Limit virtualization to management-specified risk aggregation tolerances.
This approach places limits on virtualization based on risk thresholds set by management. As risks increase because of aggregation, additional compensating controls are required and the costs go up. For example, while low-risk systems have almost no protective requirements, medium-risk systems may have many more. When low-risk systems are aggregated into a combined virtualized environment, the resulting risk may reach the medium level, forcing increased protection for systems that used to require very little. The cost of virtualization is then forced to include these increased security costs, and as more and more gets aggregated, the return on investment gets smaller and smaller. Eventually the right tradeoffs are made: virtualization is limited, with compensating controls in place where appropriate.
Limit virtualization of security functions but not business functions.
This approach attempts to separate security functions from other business functions and is sometimes offered as a compromise solution. While security functions certainly have to meet separation-of-duties requirements and be limited in risk aggregation, so do other business functions, and therefore this sort of compromise should be rejected except in small enterprises, where separation is very limited anyway.
Don't virtualize at all.
Not virtualizing at all may be cutting off your nose to spite your face. Using a virtualization approach is cost effective even for the smallest enterprises and completely separating every business function into its own computer is almost always unnecessarily wasteful.
Virtualize as far as you can and use redundant virtual environments to compensate for virtualization security implications.
Adding redundant virtual environments to compensate for virtualization security implications only compensates for the availability limitations of virtual environments; it ignores the integrity, use control, accountability, and confidentiality issues that stem from the imperfect separation virtual environments provide. In addition, only limited availability protection is afforded, because an attack that works on one copy of the environment is likely to work on another unless additional separation is in place.
Virtualization is all about reducing costs. Combining more computing functions into fewer devices reduces management and operational costs including, but not limited to, floor space, power consumption, maintenance and support costs, administration time, and supporting infrastructure. But from a security standpoint, it also aggregates risks. Every time you combine two functions into one system, the vulnerabilities of each potentially impact the other, a single hardware failure takes down all of them, and the commonality of operating environments makes each vulnerability apply to more and more systems. The more things you combine, the more weight you put on the virtualization system. Unless there are compensating controls, risks increase to exceed tolerance levels and failures result in intolerable losses. So virtualization is ultimately a tradeoff that trades cost for risk.
Virtualization should be understood as a tradeoff between operational costs and security costs, and not just treated as a reduction in operating costs resulting from technology advances. Technology advances do indeed reduce costs, but when used in the virtualization mode of aggregating systems and their content into fewer systems, the result is reduced integrity, availability, confidentiality, use control, and accountability unless compensating controls are put in place. Since those compensating controls also have costs, those costs must be part of the balance considered in limiting virtualization, and must be recognized as such by those making decisions about virtualization.
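The tolerance-limited approach described above, and the cost-versus-risk balance this paragraph argues for, can be made concrete with a small placement model. The following Python is an added illustration, not code from the original article: the risk tiers, tier boundaries, per-host operating cost and per-tier compensating-control costs are all hypothetical, as is the inventory of workloads. A host inherits the tier of its riskiest guest and is pushed up a tier when its guests' combined expected loss crosses a management-set boundary, which is how a handful of low-risk systems end up needing medium-tier protection once co-located. The three strategies costed are the ones weighed in the text: no virtualization, virtualize everything, and virtualize only up to the tolerated tier.

```python
"""Risk-aggregation model for deciding how far to virtualize.

Constructed example (not from the original article): every workload has
its own risk tier (1 = low, 2 = medium, 3 = high) and an expected annual
loss. A host takes the highest tier of any guest, and is raised further
when the combined loss of its guests crosses a boundary set by management.
All money figures and boundaries below are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical management thresholds: a host whose guests' combined loss
# exceeds the bound for its tier is treated as the next tier up.
TIER_BOUNDS = {1: 50_000, 2: 500_000}            # tier 3 has no ceiling
CONTROL_COST = {1: 1_000, 2: 15_000, 3: 60_000}  # per-host compensating controls
HOST_COST = 5_000                                # per-host operating cost


@dataclass(frozen=True)
class Workload:
    name: str
    tier: int   # risk tier the system carries on its own
    loss: int   # expected annual loss from its failure or compromise


def loss_tier(combined_loss):
    """Tier implied by aggregated loss alone."""
    for tier in (1, 2):
        if combined_loss <= TIER_BOUNDS[tier]:
            return tier
    return 3


def host_tier(guests):
    """A host inherits its riskiest guest; aggregation can then push it higher."""
    return max(max(w.tier for w in guests), loss_tier(sum(w.loss for w in guests)))


def placement_cost(hosts):
    """Operating cost plus the compensating controls each host's tier requires."""
    return sum(HOST_COST + CONTROL_COST[host_tier(h)] for h in hosts)


def uplifted(hosts):
    """Workloads that now need stronger protection than they did standing alone."""
    return sorted(w.name for h in hosts for w in h if host_tier(h) > w.tier)


def over_tolerance(hosts, tolerance):
    """Hosts still above the tolerated tier (only possible when a single guest is)."""
    return [h for h in hosts if host_tier(h) > tolerance]


def place_within_tolerance(workloads, tolerance):
    """First-fit placement that never lets a host exceed management's tolerated tier.

    Largest losses are placed first. A workload whose own tier already exceeds
    the tolerance still gets a host of its own; over_tolerance() reports it.
    """
    hosts = []
    for w in sorted(workloads, key=lambda w: -w.loss):
        for h in hosts:
            if host_tier(h + [w]) <= tolerance:
                h.append(w)
                break
        else:
            hosts.append([w])
    return hosts


def compare_strategies(workloads, tolerance):
    """Cost of the three placements the article weighs, keyed by strategy."""
    one_per_host = [[w] for w in workloads]
    everything_together = [list(workloads)]
    limited = place_within_tolerance(workloads, tolerance)
    return {
        "no virtualization": placement_cost(one_per_host),
        "virtualize everything": placement_cost(everything_together),
        "limit to tolerance": placement_cost(limited),
    }


# Constructed inventory: six low-risk systems plus two medium-risk ones.
INVENTORY = [Workload(f"intranet-{i}", 1, 12_000) for i in range(6)] + [
    Workload("payroll", 2, 200_000),
    Workload("customer-db", 2, 350_000),
]

if __name__ == "__main__":
    print(host_tier(INVENTORY[:6]))    # six lows together: aggregation makes the host tier 2
    print(uplifted([INVENTORY[:6]]))   # all six now need medium-tier controls
    for strategy, cost in compare_strategies(INVENTORY, tolerance=2).items():
        print(f"{strategy:24} {cost:>8,}")
```

With these numbers, putting everything on one host crosses the tier-3 boundary and the control cost wipes out most of the consolidation saving, while placing up to the tolerated tier comes out cheapest. The model also makes the uplift visible: a low-risk intranet box co-located with the customer database has to be protected to the host's tier, not its own, which is exactly the hidden security cost the text says decision makers must account for.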