Here they are:
Law 1: Attacks against the OS and applications of a physical system have the exact same damage potential against a duplicate virtual system.
Law 2: A VM has higher risk than its counterpart physical system that is running the exact same OS and applications and is configured identically.
Law 3: VMs can be more secure than related physical systems that provide the same functional service to an organization when they separate functionality and content that are combined on a physical system.
Law 4: A set of VMs aggregated on the same physical system can only be made more secure than its separate physical counterparts by modifying the configurations of the VMs to offset the increased risk introduced by the hypervisor.
Law 5: A system containing a “trusted” VM on an “untrusted” host has a higher risk level than a system containing a “trusted” host with an “untrusted” VM.
I have been getting interesting reactions to these. Some say they are wrong. Some say they are common sense. Some just don't like the word "immutable." I think they serve to clarify some of the confusion that comes up when discussing virtualization by applying fairly straightforward risk management principles.
See this Burton Group blog post for more discussion. If you are a Burton client, you can also download the full report from our research library.
I would enjoy hearing about any scenarios that you think make the laws mutable, as it were ;-)