Applying Virtualization Security Immutable Law no. 2

Chris Hoff had some tough things to say in his post about the Five Immutable Laws of Virtualization Security:

"I think that over time I’ve come to the conclusion that to me, these
aren’t so much "immutable laws" but more so derivative abstractions of
common sense that left me wondering what all the fuss was about."

and

"I don’t think it clarifies any "confusion" regarding risk and virtualization and I’m puzzled that Burton suggests that these "laws" will enlighten anyone and dispel any confusion relating to whether or not deploying virtualization is more or less risky than not deploying virtualization."

On one hand, I am glad that he believes they are common sense, because I am getting equally vehement feedback that they are wrong (that is how you know the topic is a good one ;-) ). On the other hand, of course I believe these simple rules shed some light on a difficult subject. They certainly help me every time I am faced with an architecture I hadn’t considered, like creating virtual network security devices all on the same box.

The laws also help address the strange but common situation where the exact same virtualized environment may have increased risk or decreased risk to the enterprise depending on what the initial architecture was prior to implementation.

Sometimes it is difficult for an expert to recognize that some of the discourse around a topic can be ambiguous and misleading, so I will use this post (and future posts) to illustrate exactly how the laws apply in various situations.

Here is the example, from Chris’ recent post, On Patch Tuesdays for Virtualization Platforms… where he writes:

"I think this may come as a shock to some who have long held the belief that bare-metal, Type 1 virtualization platforms require little or no patching and that because of this, the "security" and availability of virtualized hosts was greater than that of their non-virtualized counterparts."

The average person researching virtualization security could easily read this as a comparison between VMware and Windows, as if they were two alternatives in a choice of host platform. But they are not (Chris, of course, knows this). This particular problem, by the way, comes up frequently. You wouldn’t say something like "WebSphere is more/less secure than Windows," would you? So why do it with hypervisors?

Applying Law number two, that the hypervisor’s risk is additive (it adds its own attack surface and patching burden on top of the guest operating systems it hosts, rather than replacing theirs), saves everyone the trouble of these false comparisons and clarifies the difference between the two.