Ooh, I like this thread. Great questions! I’ll try to offer some helpful advice.
go for it
Self-hosting FOSS like Nextcloud can be very empowering, especially for nonprofits and small businesses. Besides cost savings, raw access to data is so powerful.
secure by default
A core/base Nextcloud install appears to have excellent security. The source is in heavy use and is backed by a solid company with a reputation that depends on their commitment to security. They make it easy to lock down and vet (it is FOSS after all). The defaults appear secure. They follow best practices. They have a public bounty program and threat model.
start with the right questions
I think you are asking “am I good self-hosting Nextcloud, including sensitive information? can I do this?”, and I think you should ask “is the org good self-hosting Nextcloud, including sensitive information? can the org do this?”. More on this below.
this is fundamentally about resources
I think most folks here would agree that it costs money and time to do security well, not to mention privacy, compliance, reliability.
Have you tried contacting Nextcloud GmbH? Maybe they have a special pricing tier for nonprofits or could at least offer guidance.
What about grant money? If you get specific on costs (see below), that is helpful info to include in a grant application, and/or helps the org target specific donors/sponsors/donation channels/grant money.
should you do more than just stand up Nextcloud
I would take extra steps. Most of the security of a Nextcloud instance is left to the host. The security recommendations are a good start, assuming you’re talking about this. As @NaXal touched on, there’s a lot more to it, and it depends (in part) how much of a target your org / these data are. I’d add: how irreplaceable the data are, the cost of a breach, potential liability, stuff like that.
more thoughts, lightning round
- encrypt data at rest
- how sensitive are your data?
- PII is a big deal; PHI or financial data are radioactive
- have a plan for compliance – the fines for failing at this are substantial
- what’s your risk profile?
- phone a friend to help you do a simple threat model, it might not be as bad as you think
- sure, yes, do an audit
- budget based on your risk
- if you have low risk / low budget: just get 2nd, 3rd opinions
- are you aligned with the org you are supporting?
- present your findings/recommendations and solicit feedback
- be realistic about costs
- show your work re: hosting/admin cost, and include predictions for ongoing costs
- count your time as a cost, even if you don’t charge for it (this helps the org plan for the future)
- be transparent about your choices
- document what you do and why
- heck, document everything
- e.g. “we can’t afford paid hosting, we need to go paperless, here’s our plan, it’ll be awesome”
- consider succession: what if you get hit by a bus?
- what’s the plan for backups and restores?
- have periodic maintenance plans (weekly, monthly, etc.)
- applying security patches
- checking backups, logs
- making sure users with access are the right ones
- pay attention to Nextcloud’s community release EOL schedule
- test! (what @wwe said!)
- consider document retention
- understand and exceed your org and end-user expectations for reliability
- ballpark cost to the org for failures
- if you get budget, formalize SLAs, SLOs, QoS, SLIs, etc.
use caution re: customization
You mention “flexibility” as a benefit of self-hosting. Proceed with caution. Every customization you make, app you install, and device that connects increases your attack surface. Test heavily first (including desktop clients, WebDAV, headless scripts with access). Keep a test instance (and scripts to stand up & tear down same) on standby for this purpose. Make sure everything is justified and documented.
Start with the leanest possible vanilla install using the official AIO release. For filesharing all you really need is the Files app. “Collaboration” can mean lots of things, but you probably want Notes and to be able to edit office documents together, yeah? Those apps work well, IMHO. I also just started using Temporary files lock… this is handy, IMHO.
I want to specifically address the E2EE app since it appeared in this thread. On paper it sounds like exactly what you want, but there are quite a few open issues. I tried it and I do not recommend it yet. YMMV.
who is this guy anyway?
I guess I should say why you might want to listen to me at all. I’ve been in tech for over 20 years: coding, architecting, hiring, managing, startups, big enterprise, giving lectures, writing, sysadmin, security, privacy, compliance, stuff like that. I’ve been self-hosting and using Nextcloud heavily for a couple years now (and owncloud before that). So let’s say I have some experience and I aspire to become an expert. I am not affiliated with Nextcloud GmbH.
Topic for another thread, but I bet you’re not at all alone in looking for affordable secure cloud hosting for a nonprofit. I’d love to learn more about that together!
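The "scripts to stand up & tear down" a disposable test instance mentioned above, as an added example that is not part of the post and not Nextcloud's own tooling. It assumes docker is installed and reuses the mastercontainer name, ports and volumes documented for the official AIO image; DRY_RUN=1 previews the docker commands without running them.

```shell
#!/bin/sh
# Added example (not from the post): stand up and tear down a throwaway
# Nextcloud AIO test instance with docker. Assumes docker is installed and
# uses the AIO mastercontainer name, ports and volumes from the AIO README.
# DRY_RUN=1 prints the docker commands instead of executing them.
set -eu

AIO_IMAGE="${AIO_IMAGE:-nextcloud/all-in-one:latest}"
AIO_NAME="nextcloud-aio-mastercontainer"
AIO_ADMIN_PORT="${AIO_ADMIN_PORT:-8080}"   # AIO admin UI (self-signed TLS)
DRY_RUN="${DRY_RUN:-0}"

# run: execute the given command, or only print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# aio_up: start the mastercontainer on fresh volumes; finish setup in the
# admin UI at https://<host>:$AIO_ADMIN_PORT
aio_up() {
  run docker run --init --sig-proxy=false --name "$AIO_NAME" \
    --restart always \
    --publish 80:80 --publish "$AIO_ADMIN_PORT:8080" --publish 8443:8443 \
    --volume nextcloud_aio_mastercontainer:/var/lib/docker/volumes/nextcloud_aio_mastercontainer \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    "$AIO_IMAGE"
}

# aio_down: remove every container and volume AIO created, so the next
# aio_up starts from a clean, reproducible state (all test data is lost)
aio_down() {
  run docker stop "$AIO_NAME"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "docker rm -f <containers named nextcloud-aio-*>" \
                  "docker volume rm <volumes named nextcloud_aio_*>"
    return 0
  fi
  ids=$(docker ps -aq --filter "name=nextcloud-aio")
  [ -n "$ids" ] && docker rm -f $ids
  vols=$(docker volume ls -q --filter "name=nextcloud_aio")
  [ -n "$vols" ] && docker volume rm $vols
  return 0
}

case "${1:-}" in
  up)   aio_up ;;
  down) aio_down ;;
  *)    echo "usage: $0 up|down (set DRY_RUN=1 to preview)" >&2 ;;
esac
```

Run it as `./aio-test.sh up` before trying a new app or client, and `./aio-test.sh down` afterwards so the next test starts from a known-clean vanilla install.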