Virtualization is great. I have seen massive savings in cost; power consumption; CO2 output; reduction in software licenses; and many other advantages. Beyond the challenge of bringing these technologies online I have found numerous areas of oversight and weakness. The first is related to the blending of critical and non-critical systems, and the second is how system owners represent virtual systems with regards to IT compliance and controls.
A common mistake I find is the following: Critical and Non-Critical systems are loaded on the same ESX (or other) server and allow these hosts to share the resources of the same server. There is the possibility that an attack or activity on a non-critical host can affect the critical asset. This is due to configuration errors and oversight during deployment. I know this from several first hand experiences.
A second concern beyond the likelihood of one virtual host absorbing the resources of another virtual host is the fact that non-critical systems are given less priority on patches, security, funding, and subject to controls and procedures. The end-result is that hosting critical and non-critical virtual hosts on the same platform requires either a business acceptance of expanding the scope of security integrity safeguards, or a meaningful categorization and segmentation of these types of systems apart from each other.
A further posting will focus on my concern on how system operators are representing their virtual environments and the massive threats these actions are leading us to larger problems.
James DeLuccia IV