ownCloud Architecture Overview ownCloud, Inc. ownCloud GmbH 57 Bedford Street, Suite 102 Schloßäckerstraße 26a Lexington, MA 02420 90443 Nürnberg United States Germany phone: +1 (877) 394-2030 Tel.: +49 911 21 64 50 79 www.owncloud.com/contact www.owncloud.com/de/contact ownCloud Architecture Overview Sensitive enterprise data is outside of IT‘s control Many employees use cloud-based services to share sensitive company data with each other, vendors, customers and partners. They sync data to their personal devices and home computers in an effort to do their jobs quickly and efficiently – without IT‘s over sight. Consumer cloud-based file sharing services store sensitive company data on external servers outside of IT’s control, in violation of corporate policies and regulatory requirements – maybe even outside the country – and not managed by IT. The risks of data leakage, compliance violations and damage to the business are enormous. The Dropbox Problem in Action IN YOUR ENTERPRISE DROPBOX AT HOME & MOBILE Document Document User A Firewall (Mobile) Devices Document NO IT CONTROL: NO IT CONTROL: User B • Storage and Servers • Sensitive Data NO IT CONTROL: • User Provisioning • Security • Governance Figure 1: How sensitive data is shared beyond the firewall and IT control Time to Regain Control ownCloud allows IT to regain control of sensitive data with managed file sync and share: • Manage and Protect data on-premise • Integrate with existing IT systems • Extend functionality easily through – using any available storage, with the and policies – such as authentication a comprehensive set of APIs to complete software stack running on systems, user directories, gover- customize system capabilities, meet servers safely inside the data center, nance workflows, intrusion detection, unique service requirements, and controlled by trusted administrators, monitoring, logging and storage accommodate changing user needs. managed to established policies. management. AND STILL provide end users clean, intuitive access to the documents they need to get the job done using desktop systems, laptops, tablets and smart phones. Page 1 of 6 YOUR CLOUD, YOUR DATA, YOUR WAY! ownCloud in Action IN YOUR ENTERPRISE OWNCLOUD AT HOME & MOBILE Document Document User A open APIs and architecture Firewall Document (Mobile) Devices SAME CONSUMER grade ease of use IT MANAGED: IT MANAGED: User B • On-site Server • Governance • On-site, Off-site or Hybrid Storage • Security • User Provisioning & Authentication • Compliance Figure 2: ownCloud provides managed file sync and share AND STILL consumer-grade usability Solution Architecture Overview The core of the ownCloud solution is the The ownCloud server stores user files ins provide functionality such as Active ownCloud server. Unlike consumer-grade in standard file system formats and can Directory (AD) and Lightweight Directory file sharing services, ownCloud‘s server use most enterprise file systems. If you Access Protocol (LDAP) integration for enables IT to protect and manage files can mount the file system on your server, user account provisioning and authentica- within the ownCloud environment – from ownCloud can use it – ownCloud is file tion. For custom integrations, ownCloud file storage to user provisioning and data system and storage agnostic. ownCloud can be easily extended using mobile processing. ownCloud monitors and logs can leverage storage that is physically libraries, open APIs and plug-in applica- all data access events for downstream located in your data center or “virtually tions. Features such as the online text auditing and analysis using popular mounted” third-party storage. Thus, editor, virus scanner, file versioning and tools like Splunk®. The server provides ownCloud enables you to protect your server-side encryption are included in the a secure web interface through which files as you would any other data asset ownCloud core. Enterprise features such administrators control all of ownCloud‘s in your infrastructure. ownCloud works as enhanced logging and audit plug-ins, resources, allowing authorized users seamlessly with all of your existing tools File Firewall, SAML authentication and Jive to enable and disable features, set and utilities, from standard backups and Software® integration are available in the policies, create backups and manage intrusion detection, to log managers and ownCloud Enterprise Edition. ownCloud users. Advanced features for enterprise Data Loss Prevention (DLP) solutions. customers have integrated a wide variety directory integration and file “firewalls” ownCloud can also activate the included of new functionality into ownCloud, from give admins exceptional flexibility and encryption module to provide an added video streaming to contact and calendar