(This is the fourth article in a five-part series.)

Like management, security is a topic that newcomers to virtualization often neglect. “Most organizations tend to overlook some of the specific nuances of virtualization and ultimately end up being less secure than they think they are,” says Neil MacDonald, a vice president at research firm Gartner Inc. of Stamford, Conn.

MacDonald cites several potentially dangerous security-related issues as examples:

Hypervisor vulnerabilities: Hypervisors are no less susceptible to attack than other software applications. “Compromise of that layer is a worst-case security scenario, because it puts every workload on that server at risk,” MacDonald observes. Hypervisor makers generally patch vulnerabilities in their software quickly, but IT departments are often lax about applying those patches. Including your hypervisor in your company’s regular patch management routine is critical, MacDonald argues.

Internal traffic monitoring: Traditional network-based firewalls and intrusion prevention systems scrutinize traffic between physical devices, but are incapable of observing traffic between virtual machines inside a host server. To monitor those communications you’ll need specialized firewall and intrusion prevention applications designed for use in virtual environments. Reflex Security Inc. and Blue Lane Technologies Inc. are two of many vendors that offer such products.

Root administrative control: In conventional infrastructures, servers typically perform one function apiece. In a virtual environment, however, a single physical server usually contains a wide variety of virtual machines—and anyone with root administrative permissions for that host device can potentially weaken all of them. That means IT departments introducing virtualization must also introduce tighter controls over who receives root access privileges.