A virtual machine (VM) is a software implementation of a computer that executes programs in the same way as a physical machine, and is hosted (i.e. as a guest) by physical computing equipment that may be unseen by and unknown to the user or provider of the programs running in the VM. Cloud computing is a concept that provides for the delivery of computer services including computation resources, software, data access, and storage services without requiring end-user knowledge of the physical location and configuration of the computing machines that deliver the services. The services are provided to computers and other devices over a network such as the Internet. From the user's viewpoint, the services can be considered as being provided by one or more virtual machines (VMs).
Cloud Computing provides an abstraction of a potentially unlimited amount of networking, computing and storage resources for clients. The abstraction may be achieved by virtualization of the infrastructure, platform and software in data centers. There are many solutions available for providing the virtualization platform for virtual machines, for example Xen. In these systems multiple virtual machines can be run on one physical machine. The abstraction of unlimited and dynamically allocated resources may be referred to as a cloud platform or just a cloud. The virtual machines are run in isolated run-time environments, or domains (in Xen terminology, domUs) while the control mechanism of the virtualization platform runs in a specific run-time environment, or management domain (in Xen terminology, dom0). Note that, in general, cloud computing does not necessarily imply the use of virtual machines, or a virtualization platform. However, for the purposes of the current disclosure it should be assumed that references to a cloud or to cloud computing do imply a virtualized computing environment unless indicated otherwise.
For the purposes of this discussion, the term “user” is intended to refer to any entity (individual, company, organisation, etc.) that operates or uses equipment, such as a mobile telephone or other mobile device, or a PC, laptop or other computing device, that is enabled to access a 3G or 4G network (including machine-to-machine, M2M, devices). A “subscriber” is an entity that has entered an agreement with a mobile network operator (MNO) for the provision of services; more particularly (unless stated otherwise), a subscriber, or M2M subscriber, referred to below is an entity that has entered an agreement for the provision of services provided from a VM. The “owner” of a VM is the entity that provides the VM software, and which may or may not be the same as the subscriber.
At the infrastructure level, the virtualization is implemented by means of a Virtual Machine Manager (VMM), otherwise referred to as a hypervisor. A hypervisor employs hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer.
Mobile telecommunications network operators (MNOs) at present do not have an established way to manage the provisioning of cloud computing resources to subscribers, nor an established way to make use, for that purpose, of the 3G and 4G technologies and standards defined by the 3rd Generation Partnership Project (3GPP), such as the Evolved Packet System (EPS) networks and those that relate to the Systems Architecture Evolution (SAE) and Long-Term Evolution (LTE). These are referred to hereafter as 3GPP networks.
3GPP subscriber credentials are stored on Universal Integrated Circuit Cards (UICCs, or Subscriber Identification Module, SIM, cards) and are used for identifying the subscriber whose card is in a 3GPP device and for establishing and securing communication between the device and the 3GPP network. The installed infrastructure for 3GPP subscriber management and the standardized technology used for it are key resources of the 3GPP operators. Increasingly, the operators are becoming bit-pipe providers for third party services, which does not provide a business model with a high added-value potential. Instead, the operators would prefer to be involved in providing services. The installed identity management system is one thing that can be used for providing new services in the form of Identity and Access Management (IAM) and security for various services. Cloud computing does require federated identity management for the virtual machines (VMs) and thus presents an opportunity for the network operators.
The key resources of the operators are the customer base (i.e. the potential subscribers) and the identity management for the subscribers, as well as the installed infrastructure. The business is based on standardized 3GPP mechanisms for charging, Quality of Service (QoS), security, roaming, interoperability, and Service Level Agreements (SLAs) etc. However, similar kinds of standards have not been established for cloud computing technologies. This makes it difficult for operators to integrate their key resources with cloud platforms in order to benefit from the cloud-computing paradigm and enter into new business fields. In summary, the problem is how to enable operators to benefit from their existing key resources with cloud computing. This can be broken down into three key areas:
1. How to utilize operators' existing EPS (e.g. 3GPP/Long Term Evolution (LTE)) infrastructures in a cloud computing environment;
2. How to seamlessly integrate virtualized services running in a data-center with an EPS (e.g. 3GPP/LTE) infrastructure;
3. How to bind virtual machines running in a cloud with an EPS (e.g. 3GPP/LTE) network in a secure way.
It is currently proposed to make use of the 3GPP Machine Communication Identity Module (MCIM) concept for managing VMs (providing identities, security etc.). MCIM is a recent concept studied by the 3GPP (see 3GPP TR 33.812, version 9.2.0, 22.06.2010, “Feasibility study on the security aspects of remote provisioning and change of subscription for Machine-to-Machine (M2M) equipment”). The concept, which is targeted at M2M communication scenarios, replaces the UICC card with a software based Universal Subscriber Identification Module (USIM) that can be downloaded into the device. The object is to provide a mechanism by which devices can download their network credentials from the device's selected home operator (SHO), i.e. the operator with whom the owner of the device has established a service agreement. The current scope of MCIM is for use with sensor-like devices that the owner usually does not have physical access to and needs to manage remotely.
The commonly agreed operating procedure is currently:
1. The owner of the device enters a service agreement with a mobile network operator (MNO), to be referred to hereafter as the Selected Home Operator (SHO), and registers his/her device.
2. The Discovery and Registration Function (DRF) handling the mobile device (i.e. providing preliminary credentials to the device) is informed of the SHO of the device and stores this mapping.
3. The mobile device is powered on and scans for available mobile networks to try to connect to a 3GPP Network Initial Connectivity Function (ICF). The preliminary credentials stored in the Machine to Machine Equipment (M2ME) are used for connecting to the network and they point to the DRF of the current home network (operated by the SHO) of the device.
4. The DRF informs the M2ME about the SHO registered to it and redirects the device to the SHO/MCIM Download and Provisioning Function (DPF) operated by the SHO.
5. Next, the mobile device connects to the SHO/DRF, and downloads the proper credentials that enable the device to start using the SHO subscription as per the service agreement between the owner of the device and the mobile network operator.
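The five steps above can be followed more easily as an exchange between the three parties (device, DRF, SHO/DPF). The Python model below is an added example, not code from the disclosure or from 3GPP TR 33.812; every class, function, identifier and credential format in it is a constructed assumption. In particular it folds the ICF into the DRF, assumes the DRF authenticates the preliminary credentials with an HMAC challenge, and assumes the DRF hands the SHO a one-time redirect token so that the DPF can tell a redirected device from an arbitrary caller. The model shows why steps 1 and 2 both matter: a device that is unknown to the DRF, or known to the DRF but never registered with the SHO, is refused operational credentials, and a redirect token cannot be reused.

```python
"""Toy model of the MCIM bootstrap procedure (steps 1-5).

Constructed example: all identifiers, keys, token formats and function
names are hypothetical and are not taken from 3GPP TR 33.812.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    """M2ME holding factory-installed preliminary credentials (constructed)."""
    device_id: str
    prelim_key: bytes          # shared only with the DRF that issued it
    home_drf: str              # the preliminary credentials point at this DRF
    mcim: Optional[dict] = None  # operational credentials, filled in step 5

    def answer_challenge(self, nonce: bytes) -> bytes:
        # Hypothetical authentication of the preliminary credentials:
        # HMAC over the DRF's nonce with the preliminary key.
        return hmac.new(self.prelim_key, nonce, hashlib.sha256).digest()


@dataclass
class Sho:
    """Selected Home Operator: holds service agreements and runs the DPF."""
    name: str
    registered: set = field(default_factory=set)        # device ids under agreement
    redirect_tokens: dict = field(default_factory=dict)  # token -> device_id (one use)

    def register_device(self, device_id: str) -> None:   # step 1
        self.registered.add(device_id)

    def dpf_download(self, device_id: str, token: str) -> dict:   # step 5
        # The token is consumed on first use, so a replayed redirect fails.
        if self.redirect_tokens.pop(token, None) != device_id:
            raise PermissionError("unknown or replayed redirect token")
        if device_id not in self.registered:
            raise PermissionError("no service agreement for this device")
        # Constructed credential format; a real MCIM carries USIM material.
        return {"sho": self.name,
                "subscriber_id": f"{self.name}-{device_id}",
                "key": secrets.token_hex(16)}


@dataclass
class Drf:
    """Discovery and Registration Function (ICF role folded in here)."""
    name: str
    prelim_keys: dict = field(default_factory=dict)  # device_id -> preliminary key
    sho_of: dict = field(default_factory=dict)       # device_id -> Sho (step 2 mapping)

    def record_sho(self, device_id: str, sho: Sho) -> None:   # step 2
        self.sho_of[device_id] = sho

    def handle_initial_connect(self, device: Device) -> tuple:   # steps 3-4
        key = self.prelim_keys.get(device.device_id)
        if key is None:
            raise PermissionError("preliminary credentials rejected")
        nonce = secrets.token_bytes(16)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, device.answer_challenge(nonce)):
            raise PermissionError("preliminary credentials rejected")
        sho = self.sho_of.get(device.device_id)
        if sho is None:
            raise LookupError("device has no SHO registered at this DRF")
        token = secrets.token_urlsafe(16)
        sho.redirect_tokens[token] = device.device_id  # assumed DRF -> DPF notification
        return sho, token


def bootstrap(device: Device, drfs: dict) -> dict:
    """Steps 3-5 as run by a freshly powered-on device."""
    drf = drfs[device.home_drf]                              # step 3
    sho, token = drf.handle_initial_connect(device)          # step 4: redirect to SHO/DPF
    device.mcim = sho.dpf_download(device.device_id, token)  # step 5
    return device.mcim


def demo() -> dict:
    """Run one well-provisioned device and two that skipped a step."""
    sho_a, drf = Sho("SHO-A"), Drf("DRF-1")
    drfs = {"DRF-1": drf}
    outcomes = {}
    # Constructed preliminary keys, one per device.
    for dev_id in ("m2me-001", "m2me-002", "m2me-003"):
        drf.prelim_keys[dev_id] = hashlib.sha256(dev_id.encode()).digest()

    good = Device("m2me-001", drf.prelim_keys["m2me-001"], "DRF-1")
    sho_a.register_device("m2me-001")           # step 1 done
    drf.record_sho("m2me-001", sho_a)           # step 2 done
    outcomes["good"] = bootstrap(good, drfs)["sho"]

    no_mapping = Device("m2me-002", drf.prelim_keys["m2me-002"], "DRF-1")
    sho_a.register_device("m2me-002")           # step 1 done, step 2 skipped
    try:
        bootstrap(no_mapping, drfs)
    except LookupError as exc:
        outcomes["no_mapping"] = str(exc)

    no_agreement = Device("m2me-003", drf.prelim_keys["m2me-003"], "DRF-1")
    drf.record_sho("m2me-003", sho_a)           # step 2 done, step 1 skipped
    try:
        bootstrap(no_agreement, drfs)
    except PermissionError as exc:
        outcomes["no_agreement"] = str(exc)
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the device that completed both steps 1 and 2 ends up with operational credentials; the two other cases fail at the DRF and at the DPF respectively, which is where a real deployment would log a provisioning failure.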
For the purposes of the present discussion, the term “MCIM” should be understood as referring to any downloadable Subscriber Identity Modules (SIMs), not only to sensor-like devices or other M2M devices as known today, and not limited to the MCIM that is specified in 3GPP TR 33.812 referenced above. The present disclosure is concerned with how the MCIM credentials of a client who is a subscriber to the 3GPP network can be provided to enable services to be provided from a VM on behalf of the subscriber/client. This provisioning of the MCIMs to the VMs focuses on the bootstrapping of the VMs together with the associated MCIM(s). For the purposes of the present disclosure, the subscriber is an entity (individual, group, company or other organization) that has entered into an agreement with the SHO for the provision of computer-based applications or services on the subscriber's behalf. These applications/services are provided over the SHO's 3GPP network from one or more VMs in a virtualized computing environment. For example, the subscriber might be a company that is selling a computer-based service to its customers over the internet; as another example, the subscriber might be an organization whose members or employees are the operators of a computer-based data/processing system that makes use of applications or services that are to be provided by the SHO from one or more VMs operating in a virtualized computing environment; as another example, the subscriber could be a private individual using a computer-based service for private use.
Note also that the term MNO indicates the network operator of the network to which the device is connected. This may be the SHO, or it might be another network operated by a Visited Network Operator (VNO) which then communicates with the SHO. For the purposes of this discussion it does not matter which is the case, as the important functions involve the SHO.