Jos Poortvliet, Nextcloud: everybody has a right to privacy and control over their data
With the digital transition to the cloud accelerated by the pandemic, businesses need to think more about data privacy. One way to deal with privacy issues within the cloud ecosystem could be by going a step further and adopting open-source, decentralized cloud solutions.
A forecast by the International Data Corporation (IDC) predicts that 90% of new enterprise applications will be cloud-native by 2022. However, transitioning to the cloud also carries the emergent question of the cloud providers’ control over company data.
Companies that embrace the upcoming transition will need to adapt to new architectures and security measures, as well as assess the risks of handing over their data to a centralized cloud service provider.
Jos Poortvliet, co-founder and marketing director at Nextcloud, shared what the current cloud storage landscape looks like and why some companies should consider switching to the self-hosted cloud.
What makes your company stand out is that it is fully open-source. Could you tell us a little bit more about why you chose to develop Nextcloud this way?
Nextcloud is a platform for collaboration – that’s a core function in modern companies. At some point, most important documents and processes pass through a tool like Nextcloud. For example, every company hires people. You put the resumes of applicants on your Nextcloud to share them with the team that interviews them, use Nextcloud Talk for the interviews, then share the notes of the interviews and have a team call to make the final decision. Think of project management, think of planning for the future of your organization – these things happen with documents, task planning tools, all on Nextcloud.
In a work environment, you want a platform that your business relies on to be under your control. To not depend on the whims of a third party that might, in a contract disagreement, shut down your instance or leak your data. You want to determine when a new version is rolled out, what integrations to enable, and you want it to be 100% transparent with your IT team.
And for all that, open-source is the best answer. Transparency, security, and control are things a black-box, closed-source software, or Software-as-a-Service solution can never offer to the degree an open-source product can.
Of course, there are other reasons we chose open-source as a fundamental business model. Having thousands of contributors who test, improve, and contribute helps align the company to our customers’ needs. It helps us in our mission to give people privacy and control – while service business is our business model, we personally care a lot about private users and their ability to run Nextcloud at home if they so wish. We’re passionate about our principles and mission!
Together with the incredible work our community does in advocating for and promoting Nextcloud all over the world!
You often express concern about the security of Software-as-a-Service (SaaS) solutions. Are there any associated risks?
There are a few things at play here. First, with SaaS, you rely on the vendor for securing your data. When you say SaaS, we often think of the hyperscalers – Google, Microsoft, etc. No doubt, they have top-tier security teams in place. But that doesn’t solve all problems. These ‘all eggs in one basket’ giants attract a lot of attacks, and 75% of those attacks rely not on security flaws but on things like social engineering. These are hard to protect against, and being a prime target doesn’t help.
But most SaaS vendors are actually small companies with far less security expertise. And security costs money. So, SaaS has an issue in that regard, even if that is less relevant for the big players. They have their own problems – even if, strictly speaking, their security is probably better than what you can do in-house.
The second thing is that we have to think about the threat model here. If you are worried about somebody hacking into your server, Microsoft and Google can probably protect you. But maybe you don’t want the government to silently access your data. Perhaps, this is because you’re doing high-tech work and don’t want corporate spying, as proven in many known cases. Or because you want to be compliant. After all, the EU privacy laws, as well as the US with its CLOUD act, are incompatible with foreign governments getting access to private data. In these cases, having your data under the jurisdiction of your choice is important.
Look at it this way: if the US government wants data of a German citizen or company from Microsoft, they will get it. And the German company or citizen might never know if there’s a gag order involved. And yes, this is US law – the CLOUD act.
Now, if the Chinese government asks Microsoft for data on a German citizen, with a gag order included, they can fight it in the Chinese courts. But when they lose (not really an ‘if’, is it?), they have a choice: face a massive fine, leave all business in China, or “comply with Chinese law.” And, of course, China is a random example. You can also pick Russia, or Israel, or Iraq, or Saudi Arabia, or the Netherlands. They all have varying degrees of the legal and financial pressure they can put on multi-national SaaS vendors. If that is a problem for you, don’t host with a company that has offices worldwide; it’s a risk.
SaaS is certainly not inherently insecure, but security and jurisdiction are risks. A big SaaS provider in your own country, or a jurisdiction you trust, is a lot safer than a tiny company offering a SaaS solution from a foreign country.
