Offerman Consulting

German IT security experts validate ownCloud for high-protection environments

Author: Adrian Offerman

The 'Bundesamt für Sicherheit in der Informationstechnik' (BSI, the German Federal Office for Information Security) qualifies ownCloud as a modern, internet-based successor to the proprietary server software that traditionally provided file and messaging functionality to organisations and workgroups.

The BSI just published a report on the operation and security of ownCloud. The report (in German) provides IT managers and other decision makers with requirements, measures and considerations, as well as the security assessment and the risks involved in a high-protection deployment of ownCloud in their organisations.

According to the authors, an important aspect is that an on-premise ownCloud deployment provides its services to internet and mobile users while control over the data remains with the owners of the system. This sovereignty is lost when using a commercial cloud provider that stores its data all over the world, providing no guarantees as to the applicable jurisdiction.

Overview

The report kicks off with an overview of ownCloud and its features, architecture, functions, components and associated apps. The software is available as a free community-supported version — ownCloud Server — and as an Enterprise Edition that comes with additional features and support.

The second half of the report discusses risks and measures related to the security and operational aspects of an ownCloud deployment. The authors conclude that the software provides, with little effort, a quick start towards a self-operated sharing service. Although its features may seem limited compared to commercial offerings, this is not a real disadvantage since it avoids the consequential complexity of configuration and administration. Of course, even though control over the data may be lost, a commercial service is less expensive than a self-hosted solution. These and other aspects should be taken into consideration when deciding which operational model to use.