
June 9, 2008

Mastering basic virtualization challenges, part four: Security

Virtualization opens potential security gaps. New tools and processes can help you close them.

By Rich Freeman

(This is the fourth article in a five-part series.)

Like management, security is a topic that newcomers to virtualization often neglect. “Most organizations tend to overlook some of the specific nuances of virtualization and ultimately end up being less secure than they think they are,” says Neil MacDonald, a vice president at research firm Gartner Inc. of Stamford, Conn.

MacDonald cites several potentially dangerous security-related issues as examples:

Hypervisor vulnerabilities: A hypervisor is software, and it accumulates vulnerabilities like any other software. “Compromise of that layer is a worst-case security scenario, because it puts every workload on that server at risk,” MacDonald observes. Hypervisor makers generally patch vulnerabilities in their software quickly, but IT departments are often lax about applying those patches, in part because a hypervisor update usually means migrating or rebooting every guest on the host. Including the hypervisor in your company’s regular patch management routine, with a planned maintenance window for it, is critical, MacDonald argues.

Internal traffic monitoring: Traditional network-based firewalls and intrusion prevention systems inspect traffic as it crosses physical links. Traffic between two virtual machines on the same host travels over the hypervisor’s virtual switch and never reaches a physical network interface, so those devices cannot see it, and a compromised guest can probe its neighbours unobserved. To monitor those communications you need firewall and intrusion prevention products built to run inside the virtual environment, as a guest appliance or in the hypervisor itself, or you must deliberately route every virtual machine’s traffic out to a physical inspection device, at a cost in throughput. Reflex Security Inc. and Blue Lane Technologies Inc. are two of many vendors that offer such products.
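To make the visibility gap concrete, the following audit is an added example written for this page; it is not code from the article or from any vendor named above. It assumes a constructed inventory in which each virtual machine is pinned to a host and labelled with a security zone, plus a constructed list of observed flows; the host, VM and zone names are invented. Any flow whose endpoints share a host stays on the virtual switch and is invisible to a firewall or IPS on the physical wire, and the cross-zone subset of those flows is where coverage is missing entirely.

```python
from itertools import combinations

# Constructed inventory for illustration (hosts, VM names and zones are invented):
# each VM is pinned to a physical host and carries a security-zone label.
INVENTORY = {
    "web-01": {"host": "esx-a", "zone": "dmz"},
    "web-02": {"host": "esx-b", "zone": "dmz"},
    "app-01": {"host": "esx-a", "zone": "internal"},
    "db-01": {"host": "esx-a", "zone": "restricted"},
    "db-02": {"host": "esx-b", "zone": "restricted"},
}

# Constructed flow records (source VM, destination VM, destination port), as a
# virtual-switch flow export or a guest-side connection table might provide them.
FLOWS = [
    ("web-01", "app-01", 8080),
    ("web-02", "app-01", 8080),
    ("app-01", "db-01", 3306),
    ("web-01", "db-01", 3306),  # DMZ guest reaching the restricted tier directly
    ("db-01", "db-02", 3306),
]


def same_host(src, dst, inventory=INVENTORY):
    """True when both VMs run on the same physical host."""
    return inventory[src]["host"] == inventory[dst]["host"]


def crosses_zone(src, dst, inventory=INVENTORY):
    """True when the two VMs sit in different security zones."""
    return inventory[src]["zone"] != inventory[dst]["zone"]


def classify_flow(src, dst, inventory=INVENTORY):
    """'physical' if the flow must leave the host through a NIC (a conventional
    firewall or IPS on the wire can inspect it); 'intra-host' if it stays on the
    host's virtual switch, where only a hypervisor-level sensor can see it."""
    return "intra-host" if same_host(src, dst, inventory) else "physical"


def blind_spots(flows=FLOWS, inventory=INVENTORY):
    """Observed flows that never touch a physical NIC and also cross a zone
    boundary: traffic the existing perimeter devices cannot inspect at all."""
    return [
        (src, dst, port)
        for src, dst, port in flows
        if classify_flow(src, dst, inventory) == "intra-host"
        and crosses_zone(src, dst, inventory)
    ]


def cross_zone_pairs(inventory=INVENTORY):
    """Every pair of VMs that share a host but not a zone, whether or not traffic
    has been observed yet: each pair needs a virtual firewall policy before the
    first packet flows, because nothing on the physical network will mediate it."""
    return [
        (a, b)
        for a, b in combinations(sorted(inventory), 2)
        if same_host(a, b, inventory) and crosses_zone(a, b, inventory)
    ]


if __name__ == "__main__":
    for src, dst, port in FLOWS:
        print(src, "->", dst, port, classify_flow(src, dst))
    print("uninspected cross-zone flows:", blind_spots())
    print("co-located cross-zone pairs:", cross_zone_pairs())
```

Run against the constructed data, three of the five flows never leave host esx-a and all three cross a zone boundary, including the DMZ-to-restricted connection on port 3306 that a perimeter IPS would normally be expected to block. The pair list is the more useful planning output: it tells you where a virtual firewall rule is needed before any traffic is seen, and it changes every time a VM is migrated to a different host.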

Root administrative control: In conventional infrastructures, servers typically perform one function apiece, so an administrator’s root access exposes one workload. In a virtual environment a single physical server usually hosts a wide variety of virtual machines, and anyone with root on the host can read or alter the disks, memory and network configuration of every guest on it, regardless of how well those guests are locked down internally. IT departments introducing virtualization must therefore introduce tighter controls over who receives root access to hosts and to the management console, grant the narrowest role that does the job, and log what privileged accounts do.

Offline patch management: One of virtualization’s top benefits is its ability to streamline disaster recovery. A virtual machine is essentially a set of large files, so organizations can easily make copies at various points in time and store them as backups. Should a virtual machine become unavailable, a backup copy, along with all of its software, configuration settings and data, can be brought back into service almost immediately. However, unless you’re careful, a restored backup can reintroduce vulnerabilities that you patched earlier on your production servers, because the image still carries whatever patch level it had when it was taken. The same applies to the templates and snapshots used to clone new machines. IT departments must therefore be as diligent about patching backup and other offline images as they are about patching production machines, or at minimum verify an image’s patch level before it goes back on the network.
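The check that makes this diligence practical is a comparison of each stored image’s patch level against the running production machine. The script below is an added example for this page, not code from the article; the VM names, patch identifiers and dates are constructed, and in a real run the production manifest would come from the patch-management system and the backup manifests from the backup catalog or from mounting each image read-only.

```python
from datetime import date

# Constructed data for illustration: VM names, patch identifiers and dates are
# invented. PRODUCTION holds the patches currently applied on each running VM;
# BACKUPS holds the patch level recorded for each point-in-time image.
PRODUCTION = {
    "web-01": {"KB-1001", "KB-1017", "KB-1042"},
    "db-01": {"KB-1001", "KB-1042", "KB-1050"},
}

BACKUPS = [
    {"vm": "web-01", "taken": date(2008, 5, 1), "patches": {"KB-1001"}},
    {"vm": "web-01", "taken": date(2008, 6, 1), "patches": {"KB-1001", "KB-1017", "KB-1042"}},
    {"vm": "db-01", "taken": date(2008, 5, 20), "patches": {"KB-1001", "KB-1042"}},
]


def missing_patches(vm, image_patches, production=PRODUCTION):
    """Patches present on the running production VM but absent from an image."""
    return sorted(production[vm] - image_patches)


def stale_images(backups=BACKUPS, production=PRODUCTION):
    """Every backup that, restored as-is, would bring back vulnerabilities already
    fixed in production, together with the patches it lacks."""
    report = []
    for image in backups:
        gap = missing_patches(image["vm"], image["patches"], production)
        if gap:
            report.append((image["vm"], image["taken"], gap))
    return report


def newest_safe_image(vm, backups=BACKUPS, production=PRODUCTION):
    """Date of the most recent backup of `vm` that is at production patch level,
    or None if every copy is behind and must be patched before restore."""
    safe = [
        image["taken"]
        for image in backups
        if image["vm"] == vm and not missing_patches(vm, image["patches"], production)
    ]
    return max(safe) if safe else None


def restore_plan(vm, backups=BACKUPS, production=PRODUCTION):
    """What to do if `vm` must be restored now: use the newest image that is already
    current; otherwise take the newest image available and list what must be
    applied before it is allowed back on the network. None if no image exists."""
    current = newest_safe_image(vm, backups, production)
    if current is not None:
        return {"image": current, "apply": []}
    candidates = [image for image in backups if image["vm"] == vm]
    if not candidates:
        return None
    newest = max(candidates, key=lambda image: image["taken"])
    return {
        "image": newest["taken"],
        "apply": missing_patches(vm, newest["patches"], production),
    }


if __name__ == "__main__":
    for vm, taken, gap in stale_images():
        print(f"{vm} image from {taken} is missing {', '.join(gap)}")
    for vm in PRODUCTION:
        print(vm, restore_plan(vm))
```

On the constructed data the May images of both machines are stale, and db-01 has no current image at all, so its restore plan names the one patch to apply before the restored guest is connected. Running this against the full catalog on a schedule, rather than at restore time, is what turns the recommendation above into a routine: an image that cannot be brought to production level gets patched offline or retired before anyone needs it in a hurry.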

None of these issues is cause for panic, MacDonald emphasizes, provided you address them proactively. The time to think through virtualization’s security implications is before your virtual infrastructure goes into operation, not after.

Rich Freeman is a Seattle, Wash.-based freelance writer who covers business and technology.

Other articles in this series:

Mastering basic virtualization challenges, part one: Budgeting

Mastering basic virtualization challenges, part two: Planning

Mastering basic virtualization challenges, part three: Management

Mastering basic virtualization challenges, part five: Organizational readiness
