Welcome to Nextcloud News, our contributor blog roll. Nextcloud contributors should ask to get added!
When we launched Nextcloud, on June 2 2016, we made it clear that we had one primary goal: provide a private cloud for everyone. It was the core of our work, and it still is.
We’re serious about the private part. Privacy is only made possible by focusing on security, and security is immensely important for us. This is why one of our first actions was to reboot the HackerOne program, offering 10x more than we used to for anyone who managed to find a serious vulnerability in our code. And, in December, we had the experts at the NCC Group review our security processes. We also wanted to help everyone ensure that they run a secure instance: we launched the Nextcloud Private Cloud Security Scan in March this year.
We’re serious about the cloud part. The cloud is where you collaborate and communicate today. So we integrated audio/video calls when we launched, added online office integration with Collabora and introduced a lot of improvements to sharing and collaboration features in Nextcloud 12.
We’re serious about the everyone part. We’re ambitious and want to move fast so we can cater for the needs of a wide range of users. This is only possible by working with our community, building a real, collaborative, open project. We targeted home users with the Nextcloud box, making it easier than ever to get a private cloud up and running. And with Global Scale, we cater to the largest of the largest deployments, delivering unprecedented performance at HUGE scale.
We moved quickly and Nextcloud 9 was released just 2 weeks after we launched. We initially planned for mid-July, but the demand was big and, more importantly, it was possible to pull this off because we received a lot of help!
Nextcloud 10 proved we could deliver a reliable, stable product, making big strides in old pain points of upgrading and showing the reliability of “.0” releases. And as part of this, we delivered enterprise capabilities – free and open. In the meantime, we had kicked off our bug bounty program, partnered with OpenCloudMesh and Collabora and organized 2 hackweeks. The first Nextcloud Conference was our next achievement, and over 100 participants witnessed the announcement of the Nextcloud Box!
Then came December. First, we hit two important milestones:
Being a healthy, growing community backed by a healthy, growing company (over 30 employees now!) is of course a great accomplishment, certainly when achieved in only 6 months after getting started.
Then came Nextcloud 11, a release which made some huge steps forward for private file sync and share technology. Nextcloud 11 was focused on two aspects: security, introducing many new security protections, and scalability, with a big step forward for large deployments. We were also beginning to pay attention to collaboration, introducing full text search and built-in, still experimental video calls. It quickly solidified a reputation of being a rock solid release, setting a new standard in reliability and smooth, easy upgrades.
Where 2016 was about getting solid footing, 2017 has so far been about leading the way! Nextcloud 11 has put us ahead of our competition and this year we extended that lead significantly by taking major steps in our vision towards a more collaborative future. Security continues to be a core value of Nextcloud, as the introduction of our Private Cloud Security Scanner and our recent update on our successful Security Bug Bounty program show. We’ve also visited several dozen events over the last months and continued to grow our list of partners (over 20) and providers (over 50!). But we also look to the future, by integrating with innovative technologies like the blockchain storage tech Sia.
Of course, the biggest step forward was Nextcloud 12 which featured hundreds of improvements over its 6-month development cycle. It redefined File Sync and Share with communication and collaboration capabilities while also introducing new security hardenings, authentication features and much more.
It has been a crazy ride for us and we continue to be humbled by the support and encouragement we receive from our users. Following social media we can see how people appreciate the improvements we have made in stability, performance and capabilities, and we want to thank everyone for their kind words.
We’re very proud of the progress we have made since we started Nextcloud and look forward to continuing to serve our users, customers and partners better than ever before!
Whatever your company does to enforce compliance, some of your enterprise data is already floating in one or more Public Clouds. Your employees have to get work done so they circumvent your IT departments’ carefully designed permission structure by sharing documents by Gmail or via Dropbox. The real question thus is not “to Cloud or not to Cloud” but “which Cloud?” This is where Private Cloud technology comes in.
Enterprises legally and commercially need to maintain control over their data while employees and customers need to be able to collaborate, share and sync files they need for business purposes. Hosting a Private Cloud allows control and collaboration, and protects sensitive files from unauthorized access and the risk of espionage. Discover the three main reasons to self-host your data as a company!
With one in 5 UK companies hacked and ransomware attacks on the rise, keeping your data private and secure should be your top priority at all times. This is not a responsibility you want to delegate to a Public Cloud, where your data will be mingled with those of hundreds of other companies. Your IT has no control over the software which runs on it or what happens to the data. A self-hosted solution like Nextcloud allows you to choose a more segmented approach, with on-premise Private Cloud for critical data and a data center of your choice for less-critical data. With encryption keys on premise, you get the best of both worlds – cloud data storage paired with local control.
