Security and authentication

Nextcloud is designed to protect user data through multiple layers of protection.

Nextcloud understands the necessity to provide core principle baseline security requirements; as such, Nextcloud 11 is built on these security principles to ultimately deliver a secure solution to its customers.

NCC Group

Verified Enterprise Class Security

Our customers care deeply about security and so do we. Nextcloud aligns with industry standards such as Clause 14 of ISO/IEC 27001:2013 and related standards, guidance and security principles. Our solution is built around combined assurance layers: rich security features, best practices applied and governed by policy, and a design validated by industry-standard testing processes.

NCC Group security review

Under your control

Control is key to security. With Nextcloud, your IT department takes back control over its data, managed under its own policies and procedures. Nextcloud integrates with the tooling already in your data center, such as logging and intrusion detection, and works with existing authentication mechanisms like SAML, Kerberos and LDAP. Nextcloud features:

MONITORING

Nextcloud has built-in monitoring and logging tools, compatible with industry-standard tools like Splunk, Nagios and OpenNMS. It also offers a full, compliance-ready activity log for reporting and auditing purposes.

Monitoring
PERMISSION AND FILE ACCESS

Administrators can set permissions on sharing and access to files using groups. Permissions of the underlying storage, such as Windows Network Drive access rights, are respected by Nextcloud.

Sharing can be protected by passwords, expiration dates, hiding existing files, blocking downloads and enforcing a video call before access is granted (Video Verification).

Sharing permissions

Define rules for data retention, allowing regular cleanup of files or guaranteeing that data stays put for a set amount of time.

Tagging and retention

The workflow tools in Nextcloud enable administrators to limit access to data in accordance with business and legal requirements and to perform automatic actions like file conversion. Describe restrictions like "XLSX files from the HR department are not to be accessible outside company IP ranges" or "employees in the US shouldn't access customer data from European data centers" and Nextcloud enforces them.

File access control
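
The two restrictions quoted above are the kind of rule a file access control engine evaluates on every request: every condition of a rule must match for the rule to block. The following is an added example written for this page, not Nextcloud's own code; the folder names, the company IP ranges and the `user_region` attribute are constructed assumptions. The IP condition parses the client address with the standard `ipaddress` module and treats an unparsable address as "outside the company" so the check fails closed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed for this example: the organisation's own address ranges (not any real network).
COMPANY_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Request:
    """Attributes a rule engine sees for one file access (constructed model)."""
    user: str
    client_ip: str
    path: str          # path inside the storage, e.g. "/HR/salaries.xlsx"
    user_region: str   # e.g. "US" or "EU"; assumed to come from the user directory


@dataclass
class Rule:
    """Access is BLOCKED when every condition of a rule matches the request."""
    name: str
    conditions: List[Callable[[Request], bool]]


def outside_company_ranges(req: Request) -> bool:
    """True when the client address is not inside any company range.
    An unparsable address counts as outside (fail closed)."""
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return True
    return not any(ip in net for net in COMPANY_RANGES)


def has_extension(ext: str) -> Callable[[Request], bool]:
    return lambda req: req.path.lower().endswith(ext)


def under_folder(prefix: str) -> Callable[[Request], bool]:
    return lambda req: req.path.startswith(prefix)


def in_region(region: str) -> Callable[[Request], bool]:
    return lambda req: req.user_region == region


# The two policies quoted on the page, expressed as rules (folder names are assumptions).
RULES = [
    Rule("HR spreadsheets only from company IP ranges",
         [under_folder("/HR/"), has_extension(".xlsx"), outside_company_ranges]),
    Rule("US staff must not read EU customer data",
         [in_region("US"), under_folder("/Customers-EU/")]),
]


def check_access(req: Request, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the name of the first rule that blocks the request, or None if allowed."""
    for rule in rules:
        if all(cond(req) for cond in rule.conditions):
            return rule.name
    return None


if __name__ == "__main__":
    hr = Request("alice", "203.0.113.7", "/HR/salaries.xlsx", "EU")
    print(check_access(hr))  # blocked: off-site access to an HR spreadsheet
```

Note that the engine only sees the client address it is given; behind a reverse proxy the application must be configured to trust the proxy's forwarded-address header, or every request will appear to come from the proxy and the IP condition becomes meaningless.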
ENCRYPTION

Nextcloud uses industry-standard TLS encryption for data in transit. Additionally, data at rest in storage can be encrypted with AES-256 by default, using server-based or custom key management. Optionally, and on a per-folder basis, data can be end-to-end encrypted on the client, with the server assisting in sharing and key management in a zero-knowledge model.

Note that end-to-end encryption is, as of early 2019, in beta; version 2 is expected by the end of summer 2019.

Encryption
COMPLIANCE

Nextcloud puts all the pieces for compliance with regulations like HIPAA and GDPR at your fingertips. This ranges from extensive documentation on our customer portal to specific apps for data requests, as well as the encryption and security capabilities in Nextcloud itself.

Compliance

Regain control

Protect your data and communication with the leading content collaboration platform. Contact us now to learn how we can help you!

Integration

New technology should fit into existing processes and infrastructure. Nextcloud enables you to leverage existing security investments.

STORAGE AND DATABASE

Nextcloud supports your existing storage solution, keeping data under control of trusted IT administrators and managed with established policies. Nextcloud works with industry standard SQL databases like PostgreSQL, MySQL and MariaDB for user and metadata storage.

SECURITY TOOLS

Nextcloud offers built-in monitoring tools and integrates with existing MDM, DLP, event logging and backup tools, enabling existing tool chains to be used to monitor, back up and restore systems.

SECURITY POLICIES

Nextcloud leverages existing data storage and database technologies so current security policies and governance processes can continue to be used to manage, control and secure operations with Nextcloud. Your IT department is fully in control.

Storage integration

Authentication

Nearly any authentication and provisioning mechanism works with Nextcloud, making it easy to fit with your existing user management.


Nextcloud has extensive LDAP/Active Directory support with an easy installation wizard.

Nextcloud can also work with Kerberos and other authentication mechanisms such as OAuth2, OpenID Connect, JWT and CAS, or authenticate against any SQL database via Apache modules.

Nextcloud supports Single Sign On (SSO) and provides native SAML 2.0 (and Shibboleth) authentication in its web front end.

The native SAML integration removes the need for external software like Apache modules. Native SAML is compatible with all web servers and supports group memberships, flexible session management and app-specific passwords. It can handle multiple identity providers and can authenticate to Samba servers with Kerberos.


Nextcloud includes a variety of second factors like TOTP, U2F and SMS gateways. Two-factor authentication can be enforced, and user sessions and devices can be managed.


Nextcloud offers an easy-to-use, REST-based provisioning API to create and configure user accounts.

User management

Active and passive protection

Nextcloud offers a series of advanced security features:

  • Server-side, client-side and in-transit encryption
  • Security hardening such as brute-force detection, Content Security Policy (CSP) and SCC
  • Machine-learning-based suspicious login detection
  • Automated security checks and warnings
Advanced security features
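
Brute-force detection, the first hardening in the list, comes down to counting failed logins per source over a sliding window and slowing the source down as the count grows, which costs a legitimate user who mistypes once nothing and costs a password-spraying client more with every attempt. The following is an added example written for this page, not Nextcloud's own brute-force protection; the log format, the thresholds and the delay curve are constructed assumptions. IPv6 sources are keyed by /64 so a single host with a large prefix cannot spread its attempts over fresh addresses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Tuple

# Constructed log lines (not Nextcloud's log format): "<ISO-8601 UTC> login_failed user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-05-01T09:00:00Z login_failed user=alice ip=203.0.113.9
2024-05-01T10:00:00Z login_failed user=alice ip=203.0.113.9
2024-05-01T10:00:05Z login_failed user=alice ip=203.0.113.9
2024-05-01T10:00:11Z login_failed user=admin ip=203.0.113.9
2024-05-01T10:00:20Z login_failed user=root ip=203.0.113.9
2024-05-01T10:00:32Z login_failed user=alice ip=203.0.113.9
2024-05-01T10:01:00Z login_failed user=bob ip=198.51.100.4
2024-05-01T10:01:10Z login_failed user=carol ip=2001:db8::1
2024-05-01T10:01:12Z login_failed user=carol ip=2001:db8::2
2024-05-01T10:01:15Z login_failed user=carol ip=2001:db8::3
2024-05-01T10:02:00Z login_failed user=carol ip=2001:db8::4
"""
LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) ip=(\S+)$")


def parse_ts(iso_utc: str) -> float:
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


class BruteForceThrottle:
    """Sliding-window failure counter with an exponential, capped delay per source."""

    def __init__(self, window_seconds: int = 900, free_attempts: int = 3,
                 base_delay: float = 1.0, max_delay: float = 25.0):
        self.window = window_seconds
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _key(ip_str: str) -> str:
        """IPv4 hosts are keyed individually; IPv6 hosts by their /64."""
        ip = ipaddress.ip_address(ip_str)
        if ip.version == 6:
            return str(ipaddress.IPv6Network((str(ip), 64), strict=False))
        return str(ip)

    def _prune(self, q: Deque[float], now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ip_str: str, now: float) -> None:
        q = self._failures[self._key(ip_str)]
        self._prune(q, now)
        q.append(now)

    def failures(self, ip_str: str, now: float) -> int:
        q = self._failures.get(self._key(ip_str))
        if not q:
            return 0
        self._prune(q, now)
        return len(q)

    def delay_for(self, ip_str: str, now: float) -> float:
        """Seconds to hold the response: 0 within the free attempts, then doubling, capped."""
        n = self.failures(ip_str, now)
        if n <= self.free_attempts:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts - 1))


def replay(log_text: str) -> Tuple[BruteForceThrottle, float]:
    """Feed every failed-login line into a throttle; return it with the last event time."""
    throttle = BruteForceThrottle()
    last = 0.0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_ts(m.group(1))
        throttle.record_failure(m.group(3), when)
        last = max(last, when)
    return throttle, last


if __name__ == "__main__":
    t, now = replay(SAMPLE_LOG)
    for src in ("203.0.113.9", "198.51.100.4", "2001:db8::1"):
        print(src, t.failures(src, now), "failures ->", t.delay_for(src, now), "s delay")
```

The 09:00 line in the sample falls outside the 15-minute window and is pruned, so the five later attempts from 203.0.113.9 yield a 2-second delay, while the four attempts spread over 2001:db8::1 to ::4 are counted together as one /64. Delaying the response rather than returning an immediate error keeps the login endpoint usable for the real user while making large-scale guessing slow.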

Protected Sharing

For Nextcloud customers, securely exchanging data is key. Nextcloud offers industry standard protection mechanisms and adds innovative and unique capabilities like Video Verification.

Securing shared links

Nextcloud features industry-leading protection for file shares: shares can be protected with passwords and expiration dates, can hide existing files, block downloads or require Video Verification.

Administrators can set defaults for these options or enforce them.

Video Verification

In situations where extreme security is warranted and the identity of a recipient has to be verified before they are granted access, Nextcloud includes the industry-first implementation of Video Verification.

Video Verification enforces a Nextcloud Talk video call before access is given to a share, making sure the identity of the recipient is properly checked. The call can be answered through the Nextcloud Talk mobile apps as well as the web interface.

Remote Wipe

While many companies have Mobile Device Management, thanks to built-in support Remote Wipe also works on devices not managed by the company. This is useful for home users, but also for large universities and, of course, in scenarios where guest accounts were handed to a third party: if you permitted that party to download documents, you can wipe the documents from their devices when the collaboration has ended.

Remote wipe can be triggered on a per-device basis by users and on a per-user basis by the administrator.


Virtual Data Room

In settings where a firewall is needed between departments or organizations without impeding smooth and efficient collaboration, a separate Virtual Data Room can be set up. Nextcloud offers a wide range of features for VDR use, and its on-premises nature offers confidentiality and control that hosted alternatives cannot match.

Virtual Data Rooms

Best Ransomware protection in the industry

Ransomware attacks are becoming more targeted, as lots of money can be extracted from businesses and government organizations. While insurance can cover direct costs, the disruption to business is immense regardless. Nextcloud goes far beyond competing solutions, offering automated, one-click ransomware recovery tools.

Ransomware risks and protection

Security process

Nextcloud development follows industry-leading security processes. Security bugs are like technical debt: fixing them later is expensive. Our strategy is to prevent them through a rigorous focus on security across the entire life cycle of our product, and to find and fix those that slip through as quickly as possible.


Security training

  • We provide detailed documentation about common web security vulnerabilities
  • We organize internal and public security trainings
  • Developers are asked to fix security issues they caused themselves

Requirements

Implementation

  • Unsafe functions are forbidden (e.g. unserialize, non-prepared statements and unsafe comparisons)
  • Our internal functions are designed to provide secure defaults for developers
  • We employ a strict mandatory code review process with 2 reviewers besides the original developer

Verification

  • We regularly run static and dynamic security scans like Burp, Veracode and others
  • We follow industry-standard security processes and have them independently verified
Check out our security review reports:

Response

Security bug bounties

Nextcloud backs its security with a Security Bug Bounty program paying up to USD 10,000.

HackerOne program

We have partnered with the HackerOne platform because of its extraordinary popularity among IT security professionals. More than 3,000 hackers have reported over 24,000 bugs via the platform. Running a program on HackerOne allows us to quickly leverage the collective knowledge of a huge amount of these security experts.

Nextcloud's commitment to responsiveness and putting security first puts them in the best position to attract top hacker talent to continue to supplement the good work their internal security team is doing to protect customers.

-- Michiel Prins, co-founder HackerOne.

Anyone reporting a security vulnerability in Nextcloud can earn up to USD 10,000, making ours some of the highest security bug bounties in the open source industry. For more details, see our announcement, our update in 2017 and the HackerOne whitepaper from 2018.

Nextcloud’s lightning fast response times are impressive and make them a model for how to build an efficient bug bounty triage and response process.

-- Michiel Prins, co-founder HackerOne.

Find an example of RhinoSecurityLabs blogging about a security issue we dealt with here (HackerOne disclosure). Here is another example.

Download HackerOne whitepaper.

Need the best security?

A Nextcloud Enterprise Subscription provides you early access to security warnings, patches and mitigations.

Nextcloud enables you to focus on your work, taking care that your data stays private and completely under your control!

