Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 19:56 UTC (Sun) by drag (subscriber, #31333)
In reply to: Is virtualisation a viable alternative to MAC ? by dlang
Parent article: AppArmor set to be merged for 2.6.36

I believe that to properly assess the advantages of virtualization and determine how appropriate it is for an organization, it's extremely important to have the correct attitude and approach to it.

Virtualization should be mostly thought of as a cost-saving mechanism and that is about it. It's an abstraction you can use to accomplish something cheaply that otherwise would take more resources, be more difficult, or cost more.

And actually you end up sacrificing security for that lower 'TCO'.

For example:

You want to isolate network services so that if one is hacked the other will still be secure. Traditionally you would simply have to purchase multiple machines to run each service. However, that is expensive and uses lots of space... so what you can do is use virtualization to isolate each service on one machine while saving money.

In that case I am sure that everybody here would agree that running multiple services on multiple physical machines is going to provide higher security than running multiple services in multiple VMs on a single machine.

So hence you're trading some security for lower cost.

So it's all about proper perspective, and it makes it much easier to judge the proper use of virtualization than if you get sidetracked and start thinking about security advantages. Virtualization vendors need to concentrate on promoting their products through the discussion of cost-saving measures, not any sort of illusionary security advantage.

------------

Similar problems happen when people start discussing file systems, RAID, and backups.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds