The National Institute of Standards and Technology issued a guidance document for securely configuring and using virtualisation technologies.
The institute said that "full virtualisation" - when one or more operating systems and their applications are run on top of virtual hardware - was efficient but created security flaws.
“Virtualisation adds layers of technology, which can increase the security management burden by necessitating additional security controls,” researchers wrote.
The Guide to Security for Full Virtualisation Technologies was for system administrators, security program managers, security engineers or anyone who designed, deployed or maintained such systems.
Security should be considered before installing, configuring and deploying: “Most existing recommended security practices remain applicable in virtual environments”.
This included securing the hypervisor (the central program that runs the virtual environment), the host OS, guest OSs, applications and storage. Organisations should patch their software and use secure configuration baselines, host-based firewalls and anti-virus software or other mechanisms to detect and stop attacks.
“Organisations should have the same security controls in place for virtualised operating systems as they have for the same operating systems running directly on the hardware,” the guidance document states.
To secure the hypervisor, disable unused virtual hardware and unneeded hypervisor services, such as clipboard or file sharing. Administrators should also monitor the hypervisor for signs of compromise and consider monitoring the security of each guest OS and related activity.
Providing physical access controls for the hardware on which the hypervisor runs was also important, added the guidance document.
Administrator access to the virtualisation solution should be restricted.
By next year, more than half of US enterprise data centres will be virtualised, Gartner wrote last year.
And in five years, virtualised systems likely will be more secure than their physical counterparts, but until then most virtualised servers will be less secure than the physical servers they replace, Gartner predicted.
The analyst firm blamed the stumbling on organisations' failure to involve the IT security team in their deployment projects and on immature tools to protect these new environments.