1. Get VM Sprawl Under Control

CIOs such as Michael Abbene, who runs IT for Arch Coal, understand the problem of VM sprawl full well: VMs take minutes to create. They're great for isolating certain computing jobs. But the more VMs you have, the more security risk you have. And you'd better be able to keep track of all those VMs.

"We started by virtualizing very low-profile test and development boxes," Abbene says. "Then we moved some low-profile application servers. We've been moving up as we've been successful. We understand we're increasing our risk profile as we do that." The company currently has about 45 production VMs, he notes, including Active Directory servers, and some application and web servers.

How do you control server sprawl? One approach: Make creating virtualized servers and VMs as disciplined as creating physical ones. At Arch Coal, the IT team is rigorous about allowing new VMs: "People have to go through the same process to get a server, whether it's physical or virtual," says Tom Carter, Arch Coal's Microsoft Systems Administrator, who works for Abbene.

For this purpose, Arch Coal IT uses a change control board (made up of a cross-section of IT staffers from disciplines like servers and storage, serving on a rotating basis) to say yes or no to new virtualized server requests. This means, for example, that people in the applications group can't just build a VMware server and start creating VMs, Abbene says—though he's had developers ask to do just that.

VMware's VirtualCenter management tools as well as tools from Vizioncore can also help manage VM sprawl.

Ignore VM sprawl at your own peril, says IDC's Elliott: "VM sprawl is a huge problem, causing lag times in the ability to manage, maintain performance and provision," he says. Also, unexpected management costs will arise if your number of VMs gets out of hand, he adds.

2. Apply Your Existing Processes to the Virtual Machines

Perhaps the sexiest aspect of virtualization is its speed: You can create VMs in minutes, move them around easily, and deliver new computing power to the business side in a day instead of weeks. It's fun to drive fast. But slow down long enough to think about making virtualization part of your existing IT processes, and you will prevent security problems in the first place, says IDC's Elliott. You will also save some management headaches later.

"Process is important," he says. "Think about virtualization not just from a technology standpoint but from a process one." If you're using ITIL to guide your IT processes, for example, think about how virtualization fits into that process framework, Elliott advises. If you're using other IT best practices, look at how virtualization fits into those processes.

One example: "If you have a server-hardening document (prescribing a standard set of security and setup rules for a new server)," Hoff says, "you should do the same set of things to a virtual server as to a physical one."

At Arch Coal, Abbene's IT team does just that: "We take our best practices for securing a physical server and apply those to every VM on the box," Abbene says. Steps like hardening the OS, running antivirus on every VM and ensuring patch management, keep those virtual boxes in tune with the same procedures used on physical ones, he says.