Public Cloud vendors always insist on their security because they know it is their biggest weakness; they say they encrypt data, protect your encryption keys and prevent unauthorized people from accessing your data. But what are your guarantees? The strong security measures your IT team has implemented will be entirely circumvented by the Public Cloud. For instance, measures such as “accessing documents only through the company’s VPN” or “prevent access from certain countries” escape your control if your data is stored in Public Clouds. Of course, you can add software of another vendor on top which promises to enforce your rules, adding another potential security problem in the mix… With a Private Cloud, your own IT team can ensure the safety of your customers’ data by managing all these components, ideally based on your existing, fire-tested processes and tools.
In the end, the ability to know what is running, even access and audit its source code, is your best security guarantee. Nextcloud security processes have been audited by experts and our public HackerOne 5K bug bounty is a strong incentive for white hat hackers to find and report problems responsibly to us rather than hack away.
Leaking your partners’ or customers’ data is a massive legal risk. Credit cards, healthcare data, addresses or mere email and phone numbers: your company is responsible for their safety, and having them fall into the wrong hands can result in expensive lawsuits. The problem is threefold:
Let’s consider the worst-case scenario: some of your data was leaked. The law requires you to inform your customers. If you use a Public Cloud, you may not find out there was a leak until long after the fact, hampering your ability to report (a legal requirement!) and mitigate the damage – Yahoo proved this by hiding a leak for 3 years. Private Clouds mean you are in control, and able to take the right measures when facing a data security issue.
Companies’ needs are constantly evolving, and their IT structure needs to adapt at the same speed. Most Public Clouds started as consumer products and have to build a very generic solution to cater to a wide range of customers. Rarely is it possible to truly customize and integrate into your specific workflows and needs. This kind of limitation was the reason that made Migsolvs want to change cloud supplier:
The service was adequate and the solution worked. However, over time it became more and more expensive and reporting became a problem because the report building function did not allow the creation of the kind of reports we were looking for.
Private Clouds cater to your specific needs by deeply integrating into your existing infrastructure, such as storage, authentication, monitoring and compliance tools and processes. Even deeper customization is possible due to the open source nature of solutions like Nextcloud.
Migsolvs actually discovered that changing providers is hard; the main issue was data migration. Ask yourself these questions:
And migration is made harder by the lack of standards in the Cloud industry, as Joe McKendrick, co-author of the SOA Manifesto, notes:
Cloud computing may be erasing the gains we’ve made in terms of vendor dependence lock-in. Going with a cloud solution means buying into the specific protocols, standards and tools of the cloud vendor, making future migration costly and difficult.
Public Clouds set no upload limit, but downloading your data can be costly, as Derrick Wlodarz notes:
All the big players work in a similar manner. They let you move as much data as you wish into their cloud servers, but when it comes to pulling data out, it’s on your dime after a certain threshold.
Using your data should not cost you money. Whether you host on-premise or use a trusted IaaS provider, you can have the benefits of the Cloud without paying for using what is yours.
Migrating your data to Public Clouds is costly; migrating away is even more expensive. With Nextcloud you can take advantage of your existing processes, workflows and storage technologies, simply making them available through a familiar, easy to use interface. You avoid costly migration and gain fine-grained control over who has access to data when and where.
Security has always been Nextcloud’s first priority, and we are always happy when people contribute in this area. Today, we are happy to present you privacyIDEA, a modular authentication system adding a security layer to your existing systems.
Before we explain what privacyIDEA is, let’s recall what two-factor authentication (2FA) is. When you log into a system, you usually use a password. This is necessary, but it is not very secure on its own. Your password could be stolen, someone could reset it, it could be stored in an insecure place… 2FA tackles this issue by requiring that, in order to access a system, you give two different pieces of information. First, something you know (your password). Second, something you have, whether it is a one-time code sent to one of your devices, a USB key (like Yubikey) or a token if you have lost your device. It could also be ‘something you are’ (like a fingerprint or retina scan). The key point is that two different ‘factors’ are required to log in. Thus, if your password has been compromised, the attacker will not be able to access your account without this second factor of authentication. 2FA is a nice security layer to add to your authentication and plenty of companies use it to ensure the safety of their data.
2FA is not easy to manage in a company environment, though. For instance, Nextcloud implements a native 2FA feature, but companies might also need to define 2FA rules for certain employees or certain apps and they may want to use it for different layers (VPN, firewall) or applications (WordPress, CRM etcetera). It would be easier to have one 2FA system for all systems, rather than a separate second factor for each. And instead of letting employees define rules of their own (or not use 2FA at all), companies want to centrally manage second factors and their restrictions and rules. This is where privacyIDEA comes in.
