At WorkflowOne, a provider of marketing services, the IT department realized it had to play catch-up to address new security risks. The potential for a sudden appearance of several virtual servers caused confusion and alarm among the security team, says John Dattalo, an information security analyst with the company. One feared scenario: That the team would come back from lunch to 10 new servers and not know where they came from or what they were for.

So, where should you start? The answer is more simple than you might think: exactly where you would in a conventional environment. "Having a strong [security] policy and adhering to and enforcing that policy are the first steps," Dattalo says. Making sure your processes are up to date is also important, says Natalie Lambert, an analyst with Forrester Research. When virtualization first became popular, few companies included security in their assessments of whether to deploy the technology. But now IT managers are seeing the risks and taking the steps to correct the oversight, Dattalo adds.

Remember the Basics

Access control stands as one of virtualization's greatest risks, says Dattalo, because someone with access to a physical server running many virtual machines "could potentially take down the entire set." Forrester's Lambert agrees: "Virtual machines have all the attributes of an entire file, and the physical server would not," she says, so employees would have access to more data than the company might want them to. In order to resolve this issue, Dattalo suggests putting a senior manager in charge of determining an access list, clearly spelling out which physical servers each employee needs to work with and which they don't.

Tracking and maintaining the virtual servers—and what's on them—is also key, says Dave Templeton, CIO with Kelley Blue Book, which provides car sales information. Templeton has added 225 virtual servers in the past 18 months. "There are the same security concerns" as with dedicated servers, he says, "but the provisioning is so much faster that you need to be more on top of things."

Currently, Templeton and his director of IT, Grant Leathers, are looking at a tool that maps every virtual machine and physical server in their data centers. With the speed virtualization offers, the need for this visibility is more important than ever. It's much harder to map what's on your virtual systems after you deploy them when you have hundreds of machines to look after, he says. Templeton suggests having an infrastructure team tightly managing the installation and support of the devices both on the rack and in the cloud, instead of trying to figure out the mapping later.