What is a typical audit model now in terms of a virtualised server, where protecting the data on that server is of paramount importance. Say for example you had to identify every “avenue” that a bad guy could take to get access to the data that resides on that server, however obscure an angle of attack. What are the “avenues” that need to be considered for protection, I was thinking OS (guest) level vulnerabilities, ESXi host level vulnerabilities, VCenter vulnerabilities, Storage i.e. SAN vulnerabilities (although I am not sure if you can login to a SAN and if you could if you’d be able to copy away a host)? Would anyone care to comment on the overall threat model and avenues of attack? Have I missed any?