I feel much better about virtualization security now that I've read this story. It turns out that virtualized environments are exactly the same as all other things IT from a security perspective.
Says Nand Mulchandani, security marketer for VMware:
"Data centers are very tightly locked down, and virtual environments are no less tightly locked down than physical ones," he said. "It's really about policies on the hosts and machines themselves; the dynamism of virtualization as a security risk has been overblown."
I suppose this is better than their previous message that virtual is more secure than real. Of course, I don't get why VMware's founder, Mendel Rosenblum, would suggest that "virtual is harder than real" from a security perspective.
This is a really tough area for me, because I love the benefits of virtualization. But when I hear or read something like "everything is okay," I can't help but want to scream. It is inappropriate to be a FUDmonger, but trying to have a rational discussion about risk seems to be out of the question. I know; I've tried this and been labeled an "alarmist". I guess the problem is that I am used to living with risk and am okay with accepting it under the right conditions; many other folks aren't.
The reality is that security simply needs to align with the risk, and following the five immutable laws is a first step in understanding virtualization security.
[By the way, perhaps the best single source for virtualization security documents is here: http://www.cs.uiuc.edu/homes/kingst/spring2007/cs598stk/reading_list.html.]