Enterprise IT managers have to realize that approaches to securing known environments still can fail, so virtualization presents more opportunity for attackers.
"Despite a decade of experience in securing IT, it is still possible, for example, to directly modify DLL files critical to the Windows operating system environment. Hooks into the platform for adding on security is not the same as building it in," Crawford says.
7. Don't set it and forget it.
A large part of virtualization's appeal is that it's dynamic by nature. But that also means the technology demands more care and feeding than physical machines.
IT can't configure virtual infrastructure and assume it will work as expected for lengthy period of time, Nielsen Mobile's Portolese says. IT managers must plan for virtual-machine life-cycle management from the outset, he says. Products from vendors like Embotics and Fortisphere offer features to deprovision virtual resources that are no longer needed, and audit the environment to rediscover underutilized resources.
"Having a mechanism to audit and decommission [virtual machines] is useful because there is no point in having a system consuming precious ESX resources," Portolese explains. "It is a bit of a no-no if you don't have some type of life-cycle management tools in place to assist here."
Essentially, the homework that Portolese suggests IT managers do at the start of a virtualization project must be an ongoing process to maximize the return on virtual resources and prevent wasting time correcting errors left untouched for too long in the environment. "If one does not take the majority of time developing and planning the initial deployment or ongoing expansion, they will spend a lot more time and effort maintaining and correcting past mistakes."