ownCloud on Security

Security is about providing a performant, safe and compliant solution that still enables the business.

Contact Sales Get started for free

At ownCloud, we take security very seriously and we know that it encompasses broad considerations, processes and technologies.  ownCloud installs in your data center; managed by you, to your policies, following your procedures. Encryption at rest secures your files on the server and still allows sharing among users. The File Firewall ensures all access requests meet rules set by the administrator, and existing infrastructure – such as intrusion detection and log management – can provide added layers of security. With WebDAV, mobile libraries and the ownCloud API as well as several enterprise-only apps, secure file sharing is in your control.

ownCloud Security and Encryption

Most enterprises have an extensive list of existing security investments.  Any new solution under consideration must also work with these investments, not create an entirely new set of requirements.

  • Leverage Existing Processes, Procedures, Tools, and Investments
    ownCloud uses any available object store, with the complete software stack running on servers safely within the data center, controlled by trusted IT administrators, and managed to established policies.
  • Leverage Existing Storage (monitor, backup, restore)
    ownCloud leverages any available existing storage to provide additional file management capabilities including monitor, backup and restore.
  • Leverage Existing Databases (monitor, backup, restore, manage)
    ownCloud requires a database to store user and file meta data. Working with leading SQL databases, customers can choose the database they already know how to monitor, manage and administer.
  • Integration with Existing Security Infrastructure
    ownCloud leverages the existing security infrastructure, DLP, MDM, event logging, monitoring and back-up systems. It also mounts any object store like S3 or SharePoint, and has APIs to integrate easily with existing tool chains and the corporate infrastructure, while keeping IT in control of corporate data.
  • Retain Existing Security Policies
    On-premises solutions don’t require existing security policies and governance processes to be reinvented – they simply function within IT’s established framework. And when data requirements expand, IT has the ability to securely scale with them. At ownCloud we do not have access to your information and cannot interfere with existing processes and regulations. IT Admins have full power of data with set security controls from file level permissions to auditability.

Security Controls

  • Admin Set User/File-level Permissions
    User or file-level permissions can be defined when and where files are shared. Access expiration dates and restrictions can be set at multiple levels. Plus, administrators can use File Firewall to create rules that control access to ownCloud servers based on user connections, time intervals, geographic locations and more.
  • File Firewall
    The File Firewall provides a policy engine for the ownCloud instance, prohibiting access to files that do not meet standards.  Rules and operators (AND, OR, NOT, EQUAL) are configured by the admin based on attributes of a request.  And the results of each rule evaluation can be logged for reporting.  A File Firewall rule can also evaluate a tag on a file and determine access based on the specific file request.
  • Encryption
    ownCloud provides two levels of Encryption capabilities; encrypting server data at rest, and supporting encryption for data in motion. Another option for customers who want encryption if motion is for them to use SSL.Additionally, ownCloud gives customers the ability to manage their key stores and as well as access/manage the reading and writing of files. Admins choose and implement the key manager of their choice (theirs, ours or a different one altogether) or replace the AES-256 cipher with something different like a cipher of your choosing. ownCloud is the only vendor to provide this capability.  Our Encryption 2.0 is built modularly with the ability to swap out components. Encryption from ownCloud is delivered as an app that is easily and quickly integrated with your existing infrastructure.
  • Key management / choose algorithm:
    By default, our competitors manage encryption keys in the cloud which exposes them to the same vulnerabilities as the cloud. ownCloud allows you to manage keys in your enterprise key store.  You may also create your own key manager, and write an app to use your own encryption solution.
  • File Integrity Checking:

    To prevent file corruption the integrity of up- and downloaded files is automatically verified by comparing their unique checksums before and after transfer.
  • Authentication
    • SSO / SAML 2.0
      Single Sign On (SSO) is supported and Shibboleth, a SAML-based authentication, is integrated with ownCloud’s web-front end, ownCloud mobile apps, and desktop clients. As users are managed by those services, ownCloud automatically acquires and implements the associated authentication.
    • AD/ LDAP
      Built-in wizards allow IT to integrate ownCloud with Active Directory or LDAP or customers may choose custom authentication mechanisms as needed for their environment.
    • 2-Factor Authentication
      Integrated 2-Factor Authentication Provides More Security. The authentication method allows that additional technologies and tokens can to be used via plugins. This not only improves access security, but also provides administrators with an option for disabling individual tokens. Time-based one-time passwords (TOTP) enable users to automatically increase the security of their accounts by using services like Google Authenticator or the open-source implementation of the TOTP standard.
  • Virus Scan
    When enabled, by default, uploaded files are scanned with ClamAV, preventing the potential for automated distribution of infected files or integrated with external virus scanners.
  • Auditability / Logging
    Not only does ownCloud allow IT to control each user’s permissions, but it also enables a full audit trail—allowing IT to understand how, when and where data is accessed and shared. A single app allows admins to log account level activities such as logins to ownCloud as well as what users do with files on the server. This provides admins the basic information they need for compliance reporting and auditing of ownCloud usage and the tools to actively follow file sharing activities.  The use of a SIEM solution like Splunk or other log readers is reported.

ownCloud Bug Bounty Program

As an open source company, we believe in transparency and the importance of community.  With 800+ contributors and over 10,000 different ticket participants, we are proud to be the most downloaded open source project for file sync and share.

We want to take the security of ownCloud one step further. We’re the company behind the ownCloud Project and we are calling upon security experts across the globe to help us.

The ownCloud Security Bug Bounty Program rewards community members for finding security bugs in the ownCloud Server. When a security bug is identified, it is either submitted directly via HackerOne (https://hackerone.com/owncloud) or, if the submitter chooses not to get a bounty, emailed to the ownCloud security mailing list (security@owncloud.com). If the bug is identified as meaningful and qualifies for the program, and the submitter has followed the Disclosure Policy, the bug bounty is paid out on the following schedule by bug severity.

Visit the Bug Bounty Program page

Please fill out the form below to get your download.