PrivacyIDEA is an open source solution enabling central management of 2FA. It can identify users from multiple sources (LDAP, Active Directory and many more protocols) and manage their second factor of authentication. Administrators define rules and circumstances under which a user needs to log in with a second factor in a central way. Of course, everything runs inside the company, limiting the risk of data exposure and security breach.
The good news is that privacyIDEA works perfectly fine with Nextcloud! If you run a Nextcloud for your family or friends, the native 2FA should be sufficient. But if you run a bigger group with a need for permissions and central management, you should definitely give it a try. Learn more about privacyIDEA in Nextcloud in this video!
We’d like to introduce you to a new member of our hosting community, CiviHosting. CiviHosting is a top-tier hosting firm based in the US with a strong focus on security. Their CTO, Hershel Robinson, has become an active contributor to Nextcloud, helping with code review, security issues, our YouTube videos and improvements to our own website.
Until today, CiviHosting has specialized in CiviCRM (an open source CRM) and their team has been serving the CiviCRM community for over 10 years to very positive feedback. Now, CiviHosting has expanded their services to include specialized hosting for a few other packages as well. Nextcloud is their private cloud of choice, and we’re excited to welcome them onboard.
They offer shared hosting at a very fair price. For those with higher usage needs, they provide powerful VPS hosting and a high-end enterprise-level solution as well. Bulk discounts are available for larger clients or resellers, they offer a referral program, and of course, they install Nextcloud for you.
CiviHosting features servers in the US and Europe and services clients worldwide. As they put it:
Yes, we have clients from Alaska to Australia and the whole gamut of places in between and we have servers internationally to service them.
Users rate CiviHosting’s service and support as top, as many reviews show. They have been involved in supporting open source (CiviCRM, Drupal, WordPress, Linux…) for over 12 years and truly believe in open source, with their servers running only open source software.
Their “open” attitude extends to running their business as well, and they provide their clients with full freedom and full control over their data.
No web software on CiviHosting’s servers is ever locked down. We provide all clients with full access to their files and data, and each can generate and download an archive of all of their files and data at any time.
With security a prime concern to Nextcloud and its users, CiviHosting offers a strong security record with zero compromises since they started hosting. This spotless security record is achieved by a combination of automated and human monitoring services and having their support team online, watching their systems, 24 hours a day, every day of the year. They even take pro-active measures to protect their clients’ security and privacy.
CiviHosting also partnered up with Let’s Encrypt, a free, automated, and open certificate authority, to provide free SSL security to all of their clients. Integration is built into the CiviHosting Control Panel and so, at the click of a mouse, your site is protected by a Let’s Encrypt certificate.
We built our business on a few key principles, and one of them is security. We support a secure internet and have enabled all of our clients to have HTTPS security, at no cost, just by pressing a few buttons.
You can find public feedback about CiviHosting at the bottom of their Why Choose CiviHosting page and on the old Praise for CiviHosting forum thread from Eileen, one of the key CiviCRM developers, and Donald Lobo, the project founder and lead developer for many years.
We at Nextcloud want to thank CiviHosting for participating in our project and we wish them success in serving the Nextcloud community.
In a series about hosting providers we offer each of our providers a chance to present themselves to the Nextcloud community. Just email us! This is not advertising (as it isn’t paid for) but content is provided by the provider. You can discuss your experience with this or other hosting providers on our forums!
Nextcloud is 100% open source, providing protection from the risks caused by mixing proprietary and open source licensed code. Risks for businesses are increasing with the rise of copyright trolls, especially in Germany. Black Duck reports in their Open Source Security and Risk Analysis that nearly all of over 1000 applications scanned contained open source components, noting that: “67% applications with open source had vulnerabilities, and legal risks were even more widespread.” Nextcloud takes these issues extremely seriously, running a successful Security Bug Bounty Program to protect its customers, and has now taken the step to be the first enterprise file sync and share solution to verify full license compliance through OpenChain.
The OpenChain Project, hosted by The Linux Foundation®, identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In order to achieve this goal, they provide a set of tools:
Nextcloud joins the likes of LG, Qualcomm, and Siemens in certifying its supply chain using OpenChain.
OpenChain Conformance is designed for companies of all sizes that deal with open source software. Nextcloud is a high profile, high growth startup that adheres to the same overarching compliance processes as multinationals. It is a clear example of why OpenChain Conformance is the correct approach to establishing an industry standard for open source compliance in the supply chain.
says Shane Coughlan, OpenChain Program Manager.
Nextcloud is 100% open source, avoiding the legal risks of mixing proprietary and incompatible open source licenses and providing the full benefit of open, transparent development. Compliance with open source licenses is an important matter for us and we’re glad to participate in the OpenChain program, using their approach to help verify compliance, giving customers increased peace of mind with regards to license compliance.
said Frank Karlitschek, managing director at Nextcloud GmbH.