Monday | 6 July, 2009
CSO
New security threats from every which way
As virtualization, SOA and mobility projects proliferate and converge, they open the enterprise to a rash of troublesome network security problems
Deb Radcliff (Network World) 19/03/2008 10:17:28

For now, Rein is using PlateSpin's PowerRecon management tool to get a look into what's happening inside his virtual environments. Part of PlateSpin's popular virtualization-deployment platform, this component supports such management functions as resource allocation and chargeback capability.

Monitoring a guest machine is not as easy as tweaking host and application security to handle all things virtual, says Chris Farrow, director of product management at Fortisphere, which uses a tagging technology to track virtual guests and block untagged machines from going live on the host.

"Guests have their own challenges. A guest in the virtual world could be live on the network, live but in a host-only mode waiting for its host's command, or in suspend mode waiting to be spun up at any moment. Version control is a big point because you need to know what condition they're in before they go live," he says. "You also have the hypervisor. Is it patched and configured correctly? Is it running securely in its activities and communications?"

Such are the layers of security addressing the layers of risk brought about by virtualization: Virtualization-specific point products that run separately, traditional network and system management products tooled to cover some VMM issues (without looking into the virtual machine activity itself), and problem-specific security tools reset for virtualization.

Note that none of the products mentioned so far does anything to cut down on virtual machine creep outside of the controlled data-center environment. For example, many mobile Mac users are running virtual machine images of Windows computers so they can access their Windows data on their Macs, Novell's Reed notes. "You'll need to further integrate your endpoint security to protect against rogue virtual machines installing on your endpoint devices," he says.

Those virtual desktops also will need management. The easiest fix would be using virtualization itself to control the builds and protect the operations of mobile computers, Mercy Medical's Rein says.

"We can virtualize desktop images into small, inexpensive portable devices, encrypt them, and send them out into the world where they run separate and secure from the host machine, then leave no trace behind when the key is removed," he says. "Imagine the efficiencies in patch management, updates and version controls for your endpoints," he adds.
