I have been a Nextcloud user since before the fork, when it was still ownCloud. I recall that I was one of the first journalists to talk to Frank Karlitschek about ownCloud. I have always considered Nextcloud one of the most important open source projects, because we are all multi-device users now, and a cloud service plays the central role in keeping files and data in sync across those devices. Nextcloud is, as far as I can tell, the only fully open source, commercially backed cloud project that is this mature, stable and secure.
That last word, ‘secure’, matters in an era when mass surveillance and state-sponsored hacking are increasing at an alarming rate. I looked at Nextcloud and talked to some of its customers and engineers to see how secure it really is, and what I found was quite reassuring. And since, as the saying goes, ‘talk is cheap, show me the code’, Nextcloud has also commissioned a report from the NCC Group to validate its security claims.
Here is what I found: Nextcloud builds on industry-standard technologies that are time-tested and proven, and it follows best practices to make sure the product delivers the security it promises.
Secure by design, secure by default
Protection from attackers
Brute-force cracking is a very common, if unsophisticated, technique for breaking into user accounts, and it is used by criminals and government agencies alike. Nextcloud ships with built-in brute-force protection that slows down its responses once too many failed login attempts originate from the same IP address or address range: the account is throttled rather than locked, so the legitimate user keeps access while guessing becomes impractically slow.
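To make the idea concrete, here is a small model of subnet-based login throttling in Go. It is an example added for this article, not Nextcloud's own code; the numbers (three free attempts, a ten-minute window, delays doubling up to thirty seconds) and the choice of /24 and /64 subnets are assumptions of the example, not Nextcloud's settings, and the addresses are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Throttle slows down logins once too many failures come from one subnet.
// Constants and subnet sizes are illustrative choices for this example, not
// Nextcloud's settings.
type Throttle struct {
	Window   time.Duration          // how long a failure counts against its subnet
	Free     int                    // failures tolerated before any delay
	MaxDelay time.Duration          // cap on the imposed delay
	Now      func() time.Time       // injectable clock, so the behaviour is testable
	failures map[string][]time.Time // recent failure timestamps per subnet key
}

// NewThrottle returns a throttle with the example's defaults.
func NewThrottle(now func() time.Time) *Throttle {
	return &Throttle{
		Window:   10 * time.Minute,
		Free:     3,
		MaxDelay: 30 * time.Second,
		Now:      now,
		failures: map[string][]time.Time{},
	}
}

// SubnetKey collapses an address to its /24 (IPv4) or /64 (IPv6), so an
// attacker hopping between neighbouring addresses shares a single counter.
func SubnetKey(ip string) string {
	addr := net.ParseIP(ip)
	if addr == nil {
		return "invalid"
	}
	if v4 := addr.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String() + "/24"
	}
	return addr.Mask(net.CIDRMask(64, 128)).String() + "/64"
}

// prune forgets failures older than Window and returns those still counted.
func (t *Throttle) prune(key string) []time.Time {
	cutoff := t.Now().Add(-t.Window)
	kept := t.failures[key][:0]
	for _, ts := range t.failures[key] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	t.failures[key] = kept
	return kept
}

// RecordFailure is called after a wrong password from ip.
func (t *Throttle) RecordFailure(ip string) {
	key := SubnetKey(ip)
	t.prune(key)
	t.failures[key] = append(t.failures[key], t.Now())
}

// Delay returns how long the server should wait before answering the next
// attempt from ip: nothing up to Free failures, then 1s, 2s, 4s, ... capped
// at MaxDelay. The account is never locked; guessing just becomes too slow.
func (t *Throttle) Delay(ip string) time.Duration {
	over := len(t.prune(SubnetKey(ip))) - t.Free
	if over <= 0 {
		return 0
	}
	if over > 16 { // keep the shift well away from overflow
		over = 16
	}
	d := time.Second << uint(over-1)
	if d > t.MaxDelay {
		d = t.MaxDelay
	}
	return d
}

func main() {
	clock := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	th := NewThrottle(func() time.Time { return clock })
	// Two addresses in the same /24 share the counter; constructed sample data.
	for i := 1; i <= 6; i++ {
		th.RecordFailure("203.0.113.10")
		fmt.Printf("failure %d from 203.0.113.10 -> next attempt from 203.0.113.77 delayed %v\n", i, th.Delay("203.0.113.77"))
	}
	fmt.Println("unrelated subnet 198.51.100.1:", th.Delay("198.51.100.1"))
	clock = clock.Add(11 * time.Minute) // the window passes
	fmt.Println("after the window:", th.Delay("203.0.113.77"))
}
```

The point of keying on the subnet rather than the single address is that a botnet or a cloud tenant can rotate through neighbouring addresses cheaply; the point of a growing delay rather than a lock is that the attacker cannot use the protection itself to deny service to the real user.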
User account protection
Nextcloud serves a wide range of users: employees of enterprise customers, individuals, staff and students at universities and schools, regional government agencies and many more. It has many capabilities to protect accounts that are used across several devices. If a user wants to make a critical change to their account in the settings, Nextcloud asks for the user's password again. So far I have seen this practice on Apple and Amazon products. One real-life scenario: someone tries to modify an account on an unattended or stolen machine where the user is still logged in. Without the password, the change cannot be made.
Nextcloud also offers a password policy, including a check against common passwords, that applies to every password in the system (share passwords, user passwords and so on). In addition, administrators can configure access rules for users in certain LDAP groups, restricting access to files by device, IP range and time of day.
Administrators also have access to the logs and to an audit log of critical actions. All critical operations are written to the audit log, which can also be forwarded to a remote logging system so that an attacker who compromises the server cannot simply erase the trail.
Security of file access across devices
Two-factor authentication is becoming standard practice for many services, and it should be encouraged in enterprise setups as well as for individuals. The good news is that Nextcloud supports two-factor authentication, with native support for hardware tokens such as the YubiKey. It also offers an optional built-in SMS second factor for login. SMS is the weakest of these options, since codes travel over the phone network and can be redirected by a SIM swap, so hardware tokens are the better choice wherever they are available.
Security in the browser
Not everyone uses an app or a mobile device to access and manage files and documents; many people, including me, use a web browser. A browser session is exposed to attacks that a native client is not, above all cross-site scripting. Nextcloud is adding support for Content Security Policy (CSP) level 3. CSP is an HTTP response header through which the server tells the browser which scripts, styles and other resources a page may load and execute. A strict CSP makes it much harder for an attacker to exploit a cross-site scripting vulnerability, because script that was injected into the page is refused by the browser even if the injection itself succeeded.
With CSP level 3, Nextcloud now has an even stricter policy. Instead of allowing any script from ‘self’, that is, from the Nextcloud origin itself, it now uses per-response nonces: only script elements carrying the random value the server generated for that particular response are executed. This matters for a file hosting application, because ‘self’ also whitelists files that users have uploaded and that the server serves from the same origin; a browser that sniffs the MIME type of such a file could be tricked into treating it as script. With nonces, a same-origin URL is no longer enough.
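The following Go example, written for this article and not taken from Nextcloud, builds both styles of header and runs a deliberately small evaluator of the script-src directive over the cases that matter: a user-uploaded file served from the application's own origin, a legitimate nonced script, and inline script with and without the nonce. The origin, the file paths and the script tags are constructed; the evaluator only understands ‘self’ and nonce sources, which is all the comparison needs.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewNonce returns a fresh, unguessable value for exactly one HTTP response.
// Reusing a nonce across responses would let an attacker who learns it once
// inject script forever, so it must never be cached or hard-coded.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// SelfPolicy is the older style of header: any script loaded from our own
// origin is allowed to run, inline script is not.
func SelfPolicy() string {
	return "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'"
}

// NoncePolicy is the stricter style: only <script> elements that carry this
// response's nonce run, regardless of where they are loaded from.
func NoncePolicy(nonce string) string {
	return fmt.Sprintf("default-src 'none'; script-src 'nonce-%s'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'", nonce)
}

// Script models a <script> element as the browser sees it: Src is empty for
// inline script, Nonce is the element's nonce attribute (empty if absent).
type Script struct {
	Src   string
	Nonce string
}

// Allowed is a toy evaluator of the script-src directive, written to show
// the decision a CSP-aware browser makes. It understands only 'self' and
// 'nonce-...' sources; real browsers support many more.
func Allowed(policy string, s Script, origin string) bool {
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 || fields[0] != "script-src" {
			continue
		}
		for _, src := range fields[1:] {
			switch {
			case src == "'self'":
				// A same-origin URL is enough; the browser does not know who put the file there.
				if s.Src != "" && strings.HasPrefix(s.Src, origin+"/") {
					return true
				}
			case strings.HasPrefix(src, "'nonce-"):
				want := strings.TrimSuffix(strings.TrimPrefix(src, "'nonce-"), "'")
				if s.Nonce != "" && s.Nonce == want {
					return true
				}
			}
		}
		return false // script-src present, nothing matched
	}
	return false // no script-src: default-src 'none' applies
}

func main() {
	origin := "https://cloud.example" // constructed origin
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	// Constructed URL standing in for a user-uploaded text file served from
	// the application's origin; the path is not a real Nextcloud route.
	uploaded := Script{Src: origin + "/uploads/attacker.txt"}
	legit := Script{Src: origin + "/js/app.js", Nonce: nonce}
	fmt.Println("Content-Security-Policy:", NoncePolicy(nonce))
	fmt.Println("uploaded file under 'self':", Allowed(SelfPolicy(), uploaded, origin))
	fmt.Println("uploaded file under nonce: ", Allowed(NoncePolicy(nonce), uploaded, origin))
	fmt.Println("nonced app script:         ", Allowed(NoncePolicy(nonce), legit, origin))
}
```

The design point is who holds the allow-list: with ‘self’ the storage backend does, since anything it serves qualifies, whereas with nonces only the code that renders the page can mark a script as trusted, and the mark expires with the response.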
Security of apps
To make sure that Nextcloud apps and desktop clients are authentic and uncompromised, Nextcloud takes extra steps for code hygiene. All app and desktop client updates are digitally signed, so that tampered code is rejected before it is installed. Nextcloud is not just a file sync service; it is a platform on which you can install applications for calendar, contacts and much more, and every additional downloadable app is signed as well, so the same check extends across the whole platform.
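Here is how such a check works in principle, as an example added for this article rather than Nextcloud's actual signing scheme or file format. Assumptions of the example: an app bundle is a set of files, a manifest records the SHA-512 of each one, the vendor signs the manifest with an Ed25519 key, and the installer holds only the public key. The two-file bundle is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest records the SHA-512 of every file in a bundle. The format is a
// hypothetical one for this article, not Nextcloud's actual signature file.
type Manifest struct {
	Hashes map[string]string `json:"hashes"` // path -> hex SHA-512
}

// GenerateKeyPair creates the vendor's signing key pair. In practice the
// private key lives offline with the release process; only the public key
// ships with the installer.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest hashes each file of the bundle (path -> content).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{Hashes: make(map[string]string, len(files))}
	for path, content := range files {
		sum := sha512.Sum512(content)
		m.Hashes[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// canonical serialises the manifest deterministically (encoding/json sorts
// map keys) so that signer and verifier operate on identical bytes.
func canonical(m Manifest) []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err) // only string keys and values; cannot fail
	}
	return b
}

// Sign signs the canonical manifest, which transitively covers every file.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// Verify is what an installer runs before unpacking an update: first the
// signature over the manifest, then every file against its recorded hash,
// refusing bundles with missing, extra or modified files.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("manifest signature invalid: not signed by the trusted key")
	}
	if len(files) != len(m.Hashes) {
		return fmt.Errorf("bundle has %d files, manifest lists %d", len(files), len(m.Hashes))
	}
	for path, content := range files {
		want, ok := m.Hashes[path]
		if !ok {
			return fmt.Errorf("file not in manifest: %s", path)
		}
		sum := sha512.Sum512(content)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("hash mismatch: %s", path)
		}
	}
	return nil
}

func main() {
	pub, priv := GenerateKeyPair()
	// Constructed two-file "app" standing in for a real bundle.
	files := map[string][]byte{
		"appinfo/info.xml": []byte("<info><id>demo</id></info>"),
		"lib/Main.php":     []byte("<?php echo 'hello';"),
	}
	m := BuildManifest(files)
	sig := Sign(priv, m)
	fmt.Println("genuine bundle:", Verify(pub, m, sig, files))

	tampered := map[string][]byte{
		"appinfo/info.xml": files["appinfo/info.xml"],
		"lib/Main.php":     []byte("<?php echo 'modified';"),
	}
	fmt.Println("modified file: ", Verify(pub, m, sig, tampered))
	// Re-hashing the modified files does not help without the private key.
	fmt.Println("re-hashed:     ", Verify(pub, BuildManifest(tampered), sig, tampered))
}
```

Two details carry the security: the signature is over the whole manifest rather than over individual files, so an attacker cannot add or drop a file and keep a valid signature, and the file count is compared before hashing, so an extra file smuggled into the bundle is caught even though it has no manifest entry to mismatch.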
Encryption is the key
Encryption is the first and most effective line of defense, and users must encrypt everything that leaves the local network. But encryption is not black and white. How the files are encrypted, who holds the keys, and when and where the data is decrypted again outside the user's own devices matter just as much. In Nextcloud's case, the connection between client and server is encrypted with TLS, so nobody in the middle can snoop. Customers can also use Nextcloud purely as a file syncing service and keep the data on a fully encrypted NAS or other storage system that is under their complete control. Additionally, Nextcloud session data is stored encrypted on disk, so that even if the storage medium falls into the wrong hands, that data is not readable.
Security by ownership
There is no doubt that proprietary services keep improving their technology and security, but all of them, OneDrive, Dropbox, Google Drive, iCloud and the rest, have one thing in common that undermines everything else: ownership of your files and data. You are no longer the sole owner of your own files. These providers become co-owners of your data and, depending on the vendor, can read it (yes, it is encrypted, but they hold the keys), can hand it to government agencies and, worst of all, can block you from your own data and lock you out. The biggest security compromise of all is not being in control of your own data. Nextcloud, as far as I know, is the only open source product of enterprise and consumer grade that can compete with giants like Dropbox, Google and Microsoft while leaving you the owner of your data.
Security is an ongoing process
Nextcloud applies some of the most stringent processes I have seen to ensure code quality. As Linus Torvalds has said, no software can be free of bugs, and some of those bugs are security issues. The only way to fight them is a development process that lets fewer bugs reach a release and fixes the ones that do get through immediately. At the time of writing, thanks to these practices, no known vulnerability had been found in Nextcloud for several months. Here is what they do. First, Nextcloud only merges code that has been reviewed by at least two additional developers.
Second, Nextcloud runs a bug bounty program on HackerOne that pays rewards of up to $5,000 for security bugs.
Nextcloud offers full security architecture reviews and audits to customers, to make sure everything is configured as securely as possible. Nextcloud's security team also performs regular static code scans and audits of the full code base.
Secure by verification: NCC Group’s report
These best practices are not just on paper, nor are they bare claims by the company; third-party experts have verified them. The NCC Group is one of the most reputable organizations in software escrow and security verification. In a report commissioned by Nextcloud, NCC concluded:
The Nextcloud 11 solution is built around combined assurance layers consisting of newly applied rich security features, applied best practices which are governed by policy and the design itself validated by industry standard testing processes. Following the security review of the new security features being deployed, it was considered that each feature including by aggregation by association will enhance the security standing of the Nextcloud 11 solution.
Talk is easy, show me the code
The biggest source of confidence in Nextcloud is a simple and often overlooked fact: it is open source. As a customer, you do not have to take the company's word for anything; the source code is out there for anyone to read and audit. Bugs and security holes cannot stay hidden from anyone who cares to look, and when one surfaces you do not even have to wait for Nextcloud's developers to patch it, although they do so very quickly: you can take matters into your own hands and submit a patch. No competitor, from OneDrive to Dropbox to Google Drive, can match that.
In a nutshell, when it comes to security, Nextcloud is unbeatable!