control. The server also manages and layer of encryption at rest for user files. syncing, custom authentication mecha- secures API access to ownCloud, while nisms, automated Optical Character Reco- providing the internal processing engine ownCloud provided plug-in applications gnition back ends, and API-based storage. needed to deliver high performance file make integration with your existing tech- In short, unlike proprietary alternatives, sharing services. nology stack a breeze. Enabled through ownCloud can be easily extended to do far the server control panel, integration plug- more than basic file sync and share. Page 2 of 6 YOUR CLOUD, YOUR DATA, YOUR WAY! PROTECT MANAGE … AND STILL Your Storage Your Server User Experience metering monitoring central control Hybrid cloud optional LDAP/AD Virus Scan Versions Your App Encryption Text Editor OAuth … INTEGRATE AND EXTEND Figure 3: ownCloud Solution Architecture While ownCloud provides the ability Apache on Windows or Linux. This PHP optional external file system applica- to Manage and Protect, Integrate application manages every other aspect tions, such as Jive, Windows Home Direc- and Extend file sync and share in the of ownCloud, from user management tories, FTPs, WebDAV and even external enterprise, ownCloud also delivers the to plug-ins, file sharing and storage. cloud storage services S3, Swift, Google crisp, professional user experience on Attached to the PHP application is a Drive and Dropbox if desired. User desktops, laptops, tablets and mobile database where ownCloud stores users, configurations can include dynamically phones that users demand. Intuitive, user-shared file details, plug-in applica- allocated storage driven by user direc- eye-pleasing visualizations guide tion states, and the ownCloud file cache tory entries – enabling data segregation end users through a wide range of file (a performance accelerator). ownCloud and multi-tenant deployments. sharing activities, and high-productivity accesses the database through an wizards, management and monitoring abstraction layer, enabling support for ownCloud includes a variety of open APIs screens allow ownCloud administrators Oracle, MySQL, SQL Server, and Post- for integrating with other systems. These to operate with efficiency. ownCloud also greSQL. Complete webserver logging is include: provides the ability for standard WebDAV provided via webserver logs, and user clients to access ownCloud files, enab- and system logs are provided in a sepa- • Activity – provides an RSS feed or API ling users to continue to use standards- rate ownCloud log, or can be directed to call to deliver all activities associated based productivity tools to interoperate a syslog file. with a user‘s files, such as sharing seamlessly with ownCloud. activity, updated, renamed, deleted To enable a broad range of storage and removed files alternatives, ownCloud also abstracts the storage tier. As a result, ownCloud • Applications – the most powerful can leverage just about any storage API, enabling customers to expand Server Architecture protocol that can be mounted on your ownCloud out of the box, to inte- Overview ownCloud server – from CIFS, NFS and grate with existing infrastructure GFS2, to clustered file systems like Red and systems, and to create new At its core, ownCloud is a PHP web Hat Storage. Other storage resources can plug-in applications. Examples of application running on top of IIS or also be mounted on the system using this API in use include the custom Page 3 of 6 YOUR CLOUD, YOUR DATA, YOUR WAY! CORE SERVER Logging Metering API Reporting Provisioning API primary NFS, GFS, GFS2, processing engine HTTPs XFS, ZFS, gluster, etc. PHP WebDAV secondary abstraction Storage optional CIFS, WebDAV, FTPs, Sharing API Capability API Application API Theming Swift, S3, Dropbox, Google Your Apps Figure 4: ownCloud Server Architecture authentication back ends, music and In addition to delivering the core of Deployment Scenario video streaming applications, a bit. ownCloud, the ownCloud server also ly-inspired app called shorty, and an includes the ownCloud web interface, With the ownCloud solution and server image preview application. which provides a control center for confi- architectures outlined above, this guring, managing and monitoring the paper now examines how ownCloud • Capability – offers information about system. The ownCloud portal also gives is deployed on site, how it is integ- the installed ownCloud capabili- end users tools for controlling access rated with the storage tier and existing ties, so that ownCloud and third to their files and folders. Employees are infrastructure tools, and the flexibility party applications can query for the set up in the system as users, administ- provided by ownCloud‘s