Virtualization security – no shared memory?

Caught this snippet in an article over at GCN:
In addition, security is enhanced because no memory is shared between
virtual servers, and there is no sharing of virtualized devices.

This statement seems reasonable enough on its surface, but it is a much more complex claim than you might imagine. First, for security to be "enhanced" in this situation, the existing scenario (the one you are moving from) must *have* servers with shared memory. I know of no instances where multiple physical servers would ever share memory, so this immediately limits the potential benefit to multi-function servers whose workloads you split out into separate virtual servers.

Second, the idea of "no shared memory" does not quite ring true with me, though I understand the point. At the hardware level every guest's memory comes out of the same physical RAM, carved up by the hypervisor. So the point is that the guests' address spaces are kept separate, but the hypervisor that enforces that separation is itself shared by every guest, and that is why the biggest security issue revolves around hypervisor security and the "VM escape". Keep in mind as well that some hypervisors deliberately share identical memory pages between guests to save RAM (memory deduplication), so "no shared memory" is a configuration choice rather than a guarantee.
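As a concrete check of the "no shared memory" claim, here is an added example (not from the original post or the GCN article) for a Linux/KVM host. Linux's kernel same-page merging (KSM) deduplicates identical pages across guests, which is one case where memory really is shared between virtual servers. The script assumes the standard sysfs layout under /sys/kernel/mm/ksm (run, pages_shared, pages_sharing); the directory argument exists only so it can be pointed at a test copy.

```shell
#!/bin/sh
# Added example, not code from the original post or the GCN article.
# Reports whether KSM (cross-guest page deduplication) is active on a KVM host.
# Assumption: the standard sysfs knobs /sys/kernel/mm/ksm/{run,pages_shared,pages_sharing}.
#   run            0 = ksmd stopped, 1 = running, 2 = stopped and all pages unmerged
#   pages_shared   number of distinct shared pages held by KSM
#   pages_sharing  number of guest pages currently backed by those shared pages
# Exit status: 0 = KSM disabled, 1 = KSM enabled (memory IS shared between guests),
#              2 = KSM not available on this kernel.

ksm_status() {
    ksm_dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -r "$ksm_dir/run" ]; then
        echo "ksm: not available (no $ksm_dir/run)"
        return 2
    fi
    run=$(cat "$ksm_dir/run")
    shared=$(cat "$ksm_dir/pages_shared" 2>/dev/null || echo 0)
    sharing=$(cat "$ksm_dir/pages_sharing" 2>/dev/null || echo 0)
    if [ "$run" = "1" ]; then
        echo "ksm: ENABLED, $shared shared pages backing $sharing guest pages"
        return 1
    fi
    # run=0 leaves already-merged pages merged; only run=2 unmerges them.
    echo "ksm: disabled (run=$run), $sharing pages still merged"
    return 0
}

# Stop ksmd and unmerge every shared page. Needs root; writing 2 to "run" is
# the documented way to both stop merging and undo existing merges.
ksm_disable() {
    ksm_dir="${1:-/sys/kernel/mm/ksm}"
    echo 2 > "$ksm_dir/run"
}

# Usage on a real host:  ksm_status            (inspect)
#                        ksm_disable           (as root, to enforce no sharing)
```

Note that setting run=0 only stops future merging; pages that were already merged stay shared until run=2 is written, so a check that looks only at the run flag can report "disabled" while guests still share physical pages.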

Net result: security is enhanced when you take resources that already lived on the same server and separate them into their own virtual servers. Security may not be enhanced if you are aggregating the resources of multiple physical servers onto a single box, because workloads that used to be separated by physical hardware now share a hypervisor. This latter case (server consolidation) is much more popular these days.