by einhverfr 4751 days ago
We can do either but our default is VMs, just because for smaller businesses that is a lot more practical. Customers typically do not have root access to their VMs unless they supply their own keys/x509 certs so we can take ours off. If we are managing the box we have, for example, stored root passwords (rarely needed and only two people have access) encrypted in PostgreSQL (which means we do not log when we are not debugging and we do not allow history to be stored since manual keys must be entered when retrieving this info).

> How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.

It's not the only thing you have to watch out for. If someone can compromise the host they should be able to compromise all VMs given a little time. We do have some automated ways of checking for changes though. In general the physical hosts are much less exposed but cannot guarantee that more generally. We are always discussing ways to tighten security (I am considering setting up a ridiculously tight SELinux policy on the physical hosts).

> It does seem like having your own physical hardware would make... a big difference, security-wise.

The big difference is actually where the hardware is located. The big difference is really having your own physical hardware on your own premises on your own intranet vs using someone else's physical hardware in their datacenter, with their intranet. In general though if you have someone else's hardware on your intranet you can better control it than if you have your hardware somewhere else.