Virtualization Technology News and Information
Q&A: Interview with PolicyPak Software, Talking Virtualization, Remediation and Minimizing Risks

With users often working around important settings that VMware itself may not be able to enforce or remediate, it becomes a potential vulnerability for cyber threats.  And while researching, that's where I found out about PolicyPak.  To find out more about what this company is doing within the virtualization space, I reached out and spoke with Jeremy Moskowitz, Group Policy MVP who also founded PolicyPak Software.  I wanted to find out how they stopped problems like this.

VMblog:  How has virtualization changed over the past decade?

Jeremy Moskowitz:  Actually, virtualization goes back even longer than a decade. Back in the late 1990s we were "emulating" one system on another system (make my Commodore Amiga act like a Macintosh Plus). That was a form of virtualization where "expert consumers" could start to touch it and use it.

The next phase was when Virtual PC and VMware Workstation came out. Then, something special happened - the original consumer found a second life from businesses looking to reduce costs. Instead of buying a developer two PCs, you gave him one PC and Virtual PC or VMware Workstation and - poof! Easy enough for the techy and developer guy, and savings even a manager could love!

The next level was migrating servers from real silicon to virtual systems. And now we're on to getting rid of the silicon on the desktop itself with VDI.

Additionally, with the advent of Application Virtualization from vendors like Microsoft (via App-V) and VMware (ThinApp) there's yet another layer of virtualization in there.

We think there's still another layer that can be virtualized: the actual application's settings themselves. So when applications are deployed, the settings are dynamically applied based upon the particular circumstance.

VMblog:  How have these changes impacted IT admins?

Moskowitz:  IT Admins have to keep up. The amount of stuff to know has increased greatly. There's the original PC support stuff, then you layer on top of it all the server virtualization, VDI, application virtualization and/or storage and network virtualization. The sheer volume of change is exceedingly difficult for many IT admins to keep up and stay on top of it.

A good manager will ensure that his team is well prepared for the onslaught when going down the virtualization path.

VMblog:  In what situations can virtualization or VDI present potential risks to the business?

Moskowitz:  The big myth is that, because VDI systems are stored in the server room that they are somehow "magically more secure" than real desktops. Okay, so the box likely won't walk out of the building in a theft in the same as a PC or a laptop could.  But beyond the physical risks, all the software based risks are still there. All the reasons you need to make your desktops and laptops more secure and stable translates exactly one to one for your VDI systems. It isn't magic simply because it's VDI. It must be protected and managed precisely as well.

If we break VDI down to its barest elements, it's about two things: running and securing applications, and getting to and securing corporate data.

Windows Server OS has tons of built in controls to deal with securing and managing the data in a meaningful way. Most recently Windows Server 2012 added Dynamic Access Control which enables claims against data in a more meaningful way. So instead of relying only upon groups for security, you're nor relying on "where" they are in Active Directory to determine who has access to what. (Note: Getting Dynamic Access Control set up and managed is not for the faint of heart, but the moving pieces are in the box and do work as advertised when carefully put together.)

VMblog:  So what does PolicyPak do to mitigate potential risks associated with virtualization?

Moskowitz:  If VDI is about managing two things (application and data), I would say Microsoft does a pretty good job giving admins tools like Dynamic Access Control to help protect data.  However, what's missing is the management of applications and how they are controlled.

Think about it: Most applications have built-in security (i.e.: Use strong passwords, Turn on SSL encryption, and so on.) But there's no way to uniformly ensure that your Windows applications will actually have these settings turned on and locked down so users cannot work around them.

Microsoft's Group Policy does an admirable job of dealing with "in the box" settings for Windows itself. But it's got no control over 3rd party applications, like Firefox, Java, Flash, Acrobat Reader, AutoCAD, and countless thousands of other applications.

We're not talking about the deployment of applications. You've already got a tool for that like SCCM, LanDesk, KACE, etc. We're talking about the management of those applications once already deployed. How do you manage and lock down the settings - after the user tries to work around your requirements?

And that's where PolicyPak comes in.

PolicyPak is an application settings delivery and lockdown utility for IT Admins who want to protect their endpoints (desktops, laptops, and VDI). PolicyPak ensures that important IT settings for the applications themselves are dictated and enforced and cannot be worked around by the end user.  Once PolicyPak is installed, admins instantly get a handle on the "managing applications" part of VDI.  PolicyPak ensures that off-the-shelf and home-grown applications always have the correct settings, the ones IT knows are critical to prevent the next security breach.

For instance, in January, when the Department of Homeland Security recommended that Java be disabled everywhere, instantly - then our phone rang off the hook.

VMblog:  If Virtualization is all about user experience, what can be done to help the user experience with VDI?

Moskowitz:  Users love things to "just work." And what do they really want to "just work" the most?

Their applications.

So when they launch applications (via whatever method), they expect that it works the same way today as yesterday. If a user makes an "oops" then they're stuck waiting for someone to shadow them, or walk down there and fix their application. Or nuke their whole VDI session. None of those are excellent choices - if the problem was preventable in the first place.

VMblog:  And what virtualization solutions does PolicyPak integrate with?

Moskowitz:  PolicyPak integrates with most of the VDI layers (in general) and many specific vendor solutions.  For example, PolicyPak can dictate and lock down Windows applications when those apps run on desktop or laptop or from within Citrix XenDesktop or VMware Horizon View. PolicyPak also manages application settings when applications published or presented with Microsoft RDS or Citrix XenApp.

PolicyPak can also control applications' settings when they are really installed, or when virtualized with Microsoft App-V, VMware ThinApp, Symantec Workspace Virtualization, Novell ZENworks Virtualization or Citrix XenApp Streaming.

VMblog:  How are PolicyPak's directives delivered?

Moskowitz:  You deliver PolicyPak directives with Group Policy or you can use or your own systems management tool like SCCM, LanDesk, KACE, etc.

PolicyPak ships with almost 100 pre-configured Paks for common applications like Java, Flash, Firefox, Internet Explorer, Microsoft Office and tons of others.

PolicyPak's strength is that it's drop-dead easy to get started. Most administrators can be up and running, managing settings to real or virtualized desktop and applications in about 20 minutes.


Once again, I'd like to thank Jeremy Moskowitz, founder and Group Policy MVP of PolicyPak Software, for taking time out to speak with VMblog and educating us on PolicyPak.

Published Wednesday, March 13, 2013 6:30 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<March 2013>