Last fall, RSA, the security division of VMware's parent EMC, issued a security brief titled "Security Compliance in a Virtual World." Here are excerpts from it:

1. Platform hardening: Take steps to minimize security vulnerabilities through correct configuration, removing unused components and keeping patches up to date. Follow strict guidelines from vendors, the Center for Internet Security, and the Defense Information Systems Agency.

2. Configuration and Change Management: Virtualization makes it fast and easy to deploy a standard configuration on servers. But that speed becomes a liability if the servers being deployed are misconfigured or insecure. Extend existing configuration and change management processes to all elements—physical and virtual—of the virtual infrastructure. Make sure all components are up to date on the latest security patches.

3. Administrative Access Control: With virtualization, servers and virtual networking are controlled through the same interface as the hypervisor. Separate out the duties and permissions for each of the functions so that someone with administrative access to an application server doesn't wind up with permission to change the hypervisor protocols.

4. Network Security and Segmentation: In addition to the physical networks, virtualized systems include virtual switches and software implementations that allow the virtual machines on a host server to communicate with each other. As is done with physical networks, the virtual networks should be isolated from each other to prevent access to secure information. The virtual networks should use the same security protocols as the physical networks and change management tools used to ensure proper configuration.

5. Audit Logging: To secure the entire IT infrastructure, the logs from individual components cannot be viewed in isolation, but as part of the complete system. The virtualization software will provide event logs, and these should be imported into the Security Information and Event Management (SIEM) solution so they can be analyzed together with the logs from the physical assets.

Look for a detailed article on virtual security in the Nov/Dec issue of Data Center Management magazine (DCM).