"Think about how you will run," Moyle advises. Even as IP addresses become less valuable, segregation remains an important part of a robust security plan. In virtualized environments, rather than segregating by IP address, put in logical partitions that isolate functional points into segregated groupings. Servers handling online business functions, for example, may be isolated from those handling accounting.
"It's a basic security maxim," Moyle says. "Don't keep the gunpowder in the same room as the fuses." He recommends developing security controls for each grouping, but adds, "There's no reason why security controls can't be virtualized in their own right."
Asierus took that approach when it virtualized its entire computing environment, end to end, all the way down to the desktops. It now deploys thousands of virtual machines on the XenSource platform, segregated into functional groups and secured with Fortinet's FortiGate™ system.
In addition to its own systems, Asierus also serves more than 300 clients who use its "anyWare" modular virtualization support platform for servers, networks, desktops, storage, support and security. "Security virtualization is one of the most critical pieces" in the overall system, insists Jeremy Simmons, CEO.
"With virtualization there's a new opportunity to manage security service providers so you can have multiple customers on one box," James notes, thus eliminating a serious risk for hosting companies. Asierus virtualized security for its own operations as well as for its customers, developing SECURE AnyWhere™ to offer multi-layered network security and unified threat management for the virtual environment. Virtualizing security provides an umbrella, ensuring that each instance under that umbrella has strong network-level security. And it streamlines the process of ensuring that each instance receives the relevant patches and security updates in a timely fashion, with the least amount of administrative time. As Simmons notes, it's far more efficient to provision one or a few virtual machines than the scores of physical servers and the approximately 140,000 applications running in their previous system.
Fortinet places multiple security engines on a single platform to protect against multiple vulnerabilities. Protecting up to 20 ports, Fortinet's solution is server independent and platform agnostic, James says, and sits in the space between the device and the consumer. From that position, "it doesn't matter what (platform) customers put behind it," James says.
A robust firewall is the key to the system's effectiveness, but not all firewalls are created, or deployed, equally. Fortinet's system places the firewall between the virtualization layer and the physical machines, and then routes all traffic through the firewalls. Therefore, even network traffic between virtual machines always passes through the firewall and back in, to minimize risks. That approach eliminates the problem of cross-contamination through thorough screening, James says. "In a virtual environment, you need a foolproof system," he insists.
Automation is a key component. Many systems offer automatic, continuous traffic monitoring and quarantining to identify and thwart malicious traffic. Monitoring also should occur before systems are virtualized, to provide administrators with the data they need to effectively deploy a security solution for their own particular systems. Catbird, for example, provides an end-to-end security assessment based upon monitoring traffic for 30 days to identify gaps in the computing environment. The result, Newberger says, is a "comprehensive, actionable report" that helps clients comprehend their needs. In Berman's experience, monitoring typically uncovers several previously unidentified vulnerabilities in addition to those expected by the clients.
Monitoring solutions may be system-wide or application specific. For databases, Secerno launched the Secerno SQL database activity monitoring and blocking solution last July on the VMware platform. Moyle says this offers virtualized databases the same protection available through hardware, but with the benefits of virtualization. In particular, it puts the defense as close as possible to the asset and provides a comprehensive map of data utilization, from which security policies are then developed that govern the type of traffic allowed between any two servers.
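A minimal version of the group-based policy the passages above describe (segregating VMs into functional groups and governing the traffic allowed between any two of them), as an added example rather than code from the article or any of the vendors it names; all addresses, group names, ports and flows are constructed:

```python
# Added example, not from the article or any vendor: a default-deny policy
# between functional groups, applied to every flow the virtual firewall sees.
# VM addresses, groups, ports and flows are all constructed for illustration.
from dataclasses import dataclass

# Segregate by function rather than by IP range: each VM belongs to one group.
VM_GROUPS = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "accounting-db",
    "10.0.9.90": "mgmt",
}

# Allowed TCP ports per (source group, destination group). Any pair or port
# not listed is denied, including traffic between two VMs of the same group.
POLICY = {
    ("web", "app"): {8080},
    ("app", "accounting-db"): {5432},
    ("mgmt", "web"): {22}, ("mgmt", "app"): {22}, ("mgmt", "accounting-db"): {22},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one inter-VM flow."""
    src_group, dst_group = VM_GROUPS.get(flow.src), VM_GROUPS.get(flow.dst)
    if src_group is None or dst_group is None:
        return "deny", "endpoint not assigned to any group"  # no group, no policy
    if flow.dport in POLICY.get((src_group, dst_group), set()):
        return "allow", f"{src_group}->{dst_group}:{flow.dport}"
    return "deny", f"no rule for {src_group}->{dst_group}:{flow.dport}"

def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every flow the policy would deny, with the reason, for review."""
    violations = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations

SAMPLE_FLOWS = [  # constructed sample of flows passing through the firewall
    Flow("10.0.1.10", "10.0.2.20", 8080),  # web -> app: allowed
    Flow("10.0.1.10", "10.0.3.30", 5432),  # web straight to accounting DB: denied
    Flow("10.0.2.20", "10.0.3.30", 5432),  # app -> accounting DB: allowed
    Flow("10.0.1.11", "10.0.1.10", 22),    # lateral SSH inside the web group: denied
    Flow("10.0.5.55", "10.0.3.30", 5432),  # VM never placed in a group: denied
]
```

Running `audit(SAMPLE_FLOWS)` returns the three denied flows with their reasons, which is the list an administrator would review after the monitoring period the article describes.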
One of the hallmarks of robust, comprehensive security solutions is the reliance upon multiple defenses. James advises searching out security applications boasting layered security features such as networked antivirus applications, intrusion protection, and virtual private networks. A policy engine, a Fortinet feature, also monitors the state of each item under its protection, checking on established connections and disconnections. The reason, James says, is that "an attacker can initiate a connection request without a server participating in the request."
Ensuring security in a virtual environment, however, isn't strictly a technological endeavor. Cooperation and communication among functional groups within IT are as important as the security application itself. As Berman explains, IT functional groups today often are siloed, blind to activities in other functional units. "It's hard to be an expert in virtualization, and security, and Oracle, etc. - impossible, actually," Berman adds, so by communicating with each group, a virtualization plan can be developed that has as few holes as possible.
Related Links: The Edge of Chaos: Virtualization in a Multivendor Environment, Secerno, Fortinet
Gail Dutton is a veteran business and technology writer based on Washington’s Olympic Peninsula. She can be reached at gaildutton@gmail.com.