Consulting on Security
Security is a very broad topic, but in the context of a collaboration platform like Nextcloud it refers mainly to the security of your documents.
The fact that you can install Nextcloud, and specifically its storage backend, wherever you want is the first and most important step towards securing your documents. You directly control the installation, and you can apply the policies for data access, storage and management that your use case requires.
We are here to help you understand advanced data protection techniques and to support you in implementing sensible policies that strike a good balance between usability and protection of your digital assets.
Here are some examples of such techniques:
Server-side encryption
Server-side encryption encrypts your primary and/or external storage, so that file contents can only be read through the application, which holds the encryption keys. This type of encryption is typically used when the storage provider is not fully trusted; it does not protect against the Nextcloud administrator, who can always decrypt the files with the master key. While it adds a layer of security, server-side encryption has implications for operations, usability and performance, so its use should be carefully evaluated.
End-to-end encryption
With end-to-end encryption (E2EE), it is the user's device that encrypts the files, so they never leave the device unencrypted. E2EE is supported on all official Nextcloud clients, whether desktop (Windows, Linux, macOS) or mobile (Android and its derivatives, and iOS). E2EE gives users the strongest data protection guarantees, but its impact on usability is considerable: for example, users cannot access encrypted files from the browser or collaborate on them in real time. We recommend using E2EE only for the most sensitive data and training users on how and when to use it.
Files Access Control
Files Access Control is a powerful mechanism for defining rules that restrict access to Nextcloud files and folders. It is part of the Flow framework and can use request properties such as the time, user agent or user group to deny access to a set of resources. It can be combined with the automatic tagging flow and the notification flow.
Brute Force Protection
Brute Force Protection protects the Nextcloud instance from brute-force attacks, whether they target passwords or tokens (app passwords). When such behaviour is detected from a given IP address, the rate of login attempts allowed from that address is limited and reduced further if the attack persists. The administrator also has tools to handle false positives and to make the feature work correctly when Nextcloud runs behind a load balancer or reverse proxy.
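As an added illustration (not Nextcloud's own code), the following simplified model shows the two points above: how the address to throttle must be derived when requests arrive through a reverse proxy (a forwarded-for header is honoured only when it comes from a proxy you deploy, otherwise every client would appear to share the proxy's address and could be throttled together), and a per-address delay that grows with repeated failures and can be reset by the administrator for a false positive. The trusted proxy range and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption (constructed for this example): the load balancer in front of
# Nextcloud lives in this range. Only these peers may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, x_forwarded_for=""):
    """Address to throttle. Walk X-Forwarded-For from the right, skipping
    our own proxies, and stop at the first hop we did not deploy.
    A header sent directly by an untrusted peer is ignored entirely."""
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr  # header empty or only proxies: fall back to the peer

class Throttler:
    """Per-IP failed-login counter. Beyond a few free attempts inside the
    window, each further failure doubles the delay, up to a cap."""
    def __init__(self, window=900, free_attempts=3, max_delay=25.0):
        self.window, self.free_attempts, self.max_delay = window, free_attempts, max_delay
        self.failures = defaultdict(list)  # ip -> timestamps of failures

    def _recent(self, ip, now):
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.window]
        return len(self.failures[ip])

    def record_failure(self, ip, now):
        self._recent(ip, now)
        self.failures[ip].append(now)

    def delay_for(self, ip, now):
        """Seconds a login request from ip should be held back right now."""
        n = self._recent(ip, now)
        if n <= self.free_attempts:
            return 0.0
        return min(self.max_delay, 2.0 ** (n - self.free_attempts - 1))

    def reset(self, ip):
        """Administrator clears a false positive (e.g. a shared office NAT)."""
        self.failures.pop(ip, None)
```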
Authentication Security: Multi-factor authentication and app passwords
Authentication in Nextcloud can be managed internally or delegated to an LDAP / Active Directory server and/or a Single Sign-On system, and these authentication backends can coexist. When authentication is handled internally, the instance administrator can enforce multi-factor authentication for all users or only for a subset.
Nextcloud also features app passwords. These are either user-defined or created through the client login flow, and they give the user granular control over which devices and/or applications have been authorized to access the account, or part of it. The typical use of this functionality is to wipe devices that are no longer under a given user's control because they were lost, stolen or simply changed owner. All client apps on such a device need one or more app passwords, which can be disabled from the web UI.