EnimyMyne writes "The University of Minnesota security group has declared that VMware and other server virtualization tools not be used to host sensitive data:
"As a general rule, using Virtual Machines (VMware, Virtual PC, etc) for
servers that hold protected or private data is not acceptable.
Protected and private data include grades, credit card numbers, social
security numbers, Private Health Information (PHI), HIPAA and FERPA data,
The following rationale was given:
"The main concern is the risk of a low-security VM being compromised, and
the hackers breaking out of the VM into the host OS. If the same physical
hardware also is running high security VMs holding protected data, it
could be compromised. And given the consequences of breaches these days
(massive fines, losing grants, legal action, etc.) we need to be
particularly careful about this.
There are an infinite number of scenarios here, with VMs of the same
security level on the same hardware, or different security levels."
How valid is this claim given the great advantages of virtualization and the fact that large enterprises are increasing their use of products such as VMware? I haven't seen any articles on Slashdot discussing particular vulnerabilities of VMware over standard server hardware."