Virtualization security is coming up frequently in higher-ed security forums as folks scramble to understand best-practices before whatever path-of-least-resistance gets too entrenched to change. Unfortunately, there’s almost no intermediate-level documents on virtualization security to help us wrap our heads around the problem. There’s plenty of introductory documents rehashing the same six bullet points over and over and there’s quite a lot of deep-dive technical material on various details, but almost no technical survey material for folks looking to bootstrap themselves on the topic.
I gave a presentation on virtualization security at the Educause Security Professionals Conference in April, and there seemed to be agreement and frustration about the lack of available survey material, which gave me the motivation I needed to polish up this paper for release. It includes a basic taxonomy of virtualization technologies for security practitioners, an overview of attacks in virtualized environments, a list of best-practices with links to more detailed documents, and identifies areas where best practices haven’t yet been established.