This eWeek article is another instance where hypervisor security is being compared to operating system security:
“This new server technology also brings a dramatically reduced footprint, down to 32MB, a fraction of the size of a general-purpose operating system, which results in a smaller attack surface while minimizing the effort required for tasks such as security hardening, user access control, anti-virus and backup.”
Once again, I’ll note that the hypervisor attack surface is ADDITIVE to the risk profile of the server. I see no reason to compare attack surfaces between products unless one is a replacement for the other; otherwise, this is like saying that Google has a smaller attack surface than Vista and implying this means everyone should use Google as their operating system. What they should be doing is comparing their attack surface to Hyper-V’s attack surface, not the operating system (this seems pretty obvious to me – I wonder why they don’t do this).
The thing that worries me is that VMware knows this. They have very sharp security folks there. I suppose that eWeek blurb could be a misattribution (or, I may just be misreading it)… I would hate to see that they were succumbing to market pressures…
I suppose there could be something I’m missing in this comparison. I think I’ll ask them.
That’s a really ambiguous quote. The way I read it, they’re saying “smaller attack surface” versus previous VMware hypervisors.
@Tyler -
I have heard them make statements like “it has a smaller attack surface” without qualifying the “smaller than what?” question, and when I asked them about it, they responded exactly as you describe it.
In this case, however, I think that the phrase “fraction of the size of a general-purpose operating system” is pretty specific about what it is being compared to.