Nextcloud Improves Security, Adds Enterprise Support

Nextcloud, a fork of the popular open-source ownCloud storage project, takes its next steps.


A month ago, Frank Karlitschek, founder of the ownCloud project, forked the code to create a new company called Nextcloud. Now, in its first platform release, the company's technology is getting enterprise support.

In keeping with ownCloud's numbering, the new release is Nextcloud 9, though the release brings more than what is available in the ownCloud 9 release that debuted in March.

"Nextcloud is building open-source replacements for the ownCloud closed-source enterprise-only features," Karlitschek told eWEEK. "With this release, 80 percent is done and the rest will be coming soon."

Nextcloud isn't simply replicating features that already exist in ownCloud. Karlitschek said Nextcloud is also developing its own set of new and innovative features.

"At the moment, we have a new and super easy way to theme your Nextcloud installation with different colors and logos directly from within the Web interface," he said.

Also, Nextcloud has built open-source enterprise features including Security Assertion Markup Language (SAML), which is used for single sign-on (SSO). Plus, Nextcloud enables an anonymous upload capability for its users. For both SAML and the anonymous upload capability, Karlitschek said Nextcloud's iterations of those features are more powerful and flexible than the ones available from ownCloud.

"This is the result of the open collaboration that we are doing with several universities and research institutions," he said.

Security is also a core focus, with Nextcloud 9 including two security updates for vulnerabilities that were reported by way of the company's bug bounty program. Nextcloud works with third-party bug bounty platform vendor HackerOne, which has been in the news in recent months for enabling the "Hack the Pentagon" bug bounty program.

Details on the two security issues that have been fixed in Nextcloud 9 have not yet been publicly disclosed.

"Nextcloud doesn't publish any security information to third parties until 14 days after the release, following industry best practices," Karlitschek said. "Note that we do work with our customers to mitigate the security issues we find from the moment we discover them, without sharing details of the vulnerability as much as possible."

Given that Nextcloud is mostly based on code from ownCloud at this point, the same vulnerabilities likely exist in both products. Karlitschek said Nextcloud is actively trying to work together with the ownCloud project on security issues.

"With regard to these vulnerabilities, we have made ownCloud a proposal on how we believe this information exchange should work, but they have not agreed on a proposal yet," Karlitschek said. "We hope that we can agree on a process so that ownCloud users also benefit from the security fixes we do."

For ownCloud users who want to migrate to Nextcloud, or for customers who want to get support, the process is easy, according to Karlitschek.

"Everyone who signed an ownCloud subscription before June can also get support from us for free," he said. "Just send a message through our contact form on the Website."

The migration from ownCloud to Nextcloud is straightforward—users just replace their ownCloud installation with the latest Nextcloud while keeping data and the configuration folder in place, according to Karlitschek.

Since starting Nextcloud, Karlitschek said that he has been surprised by the overwhelmingly positive response he has received so far, from customers, prospects and the contributor community. Thanks to the positive response, Nextcloud is moving faster than originally planned, he said.

"We are working full steam on the next major release, which is planned for August," Karlitschek said. "Users can expect more security hardening and improvements."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.