I am currently in the process of pitching Nextcloud to my department head, but he is very strict about our network’s security and about data security.
My proposed architecture for our self-hosted Nextcloud:
Two redundant instances purely for internal use, hosted on different VMware Clusters, which would share a SAN. They would not be accessible from the Internet at all. There would be no new storage space needed, because the NC would look at the virtual drives the users already have.
There will also be another NC instance, accessible only externally, purely for share links.
The concerns raised by my boss:
This would be our first web-server that is both reachable from the outside and has access to internal resources. Our other web-servers are completely isolated from the rest of the internal network. How would I be able to pitch this as secure? I am especially struggling with this as he is specifically trained on data security and GDPR/DSGVO topics.
Even though our organisation would qualify for cheaper Enterprise support, I want to pitch the initial setup for file sharing and some collaborative work without Enterprise support, due to financial concerns.
I would greatly appreciate your help and thanks for reading!
I personally see little use for NC if it is not accessible from the outside. Why bother with multiple layers of complexity when you can just use a network share?
For me the main question would be, what is the alternative? And then compare the security to that alternative. Is it a wetransfer link? Dropbox? Compared to them, at least the data is stored locally and that would certainly help with DSGVO.
But yeah, if you currently really have that data air gapped (doubt) this would reduce security.
Your design idea would not work without heavy customizing so that data is shared between all the systems (I doubt it works at all), and in the end the external system can still access the data, so what is the purpose of the separation? If your goal is to separate "internal" and "shared" data, how would you achieve this? Do you expect the user to copy the data back and forth? Trust me, this is going to fail…
You can easily deploy Nextcloud including storage in a DMZ without access to internal resources (but it requires storage in the DMZ)… but don't forget the goal is to store data: if you place your data in the DMZ, is it more secure? The other way round, you could deploy NC in the internal network and access it from outside through a reverse proxy (which could provide additional security).
Network segmentation is a common concept from the past… As the requirements and application landscape changed to "always on" and "access from everywhere", the buzzword changed to "zero trust" today, with continuous authentication (e.g. OpenID/WebAuthn)… In the end the security of the application is key. …and no, network segmentation itself doesn't protect your data… it is just one small fragment of a complex security framework.
Nextcloud takes security seriously and has a continuous bug bounty open at HackerOne. The application runs many high-value installations like Bundescloud and high-usage installations like MagentaCloud; you could assume it is good enough for people who don't have spare budget for a security and support contract.
I would rather spend time and money on building one performant and secure system (pay somebody who knows the job, not only from PowerPoint), apply good security settings, update frequently, set up good backup/restore and monitoring, and do a pentest. This will give you a more secure and user-friendly system than just following some checklist…
Our employees do not need access to their files from the outside, so just letting out shares gives no room for people to use stolen logins, unless they're already connected to one of our VMs, that is. Our remote users connect to their internal VM. The only thing that needs to go outside is the actual share.
Another concern I’ve heard, since making the post, is protecting against people sharing all their data by accident, which I also do not know how to deal with.
The alternative is a service we currently use similar to Dropbox, so only static uploads, no collaborative working, etc.
So basically, separating internal and external NC instances makes no sense. Got that. I suppose setting up just the one NC server behind our proxy firewall on both sides would be best. Configuring it to not accept logins from the outside, and disallowing folder shares outright to prevent both data loss and leaks on a larger scale. Then we could still share all data, just like in the previous system. Same risk as allowing our users to upload data to the web, which we do allow.
Email is used for internal and for external communication of secure data on the same server. But for most companies that is OK, because email is 50 years old and cloud maybe 10 years.
Trust cloud security or do not use it. Same with email.
I have a hard time understanding how your internal IT stuff works, but it seems you misunderstood me.
I think your current setup of having all files only internally on an SMB share by default and sharing external files in another application like Dropbox is not a bad idea.
But that also makes your current setup not air-gapped.
If you want to replace that Dropbox service with an NC instance you would win a lot: data is now only in Europe, local, GDPR compliant, better performance, easier to manage in my opinion.
Another key benefit I see, would be able to share files internally. We currently use shared folders for each department, but that leaves sharing across departments, especially end-to-end, to e-mail (which also creates several duplicate files on our storage).
If anything, we could make our data more secure through Nextcloud, because we can now restrict file uploads over the web outright, forcing users to use NC shares, which we can better police. For example, we can't properly geo-block downloads using our third party, and those files potentially lie there downloadable to all forever. With NC we can block suspicious actors from even downloading our files, while also enforcing timespans for shares and download caps.
I pretty much got all my talking points together, thank you. I care maybe a little too much about using FLOSS, but I can literally see no better option for our needs at this point. The only thing I can think of would be a self-hosted MS sharepoint, but that would cost us a lot of money, while also being less configurable and expandable.
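Added example (not code from this thread or from the Nextcloud project) of the design the thread converges on: one Nextcloud instance on the internal network, an Internet-facing reverse proxy that forwards only what a public share link needs (so no login, WebDAV or API from outside), and occ settings that force an expiry date and a password on every link. Everything named here is an assumption: the internal upstream nc.internal.example, the public hostname share.example.org, nginx as the proxy, and occ run as www-data from /var/www/nextcloud. The list of allowed paths in particular is a starting point, not a guarantee: open a share link with the browser's network tab on your own Nextcloud version and confirm nothing outside the list is requested.

```shell
#!/bin/sh
# Added example for the thread above; not code from the Nextcloud project.
# All hostnames, paths and the occ invocation are assumptions to adjust.
set -eu

NC_UPSTREAM="${NC_UPSTREAM:-https://nc.internal.example}"   # assumed internal NC
NC_DIR="${NC_DIR:-/var/www/nextcloud}"                       # assumed install dir
OCC="${OCC:-sudo -u www-data php $NC_DIR/occ}"               # assumed occ call
PUBLIC_HOST="${PUBLIC_HOST:-share.example.org}"              # assumed public name

# Write the nginx server block for the Internet-facing reverse proxy.
# Design: default deny. Only the locations a public share page needs are
# proxied. Login (/login, /index.php/login), the desktop/mobile WebDAV
# endpoint, the OCS API and the admin UI match nothing and get a 403 here,
# so a stolen password is useless from outside. nginx normalises dot
# segments before matching, so /s/TOKEN/../login is matched as /login.
write_external_vhost() {
    out="$1"
    cat >"$out" <<EOF
server {
    listen 443 ssl;
    server_name $PUBLIC_HOST;
    ssl_certificate     /etc/nginx/tls/$PUBLIC_HOST.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/$PUBLIC_HOST.key;   # assumed path
    client_max_body_size 0;   # only matters if file-drop uploads are allowed

    proxy_set_header Host              \$host;
    proxy_set_header X-Real-IP         \$remote_addr;
    proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_ssl_server_name on;   # upstream speaks HTTPS with its own cert

    # Everything not explicitly allowed below stops here.
    location / { return 403; }

    # Share page, /download and /authenticate for password-protected links.
    location ~ "^/(index\.php/)?s/[A-Za-z0-9]+" { proxy_pass $NC_UPSTREAM; }
    # Public WebDAV used by the share page for folder downloads / file drop.
    location ~ "^/public\.php/" { proxy_pass $NC_UPSTREAM; }
    # Thumbnails on the share page.
    location ~ "^/index\.php/apps/files_sharing/publicpreview/" { proxy_pass $NC_UPSTREAM; }
    # Static assets and theming (logo, favicon) only; no app pages.
    location ~ "^/(core|apps|dist|js|css|themes)/.*\.(js|mjs|css|map|svg|png|gif|ico|woff2?|json|wasm)$" { proxy_pass $NC_UPSTREAM; }
    location ~ "^/index\.php/(css|js)/.*\.(css|js|map)$" { proxy_pass $NC_UPSTREAM; }
    location ~ "^/index\.php/apps/theming/" { proxy_pass $NC_UPSTREAM; }
}
EOF
}

# Sharing settings matching the thread: every link expires, cannot be
# made permanent by the sharer, and needs a password; no anonymous uploads;
# no user enumeration from the share dialog. These are the "core" app keys
# behind Admin settings > Sharing; the values are this example's choice.
harden_sharing() {
    $OCC config:app:set core shareapi_default_expire_date    --value yes
    $OCC config:app:set core shareapi_enforce_expire_date    --value yes
    $OCC config:app:set core shareapi_expire_after_n_days    --value 14
    $OCC config:app:set core shareapi_enforce_links_password --value yes
    $OCC config:app:set core shareapi_allow_public_upload    --value no
    $OCC config:app:set core shareapi_allow_share_dialog_user_enumeration --value no
    # Per-link download caps come from the download-limit app; assumed to be
    # installed on this instance (the sharer sets the cap on each link).
    $OCC app:enable files_downloadlimit
}

case "${1:-}" in
    vhost)  write_external_vhost "${2:-/etc/nginx/sites-available/$PUBLIC_HOST.conf}" ;;
    harden) harden_sharing ;;
    *)      echo "usage: $0 vhost [outfile] | harden" >&2 ;;
esac
```

Two things to check after deploying this. First, `nginx -t` and then fetch a share link from outside with a browser: anything the page needs that is not in the allow list shows up as a 403 in the network tab, and that is the list to extend, one path at a time, rather than loosening the default deny. Second, confirm the negative case: `curl -I https://share.example.org/login` and `/remote.php/dav` from outside must return 403 from nginx, not a Nextcloud page. Together with a reverse proxy that is itself not on the internal LAN, this gives the "only the share goes outside" property the last posts ask for without a second Nextcloud instance.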