This document clarifies the shared responsibility model for Cameyo’s products.
Understanding the shared responsibility model is important when determining how best to manage and secure your workloads in Cameyo. The model describes which security tasks are yours and which tasks and activities Cameyo undertakes to ensure a secure and operational environment.
Cameyo supports multiple operating methods:
Product Name | Description |
Cameyo Self Hosted | The Customer makes any infrastructure (Cloud or On Prem, or any combination thereof) available for the deployment of Cameyo and Virtual Applications. Customers are responsible for all associated Infrastructure and software running upon them.
Customers deploy applications to the managed infrastructure as Administrators, and enable users to access these applications using the Cameyo portal. See Isolation section below.
Customers are the administrators of the (Virtual) Machines and are responsible for all software (including the OS) running on these (Virtual) Machines. Updates, Patches, and any security challenges posed by this software are the responsibility of the Customer.
The Customer deploys Cameyo’s agent on this infrastructure to connect customer-selected virtual machines with Cameyo’s portal so that virtual applications can be delivered. |
Cameyo BYO-GCP | The Customer makes Cloud infrastructure hosted on Google Cloud Platform available for the deployment of Cameyo and Virtual Applications. Customers are responsible for all associated Infrastructure and software running upon them.
Customers deploy applications to the managed infrastructure as Administrators, and enable users to access these applications using the Cameyo portal. See Isolation section below.
Customers are the administrators of the Virtual Machines and are responsible for all software (including the OS) running on these Virtual Machines. Updates, Patches, and any security challenges posed by this software are the responsibility of the Customer.
Cameyo is responsible for the deployment, scaling (up and down) of VMs and other resources within the Customer's own GCP environment as permitted by the customer. |
Cameyo Fully Hosted | Cameyo makes Cloud infrastructure available to Customers, accessible with both user and admin rights (as required) in order to support the deployment, operation, and maintenance of Virtual Applications.
Customers deploy applications to the managed infrastructure as Administrators, and enable users to access these applications using the Cameyo portal. See Isolation section below.
Customers are the administrators of the Virtual Machines and are responsible for all software (including the OS) running on these Virtual Machines. Updates, Patches, and any security challenges posed by this software are the responsibility of the Customer.
Cameyo takes responsibility on a best efforts basis for securing the surrounding networking, storage and associated infrastructure, taking all reasonable precautions to ensure that infrastructure operated on behalf of the customer is accessible only to the Customer and - where permissible - Cameyo infrastructure administrators to perform routine maintenance, or tasks on behalf of the Customer. |
The following diagram shows how responsibilities are typically shared between Cameyo and the Customer.
Category | Responsibility | Self Hosted | BYO-GCP | Fully Hosted |
Content | Application Usage | | | |
Content | Application Security | | | |
Content | Application Updates | | | |
Content | Application Identity | | | |
Content | Drive based files availability and IAM | | | |
Infrastructure | Cameyo Portal - IAM | | | |
Infrastructure | Cameyo Portal - Apps | | | |
Infrastructure | Virtual Machine Administration | | | |
Infrastructure | Virtual Machine Updates & Patching | | | |
Infrastructure | Virtual Machine Provisioning & Scaling | | | |
Infrastructure | Networking Configuration | | | |
Infrastructure | Networking Security | | | |
Infrastructure | Audit Logging | | | |
Infrastructure | Storage & Encryption | | | |
Infrastructure | Cameyo Portal Availability | | | |
Infrastructure | Cameyo App Availability | | | |
Deployment | Cameyo Player Agent Deployment | | | |
Legend: Customer Responsibility | Cameyo Responsibility |
Isolation
As is common within Windows-based virtualization environments, multiple end users (your users or employees) will share the same Windows Server Virtual Machine. The boundary between these users is the Windows Profile boundary. Cameyo is designed to maximize the efficiency of this usage method by running individual apps within each Windows Profile on a virtual machine. Each session connects an end user to the Windows Profile environment containing that app, and when a session ends the profile and all data are deleted to free up resources for new sessions. The Customer takes responsibility for the activities of users on the Windows Server infrastructure and should ensure access is granted only to users (employees, customers, or other users) that are trusted.
Networking
In the Fully Hosted product, Virtual Machines and the Virtual Private Networks connecting them within our Cloud Infrastructure are dedicated to individual Cameyo customers. Multiple Cameyo customers (or companies) will never share the same Virtual Machines, and it is not possible to access any other customer network or virtual machine through Cameyo.
To ensure this separation is maintained, customers are not able to manage or manipulate their VPC network configuration within Cameyo Fully Hosted.
Summary
It is critical that customers understand their responsibilities, particularly when it comes to managing the infrastructure below the content of their applications and data within Cameyo.