One fact strikes me pretty often: Companies have the problem that they have legacy software running on legacy operating systems (e.g. NT4) running on legacy hardware. This is a severe problem as you all know. Now, these companies look into virtualization so solve this problem. From all the three "legacy" up there, only the hardware problem can be addressed by the use of virtualization – definitely not the OS and the application piece (obvious). Now, there are still a lot of people thinking that if they embed the legacy machine in a state-of-the-art virtual environment that the machine itself might be more secure. This can be true – if you do not connect it to the network. Otherwise, the OS and the application are as vulnerable as before.
This is all clear and in the meantime known to a lot of people. Virtualization gives us a lot. I think, it is a great technology to address quite some challenges (especially the challenge of having servers that are mainly "idlein" in the computer room) – but it does not address the challenge above. On the contrary, it adds additional risks.
I just read a very good article on that on Information Week: Virtualization Has A Security Blind Spot. In there, they mention five laws published by Burton Group:
So, manage the risks and have fun with virtualization!
As far as the risks considered here is concerned, the LivePCs available by MokaFive can work to much extent and help in solving many of these issues. You may check the technology at their website:
Help me understanding this: This technology to me seems similar to VMVare or VirtualPC. At the end of the day, if the virtualization software has vulnerability, this might impact the guest as well