ownCloud Architecture Overview

ownCloud, Inc., 57 Bedford Street, Suite 102, Lexington, MA 02420, United States; phone: +1 (877) 394-2030; www.owncloud.com/contact
ownCloud GmbH, Schloßäckerstraße 26a, 90443 Nürnberg, Germany; Tel.: +49 911 21 64 50 79; www.owncloud.com/de/contact

Sensitive enterprise data is outside of IT's control

Many employees use cloud-based services to share sensitive company data with each other, vendors, customers and partners. They sync data to their personal devices and home computers in an effort to do their jobs quickly and efficiently – without IT's oversight. Consumer cloud-based file sharing services store sensitive company data on external servers outside of IT's control, in violation of corporate policies and regulatory requirements – maybe even outside the country – and not managed by IT. The risks of data leakage, compliance violations and damage to the business are enormous.

The Problem in Action

Figure 1: How sensitive data is shared beyond the firewall and IT control (panels: In Your Enterprise, with User A and User B behind the firewall; Dropbox; At Home & Mobile, with (mobile) devices; no IT control over storage and servers, sensitive data, user provisioning, security or governance)

Time to Regain Control

ownCloud allows IT to regain control of sensitive data with managed file sync and share:

• Manage and Protect data on-premise – using any available storage, with the complete software stack running on servers safely inside the data center, controlled by trusted administrators, managed to established policies.
• Integrate with existing IT systems and policies – such as authentication systems, user directories, governance workflows, intrusion detection, monitoring, logging and storage management.
• Extend functionality easily through a comprehensive set of APIs to customize system capabilities, meet unique service requirements, and accommodate changing user needs.

AND STILL provide end users clean, intuitive access to the documents they need to get the job done using desktop systems, laptops, tablets and smart phones.

YOUR CLOUD, YOUR DATA, YOUR WAY!

ownCloud in Action

Figure 2: ownCloud provides managed file sync and share AND STILL consumer-grade usability (panels: In Your Enterprise, with User A and User B behind the firewall and an on-site server with open APIs and architecture; ownCloud; At Home & Mobile, with (mobile) devices and the same consumer-grade ease of use; IT managed: on-site server, on-site, off-site or hybrid storage, user provisioning & authentication, governance, security, compliance)

Solution Architecture Overview

The core of the ownCloud solution is the ownCloud server. Unlike consumer-grade file sharing services, ownCloud's server enables IT to protect and manage files within the ownCloud environment – from file storage to user provisioning and data processing. ownCloud monitors and logs all data access events for downstream auditing and analysis using popular tools like Splunk®. The server provides a secure web interface through which administrators control all of ownCloud's resources, allowing authorized users to enable and disable features, set policies, create backups and manage ownCloud users. Advanced features for enterprise directory integration and file “firewalls” give admins exceptional flexibility and control. The server also manages and secures API access to ownCloud, while providing the internal processing engine needed to deliver high performance file sharing services.

The ownCloud server stores user files in standard file system formats and can use most enterprise file systems. If you can mount the file system on your server, ownCloud can use it – ownCloud is file system and storage agnostic. ownCloud can leverage storage that is physically located in your data center or “virtually mounted” third-party storage. Thus, ownCloud enables you to protect your files as you would any other data asset in your infrastructure. ownCloud works seamlessly with all of your existing tools and utilities, from standard backups and intrusion detection, to log managers and Data Loss Prevention (DLP) solutions. ownCloud can also activate the included encryption module to provide an added layer of encryption at rest for user files.

ownCloud provided plug-in applications make integration with your existing technology stack a breeze. Enabled through the server control panel, integration plug-ins provide functionality such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) integration for user account provisioning and authentication. For custom integrations, ownCloud can be easily extended using mobile libraries, open APIs and plug-in applications. Features such as the online text editor, virus scanner, file versioning and server-side encryption are included in the ownCloud core. Enterprise features such as enhanced logging and audit plug-ins, File Firewall, SAML authentication and Jive Software® integration are available in the ownCloud Enterprise Edition.

ownCloud customers have integrated a wide variety of new functionality into ownCloud, from video streaming to contact and calendar syncing, custom authentication mechanisms, automated Optical Character Recognition back ends, and API-based storage. In short, unlike proprietary alternatives, ownCloud can be easily extended to do far more than basic file sync and share.

Figure 3: ownCloud Solution Architecture (Protect your storage: hybrid cloud optional; Manage your server: metering, monitoring, central control; Integrate and Extend: LDAP/AD, virus scan, versions, encryption, text editor, OAuth, your app; and still the user experience)

While ownCloud provides the ability to Manage and Protect, Integrate and Extend file sync and share in the enterprise, ownCloud also delivers the crisp, professional user experience on desktops, laptops, tablets and mobile phones that users demand. Intuitive, eye-pleasing visualizations guide end users through a wide range of file sharing activities, and high-productivity wizards, management and monitoring screens allow ownCloud administrators to operate with efficiency. ownCloud also provides the ability for standard WebDAV clients to access ownCloud files, enabling users to continue to use standards-based productivity tools to interoperate seamlessly with ownCloud.

Server Architecture Overview

At its core, ownCloud is a PHP web application running on top of IIS or Apache on Windows or . This PHP application manages every other aspect of ownCloud, from user management to plug-ins, file sharing and storage. Attached to the PHP application is a database where ownCloud stores users, user-shared file details, plug-in application states, and the ownCloud file cache (a performance accelerator). ownCloud accesses the database through an abstraction layer, enabling support for Oracle, MySQL, SQL Server, and PostgreSQL. Complete webserver logging is provided via webserver logs, and user and system logs are provided in a separate ownCloud log, or can be directed to a syslog file.

To enable a broad range of storage alternatives, ownCloud also abstracts the storage tier. As a result, ownCloud can leverage just about any storage protocol that can be mounted on your ownCloud server – from CIFS, NFS and GFS2, to clustered file systems like Red Hat Storage. Other storage resources can also be mounted on the system using optional external file system applications, such as Jive, Windows Home Directories, FTPs, WebDAV and even external cloud storage services S3, Swift, Google Drive and Dropbox if desired. User configurations can include dynamically allocated storage driven by user directory entries – enabling data segregation and multi-tenant deployments.

ownCloud includes a variety of open APIs for integrating with other systems. These include:

• Activity – provides an RSS feed or API call to deliver all activities associated with a user's files, such as sharing activity, updated, renamed, deleted and removed files
• Applications – the most powerful API, enabling customers to expand ownCloud out of the box, to integrate with existing infrastructure and systems, and to create new plug-in applications. Examples of this API in use include the custom authentication back ends, music and video streaming applications, a bit.ly-inspired app called shorty, and an image preview application.
• Capability – offers information about the installed ownCloud capabilities, so that ownCloud and third party applications can query for the enabled features and plug-in applications.
• External provisioning – provides the ability to add and remove users remotely, and enables admins to query metering information about ownCloud storage usage and quota.
• Sharing – provides the ability for external apps, such as the ownCloud mobile app, to share files from remote devices.
• Theming – a simplified mechanism for branding the ownCloud server to match your corporate look and feel, enabling colors and logos to be updated with style sheets.
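The server architecture description above notes that user and system events are written to a separate ownCloud log (or to syslog) for downstream auditing. The following is an added example, not code from this whitepaper or from the ownCloud project, of the kind of detection a defender runs over that log: it parses the JSON-per-line layout the server writes, pulls failed logins out of the core app's messages, and flags any source address that crosses a threshold within a sliding time window. The field names follow the shipped log format; the log lines, addresses, account names and the threshold are constructed for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of ownCloud.log lines (one JSON object per line, the
# layout the server writes when logging to its own file). The field names
# are the real ones; every value below is invented for this example.
SAMPLE_LOG = r'''
{"reqId":"r01","level":2,"time":"2015-03-02T09:00:01+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"r02","level":2,"time":"2015-03-02T09:00:14+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"r03","level":1,"time":"2015-03-02T09:00:20+00:00","remoteAddr":"192.0.2.10","user":"carol","app":"files_external","message":"Storage backend unreachable, retrying"}
{"reqId":"r04","level":2,"time":"2015-03-02T09:00:30+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r05","level":2,"time":"2015-03-02T09:00:47+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r06","level":2,"time":"2015-03-02T09:01:05+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '203.0.113.7')"}
{"reqId":"r07","level":2,"time":"2015-03-02T09:01:20+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"reqId":"r08","level":2,"time":"2015-03-02T09:05:00+00:00","remoteAddr":"198.51.100.22","user":"--","app":"core","message":"Login failed: 'dave' (Remote IP: '198.51.100.22')"}
'''

# The core app records a rejected login with the attempted account name and
# the client address in the message text.
LOGIN_FAILED = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)")


def parse_log(text):
    """Parse JSON-per-line log text; skip blank or malformed lines rather than abort."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        rec["ts"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def failed_logins(events):
    """Yield (timestamp, source ip, attempted account) for each failed-login event."""
    for rec in events:
        m = LOGIN_FAILED.search(rec.get("message", ""))
        if m:
            yield rec["ts"], m.group("ip"), m.group("user")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed logins inside one sliding window.

    Returns {ip: {"attempts": peak count seen inside a single window,
                  "users": set of account names tried from that ip}}.
    """
    per_ip = defaultdict(list)
    for ts, ip, user in failed_logins(events):
        per_ip[ip].append((ts, user))
    alerts = {}
    for ip, tries in per_ip.items():
        tries.sort()
        recent = deque()   # timestamps inside the current window
        peak = 0
        for ts, _ in tries:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[ip] = {"attempts": peak, "users": {u for _, u in tries}}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['attempts']} failed logins in one window, "
              f"accounts tried: {sorted(info['users'])}")
```

The same function applies unchanged to a live file (`parse_log(open("/path/to/owncloud.log").read())`); the threshold and window are the tuning knobs, and the set of account names per source is what distinguishes a password spray across many users from a single user mistyping a password.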

Figure 4: ownCloud Server Architecture (core server: PHP processing engine over HTTPS with WebDAV; primary storage NFS, GFS, GFS2, XFS, ZFS, gluster, etc.; optional secondary storage through the storage abstraction: CIFS, WebDAV, FTPs, Swift, S3, Dropbox, Google; APIs: Logging, Metering, Reporting, Provisioning, Sharing, Capability, Application, Theming; your apps)

In addition to delivering the core of ownCloud, the ownCloud server also includes the ownCloud web interface, which provides a control center for configuring, managing and monitoring the system. The ownCloud portal also gives end users tools for controlling access to their files and folders. Employees are set up in the system as users, administrators, or both. Administrators can add, enable, and disable ownCloud features through the settings menu; they can add and remove users and groups; and they can manage various ownCloud settings and administrative tasks (migration and backup, for example). Users access the web interface to browse and manage their files, and to set granular permissions on files and folders shared with others on the system. Users can also access enabled applications through the web portal, such as text and image previews, file and folder sharing, Jive integration, previous versions roll back, and much more. The ownCloud web interface is compatible with Firefox, Safari, Chrome and Internet Explorer on Windows, Mac OS and Linux machines.

Deployment Scenario

With the ownCloud solution and server architectures outlined above, this paper now examines how ownCloud is deployed on site, how it is integrated with the storage tier and existing infrastructure tools, and the flexibility provided by ownCloud's APIs. This understanding is facilitated by a brief review of how ownCloud is typically deployed in production environments.

In production, ownCloud is most often deployed as an n-tier load balanced web application running in a data center or managed cloud infrastructure. ownCloud can be deployed to physical, virtual, or private cloud servers using native binaries or a virtual appliance footprint. There is always a load balancer on the front-end of the deployment connected to at least two web servers. The ownCloud web servers host the PHP code, and are most often deployed on Apache over Linux, though IIS and Apache on Windows are also supported. All of the web servers are then connected to a database (frequently a clustered MySQL database instance) for user information, including the virtualized file cache, user and group meta data, shared file lists, and storage required by enabled ownCloud apps. The web servers are also all connected to shared back-end storage, often a clustered filesystem. With this configuration, ownCloud can be scaled up easily to meet load requirements, while providing whatever redundancy and backup requirements are needed to achieve system availability objectives.

Figure 4: Common ownCloud Deployment Architecture (load balancer & web server tier; database cluster with primary, secondary and management node; storage tier with data nodes, optional)

On-Site Storage

For nearly all deployment scenarios, connecting ownCloud to back-end storage is as simple as mounting on-site storage on the server, such as mount point /data/storage device. Nearly all storage devices and file systems – from direct attached NTFS to cluster systems like Red Hat Storage – have well tested, high-performance Linux drivers that make this easy. Once the storage device is mounted in the desired location, the ownCloud configuration file is edited with the storage device path, and all ownCloud storage is immediately changed to that path. Each user gets a directory, and all versions, folders and files are stored in that location.

In larger installations, it may be necessary to create more than one storage location for an ownCloud instance. Perhaps policy requires high performance, fully redundant storage for one group, and less expensive storage for another group. In this situation, it is possible to leverage ownCloud's built in integration with LDAP or Active Directory servers to dynamically assign a storage path to each user. The LDAP/AD plug-in is further described below, but once connected, the storage path attribute can be inherited, and users can be directed to two or more storage paths based on these entries. Simply mount the storage devices on the server in the desired mount point, such as /data/highendstorage1 and /data/lowendstorage2, and user files and versions will be saved to the specified path.

Occasionally ownCloud needs to connect to REST API-based storage. In some cases, API-accessed storage replaces the mounted file system described above, and in some cases it augments the storage. ownCloud can handle either scenario through the use of plug-in applications. For example, ownCloud provides a plug-in application that mounts Jive as a backend storage location via Jive REST APIs. When enabled, the plug-in application redirects POSIX commands for one folder of user content to the Jive REST API. For the other folders on the server, ownCloud retains a file system mount. In other installations, ownCloud's built-in External Filesystem plug-in leverages a mix of APIs, providing system admins the flexibility to connect OpenStack Swift, CIFS, FTPs, WebDAV and other storage systems in addition to the existing file system storage.

Ultimately, administrators must decide which storage system to use, how to configure user access, and whether or not to mix and match storage to optimize existing infrastructure, security policies, and end-user requirements. ownCloud provides the mechanisms to optimize the use of on-site, cloud or hybrid storage, giving admins control of corporate data, while still providing the capabilities that users demand.

Infrastructure Integration

The most common infrastructure integration request is to connect ownCloud to an enterprise directory, or other standard authentication mechanisms. ownCloud provides out-of-the-box integration with LDAP, AD and SAML 2.0. Administrators simply enable the ownCloud AD / LDAP or SAML plug-in application, configure the server addresses, protocols and filters, and users are authenticated against the appropriate service. With the appropriate settings, user group memberships, quotas and even, as outlined above, storage paths can be centrally managed and applied to ownCloud. The first time a user logs into ownCloud with a user name and password, ownCloud provisions the user and they are off and running. Administrators can also enable custom attributes, such as custom display names, to make it easier for users to find each other when sharing documents. All corporate policies governing the account, such as failed login account lockout, are still managed out of the corporate directory, with ownCloud enforcing the result.

Beyond LDAP/AD integration, ownCloud offers a wide range of other integration capabilities. For example, it is possible to leverage the user provisioning API to provision new users via an external automation service. In some very large deployment scenarios, it is far more efficient to provision new users in this manner than to use an enterprise directory. The provisioning API can also be used to report on user activity, shared file information, and to disable user accounts. The WebDAV API can be used to provide authenticated access to ownCloud files and folders based on user account information, a popular feature among tablet users. WebDAV support also allows desktop users to browse ownCloud folders using familiar file explorer tools in Windows, Mac and Linux. While most deployed customers limit themselves to LDAP/AD integration and WebDAV access, ownCloud APIs offer the flexibility to integrate as needed into existing environments.

ownCloud also provides mechanisms for creating plug-in applications to integrate with existing systems. One common use case is the custom authentication mechanism. While ownCloud supports LDAP and AD integration and SAML 2.0, several custom user authentication and authorization plug-ins have been created, from token to user name and password-based plug-ins. Other integrations have included log managers, Data Loss Prevention tools, and anti-virus mechanisms, to name a few.

As an n-Tier web application, ownCloud integrates into most corporate web farms. Intrusion detection systems work, network management tools work, and firewalls simply leverage existing ports and SSL certificates. Backup systems take server and database backups as with any other web application, and user experience systems wrap around the existing ownCloud application. For unique requirements, the ownCloud APIs and mobile libraries provide extensive flexibility. All of this gets managed with enterprise tools, in an enterprise data center, to enterprise policies, to put IT back in control of corporate data, and still provide end users the pleasing, productive interfaces they demand.
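As an added example, not the whitepaper's or the ownCloud project's own code, the following Python client shows how the user provisioning API described above is driven from an external automation service: each request is built against the OCS v1 user endpoint with an admin account's Basic credentials, and every reply's OCS meta block is checked before its data is trusted, so a failed provisioning call is never mistaken for a silent success. The server name, admin credentials and the sample replies are constructed; the disable endpoint is assumed to be the one shipped with ownCloud 10 and later.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical deployment values; replace with your own server and admin account.
BASE_URL = "https://owncloud.example.com"
USERS_PATH = "/ocs/v1.php/cloud/users"   # provisioning API (OCS v1) user endpoint


class OcsError(Exception):
    """Raised when the OCS <meta> block reports anything but success."""


def build_request(method, path, admin_user, admin_password, form=None):
    """Build an authenticated provisioning-API request.

    The API takes the HTTP Basic credentials of an admin account. The
    OCS-APIRequest header marks the call as an API call so the server skips its
    browser CSRF check (required by newer releases, harmless on older ones).
    Form fields travel url-encoded, like an HTML form post.
    """
    body = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(BASE_URL + path, data=body, method=method)
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("OCS-APIRequest", "true")
    if body is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def create_user_request(userid, password, admin_user, admin_password):
    """POST /cloud/users creates an account; the body carries userid and password."""
    return build_request("POST", USERS_PATH, admin_user, admin_password,
                         form={"userid": userid, "password": password})


def disable_user_request(userid, admin_user, admin_password):
    """PUT /cloud/users/{userid}/disable blocks login but keeps the account and
    its files (endpoint assumed to be the one in ownCloud 10 and later)."""
    return build_request("PUT", f"{USERS_PATH}/{urllib.parse.quote(userid)}/disable",
                         admin_user, admin_password)


def parse_ocs(xml_text):
    """Return the <data> element of an OCS v1 reply, or raise OcsError.

    Every reply carries <meta><status>, <statuscode> and <message>; status
    code 100 means success in OCS v1. Anything else becomes an exception.
    """
    root = ET.fromstring(xml_text)
    code = int(root.findtext("meta/statuscode"))
    if root.findtext("meta/status") != "ok" or code != 100:
        raise OcsError(f"OCS status {code}: {root.findtext('meta/message') or ''}")
    return root.find("data")


def user_ids(xml_text):
    """User ids from a GET /cloud/users reply (<data><users><element>...)."""
    return [e.text for e in parse_ocs(xml_text).iter("element")]


def user_quota(xml_text):
    """Display name and quota usage in bytes from a GET /cloud/users/{userid} reply."""
    data = parse_ocs(xml_text)
    quota = data.find("quota")
    return {"displayname": data.findtext("displayname"),
            "used": int(quota.findtext("used")),
            "total": int(quota.findtext("total"))}


def send(req):
    """Send a built request and parse the reply (needs network access to the server)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_ocs(resp.read().decode())


# Constructed replies in the shape the server returns, used for offline checks.
SAMPLE_LIST = """<?xml version="1.0"?>
<ocs><meta><status>ok</status><statuscode>100</statuscode><message/></meta>
<data><users><element>alice</element><element>bob</element></users></data></ocs>"""

SAMPLE_USER = """<?xml version="1.0"?>
<ocs><meta><status>ok</status><statuscode>100</statuscode><message/></meta>
<data><displayname>Alice Example</displayname><email>alice@example.com</email>
<quota><free>10732175360</free><used>5242880</used><total>10737418240</total>
<relative>0.05</relative></quota></data></ocs>"""

SAMPLE_FAIL = """<?xml version="1.0"?>
<ocs><meta><status>failure</status><statuscode>102</statuscode>
<message>username already exists</message></meta><data/></ocs>"""
```

Against a live server the flow is `send(create_user_request(...))`, `send(build_request("GET", USERS_PATH, ...))` and `user_ids(...)` on the body; because `parse_ocs` raises on any non-100 status, an automation job that creates or disables accounts fails loudly instead of reporting success on a reply it did not inspect.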
Conclusion

Many employees use cloud-based services to share sensitive company data with each other, vendors, customers and partners. They sync data to their personal devices and home computers, all in an effort to do their jobs quickly and efficiently – all without IT's oversight. With ownCloud, you can Manage and Protect sensitive data by hosting your own solution on site, using your own storage and servers; Integrate seamlessly into existing infrastructure, management and security tools; Extend functionality easily through a comprehensive set of APIs, AND STILL provide the polished, professional user experiences employees have come to value from consumer-grade services, running on all popular desktop and mobile devices.

But don't take our word for it, point your browser to www.ownCloud.com and take ownCloud for a test drive today.

For More Information

Please visit our website at www.owncloud.com for a wealth of information about ownCloud, links to download the software, and detailed product documentation.

US Headquarters: ownCloud, Inc., 57 Bedford Street, Suite 102, Lexington, MA 02420, United States, www.owncloud.com/contact
European Headquarters: ownCloud GmbH, Schloßäckerstraße 26a, 90443 Nürnberg, Germany, www.owncloud.com/de/contact
