7.Ensure Good Isolation Across Network Segments

As enterprises go virtual, they shouldn't ignore security-related network traffic risks. But some of these risks can inadvertently be overlooked, especially if IT leaders fail to bring networking and security staffers to the table while doing virtualization planning. "A lot of organizations simply use performance as the metric of how to consolidate," Wolf says. (When evaluating which application servers to co-locate as VMs on one physical box, IT teams tend to first focus on how performance-hungry those application servers will be, since you want to avoid asking any one physical box to bear too much load.) "They forget because of security restrictions on network traffic that they shouldn't locate these VMs together," Wolf says.

For example, some CIOs are deciding not to allow any virtualized servers in the DMZ (also known as demilitarized zone, the subnetwork that houses external services to the Internet, like e-commerce servers, adding a buffer between the Net and the LAN).

If you do have some VMs in the DMZ, you may want them on physically separate network segments from some of your other systems, say a critical Oracle database server, Wolf says.

At Arch Coal, the IT team thought about the DMZ from the start, Abbene says. They've deployed virtual servers on the internal LAN but nowhere public facing. "That was a key early decision," Abbene says. For example, the company has some secure FTP servers and some servers doing lightweight electronic commerce in the DMZ; it has no plans to introduce VMs there, he says.

8.Worry About Switches

When is a switch not a switch? "Some virtual switches behave like a hub today: Every port is mirrored to all the other ports on the virtual switch," Burton Group's Wolf says. Microsoft Virtual Server, in particular today, presents this problem, Wolf says. VMware's ESX Sserver does not, nor does Citrix XenServer. "People hear the term 'switch' and think isolation exists. It really varies by vendor," Wolf says.

Microsoft has said the switch issue will be addressed in Microsoft's upcoming Viridian server virtualization software product, Wolf adds.

9.Monitor for "Rogue" VMs on Desktops and Laptops

Servers are not your only worry. "The greatest threat is on the client side - rogue VMs," Burton Group's Wolf says. What's a rogue VM? Remember, Wolf says, your users can download and use a free program like VMware Player, which lets a desktop or laptop PC user run any VM created by VMware Workstation, Server or ESX Server.

Many users now like to use VMs on a desktop or laptop to separate pieces of work, or work and home-related activities. Some people use VMware Player to run multiple OSes on the machine; say using Linux as a base OS but creating a VM for running Windows apps. (IT teams also can also use VM Player to evaluate virtual appliances - software products shipping configured as a VM.)

"Often times, those VMs are not even at the right patch level," Wolf says. "Those systems get exposed to your network. And now all of these unmanaged OSes can float around."

"There's a lot of risk you're adding there," Wolf says, noting that the machines running rogue VMs could spread viruses - or worse - to your physical network. For example, he says, it would be very easy for someone to load up a DHCP server to give out fake IP addresses. That's effectively a denial of service attack, he notes. At the very least, you're going to waste IT resources trying to track down the problem, he says. "It may even be simple user error introducing services to the production network."

How can you prevent against rogue VMs? You should have controls around who gets VMware Workstation, for starters (since it's needed to create the VMs). IT can also use a group security policy to prevent certain executables from running, such as those needed to install VM player, Wolf notes. Another option: Do periodic auditing of user hard drives. "You want to look for machines with VMs and flag them for follow-up by IT," he says.

Has this become yet another point of contention between users and IT, where savvy users want to use VMs at work the same as they're doing at home? Not yet, Wolf says. "IT departments for the most part have ignored it," Wolf says.

If you do want to allow VMs on user machines, tools such as VMware's Lab Manager and other management tools can help IT control and monitor those VMs, he says.

10.Remember Virtualization Security at Budget Planning Time

"Make sure to allocate budget for virtualization security and management," IDC's Elliott says. You may not need to break it out in your security budget, Arch Coal's Abbene notes, but your security budget overall had better have enough funds for it.

Also, be careful of security costs as you do virtualization ROI calculations. "You may not see a reduced spend in security," just by virtualizing more and more servers, Hoff says, because you will need to apply some of your existing security tools to every VM that you create. If you don't anticipate this expense, it could eat into your ROI.

According to Gartner, it's a common mistake right now. Through 2009, some 90 percent of virtualization deployments will have unanticipated costs, such as security costs, affecting ROI, according to a presentation by Gartner MacDonald at Gartner's October 2007 Symposium/ITxpo.