I have a few friends who are working to virtualize almost their entire computer infrastructures. They work in large and small companies, but there is a constant push to avoid the bare metal installation of any operating system onto physical hardware, making every Windows or Unix machine a virtual machine on top of a hypervisor. I was surprised to hear that companies were being so aggressive, but the cost benefits can be huge, and when virtualization is done in a smart way, performance doesn’t suffer.
However, virtualization can change security, especially when you have VMs that are allowed to move from physical host to physical host. The state of New Mexico embarked on a similar project and was concerned about the security of the virtual machines. Their department had dismissed some employees because of a security breach a few years earlier, and security was at the forefront of their minds. Additional security as well as network controls were used in their project, and I hope they also implemented strong auditing procedures.
As we move to newer infrastructures that include virtualization, physical security becomes more important, and additional controls are needed. The ability for someone to potentially move a VM outside of a data center, or even to a less secure remote data center, becomes a point of concern. Moving the storage itself might be an even bigger problem as virtual storage becomes more commonplace.
Ultimately, however, we can’t all have dedicated security employees, nor can we expect every DBA, sysadmin or even security officer to be able to protect against and mitigate all attack vectors. Auditing is ultimately the best way to handle breaches. We can’t prevent all of them, but we can respond quickly, learn, and, perhaps more importantly, inform the appropriate people so they are ready to respond to the information disclosure.