9. Monitor for "Rogue" VMs on Desktops and Laptops

Servers are not your only worry. "The greatest threat is on the client side—rogue VMs," Burton Group's Wolf says. What's a rogue VM? Remember, Wolf says, your users can download and use a free program like VMware Player, which lets a desktop or laptop PC user run any VM created by VMware Workstation, Server or ESX Server.

Many users now like to use VMs on a desktop or laptop to separate pieces of work, or work and home-related activities. Some people use VMware Player to run multiple OSes on the machine; say using Linux as a base OS but creating a VM for running Windows apps. (IT teams also can also use VM Player to evaluate virtual appliances—software products shipping configured as a VM.)

"Often times, those VMs are not even at the right patch level," Wolf says. "Those systems get exposed to your network. And now all of these unmanaged OSes can float around."

"There's a lot of risk you're adding there," Wolf says, noting that the machines running rogue VMs could spread viruses—or worse—to your physical network. For example, he says, it would be very easy for someone to load up a DHCP server to give out fake IP addresses. That's effectively a denial of service attack, he notes. At the very least, you're going to waste IT resources trying to track down the problem, he says. "It may even be simple user error introducing services to the production network."

How can you prevent against rogue VMs? You should have controls around who gets VMware Workstation, for starters (since it's needed to create the VMs). IT can also use a group security policy to prevent certain executables from running, such as those needed to install VM player, Wolf notes. Another option: Do periodic auditing of user hard drives. "You want to look for machines with VMs and flag them for follow up by IT," he says.

Has this become yet another point of contention between users and IT, where savvy users want to use VMs at work the same as they're doing at home? Not yet, Wolf says. "IT departments for the most part have ignored it," Wolf says.

If you do want to allow VMs on user machines, tools such as VMware's Lab Manager and other management tools can help IT control and monitor those VMs, he notes.

10. Remember Virtualization Security at Budget Planning Time

"Make sure to allocate budget for virtualization security and management," IDC's Elliott says. You may not need to break it out in your security budget, Arch Coal's Abbene notes, but your security budget overall had better have enough funds for it.

Also, be careful of security costs as you do virtualization ROI calculations. "You may not see a reduced spend in security," just by virtualizing more and more servers, Hoff notes, because you will need to apply some of your existing security tools to every VM that you create. If you don't anticipate this expense, it could eat into your ROI.

According to Gartner, it's a common mistake right now. Through 2009, some 90 percent of virtualization deployments will have unanticipated costs, such as security costs, affecting ROI, according to a presentation by Gartner VP Neil MacDonald at Gartner's October 2007 Symposium/ITxpo.