4.Understand the Value of an Embedded Hypervisor

Maybe you've read about "embedded" hypervisors already, but if you haven't, it's a term that IT leaders should understand. The hypervisor layer on a server serves as a foundation for housing the VMs. VMware's recently-announced ESX Server 3i hypervisor, designed to be very slim (32MB) for security reasons, uniquely does not include a general purpose OS. (And no OS means no OS maintenance chores.)

Some hardware vendors such as Dell and HP have recently said that they'll ship embedded versions of this VMware hypervisor on their physical servers. In basic terms, an embedded hypervisor is safer because it's smaller, says IDC's Elliott. "The larger the code base, the larger the opportunity for breaches," he says. "This becomes part of your architecture decision."

Embedded hypervisors will be a big trend going forward, Elliott says, and you can expect to see them from most server vendors, as well as some companies that haven't played in this space before. Phoenix Technologies, a market leader in the BIOS software field, recently announced that it's getting into the hypervisor game, starting with a product called HyperCore: It's a hypervisor for desktop and laptop PCs that will let users turn on the machine and use a basic Web browser and e-mail client without waiting to boot Windows. (HyperCore will be embedded in the machine BIOS.)

Competition and innovation in the hypervisor market would be good for enterprises, Hoff says. The end result could be companies slugging it out to deliver the slimmest, smartest hypervisor software.

"Whether it's Phoenix or someone else, there's a very interesting battle of these hypervisors becoming the next great OS," Hoff says.

A smaller attack surface isn't the only benefit of an embedded hypervisor. Mazda's IT group is looking forward to upcoming Dell servers with embedded hypervisors for VMware ESX server, says Kai Sookwongse, IT systems manager, LAN/Server for DiMarzio at Mazda. "One of the features we're waiting for with Dell's embedded ESX is all the VM images can be on the SAN," Sookwongse says. "When we start up the server, it can boot up from the image on the SAN." This centralized administration and security and also means Mazda could order a server without a disk if it wants, for physical security concerns, he notes.

5. Don't Over-Assign Rights to VMs

Remember that when you give admin-level access to a VM, you give access to all the data on that VM. Think critically about what kind of accounts and access your staffers in charge of backup tasks need, Burton Group's Wolf advises. Compounding the problem, some third-party vendors will actually give outdated advice with regard to VM security around storage and backup issues, Wolf adds. "Some vendors are not even following VMware's best practices for VMware Consolidated Backup themselves," he says.

Arch Coal makes it a point to limit admin access to its VMs overall, says Paul Telle, information security administrator, noting that his security colleague Tom Carter and Carter's boss are among a very small group with those rights.

Application developers get minimal access. "Our application people have access to a share, or the minimum access . . . not access to the OS," Carter says. This helps control VM sprawl while increasing security.

6.Watch How You Provision Storage

Some enterprises are over-provisioning storage on SANs today, says Wolf. It's not that you're provisioning too much storage overall; it's that you may be letting the wrong VM's share a part of the SAN, he says.

If you're working with VMotion, VMware's tool for moving VMs around, you're assigning some zoned storage in SANs. But you may want to make that storage assignment more granular, as you would in the physical world, Wolf advises. Looking forward, N-port ID virtualization - a technique that lets IT assign storage to just one VM - is an option worth investigating, Wolf says.