Joe Herrick has written a very interesting article about security in a virtualized environment, “Virtualization security heats up”, in which he states that 43% of the readers of iTnews have completely disregarded the issue.
This article reviews current thoughts about virtualization security and puts virtualization security best practices into print: “Defense in depth and proper virtual machine layout and design, including not mixing VMs with different security postures and requirements on the same host system, are crucial.” (A more detailed list is included later in the article.)
This article also carries the meme that open source is more secure: “The million-dollar question here: Is it safer to rely on the open source community to vet and test Xen, or are VMware and other vendors of proprietary hypervisors the best path to secure hosts?”
An interesting bit of news that I somehow completely missed: “XenEnterprise has endured the pokes and prods of the open source community, earning a Common Criteria Level 5 rating.” Wow! Congratulations to them!
Buried in the middle of the article is how Trusted Computing can help secure this environment. It was nice to see the topic discussed without all of the usual political rhetoric and just the technical features analyzed for their enterprise applicability.
Very interesting and educational article. Thanks!
UPDATE: Unfortunately, I can’t find any independent verification that XenSource completed an evaluation at EAL5.