Nextcloud and Virtual Data Room configuration
Nextcloud offers a number of features in the Virtual Data Room space which allow the creation of a collaboration environment that is walled off from other data and decreases the chance for data leakage. Note that there is a wide range of abilities associated with virtual data rooms and, like all solutions, Nextcloud has some features and lacks others. In general, a virtual data room is not a single feature but more of a combination of capabilities that can be configured, depending on your needs.
In this article we provide guidance to set up a VDR (Virtual Data Room) with Nextcloud.
NOTE: this article is a work in progress. Please ask questions through support.
Threat modelling
The first step for setting up a VDR is to examine the needs around security and capabilities. It is important to have an idea of both what should be possible and what risks you want to protect from. Here are some questions to ask when developing a threat model for a VDR:
- To what degree do you trust the users. Are you afraid users will intentionally try to extract data, or do so unintentionally?
- It is extremely hard to give somebody external access to data without allowing them to somehow copy the data. Nothing can prevent somebody from using a mobile phone to take photos of the screen showing them data! For this threat scenario, only physical restrictions (only access data in a surveiled, physical room) is effective. Most VDR scenario’s merely make it harder to make mistakes.
- To what degree do you trust the administrators. Nextcloud is designed with a trusted server administrator in mind. If you do not trust the administrator, you will have to use extra precautions like a 4-eyes policy where no admin gets to access the server without another admin supervising.
- While end-to-end encryption is available and can be used in a VDR setup, it is limiting collaboration significantly and not really recommended in VDR usage.
- To what degree do you trust your hosting solution. Nextcloud is designed to trust the local server and local storage, but can use encryption on external storage.
- To what degree do you trust local devices. Do you trust the android, iOS or laptop devices users use? You can then determine if you will allow use of mobile and/or desktop apps.
- What kind of attacks are you trying to prevent. While few organizations face government-level threats, phishing and ransomware are common threats. Each has mitigations in Nextcloud.
- For encryption options and threat modelling, see our blog on encryption in Nextcloud with some insights and tips.
Subscriber exclusive content
A Nextcloud Enterprise Subscription provides unlimited access to our knowledge base articles and direct access to Nextcloud engineers.