ownCloud Architecture Overview
Providing Access to Data Where It Lives

Your IT landscape is complex, and often inherited. You have storage systems, servers, private cloud management tools, log managers, backup tools, authentication options and many more solutions already deployed. You don’t want to add another silo to enable secure file sharing for your employees, but you also don’t want your corporate confidential information being passed around in consumer-grade applications across multiple devices. You are looking for an answer that lets you leverage your existing infrastructure without duplicating or moving data. Further, you are looking to regain control while enabling modern on-the-go access that is demanded by your workforce.

ownCloud provides Universal File Access through a common file access layer regardless of where the data lives – in applications, object stores, on-premise storage or in the cloud. Data is kept where it is while IT is able to manage proprietary information and business risk, leveraging existing data management, security and governance tools and processes. Whether in SharePoint, on a Windows network drive or in cloud storage, users have a single interface from which they can access, sync and share files on any device, anytime, from anywhere – all completely managed, secured and controlled by IT as seen in Figure 1.

Figure 1: ownCloud has a single interface from which users can access, sync and share files on any device, anytime, from anywhere.

Solution Architecture Overview

The core of the ownCloud solution is the ownCloud server. Unlike consumer-grade file sharing services, ownCloud’s server enables IT to protect and manage files within the ownCloud environment – from file storage to user provisioning, file access rules to file processing. ownCloud monitors and logs all data access events for downstream auditing and analysis using popular SIEM tools like Splunk®. The server provides a secure web interface through which administrators control all of ownCloud’s resources, allowing authorized users to enable and disable features, set policies, federate servers, create backups and manage users. Advanced features for enterprise directory integration and file "firewall" rules give admins exceptional flexibility and control. The server also manages and secures API access to ownCloud, while providing the scalable processing engine needed to deliver high performance file sharing services.

Figure 2: ownCloud Solution Architecture (diagram; labels recovered from the figure: Protect; Control and Manage Access; Integrate and Extend; Your Storage, primary and secondary, hybrid cloud; Your Server, with metering, monitoring and central control; User Devices; LDAP/AD, Virus Scan, Versions, Encryption, File Firewall, SAML, Your App)

The ownCloud server stores user files in standard file system formats and can use most enterprise file systems. If you can mount the file system on your server, ownCloud can use it. Further, ownCloud can also use S3 and Swift based object stores or compliant gateways – ownCloud is filesystem and storage agnostic. ownCloud can leverage storage that is physically located in your data center or "virtually mounted" third-party storage (Figure 2). Thus, ownCloud enables you to protect your files as you would any other data asset in your infrastructure. As demonstrated in Figure 3, ownCloud works seamlessly with your existing tools and utilities, from standard backups and intrusion detection, to log managers and Data Loss Prevention (DLP) solutions. ownCloud can also activate the included encryption module to provide an added layer of encryption at rest for user files.

ownCloud applications make integration with your existing technology stack a breeze. Enabled through the server control panel, integration plugins provide functionality such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) integration for user account provisioning, authentication and even quota management. SAML IdPs can also be used for authentication within ownCloud. For custom integrations, ownCloud can be easily extended using mobile libraries, external REST APIs, internal app development APIs and plugin applications. Features such as the online text editor, virus scanning, file versioning and server-side encryption are included in the ownCloud core. Features such as enhanced logging and audit plug-ins, File Firewall, Retention, SAML authentication, Windows network drive(s) integration, SharePoint integration and autotagging are available in the ownCloud Enterprise Edition.

ownCloud customers have integrated a wide variety of new functionality into ownCloud, from video streaming to contact and calendar syncing, custom authentication mechanisms, and API-based storage. Also, ownCloud’s encryption model is highly scalable and allows administrators to maintain complete control over their encryption keys. In short, unlike proprietary alternatives, ownCloud can be easily extended to do far more than basic file sync and share.

While ownCloud provides the ability to access, control and protect data in the enterprise, ownCloud also delivers the consumer grade experience users expect on desktops, laptops, tablets and mobile phones. Intuitive interfaces guide end-users through a wide range of file sharing activities, and administrator efficiency is aided through wizards, management tools and monitoring and logging capabilities. ownCloud also provides the ability for standard WebDAV clients to access ownCloud files, enabling users to continue to use standards-based productivity tools to interoperate seamlessly with ownCloud.
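The overview above says that ownCloud logs every data access event for downstream SIEM analysis. The following is an added example, written for this page and not taken from the whitepaper or from the ownCloud project, of the kind of detection a practitioner would run over that log before or instead of shipping it to Splunk: a sliding-window count of failed logins per source address, which also catches a password spray across many accounts. It assumes ownCloud’s default JSON-per-line log format (one object per line with reqId, remoteAddr, app, message, level and time) and the core app’s failed-login message `Login failed: '<user>' (Remote IP: '<ip>')`; the sample log lines are constructed, and the threshold and window are arbitrary tuning values.

```python
"""Added example: failed-login burst detector over constructed owncloud.log lines.
Assumptions: JSON-per-line log records and the core app's
"Login failed: '<user>' (Remote IP: '<ip>')" message format."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_FAILED_RE = re.compile(
    r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)"
)

# Constructed sample: six failures from one address in under two minutes
# (five different accounts, i.e. a password spray), one stray failure from
# another address, one unrelated record, and one non-JSON line.
SAMPLE_LOG = """\
{"reqId":"a1","remoteAddr":"10.0.0.5","app":"core","message":"Login failed: 'alice' (Remote IP: '10.0.0.5')","level":2,"time":"2016-05-07T10:15:00+00:00"}
{"reqId":"a2","remoteAddr":"10.0.0.5","app":"core","message":"Login failed: 'bob' (Remote IP: '10.0.0.5')","level":2,"time":"2016-05-07T10:15:10+00:00"}
{"reqId":"a3","remoteAddr":"10.0.0.5","app":"core","message":"Login failed: 'carol' (Remote IP: '10.0.0.5')","level":2,"time":"2016-05-07T10:15:25+00:00"}
{"reqId":"a4","remoteAddr":"10.0.0.5","app":"core","message":"Login failed: 'dave' (Remote IP: '10.0.0.5')","level":2,"time":"2016-05-07T10:15:40+00:00"}
{"reqId":"a5","remoteAddr":"10.0.0.5","app":"core","message":"Login failed: 'erin' (Remote IP: '10.0.0.5')","level":2,"time":"2016-05-07T10:16:02+00:00"}
{"reqId":"a6","remoteAddr":"10.0.0.5","app":"core","message":"Login failed: 'alice' (Remote IP: '10.0.0.5')","level":2,"time":"2016-05-07T10:16:30+00:00"}
{"reqId":"b1","remoteAddr":"192.168.1.20","app":"core","message":"Login failed: 'frank' (Remote IP: '192.168.1.20')","level":2,"time":"2016-05-07T10:20:00+00:00"}
{"reqId":"b2","remoteAddr":"192.168.1.20","app":"files","message":"Exception: file not found","level":3,"time":"2016-05-07T10:20:05+00:00"}
PHP Warning: this line is not JSON and must be skipped rather than crash the parser
"""


def parse_failed_logins(text):
    """Return a list of (timestamp, ip, user) for every failed-login record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON debris (PHP warnings, partial writes)
        m = LOGIN_FAILED_RE.search(rec.get("message", ""))
        if not m:
            continue
        # Prefer the address embedded in the message; fall back to the record field.
        ip = m.group("ip") or rec.get("remoteAddr", "?")
        events.append((datetime.fromisoformat(rec["time"]), ip, m.group("user")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"count": n, "users": [...]}} for every source address with
    at least `threshold` failures inside some sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"count": len(items),
                              "users": sorted({u for _, u in items})}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['count']} failed logins against {info['users']}")
```

One caveat that follows from the deployment described later in this paper: behind a load balancer the recorded address is the balancer’s unless the server is configured to trust the proxy’s forwarded-for header, and a detector like this will then see one giant "attacker". Check the addresses in the log before tuning thresholds.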

Figure 3: IT Controls Access in Their Environment

Figure 4: ownCloud Server Architecture (diagram; labels recovered from the figure: Core Server with PHP processing engine, storage abstraction, WebDAV and HTTPS front end, Logging, Metering API, Reporting, Provisioning API, Sharing API, Capability API, Application API and Branding; primary storage such as Swift, S3, NFS, GFS, GFS2, XFS, ZFS, Red Hat Storage and GPFS; secondary storage such as CIFS, WebDAV, FTPS, Swift, S3, Google, SharePoint, Windows Network Drive and another ownCloud instance; Your Apps)

Server Architecture Overview

At its core, ownCloud is a PHP web application running on top of Apache on Linux. This PHP application manages every aspect of ownCloud, from user management to plugins, file sharing and storage. Attached to the PHP application is a database where ownCloud stores user information, user-shared file details, plugin application states, and the ownCloud file cache (a performance accelerator). ownCloud accesses the database through an abstraction layer, enabling support for Oracle, MySQL and PostgreSQL. Complete webserver, user and system logging is provided and may be used with the log reporting tools of your choice.

To enable a broad range of storage alternatives, ownCloud also abstracts the storage tier. As a result, ownCloud can leverage just about any storage protocol that can be mounted on your ownCloud server – from CIFS, NFS and GFS2, to clustered file systems like Red Hat Storage, IBM Elastic Storage, and even object stores like Swift and S3. Other storage resources can also be mounted on the system using optional plugin applications, such as SharePoint, Windows network drives, Windows home directories, (s)FTP, WebDAV, another ownCloud instance and even external cloud storage services such as S3, Swift, and Dropbox if desired. User configurations can include dynamically allocated storage driven by user directory entries – enabling data segregation and multitenant style deployments.

ownCloud includes a variety of open server-side APIs for integrating with other systems. These include:

• Activity – an RSS feed delivers all activities associated with a user’s files, such as sharing activity, updated, renamed, deleted and removed files.

• Applications – the most powerful API, enabling customers to expand ownCloud out of the box, to integrate with existing infrastructure and systems, and to create new plugin applications. Examples of this API in use include the custom authentication backends, music and video streaming applications, a URL shortener app and an image preview application.

• Capability – information about the installed ownCloud capabilities, allows ownCloud and third-party applications to query for the enabled features and plugin applications.

• External provisioning – the ability to add and remove users remotely, and to query metering information about ownCloud storage usage and quota.

• Sharing – the ability for external apps, such as the ownCloud mobile app, to share files from remote devices or to natively share between two ownCloud servers.

• Branding – a simplified mechanism for branding ownCloud servers, and through ownBrander, to brand desktop, mobile and web clients to match your corporate look and feel.

In addition to delivering the core of ownCloud, the ownCloud server also includes the ownCloud web interface, which provides a control center for configuring, managing and monitoring the system. ownCloud gives end users tools for controlling access to their files and folders. Employees are set up in the system as users, administrators, or both. Administrators can add, enable, and disable ownCloud features through the settings menu, add and remove users and groups, or manage various ownCloud settings and administrative tasks (migration and backup, for example). Users access the web interface to browse and manage their files, and to set granular permissions on files and folders shared with others on the system. Users can also access enabled applications through the web portal, such as the activity stream, text editor and image preview, file and folder sharing, SharePoint document libraries, Windows network drives, rollback of previous versions and much more. The ownCloud web interface is compatible with all major browsers on Windows, Mac OS and Linux machines.

Figure 4: Common ownCloud Deployment Architecture (diagram; labels recovered from the figure: load balancer and web servers; database cluster with primary and secondary; storage with data nodes and an optional management node)
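The sentence above about "dynamically allocated storage driven by user directory entries", and the two-tier storage scenario under Onsite Storage below, both rest on one piece of logic: a value read from a user’s LDAP/AD entry decides which mount point that user’s home directory lands on. The following is an added example, written for this page and not ownCloud’s own implementation, of that mapping with the check a practitioner would insist on: the directory value is an untrusted label that is looked up in a table of mounts the administrator actually created, never a path that is used as-is, and the uid is confined to a single path component. The mount points /data/highendstorage1 and /data/lowendstorage2 are the ones the paper names; the attribute name ownCloudStorageClass, the default mount and the directory entries are assumptions constructed for the example.

```python
"""Added example: directory-driven per-user storage paths with input confinement.
Not ownCloud's LDAP app; the attribute name and default mount are assumptions."""
import posixpath

APPROVED_MOUNTS = {                       # only what the admin actually mounted
    "high": "/data/highendstorage1",
    "low": "/data/lowendstorage2",
}
DEFAULT_MOUNT = "/data/storage_device"    # assumption: the single-pool default
STORAGE_CLASS_ATTR = "ownCloudStorageClass"   # assumed attribute name


def is_safe_uid(uid):
    """A uid may only ever be a single path component."""
    return bool(uid) and "/" not in uid and "\\" not in uid and uid not in (".", "..")


def select_storage_root(entry):
    """Choose a mount root from the directory entry. Anything other than exactly
    one known class name falls back to the default pool: the directory value is
    a label to look up, never a path to use."""
    values = entry.get(STORAGE_CLASS_ATTR) or []
    if len(values) != 1:
        return DEFAULT_MOUNT
    return APPROVED_MOUNTS.get(values[0].strip().lower(), DEFAULT_MOUNT)


def user_home_path(uid, entry):
    """Absolute home directory for uid, guaranteed to sit directly under an
    approved mount root."""
    if not is_safe_uid(uid):
        raise ValueError(f"refusing unsafe uid {uid!r}")
    root = select_storage_root(entry)
    home = posixpath.normpath(posixpath.join(root, uid))
    if posixpath.dirname(home) != root:    # belt and braces after is_safe_uid
        raise ValueError(f"{home} escapes {root}")
    return home


# Constructed directory entries; attribute values are lists, as LDAP returns them.
SAMPLE_ENTRIES = {
    "alice": {"ownCloudStorageClass": ["high"]},
    "bob":   {"ownCloudStorageClass": ["low"]},
    "carol": {},                                        # attribute absent
    "dave":  {"ownCloudStorageClass": ["../../etc"]},   # hostile or broken value
}


def assign_homes(entries):
    """Resolve a home path for every uid in the mapping."""
    return {uid: user_home_path(uid, entry) for uid, entry in entries.items()}


if __name__ == "__main__":
    for uid, path in assign_homes(SAMPLE_ENTRIES).items():
        print(f"{uid:6} -> {path}")
```

The design choice worth keeping whatever mechanism you use: the directory service is an external system that other teams administer, so a value from it selects among pre-approved storage locations and is never spliced into a filesystem path.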

Deployment Scenario

With the ownCloud solution and server architectures outlined in Figure 2, this paper now examines how ownCloud is deployed on site, how it is integrated with the storage tier and existing infrastructure tools, and the flexibility provided by ownCloud’s APIs. This understanding is facilitated by a brief review of how ownCloud is typically deployed in production environments.

In production, ownCloud is most often deployed as an n-tier load balanced web application running in a data center or managed cloud infrastructure. ownCloud can be deployed to physical, virtual, or private cloud servers using native binaries or a virtual appliance footprint. There is almost always a load balancer on the front-end of the deployment connected to at least two web servers for fault tolerance.

The ownCloud web servers host the PHP code, and are most often deployed on Apache over Linux. All of the web servers are then connected to a database (frequently a clustered Oracle or MySQL database, for instance) for user information, including the virtualized file cache, user and group metadata, shared file lists, and storage required by enabled ownCloud apps. The web servers are also all connected to shared backend storage, often a clustered filesystem. With this configuration, ownCloud can be scaled up easily to meet load requirements, while providing whatever redundancy and backup requirements are needed to achieve system availability objectives.

Onsite Storage

For nearly all deployment scenarios, connecting ownCloud to backend storage is as simple as mounting onsite storage on the server, such as mount point /data/storage_device. Nearly all storage devices and file systems – from direct attached NTFS to cluster systems like Red Hat Storage – have well tested, high-performance Linux drivers that make this easy. Object stores can also be mounted through ownCloud. Once the storage device is mounted in the desired location, the ownCloud configuration file is edited with the storage device path, and all ownCloud storage is immediately changed to that path. Each user gets a directory, and all versions, folders and files are stored in that location. Object stores leverage containers in a similar manner, flattening the file path into the database and storing only an object.

In larger installations, it may be necessary to create more than one storage location for an ownCloud instance. Perhaps policy requires high performance, fully redundant storage for one group, and less expensive storage for another group. In this situation, it is possible to leverage ownCloud’s built-in integration with LDAP or Active Directory servers to dynamically assign a storage path to each user. The LDAP/AD plugin is further described below, but once connected, the storage path attribute can be inherited, and users can be directed to two or more storage paths based on these entries. Simply mount the storage devices on the server in the desired mount point, such as /data/highendstorage1 and /data/lowendstorage2, and user files and versions will be saved to the specified path.

Occasionally ownCloud needs to connect to REST API-based storage. In some cases, API-accessed storage replaces the mounted file system described above, and in some cases it augments the storage. ownCloud can handle either scenario through the use of plugin applications. For example, ownCloud provides a plugin application that mounts S3 and Swift as HTTP based backend storage systems. When enabled, the plugin application performs all file operations using the abstracted S3 interface. For the other folders on the server, ownCloud retains a file system mount. In other installations, ownCloud’s built-in External Filesystem plugin leverages a mix of APIs, providing system admins the flexibility to connect CIFS, FTPS, WebDAV and other storage systems in addition to the existing filesystem storage.

Ultimately, administrators must decide which storage system(s) to use, how to configure user access, and whether or not to mix and match storage to optimize existing infrastructure, security policies, and end-user requirements. ownCloud provides the mechanisms to optimize the use of onsite, cloud or hybrid storage, giving admins control of corporate data, while still providing the capabilities that users demand.

For more information on scaling ownCloud and hardware sizing, visit owncloud.com/whitepapers

Infrastructure Integration

The most common infrastructure integration request is to connect ownCloud to an enterprise directory, or other standard authentication mechanisms. ownCloud provides out-of-the-box integration with LDAP, AD and SAML 2.0. Administrators simply enable the ownCloud LDAP/AD or SAML plugin application, configure the server addresses, protocols and filters, and users are authenticated against the appropriate service. With the appropriate settings, user group memberships, quotas and even, as seen in Figure 4, storage paths can be centrally managed and applied to ownCloud. It is even possible to enable SAML and AD/LDAP at the same time, using SAML for authentication and AD/LDAP for group memberships.

The first time a user logs into ownCloud with a user name and password, ownCloud provisions the user and they are off and running. Administrators can also enable custom attributes, such as custom display names and avatars, to make it easier for users to find each other when sharing documents. All corporate policies governing the account, such as failed login account lockout, are still managed out of the corporate directory, with ownCloud enforcing the result.

Beyond LDAP/AD integration, ownCloud offers a wide range of other integration capabilities. For example, it is possible to leverage the user provisioning API to provision new users via an external automation service. In some very large deployment scenarios, it is far more efficient to provision new users in this manner than to use an enterprise directory. The provisioning API can also be used to report on user activity, shared file information, and to disable user accounts. The WebDAV API can be used to provide authenticated access to ownCloud files and folders based on user accounts, a popular feature among tablet users. WebDAV support also allows desktop users to browse ownCloud folders using familiar file explorer tools in Windows, Mac and Linux. While most deployed customers limit themselves to LDAP/AD integration and WebDAV access, ownCloud APIs offer the flexibility to integrate as needed into existing environments.

ownCloud also provides mechanisms for creating plugin applications to integrate with existing systems. One common use case is the custom authentication mechanism. While ownCloud supports LDAP and AD integration and SAML 2.0, several custom user authentication and authorization plugins have been created, from token to user name and password-based plugins. Other integrations have included log managers, Data Loss Prevention (DLP) tools, Mobile Device Management (MDM) tools and antivirus mechanisms, to name a few.

ownCloud also offers integrations with SharePoint, Windows network drives as well as other ownCloud instances. Access Control Lists (ACLs) and local policies are preserved and files are synced automatically in both directions. Selective sync allows users to sync only the most relevant files, which are all accessible through the ownCloud interface and, subsequently, on any device. Users may also configure web and desktop clients for a single view into multiple ownCloud instances.

As an n-tier web application, ownCloud integrates into most corporate web farms. Intrusion detection systems, network management tools and firewalls simply leverage existing ports and SSL certificates. Backup systems take server and database backups as with any other web application, and user experience systems wrap around the existing ownCloud application. For unique requirements, the ownCloud APIs and mobile libraries provide extensive flexibility. All of this gets managed with enterprise tools, in an enterprise data center, to enterprise policies, putting IT back in control of corporate data, while providing end users the pleasing, productive interfaces they demand.

Data protection is also a critical requirement for sharing files. ownCloud provides robust server-side encryption for data at rest. Because the server performs the encryption and handles the keys, server-side encryption protects the files as they sit on the storage backend (for example on third-party or virtually mounted storage); it does not protect them from a compromised ownCloud server, which is what client-side encryption addresses. ownCloud’s open architecture also integrates with toolkits such as OpenSSL to protect in-flight data, and can be easily extended to support other advanced security requirements such as client-side encryption.

Additional flexibility is also inherent in the encryption that is available in ownCloud. Customers are provided the ability to manage their key stores and to access and manage the reading and writing of files. Admins choose and implement the key manager of their choice (theirs, ours or a different one altogether) or replace the AES-256 cipher with one of their choosing. ownCloud is the only vendor to provide this capability. ownCloud Encryption 2.0 is built modularly with the ability to swap out components. Encryption is delivered as an app that is easily and quickly integrated with existing infrastructure.

Conclusion

ownCloud is open by nature and designed to integrate with existing infrastructure, management and security tools. A comprehensive set of APIs and native integrations enable anytime, anywhere access to all your data, wherever it resides.

For More Information

Please visit www.owncloud.com for more information about ownCloud product downloads, and detailed product documentation.

Copyright 2016 ownCloud All Rights Reserved. ownCloud and the ownCloud Logo are registered trademarks of ownCloud, Inc. in the United States and/or other countries.

ownCloud, Inc.
57 Bedford Street
Suite 102
Lexington, MA 02420
United States
www.owncloud.com/contact
phone: +1 (781) 778-7577

ownCloud GmbH
Schloßäckerstr. 26a
90443 Nürnberg
Germany
www.owncloud.com/de/kontakt
phone: +49 911 14888690

www.owncloud.com
@ownCloud
facebook.com/owncloud
gplus.is/owncloud
linkedin.com/company/owncloud

Whitepaper ENG 160507
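The Infrastructure Integration section above, like the "External provisioning" API listed under Server Architecture Overview, describes provisioning users from an external automation service and disabling them through the same API. The following is an added example of that exchange, written for this page and not ownCloud’s own code, with both sides shown: a client that builds the OCS calls and refuses to continue unless the response carries a success status, and a constructed stand-in for the server so the flow runs offline. The endpoints under /ocs/v1.php/cloud/users (POST to create, PUT .../<user>/disable, GET .../<user>), the mandatory OCS-APIRequest: true header and the status codes 100 (ok), 101 (invalid input), 102 (user already exists) and 997 (unauthorised) are stated from this author’s recollection of the provisioning API and should be verified against the documentation for your server version; admin credentials (HTTP Basic over HTTPS) are left to the transport and are not shown.

```python
"""Added example: HR-driven user provisioning against the OCS provisioning API.
Endpoints, header and status codes are assumptions to verify; FakeOwnCloud is a
constructed server stand-in, not the real server's behaviour."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote, unquote, urlencode

OCS_OK, OCS_INVALID, OCS_EXISTS, OCS_UNAUTHORISED = 100, 101, 102, 997


class OcsError(Exception):
    pass


def build_request(base_url, method, path, form=None):
    """Return (method, url, headers, body) for an OCS provisioning call."""
    url = base_url.rstrip("/") + "/ocs/v1.php/cloud/" + path
    headers = {"OCS-APIRequest": "true"}   # without it the server answers 997
    body = None
    if form is not None:
        body = urlencode(form)
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return method, url, headers, body


def parse_ocs(xml_text):
    """Return (statuscode, message, <data> element) from an OCS XML response."""
    root = ET.fromstring(xml_text)
    meta = root.find("meta")
    return int(meta.findtext("statuscode")), meta.findtext("message") or "", root.find("data")


def create_user(transport, base_url, userid, password):
    """Create userid; True if created, False if it already existed."""
    code, msg, _ = parse_ocs(transport(*build_request(
        base_url, "POST", "users", {"userid": userid, "password": password})))
    if code == OCS_EXISTS:
        return False                       # re-running the sync is harmless
    if code != OCS_OK:
        raise OcsError(f"create {userid!r}: {code} {msg}")
    return True


def disable_user(transport, base_url, userid):
    code, msg, _ = parse_ocs(transport(*build_request(
        base_url, "PUT", f"users/{quote(userid, safe='')}/disable")))
    if code != OCS_OK:
        raise OcsError(f"disable {userid!r}: {code} {msg}")


def is_enabled(transport, base_url, userid):
    code, msg, data = parse_ocs(transport(*build_request(
        base_url, "GET", f"users/{quote(userid, safe='')}")))
    if code != OCS_OK:
        raise OcsError(f"read {userid!r}: {code} {msg}")
    return data.findtext("enabled") == "true"


def reconcile(transport, base_url, joiners, leavers):
    """One sync pass: create joiners (userid, password), disable leavers.
    Returns the userids actually created this pass."""
    created = [u for u, pw in joiners if create_user(transport, base_url, u, pw)]
    for u in leavers:
        disable_user(transport, base_url, u)
    return created


def ocs_xml(code, message="OK", data_xml=""):
    status = "ok" if code == OCS_OK else "failure"
    return (f'<?xml version="1.0"?><ocs><meta><status>{status}</status>'
            f"<statuscode>{code}</statuscode><message>{message}</message></meta>"
            f"<data>{data_xml}</data></ocs>")


class FakeOwnCloud:
    """Constructed stand-in for the server side; callable like the transport."""

    def __init__(self):
        self.users = {}

    def __call__(self, method, url, headers, body):
        if headers.get("OCS-APIRequest") != "true":
            return ocs_xml(OCS_UNAUTHORISED, "Unauthorised")
        path = url.split("/ocs/v1.php/cloud/", 1)[1]
        if method == "POST" and path == "users":
            form = dict(parse_qsl(body or ""))
            uid = form.get("userid", "")
            if not uid or not form.get("password"):
                return ocs_xml(OCS_INVALID, "invalid input data")
            if uid in self.users:
                return ocs_xml(OCS_EXISTS, "username already exists")
            self.users[uid] = {"enabled": True}
            return ocs_xml(OCS_OK)
        if method == "PUT" and path.endswith("/disable"):
            uid = unquote(path[len("users/"):-len("/disable")])
            if uid not in self.users:
                return ocs_xml(OCS_INVALID, "unknown user")
            self.users[uid]["enabled"] = False
            return ocs_xml(OCS_OK)
        if method == "GET" and path.startswith("users/"):
            user = self.users.get(unquote(path[len("users/"):]))
            if user is None:
                return ocs_xml(OCS_INVALID, "unknown user")
            enabled = "true" if user["enabled"] else "false"
            return ocs_xml(OCS_OK, data_xml=f"<enabled>{enabled}</enabled>")
        return ocs_xml(OCS_INVALID, "unsupported call")


if __name__ == "__main__":
    server, base = FakeOwnCloud(), "https://cloud.example.com"
    print("created:", reconcile(server, base, [("alice", "s3cret!"), ("bob", "pa55w0rd")], []))
    reconcile(server, base, [("alice", "s3cret!")], ["bob"])
    print("bob enabled:", is_enabled(server, base, "bob"))
```

Against a real server the transport is the only piece that changes: it performs the HTTPS request with the admin account’s credentials and returns the response body. Disabling rather than deleting leavers keeps their files and shares intact for the retention decision, which is the behaviour the paper’s "disable user accounts" wording points at.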