So Tarry Singh posted today on the VMware security advisories. While that’s been covered here, and elsewhere, I did find a few of his points interesting:
Ask yourself the following:
* Do you know that such malicious attacks are not taking place in your environment?
* Do you know if there is some sort of control in your environments?
* How many of you have successfully deployed a CCP that makes your ESX compliant or at least anywhere close to being SOX/PCI DSS 1.x standards? You must be able to control, authorize and demonstrate your sense of control on these environments. Can you do it?
* Are you doing any sort of assessments in your environments, especially Virtual Infrastructures be it Oracle VM, VMware ESX, Citrix Xen, Xen or whatever?
* Are some or any of your virtual platforms registered within your centralized directory, any LDAP v3 variants such as ADS, etc.?
Can you answer these for your environment? Just because it’s virtual doesn’t mean you should forget about security.