And, he said, it's important that IT managers have a good understanding of the business import of every application running within a company's virtual environment, and that they map out any interdependencies that may exist between them.
He also said that companies should set up separate patching processes for virtual machines, and create strict change management policies and controls to restrict access to the virtual environment.
"We are in the process of trying to mature some practices in this area ourselves through process, change controls and through technology." Lorenc said.
Lloyd Hession, chief security officer at BT Radianz in New York, said that virtualization also opens up a slew of potential network access control issues.
Virtualization tools allow multiple application servers with different access requirements to run on a host with a single IP address, he noted.
Therefore, IT managers should take proper access control measures to ensure that a network admission control policy for one virtual server on a host doesn't end up getting applied to all the virtual servers on a corporate network, Hession added.
Today, he noted, most networks and network admission control technologies "are not virtualization aware. Many network admission control technologies that are making 'Go' and 'No Go' decisions don't know if a server is a virtual machine or not."
Security experts also noted that expanded use of packaged virtualization tools from major vendors is giving hackers and white hat security researchers a whole stack of relatively unexplored code in which to look for new security flaws and attack methods.
Just this month, Microsoft issued a patch to fix a vulnerability in its virtualization software that could let users with administrative permission to access only one specific guest operating system run others without permission, the company said.
Microsoft rated the flaw "important," but not "critical."
Kris Lamb, director of IBM's Internet security system's group X-Force team, contended that the spread of virtualization technologies is giving hackers and white hat security researchers a whole stack of relatively unexplored code in which to search for new security flaws and for methods to attack them.
Lamb cited virtual machine monitoring tools, which manage virtualization functions in a system, as a strong potential platform for launching hacker attacks on virtual machines.
Virtual machine monitors use consoles to manage the resources of the hardware hosting the virtual machines and to act as an interface between the hardware and the various virtual machines hosted on it.
The monitoring software usually sits just one level above the hardware and can be used to launch virtually undetectable attacks against the operating system and application software layers above it, security experts said.
In fact, security researchers have said that they have already demonstrated proof of concept code that shows just how attacks on virtual machines can be carried out from the monitoring software.
For example, researchers at Microsoft and the University of Michigan earlier this year devised SubVirt, which uses a rootkit to install a virtual machine monitor under an operating system. The effort allowed the researchers to gain complete control of multiple virtual machines.
A similar attack method, called Blue Pill, was developed by Joanne Rutkowska, a malware researcher at Singapore-based IT security firm Coseinc, who demonstrated it at the BlackHat security conference earlier this month in Las Vegas.
Rutkowska's rootkit is based on AMD's secure virtual machine, code-named Pacifica, and allows a virtualized system to be hijacked much like the SubVirt attack method, while remaining completely undetectable.
"You have this big command and control monitoring software that has become a central piece of the infrastructure and holds the keys to the kingdom," at many companies, Lamb noted.
For hackers, such software provides an increasingly high impact target to go after, he added.
"Companies are increasingly embracing virtualization to simplify IT management and cut infrastructure costs," said Tom Cross, another X-Force researcher at IBM.