Compliance and Mixed Mode Virtualization

I often get asked about PCI compliance and multi-mode, mixed-mode, or multi-tenant systems. I generally find it easy to explain that the measure of controls in the virtual environment is really not far from traditional IT.

When you have a firewall that can host virtual firewalls, what is the highest security level possible for that firewall? Is it the least common denominator — can the most secure virtual instance only be given the trust level of the least secure virtual instance on the same base system or hypervisor? The answer is that you can have different levels of trust on the same hypervisor, provided that you apply appropriate controls.

Yes, I am giving the diaper answer — it depends — but that is better than just saying no way, no virtualization.

Although you could take my word for it, an excellent example comes from the NSA, which worked with VMware to create a Trusted Virtual Environment (TVE) to address this issue. It allows two mixed modes: unclassified through secret, and secret through top secret/SCI.
