I’ve had discussions with a number of organizations that I think are living in a fantasy world when it comes to virtualization. Actually, that’s not entirely true – I think their fantasy world spans both the physical and virtual worlds (and possibly extends into the spiritual realm…)
What I mean is they are seeking “magic bullet” technology to overcome their unwillingness to address weaknesses in their IT controls, processes, policies, and practices. This recipe doesn’t work very well, but none of them is experiencing any ‘pain’ that will cause them to change things; there’s no compelling event since their industries are not subject to any regulatory scrutiny.
This applies to virtualization security, as well – people do the easiest thing they think they can get away with. The problem is that variance in practices creates variance in infrastructure, which increases risk and decreases stability.
One guy I spoke with said it was the vendor’s responsibility to sell him a secure virtualization platform. I agree, but that’s not a full solution – the vendor can’t protect you from yourself. (Volvo is an example I use – they can make the safest cars in the world, but that won’t stop a careless driver from crashing his car).
Selecting good technology is important, but make sure it is surrounded by solid policies, processes, and properly trained staff or you’re headed for a train wreck.
Don’t know where to start? One resource: go to the CSO web site and pick up Gene Kim’s Practical Steps To Mitigate Virtualization Security Risks – it’s based on the IT Process Institute’s “Security Visible Ops” book which is aligned with ITIL.