What are the advantages of self-hosted cloud storage? Are there any downsides to it?
So, let’s first talk about what self-hosting really is. The question here is not if you do all the work and if the server is in your office. You can pay a company to manage a Nextcloud instance for you at IONOS or another big hosting provider, and it’s still self-hosting: you can fire the people who manage it if they don’t manage it how you like and make changes. You can’t do that with Office 365, for example.
That touches on the real benefit: control. Why is it a benefit, may you ask?
It helps with being aware of data access by the government. A SaaS vendor can be forced to hand over data and be forbidden to tell you about it with a gag order from a court. But if you run the software yourself, you will obviously know when your IT department gets a court order to hand over data. See the recent ProtonMail incident – this happens.
Second, security is under your control. Not per se better, but you can decide what your threat model is, what you want to protect from. You can use measures you can’t always use with SaaS, like firewalling a system off from the internet, and you can invest as much as you want, rather than hoping that the promises from the SaaS vendor are being kept.
Third, nobody can shut you down. Yes, that happens. An example – Zoom decided to shut down thousands of business accounts in Russia some time ago – and what could these businesses do? Nothing. They had no control. If Zoom was open and run by Russian SaaS providers, this would not have been possible.
Will Microsoft shut down your account? Maybe. It does happen, and if it does, it is crippling. Obviously, it isn’t in their business interest, but they don’t control what the governments in countries they work in demand them to do, so they can be forced to do it. And especially for consumers, decisions around shutting-down-or-not are made automatically because there’s no budget for actual customer support. That costs way too much.
It’s not just about the ‘big’ shutdowns like that of Zoom, though. If your SaaS provider updates the software, it gets updated. You might get a heads-up, but you don’t get to say “no,” or control the timing, or have an option for custom changes or anything like that. There’s no… control. You get that with self-hosting.
There are other advantages, and one is cost. For large organizations, SaaS services actually become very expensive. Self-hosting can save a lot of money.
Then, the downsides.
Costs – yeah, it can also be expensive, especially if you’re a small company. Initially, the IT, often a small department/person, can probably keep it running just fine, but when it gets bigger, it gets to be a fair bit of work, and SaaS makes sense at that point.
And work. You need to do the work and, of course, know about scalability, maintenance, updates, backups… or hire an IT firm to do it for you.
For small businesses, I’d recommend a locally-hosted, turn-key solution from a Nextcloud hosting provider. You know the jurisdiction, and it’s affordable. For a bigger organization, a custom solution from a Nextcloud partner is better – you are 100% in control, but don’t have the work or need to have the knowledge.
Did any new security threats come into the picture because of the pandemic?
For people who already worked from home, nothing changed. But businesses that moved to work-from-home were facing new challenges. Auditing and controlling employees became harder, and some businesses went a little far there, tracking employee behavior in a very scary, 1984 surveillance style way. But that’s not as much security- as it is privacy-related.
I’m sure there are more phishing attempts and such, but the main problem most of our customers faced was simply a speed up in their roll-out of Nextcloud. It is perfectly suitable for work-from-home and thus, not much changed.
What are the main differences between centralized and decentralized cloud?
In very simple terms: with a centralized cloud, like Google, if you manage to hack one data center, you have all the data of everyone.
With Nextcloud, if you hack one server, you have the data of one server. Good luck with the rest.
And, as the vast majority of the hacks are based on phishing and social engineering, you’ll need to invest a lot more effort to hack all Nextcloud servers. Plus, you’ll probably get caught or called out before you are even halfway, and others have an opportunity to protect themselves.
What is the single most important data privacy issue you would like to see solved in the next couple of years?
We think data minimization is key to improving privacy – keep as little data as possible, so there is as little to be abused as possible. In the long run, that’s the best protection against the abuse of private data.
So this should be a more important principle, we think. Sadly, companies don’t like deleting data since it’s the new (digital) oil.
It seems like remote work is here to stay, so what actions can businesses take to protect their workers and important data?
Use Nextcloud, or other privacy-respecting, locally hosted solutions rather than handing data over to non-compliant, foreign clouds, of course!
Share with us, what’s next for Nextcloud?
We want to further improve accessibility and usability. We think everybody has a right to privacy and control over their data, so we work with many of our customers as well as with the wide community of Nextcloud users and contributors to improve functionality but also usability and access for everyone.