Cyber attacks are a considerable risk to any IT system -- be it on-premise or cloud-based. Security is at the core of Cameyo's design rather than an after-thought. This article summarizes the different mechanisms and counter-measures implemented within Cameyo for dealing with these risks.


Layered Revert: session wipeout

Whatever's done during a session is wiped out. The entire user profile is deleted and rebuilt. Only configured data locations are synced out and back in (Temporary user profiles).


Least privilege principle

Cameyo's sessions run under limited user privileges. Also, Cameyo's server-side agents perform as few tasks as possible under SYSTEM / high privileges. Whenever an interaction is made with a user or a session, Cameyo's service spawns a module running under the same low privileges. This way, a vulnerability in Cameyo's own modules would not put the server's security or other users' data at risk.


HTTPS security and encryption

All Cameyo cloud servers are automatically created with HTTPS - both standalone and elastic. This ensures that sessions are encrypted.


Port Shield: no ports left open in the cloud

Cameyo's HTTP/S ports are closed towards the Internet by default through Windows Firewall. Only an authorized user session triggers white-listing of the user's IP, which opens port 443 towards that user for the duration of the session. The IP is then removed from the firewall's white-list once the session completes.
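The session-scoped allow-listing described above can be sketched with the built-in Windows Firewall cmdlets. This is an added illustration, not Cameyo's own code; the `PortShieldDemo` group, the function names, the session ID and the client IP are all hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added illustration, not Cameyo's implementation. All names are hypothetical.
$Group = 'PortShieldDemo'   # rule group used to find these rules again later

function Open-SessionPort {
    param([Parameter(Mandatory)][string]$SessionId,
          [Parameter(Mandatory)][ipaddress]$ClientIp)   # rejects ranges and 'Any'
    # One rule per session rather than per IP: two users behind the same NAT
    # address each get their own rule, so ending one session does not cut off
    # the other.
    New-NetFirewallRule -DisplayName "$Group-$SessionId" -Group $Group `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
        -RemoteAddress $ClientIp.ToString() | Out-Null
}

function Close-SessionPort {
    param([Parameter(Mandatory)][string]$SessionId)
    Get-NetFirewallRule -DisplayName "$Group-$SessionId" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Get-StaleSessionRule {
    # Audit: a rule in the group whose session is no longer active is a
    # leftover opening on port 443.
    param([string[]]$ActiveSessionIds = @())
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { ($_.DisplayName -replace "^$Group-", '') -notin $ActiveSessionIds } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            }
        }
}

# Constructed sample values (203.0.113.0/24 is a documentation range).
Open-SessionPort -SessionId 'sess-001' -ClientIp '203.0.113.10'
try {
    Write-Verbose 'session in progress'        # placeholder for the session itself
} finally {
    Close-SessionPort -SessionId 'sess-001'    # runs even if the session errors out
}
Get-StaleSessionRule -ActiveSessionIds @()     # lists any rule left behind
```

Running the audit function on a schedule against the list of live sessions catches rules that survived a crashed session, which is the failure mode that would leave port 443 open to a former user's address.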


Cloud Tunneling: no ports left open on-premises

When installing Cameyo on-premises, Cloud Tunneling allows for a reverse connection model, where nothing connects in to the server (no firewall openings). Instead, it is the Cameyo server that connects out to a cloud tunneling server to broker the connection with the end-user. This way, no ports are opened towards the company's servers.


Auto-snapshots

Whatever may happen, Cameyo's cloud servers are regularly snapshotted and backed up on a monthly, weekly, daily and 4-hourly basis.


Windows Updates

Windows updates occur automatically during maintenance timeframes. This ensures that Cameyo servers run with the latest Microsoft security updates and patches.


Component Updating

Cameyo's 3rd party components such as Java and Tomcat can be push-updated as necessary from Cameyo. Thus, serious vulnerabilities can be force-patched by our team on all servers.


Shell lockdown and limited system access

Cameyo sessions lock users out of the computer's file system as much as possible. Not only does this avoid user mistakes and IT issues, but it also reduces the attack surface for intentional or unintentional malicious actions.