Brandon Baker on Virtualization Security

With heavy server consolidation through virtualization come some new things to think about from the operations perspective. In many ways, you have to start thinking of a box in the same way you used to think of a branch office or small data center. For example, now that a single box can host many VMs running critical workloads, you may have to change your view of who touches that box, for what reason, and when. Service and maintenance schedules for the host should probably be different from the schedule for patching the VMs. The same goes for scheduled backups. If you let VM admins keep snapshots/images/backups on local disk, you may find new disk capacity management issues to get on top of with all those stored VHDs, not to mention that they will have different levels of confidentiality you must manage. Then there are security boundaries: should you have VMs of differing admin security levels on the same host? How can you achieve role-based security in Hyper-V?

Recently, I sat down to record a short 10-minute podcast with Brandon Baker on virtualization security, sparked by his blog post on Isolation of Virtual Machines, to chat about some of these issues.

Check out Brandon’s Blackhat conference presentation, including:

· Windows Server virtualization and Windows Server 2008 architecture and components

· How Windows Server virtualization virtualizes the CPU and enforces virtual machine isolation

· Best practices for Windows Server virtualization deployment

· Hardware futures [e.g., TXT from Intel, SVM from AMD, IOMMU]

· And more…

Blackhat also posted a .pdf of his Hypervisor architecture presentation.