CIS Releases Virtual Machine Security Guidelines
The Center for Internet Security has released their v1.0 guidelines for generic virtual machine security. I will say that this is a basic, concise and generally helpful overview to practical things one might consider when deploying, configuring and beginning to secure a virtual machine.
It also does a good job of describing general threat classes and mitigation considerations.
CIS’ summary and representation of this document, its scope and audience are accurately represented by this paragraph from the text:
Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices.
Proper use of the Recommendations requires careful analysis and adaptation to specific
user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone’s information security needs.
This first effort is focused on non-vendor specific virtualization platforms, and CIS is planning on releasing a similar set of documents that speak specifically to securing VMware ESX’s virtualization platforms. They suggest they will also consider other virtualization platforms such as XenSource.
You can read more on the background of this work on the Computerworld Blog.
/Hoff
It is a good start, but I do have to say that the majority of it is "well, duh!".
As a vendor neutral paper, it's a resource that will be generically useful. As they add in more information pertaining to specific threat vectors (as they emerge), it will be a great reference.