Strategic Security: Server Virtualization


VMware's VMsafe program is bringing more security options to the world of server virtualization.



Server virtualization is sweeping the data center, but the cold, hard truth is that few of these initiatives have incorporated security during design, testing, or deployment. That's a problem, because you can't just transfer traditional security policies and practices used in the physical world.

Physical-world security is often tied to "physical" attributes--such as MAC addresses, server identities, and IP addresses--that aren't relevant in the fluid world of virtual machines. To make matters worse, security pros and VM admins alike can find themselves sniping from opposing camps rather than working together to design and implement an efficient, secure virtualization infrastructure.

InformationWeek Reports

Meanwhile, hypervisors and the virtualization layer eventually will be compromised. Despite the best efforts of PR teams to convince us otherwise, hypervisors aren't magical constructs. They're just software, and no code is free of errors or vulnerabilities.

Organizations also may introduce their own vulnerabilities. Virtual machines can communicate with one another on the same physical host without that traffic ever passing through--or being inspected by--firewalls and intrusion-detection systems. If an attacker compromises one VM, he can use it as a base of operations to probe and invade others on the same server without the security or operations team ever knowing.

The danger is inadvertently putting sensitive or regulated data at risk: An administrator might reconfigure host network interface cards for performance reasons and end up placing a customer database and Web-facing server on the same card. Automated VM transfers, in which a virtual machine hops from one physical server to another, may violate security policies or compliance rules if a VM moves outside a secure domain. A virtual instance of a Web server that was deployed for a quick test may sit, unpatched and unmonitored, on the same virtual LAN as critical production VMs, just waiting to be infiltrated by attackers.
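The three placement mistakes described above can be checked mechanically against an inventory export. The following is an added example, not code from the article or from any vendor API; the inventory records, field names, zone labels and policy tables are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory (hypothetical VM, host and NIC names).
INVENTORY = [
    {"vm": "web-01", "host": "esx-a", "nic": "vmnic0", "vlan": 10, "zone": "dmz", "managed": True},
    {"vm": "custdb-01", "host": "esx-a", "nic": "vmnic0", "vlan": 20, "zone": "regulated", "managed": True},
    {"vm": "app-01", "host": "esx-b", "nic": "vmnic1", "vlan": 30, "zone": "production", "managed": True},
    {"vm": "test-web", "host": "esx-b", "nic": "vmnic2", "vlan": 30, "zone": "test", "managed": False},
    {"vm": "custdb-02", "host": "esx-c", "nic": "vmnic0", "vlan": 20, "zone": "regulated", "managed": True},
]
# Assumed policy: hosts each zone may run on (its "secure domain"),
# and zone pairs that must never share a physical NIC.
ALLOWED_HOSTS = {
    "regulated": {"esx-a"}, "dmz": {"esx-a", "esx-b"},
    "production": {"esx-a", "esx-b"}, "test": {"esx-b"},
}
FORBIDDEN_PAIRS = {frozenset(("dmz", "regulated"))}
SENSITIVE_ZONES = ("production", "regulated")

def audit(inventory):
    """Return sorted (rule, subject, location) findings for the inventory."""
    findings = []
    by_nic, by_vlan = defaultdict(list), defaultdict(list)
    for vm in inventory:
        by_nic[(vm["host"], vm["nic"])].append(vm)
        by_vlan[vm["vlan"]].append(vm)
        # A VM that has moved to a host outside its zone's secure domain.
        if vm["host"] not in ALLOWED_HOSTS.get(vm["zone"], set()):
            findings.append(("outside-domain", vm["vm"], vm["host"]))
    # Web-facing and regulated VMs placed on the same physical NIC.
    for (host, nic), vms in by_nic.items():
        for a, b in combinations(vms, 2):
            if frozenset((a["zone"], b["zone"])) in FORBIDDEN_PAIRS:
                findings.append(("shared-nic", f"{a['vm']}+{b['vm']}", f"{host}/{nic}"))
    # Unpatched, unmonitored VM sharing a VLAN with sensitive workloads.
    for vlan, vms in by_vlan.items():
        has_sensitive = any(v["zone"] in SENSITIVE_ZONES for v in vms)
        for v in vms:
            if has_sensitive and not v["managed"]:
                findings.append(("unmanaged-on-vlan", v["vm"], f"vlan {vlan}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="\t")
```

Run on a schedule and after every automated migration, a check like this surfaces policy drift that perimeter firewalls and intrusion-detection systems never see, because the traffic in question never leaves the host.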

That's a long list of issues for security professionals and virtualization administrators to tackle. The industry, recognizing that major security disruptions could choke the growth of virtualization, is taking steps to make virtual machines and inter-VM traffic more visible and better secured.

The most prominent effort comes from VMware, whose ESX hypervisors dominate the server virtualization market. The company announced the VMsafe program in spring 2008. VMsafe provides a set of APIs that vendors can use to extend security and monitoring capabilities into the virtual realm--or at least, into VMware's realm.

The VMsafe security APIs run at the hypervisor and machine monitoring layer, allowing security vendors to hook into all activity occurring in your virtualized world to monitor traffic, enforce policies, and watch for suspicious activities on the hypervisor and virtual machine guests. Arguably, VMsafe and APIs from other hypervisor vendors will, in the long run, allow insight and monitoring capabilities beyond what can be done with physical servers.

