Just reading up on a very good set of survey data about virtualization vulnerabilities.
More than forty per cent of IT directors and managers who have implemented server virtualization may have left their IT networks open to attack because they wrongly believe that security is built in.
No surprise that faulty assumptions and faulty implementations are the leading cause of vulnerabilities, is it?
In addition to good data, the article contains some solid recommendations from the survey source “Clavister”:
1. Re-define the security policy to include the virtualization aspect
2. Use virtual security gateways which run inside the virtual infrastructure
3. Protect the virtual administration center and only allow access to this from a separate network
4. Limit the number of administrators who have access to the virtualization administration tools to a minimum
5. Evaluate and test the security level on a regular basis. Replicating the production environment to a test environment is easy with virtualization, and this should be utilized.
I very much agree with this list, as it mirrors my own thinking (and I like my own ideas, of course). The key is to define what “acceptable and expected” means in your organization (for virtualization and everything else), then audit regularly so you can hold people accountable for doing what they should be doing to keep the business out of trouble.
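To make "acceptable and expected" something you can actually audit, recommendations 3 to 5 above have to be turned into concrete, checkable rules. The script below is an added example (not from the post, the survey, or Clavister): it encodes two such rules, a dedicated management network for the virtualization hosts and a cap on the number of accounts holding the admin role, and runs them against a constructed inventory that stands in for an export from your hypervisor's management tool. The management network range, the admin limit, and every host, address and account name are invented for the example.

```python
"""Policy-as-code audit of a virtualization management plane (added example)."""
import ipaddress
from dataclasses import dataclass

# Baseline ("acceptable and expected"). Both values are assumptions chosen for
# this example; your organization has to pick its own.
MGMT_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]  # dedicated management segment
MAX_ADMINS = 3  # "keep to a minimum" only becomes auditable once it is a number

# Constructed inventory, invented for this example. In practice this would be
# exported from the hypervisor management tool.
HOSTS = [
    {"name": "hv-01", "interfaces": [
        {"role": "mgmt", "ip": "10.99.0.11"},
        {"role": "vm", "ip": "10.10.1.11"},
    ]},
    {"name": "hv-02", "interfaces": [
        {"role": "mgmt", "ip": "10.10.1.12"},   # management reachable from the VM network
        {"role": "vm", "ip": "10.10.1.13"},
    ]},
    {"name": "hv-03", "interfaces": [
        {"role": "mgmt", "ip": "10.99.0.13"},
        {"role": "vm", "ip": "10.99.0.50"},     # guest traffic placed on the management segment
    ]},
]
ADMIN_ROLE_MEMBERS = ["alice", "bob", "carol", "dave"]  # invented accounts


@dataclass(frozen=True)
class Finding:
    host: str      # empty string for findings that are not tied to one host
    control: str   # short identifier of the violated rule
    detail: str


def in_mgmt_network(ip: str) -> bool:
    """True if the address falls inside one of the allowed management ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETWORKS)


def audit_management_plane(hosts, admins, max_admins=MAX_ADMINS):
    """Return a list of Findings; an empty list means the inventory meets the baseline."""
    findings = []
    for host in hosts:
        for iface in host["interfaces"]:
            on_mgmt = in_mgmt_network(iface["ip"])
            if iface["role"] == "mgmt" and not on_mgmt:
                # Management interface outside the management segment: the admin
                # center is reachable from wherever that address lives.
                findings.append(Finding(
                    host["name"], "mgmt-outside-mgmt-net",
                    f"management interface {iface['ip']} is not on a management network"))
            elif iface["role"] != "mgmt" and on_mgmt:
                # Non-management traffic on the management segment defeats the
                # separation just as effectively from the other direction.
                findings.append(Finding(
                    host["name"], "non-mgmt-on-mgmt-net",
                    f"{iface['role']} interface {iface['ip']} sits on the management network"))
    if len(admins) > max_admins:
        findings.append(Finding(
            "", "too-many-admins",
            f"{len(admins)} accounts hold the admin role, policy allows {max_admins}"))
    return findings


if __name__ == "__main__":
    for f in audit_management_plane(HOSTS, ADMIN_ROLE_MEMBERS):
        print(f"{f.host or '-'}: [{f.control}] {f.detail}")
```

Run on a schedule and diff the findings between runs; a new finding is the signal that someone drifted from the baseline, which is exactly the accountability the post is after. Recommendation 5 fits the same loop: replicate production into a test environment and run the audit there before changes reach the real management network.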