Of course, for every security benefit a virtual machine provides, a new security threat or risk emerges. Tom Yager started this discussion a few weeks ago, but I want to add some other scenarios to consider.
First, because new virtual machines are so easy to create, administrators and operators aren’t treating them with the same security thoroughness as they do real metal-and-wire servers. It’s as if they aren’t considered real servers: Virtual servers and workstations are many times more likely to be unpatched, contain weak passwords, and be used more recklessly.
Second, if attackers break out of a VM into the host, they can immediately impact every other virtual machine hosted on that server. The attacker could infect or exploit the base image, leading to immediate exploitation of all the other cloned servers and workstations.
Third, anti-virus software and other scanners on the outside can’t easily scan inside virtual workstation images for worms, bots, and other threats. To an external scanner running in host memory, a virtual machine image is just one big file. End-users are already using unauthorized virtual machines to run software that they don’t want the network administrators discovering, which opens up a whole new can of worms.
Last, there are no comprehensive studies to prove how well a virtual machine protects against running malware. For example, can a keylogging Trojan capture keystrokes or screenshots from a virtual session? My guess is that, yes, some can, but I haven’t seen any definitive studies to prove or disprove the protection a virtual session provides. At this point, it’s mostly guesswork and speculation.
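The third point above, that a VM image looks like one big file from the outside, also gives administrators a way to inventory unauthorized virtual machines: the file's content identifies it as a virtual disk even when it has been renamed. The sketch below is an added example, not part of the original column; the signature table covers common disk formats only, and the function names are hypothetical.

```python
import os

# Content signatures of common virtual disk formats: (label, offset, magic).
# A negative offset is measured from the end of the file.
SIGNATURES = [
    ("VMDK sparse extent", 0, b"KDMV"),
    ("VMDK descriptor", 0, b"# Disk DescriptorFile"),
    ("QCOW/QCOW2", 0, b"QFI\xfb"),
    ("VHDX", 0, b"vhdxfile"),
    ("VHD", 0, b"conectix"),       # dynamic VHD keeps a footer copy at the start
    ("VHD", -512, b"conectix"),    # fixed VHD only has the 512-byte footer
    ("VirtualBox VDI", 0x40, b"\x7f\x10\xda\xbe"),
]

def identify_disk_image(path):
    """Return a format label if the file content matches a signature, else None."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            for label, offset, magic in SIGNATURES:
                pos = offset if offset >= 0 else size + offset
                if pos < 0 or pos + len(magic) > size:
                    continue  # file too small to hold this signature
                fh.seek(pos)
                if fh.read(len(magic)) == magic:
                    return label
    except OSError:
        pass  # unreadable or vanished file: treat as no match
    return None

def find_disk_images(root):
    """Walk root and return a sorted list of (path, label), ignoring file names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the scanned tree
            label = identify_disk_image(path)
            if label:
                hits.append((path, label))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for path, label in find_disk_images(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:<20} {path}")
```

Images stored inside encrypted or compressed containers will not match, so treat an empty result as "none found by signature" rather than "none present".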
Like instant messaging and USB thumb drives, the virtual revolution is coming whether you like it or not. Embrace the technology where it makes sense and be proactive about management. Discuss the impact virtual machines will have on your environment, especially on security, with vendors and your technical staff. Better to make a plan now than have to scramble later.