3. Start With Your Existing Security Tools, But Be Critical

Do you need a whole new suite of security and management tools for your virtualized environment? No. Starting with your existing set of security tools for the physical server and network world and applying them to the virtual environment makes sense, says Hoff. But do press your vendors to tell you how they're keeping up with virtualization risks, and how they'll integrate with other products going forward.

"There's a false sense of security in relation to adopting physical tools for the virtual environment," IDC's Elliott says. At the same time, he adds: "It's very early in the market," for new security tools designed with virtualization in mind. That means you must press your legacy and potential startup vendors a little harder than usual.

"Don't assume the platform-level tools (such as VMware's tools) are good enough for you," Elliott says. "Look at the startups and the legacy management vendors. Press those legacy vendors to do more, and provide guidance for them."

Jim DiMarzio, CIO at Mazda North America, follows this strategy in his enterprise. Like Arch Coal, Mazda NA runs VMware's ESX Server 3 software at the core of its virtualized servers and has been ramping up its number of VMs recently. DiMarzio says he expects to have about 150 production VMs running by March 2008. He's using the virtualized servers for Active Directory servers, print servers, CRM application servers and Web servers—the last being a mission-critical app since Mazda uses these Web apps to serve information to all its dealers, DiMarzio says.

To secure these VMs, DiMarzio decided to continue with his existing firewall and security products, including IBM'sTivoli Access Manager, Cisco firewall tools, and Symantec's IDS monitoring tools.

At Arch Coal, Abbene and his team are sticking with the security tools they're already using, while also investigating tools from startups BlueLane and Reflex Security. "The [legacy] security and change vendors are trying to work hard to catch up and they're behind," Abbene says.

BlueLane's VirtualShield product for VMware, for instance, claims that it can protect virtual machines even in cases where certain patches are out of date, as well as automatically scanning for possible problems, updating problem areas, and protecting against some remote threats.

Reflex Security's Virtual Security Appliance (VSA), which Hoff describes along with BlueLane's software as one of the few emerging products worth attention right now, essentially serves a virtual intrusion detection system (IDS), adding a layer of security policies inside the physical boxes where the VMs live. It could help block a hypervisor attack, among other possible future troubles, Abbene's team figures.

Abbene says his IT group has also discussed adding a second internal firewall to further isolate the VMs, but he's concerned there might be a performance impact on the virtualized applications.

IDC's Elliott cites a few other virtualization security tools worth examining: PlateSpin, known for physical-to-virtual workload conversion tools and workload management tools; Vizioncore, known for file-level backup tools; Akorri, known for performance management and workload balancing tools; and storage firm EqualLogic, recently acquired by Dell and known for iSCSI storage-area network (SAN) products optimized for virtualization.