There are good reasons for moving to virtualization, but security isn’t one of them. Virtual machines are no more or less secure than physical machines. Claims to the contrary are pure fantasy, or what most Internetnicks call “FUD” (Fear, Uncertainty and Doubt). A good example of this misconception is an article I read a few days ago that described how to steal a virtual machine and its data.
Virtual systems have the same three major security concerns as physical systems: Users, Services and Files.
Users
Having user accounts on a computer system poses a security risk. Users who use weak or predictable passwords, write down their passwords, “loan” their passwords or have malicious intent pose the greatest threat to systems. Once an attacker compromises a user account, the effort required to crack the administrative account and gain access to the whole system has decreased significantly. In system administrative parlance, users are “a necessary evil”.
Services
System administrators will also tell you that services provide an excellent path into a system for wanton attackers. Attackers begin by scanning your systems for listening ports (services) that may be unguarded, unpatched or wholly ignored by administrators. When an attacker locates one such service, he goes to work on making that service fail in a way that opens a path to a user account—hopefully one with elevated privileges—or at the least one with a usable shell.
Virtual machines have listening ports for their services just as physical ones do. There is absolutely no difference in the quality, security or stability of one over the other. In the virtual world, as well as the physical, administrators must prune the number of services running on a host to the minimum number possible. Turning off superfluous services decreases the exploitable footprint of the system.
Files
Every collection of bits on a *nix filesystem is a file. Directories are files. Executables are files. Scripts are files. Everything is a file. Virtual machines have filesystems as do physical ones. So, how can a simple file pose a security threat to a system? Permissions. Incorrectly set permissions can allow exploitation of vulnerabilities in programs that aren’t designed well or those that haven’t received security updates. On *nix systems, certain programs let you run them with temporarily elevated privileges.
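The permission problem described above can be checked for mechanically, and the check is the same on a virtual machine as on a physical one. The following is an added example, not code from the original article: it walks a directory tree and flags setuid and setgid files (the usual *nix mechanism for temporarily elevated privileges), world-writable files, and world-writable directories lacking the sticky bit. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def classify_mode(mode):
    """Return the risky-permission labels that apply to an lstat() mode."""
    findings = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append("setuid")            # runs as the file's owner
        if mode & stat.S_ISGID:
            findings.append("setgid")            # runs with the file's group
        if mode & stat.S_IWOTH:
            findings.append("world-writable file")
    elif stat.S_ISDIR(mode):
        # A world-writable directory is only acceptable with the sticky bit (like /tmp).
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable dir without sticky bit")
    return findings

def audit_tree(root):
    """Walk root without following symlinks; return {path: [labels]}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode    # lstat: judge the link, not its target
            except OSError:
                continue                         # vanished or unreadable entry
            labels = classify_mode(mode)
            if labels:
                report[path] = labels
    return report

def build_sample_tree():
    """Constructed sample tree for the demonstration (not real system paths)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for name, mode in {"helper": 0o4755, "notes.txt": 0o666, "ok.sh": 0o755}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    drop = os.path.join(root, "dropbox")
    os.mkdir(drop)
    os.chmod(drop, 0o777)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, labels in sorted(audit_tree(root).items()):
        print(f"{os.path.relpath(path, root)}: {', '.join(labels)}")
```

Pointing `audit_tree` at a real filesystem root and comparing the result against a reviewed baseline turns any newly appearing setuid file into a finding worth investigating.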
System security and backups are the two highest priorities for system administrators. Good administrators will run periodic network and local vulnerability scans to check for exploitable code. They’ll also maintain a regular patch and maintenance program to secure their systems. I hope you understand from this discussion that virtual machines have no more and no fewer security concerns than physical machines. Security is a concern for all systems regardless of operating system, location or status.