Ooh, I like this thread. Great questions! I have answers.
go for it
Self-hosting FOSS like Nextcloud can be very empowering, especially for nonprofits and small businesses. Besides cost savings, raw access to data is so powerful.
secure by default
A core/base Nextcloud install appears to have excellent security. The source is in heavy use and is backed by a solid company with a reputation that depends on their commitment to security. They make it easy to lock down and vet (it is FOSS after all). The defaults appear secure. They follow best practices. They have a public bounty program and threat model.
start with the right questions
I think you are asking "am I good self-hosting Nextcloud, including sensitive information? can I do this?", and I think you should ask "is the org good self-hosting Nextcloud, including sensitive information? can the org do this?". More on this below.
this is fundamentally about resources
I think most folks here would agree that it costs money and time to do security well, not to mention privacy, compliance, reliability.
Have you tried contacting Nextcloud GmbH? Maybe they have a special pricing tier for nonprofits or could at least offer guidance.
What about grant money? If you get specific on costs (see below), that is helpful info to include in a grant application, and/or helps the org target specific donors/sponsors/donation channels/grant money.
should you do more than just stand up Nextcloud
Yes.
I would take extra steps. Most of the security of a Nextcloud instance is left to the host. The security recommendations are a good start, assuming you're talking about this. As @NaXal touched on, there's a lot more to it, and it depends (in part) how much of a target your org / these data are. I'd add: how irreplaceable the data are, the cost of a breach, potential liability, stuff like that.
more thoughts, lightning round
- encrypt data at rest
- how sensitive are your data?
  - PII is a big deal, PHI or financial data are radioactive
  - have a plan for compliance: the fines for failing at this are substantial
- what's your risk profile?
  - phone a friend to help you do a simple threat model, it might not be as bad as you think
  - sure, yes, do an audit
  - budget based on your risk
  - if you have low risk / low budget: just get 2nd, 3rd opinions
- are you aligned with the org you are supporting?
  - present your findings/recommendations and solicit feedback
- be realistic about costs
  - show your work re: hosting/admin cost, and include predictions for ongoing costs
  - count your time as a cost, even if you don't charge for it (this helps the org plan for the future)
- be transparent about your choices
  - document what you do and why
  - heck, document everything
  - e.g. "we can't afford paid hosting, we need to go paperless, here's our plan, it'll be awesome"
- consider succession: what if you get hit by a bus?
- what's the plan for backups and restores?
- have periodic maintenance plans (weekly, monthly, etc)
  - applying security patches
  - checking backups, logs
  - making sure users with access are the right ones
  - pay attention to Nextcloud's community release EOL schedule
  - test! (what @wwe said!)
- consider document retention
- understand and exceed your org and end-user expectations for reliability
  - ballpark cost to the org for failures
  - if you get budget, formalize SLAs, SLOs, QoS, SLIs, etc.
use caution re: customization
You mention "flexibility" as a benefit of self-hosting. Proceed with caution. Every customization you make, app you install, and device that connects increases your attack surface. Test heavily first (including desktop clients, WebDAV, headless scripts with access). Keep a test instance (and scripts to stand up & tear down same) on standby for this purpose. Make sure everything is justified and documented.
Start with the leanest possible vanilla install using the Docker image. The official AIO release looks fine too; I haven't tried it, personally. For filesharing all you really need is the Files app. "Collaboration" can mean lots of things, but you probably want Notes and to be able to edit office documents together, yeah? Those apps work well (on desktops, not so much mobile), IMHO. I also just started using Temporary files lock… this is handy. You get the point though: less is more when it comes to installing Nextcloud apps and security.
I want to specifically address the E2EE app since it appeared in this thread. On paper it sounds like exactly what you want, but there are quite a few open issues. I tried it and I do not recommend it yet. YMMV
who is this guy anyway?
I guess I should say why you might want to listen to me at all. I've been in tech for over 20 years: coding, architecting, hiring, managing, startups, big enterprise, giving lectures, writing, sysadmin, security, privacy, compliance, stuff like that. I've been self-hosting and using Nextcloud heavily for a couple years now (and owncloud before that). So let's say I have some experience and I aspire to become an expert. I am not affiliated with Nextcloud GmbH.
parting thoughts
Topic for another thread, but I bet you're not at all alone in looking for affordable secure cloud hosting for a nonprofit. I'd love to learn more about that together!