer that executes programs in the same way as a physical machine, and is hosted (i.e. as a guest) by physical computing equipment that may be unseen by and unknown to the user or provider of the VM software. Cloud computing is a concept that provides for the delivery of computer services including computation resources, software, data access, and storage services without requiring end-user knowledge of the physical location and configuration of the computing machines that deliver the services. The services are provided to computers and other devices over a network such as the Internet. From the user's viewpoint, the services can be considered as being provided by one or more VMs.
The National Institute of Standards and Technology (NIST) defines certain characteristics of cloud computing, including:
    Elastic;
    On-demand;
    Broad network access (i.e. you should be able to access the cloud through any technology (cellular, fixed broadband, etc.));
    Resource pooling;
    Measured service (“the cloud” should be able to measure the consumption of resources, such as disk space, CPU/cycles, etc.—for making charging possible).
Note that, in accordance with these general definitions, cloud computing does not necessarily imply the use of virtual machines, or a virtualization platform. However, for the purposes of the current disclosure it should be assumed that references to a cloud or to cloud computing do imply a virtualized computing environment unless indicated otherwise.
For the purposes of this discussion, the term “user” is intended to refer to any entity (individual, company, organisation, etc.) that operates or uses equipment, such as a mobile telephone or other mobile device, or a PC, laptop or other computing device, that is enabled to access a 3G or 4G network (including machine-to-machine, M2M, devices). A “subscriber” is an entity that has entered an agreement with a mobile network operator (MNO) for the provision of services—more particularly (unless stated otherwise) a subscriber referred to below is an entity that has entered an agreement for services to be provided from a VM on the subscriber's behalf. The “owner” of a VM is the entity that provides the VM software, and which may or may not be the same as the subscriber.
Mobile telecommunications network operators at present do not have an established way to manage the provision of cloud computing resources to subscribers, and in particular how to make use of the 3G and 4G technologies and standards defined by the 3rd Generation Partnership Project (3GPP), such as the Evolved Packet System (EPS) networks, and those that relate to the Systems Architecture Evolution (SAE) and Long-Term Evolution (LTE). These are referred to hereafter as 3GPP networks.
3GPP subscriber credentials are stored on Universal Integrated Circuit Cards (UICCs, or Subscriber Identification Module, SIM, cards) and are used for identifying the subscriber whose card is in a 3GPP device and for establishing and securing communication between the device and the 3GPP network. The installed infrastructure for 3GPP subscriber management and the standardized technology used for it are key resources of the 3GPP operators. Increasingly, the operators are becoming bit-pipe providers for third party services, which does not provide a business model that has a high added-value potential. Instead, the operators would prefer to be involved in providing services. The installed identity management system is one thing that can be used for providing new services in the form of Identity and Access Management (IAM) and security for various services. Virtualized computing does require federated identity management for the virtual machines (VMs), and thus presents an opportunity for the network operators.
The key resources of the operators include the customer base (i.e. the potential subscribers) and the identity management for the customers, as well as the installed infrastructure. The business is based on standardized 3GPP mechanisms for charging, Quality of Service (QoS), security, roaming, interoperability, and Service Level Agreements (SLAs) etc. However, similar kinds of standards have not been established for cloud computing technologies. This makes it difficult for operators to integrate their key resources with cloud platforms in order to benefit from the cloud-computing paradigm and enter into new business fields. In summary, the problem is how to enable operators to benefit from their existing key resources with cloud computing. This can be broken down into three key areas:
    How to utilize operators' existing EPS (e.g. 3GPP/Long Term Evolution (LTE)) infrastructures in a virtualized computing environment;
    How to seamlessly integrate virtualized services running in a data-center with an EPS (e.g. 3GPP/LTE) infrastructure;
    How to bind virtual machines running in a cloud with an EPS (e.g. 3GPP/LTE) network in a secure way.
Some further background is presented below on the concept of the MCIM, as well as features of virtualized computing platforms.
MCIM is a recent concept studied by the 3GPP (see 3GPP TR 33.812, “Feasibility study on the security aspects of remote provisioning and change of subscription for Machine-to-Machine (M2M) equipment”, version 9.2.0, 2010-06-22). The solution, which is targeted at M2M communication scenarios, replaces the UICC card with a software based Universal Subscriber Identification Module (USIM) that can be downloaded into the device. The object is to provide a mechanism by which devices can download their network credentials from the device's selected home operator (SHO)—i.e. the operator with whom the owner of the device has established a Service Level Agreement (SLA). The current scope of MCIM is for use with sensor-like devices that the owner usually does not have physical access to and needs to manage remotely.
The commonly agreed operating procedure is currently:
    1 The owner of the device enters a SLA with a mobile network operator, to be referred to hereafter as the Selected Home Operator (SHO), and registers his/her device.
    2 The Discovery and Registration Function (DRF) handling the mobile device (i.e. providing preliminary credentials to the device) is informed of the Selected Home Operator (SHO) of the device and stores this mapping.
    3 The mobile device is powered on and scans for available mobile networks to try to connect to a 3GPP Visited Network Operator (VNO)/Initial Connectivity Function (ICF). The preliminary credentials stored in the Machine-to-Machine Equipment (M2ME) are used for connecting to the network and they point to the DRF of the current home network of the device.
    4 The DRF informs the M2ME about the SHO registered to it and redirects the device to the SHO/MCIM Download and Provisioning Function (DPF) operated by the SHO.
    5 Next, the mobile device connects to the SHO/DRF, and downloads the proper credentials that enable the device to start using the SHO subscription as per the service agreement between the owner of the device and the mobile network operator.
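The five-step procedure above, as an added, simplified model that is not part of this disclosure or of 3GPP TR 33.812: the DRF checks the preliminary credentials and redirects to the SHO, and the SHO's DPF issues operational credentials only to a device the owner actually registered (steps 1-2). An HMAC challenge-response stands in for the real 3GPP authentication, and all identifiers and keys are constructed.

```python
import hashlib
import hmac
import secrets

def mac(key, msg):  # keyed challenge response; stands in for the real 3GPP AKA exchange (assumption)
    return hmac.new(key, msg, hashlib.sha256).digest()

class DRF:
    """Discovery and Registration Function: preliminary credentials and the M2ME -> SHO mapping."""
    def __init__(self):
        self.prelim_keys = {}  # preliminary id -> preliminary key shipped with the device
        self.sho_of = {}       # preliminary id -> selected home operator (stored in step 2)
    def discover(self, prelim_id, challenge, response):
        """Steps 3-4: verify the preliminary credentials, then redirect to the SHO."""
        key = self.prelim_keys.get(prelim_id)
        if key is None or not hmac.compare_digest(mac(key, challenge), response):
            return None
        return self.sho_of.get(prelim_id)

class SHO:
    """Selected Home Operator, including its MCIM Download and Provisioning Function (DPF)."""
    def __init__(self, name):
        self.name = name
        self.registered = set()  # devices the owner registered under an SLA (step 1)
        self.subscriptions = {}  # operational subscription id -> key
    def dpf_download(self, prelim_id):
        """Step 5: issue operational credentials only to a device registered with this SHO."""
        if prelim_id not in self.registered:
            return None
        sub_id, key = "sub-" + secrets.token_hex(4), secrets.token_bytes(32)
        self.subscriptions[sub_id] = key
        return sub_id, key
    def authenticate(self, sub_id, challenge, response):  # later attach with the downloaded credentials
        key = self.subscriptions.get(sub_id)
        return key is not None and hmac.compare_digest(mac(key, challenge), response)

def register(drf, sho, prelim_id, prelim_key):
    """Steps 1-2: the owner enters an SLA with the SHO and the DRF stores the mapping."""
    sho.registered.add(prelim_id)
    drf.prelim_keys[prelim_id] = prelim_key
    drf.sho_of[prelim_id] = sho.name

def provision(drf, operators, prelim_id, prelim_key):
    """Steps 3-5 for one M2ME: (sho_name, sub_id, key), or None if any check fails."""
    challenge = secrets.token_bytes(16)  # nonce chosen by the DRF
    sho_name = drf.discover(prelim_id, challenge, mac(prelim_key, challenge))
    if sho_name not in operators:
        return None
    creds = operators[sho_name].dpf_download(prelim_id)
    return None if creds is None else (sho_name,) + creds
```

A device with wrong preliminary credentials, an unknown device, or one whose owner never registered it with that SHO gets no operational credentials.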
Note that the term MCIM as used hereafter is intended to refer to any software based solution for providing the subscriber identification information normally found on a UICC card, and should not be considered as necessarily limited to what is specified in 3GPP TR 33.812.
Virtualized Computing provides an abstraction of a potentially unlimited amount of networking, computing and storage resources for clients. The abstraction is achieved by virtualization of the infrastructure, platform and software in data centers. There are many solutions available for providing the virtualization platform for virtual machines, for example Xen, discussed further below. In these systems multiple virtual machines can be run on one physical machine. The abstraction of unlimited and dynamically allocated resources is called a cloud platform or just a cloud. The virtual machines are run in isolated run-time environments (in Xen terminology, domUs) while the control mechanism of the virtualization platform runs in a specific run-time environment, or management domain (called dom0).
At the infrastructure level, the virtualization is implemented by means of a Virtual Machine Manager (VMM), otherwise referred to as a hypervisor. A hypervisor employs hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. Xen is a well-known and widely used example of a hypervisor. Xen systems are arranged in a conceptual layered structure, as depicted schematically in FIG. 1, with the Xen hypervisor 100 as the lowest and most privileged layer residing on the hardware 102. In the layer above this are one or more guest operating systems 104, 106, 108, which the hypervisor 100 schedules across the physical CPUs of the computer machines in the data centre. The first guest operating system 104, called in Xen terminology “domain 0” (dom0), boots automatically when the hypervisor 100 boots and receives special management privileges as well as direct access to all physical hardware. Thus, dom0 can be considered as a virtual management domain. The system administrator can log in to dom0 in order to manage the other guest operating systems 106, 108, called “domain U” (domU) in Xen terminology. (See “What is Xen Hypervisor?” http://xen.org/files/Marketing/WhatisXen.pdf, as archived on web.archive.org on 22.07.2011). Any references to these Xen terms in the description below or accompanying drawings should not be considered as being limited only to a Xen system, and should be considered as equivalent to the general definition of these terms as explained above.
A virtual switch (vSwitch) 110 is implemented in software and integrated with the hypervisor 100. Open vSwitch (OVS—see http://openvswitch.org/ as archived on web.archive.org on 02.02.2011) is an example of a popular software switch that allows network configuration between virtual machines using OpenFlow (see http://www.openflow.org/ as archived on web.archive.org on 13.05.2011). In addition, the hypervisor implements one or more virtual Network Interface Cards (vNICs) 112, 114 with each guest operating system (domU) 106, 108.
A cloud operating system (Cloud OS) manages the hypervisors, domain guests (VMs), virtual switches and other resources in the data-centres and is responsible for the orchestration of the resources in a data-centre. Typically, a Cloud OS consists of multiple server instances that manage the resources (network, storage, computing). The management domain (dom0) is a part of the Cloud OS that manages the resources on one hypervisor. OpenStack is one well-known Cloud OS (see http://www.openstack.org/ as archived on web.archive.org on 23.07.2011).
Note also that the term MNO indicates the network operator of the network to which the device is connected. This may be the SHO, or it might be another network operated by a Visited Network Operator (VNO) which then communicates with the SHO.