

YOUR CLOUD, YOUR DATA, YOUR WAY! Page 1 of 6

ownCloud Architecture Overview

Time to get control back

Employees are using cloud-based services to share sensitive company data with vendors, customers, partners and each other. They are syncing data to their personal devices and home computers, all in an effort to get their job done faster and easier, and all without IT's permission. This is the Dropbox Problem. The result is your sensitive company data, stored on servers outside your control, outside your policy and regulatory guidelines – maybe even outside your country. The potential for data leakage, security breaches and harm to your business is enormous.

The Dropbox Problem in Action

Introducing ownCloud

With ownCloud, you can gain control over your sensitive data:

• Protect and Manage sensitive data by storing it on-site – using any available storage, with the complete software stack running on servers safely inside your data center, controlled by administrators you trust, managed to your policies.

• Integrate into existing infrastructure and security systems, managed to company policies, from user directories, governance, security, monitoring, storage and back-up, to intrusion detection, monitoring, and automated provisioning tools, to name a few.

• Extend functionality easily through a comprehensive set of APIs to rapidly customize system capabilities, meet unique service requirements, and future-proof your investment.

AND STILL provide end users simple access to the documents they need to get the job done on the devices they use daily.

[Diagram: The Dropbox Problem in Action. Users A and B, at home and on mobile devices, sync documents through Dropbox from inside the enterprise firewall. Labels: NO IT CONTROL over storage and servers, user provisioning, security, governance, sensitive data and (mobile) devices.]


ownCloud in Action

Solution Architecture Overview

The core of the ownCloud solution is the ownCloud server. Unlike consumer cloud-based services and other applications with third-party storage, ownCloud's server enables IT to protect and manage every element associated with ownCloud on-site – from file storage to user provisioning and data processing. ownCloud monitors every activity that occurs, and logs these activities into a file for later auditing and analysis. The server provides a secure web portal through which the entire system is controlled by the administrator, providing the ability to enable and disable features, set policies, create backups and manage users. The server also manages and secures API access to ownCloud, while providing the internal processing engine needed to deliver file sync and share.

The ownCloud server stores user files in standard file system formats, and can use most file systems. With ownCloud, if you can mount it on your server, ownCloud can use it. Practically, this means just about any standard file system and storage device combination can be used – ownCloud is file system and storage agnostic. The storage can be physically located in your data center (or be "mounted" to third-party storage), enabling you to protect your files as you would any other element of your infrastructure, from standard backups and intrusion detection, to log managers and Data Loss Prevention (DLP) solutions.

It is simple to Integrate ownCloud with existing IT infrastructure through the use of plug-in applications. These plug-ins, enabled through the server control panel, provide functionality such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) integration for user account provisioning and authentication. If an integration is not included out of the box, it is simple to extend ownCloud through open APIs and plug-in applications. Features such as the online text editor, virus scanner, and file versioning are included in ownCloud, and other applications, such as the enhanced logging and audit plug-ins, are available to our customers. ownCloud customers have integrated a wide variety of new functionality into ownCloud, from training video streaming to contact and calendar syncing, custom authentication mechanisms, automated Optical Character Recognition back ends, and API-based storage. In short, unlike our competitors, ownCloud can be easily extended to do far more than basic file sync and share.

[Diagram: ownCloud in Your Enterprise. Users A and B, at home and on (mobile) devices, reach their documents on ownCloud inside the enterprise firewall. Labels: IT MANAGED storage and servers, user provisioning, security and governance; same consumer-grade ease of use; open APIs and architecture.]


Figure 1: ownCloud Solution Architecture

While ownCloud provides the ability to Manage and Protect, Integrate and Extend file sync and share in the enterprise, ownCloud Still provides the core file sync and share functionality that users demand. Simple, web-based access through a standard browser to access, share, roll back and manage files is critical to satisfy users and remain in control of sensitive data. ownCloud also offers access to browse, download, edit, and upload files while on a mobile device or tablet, and the desktop client, which automatically syncs the latest files with the server. ownCloud also provides the ability for standard WebDAV clients to access ownCloud files, enabling users to continue to use standards-based productivity tools to access their files in addition to the standard ownCloud access tools.

Server Architecture Overview

At its core, ownCloud is a PHP web application running on top of IIS or Apache on Windows or Linux. This PHP application manages every other aspect of ownCloud, from user management to plug-ins, file sharing and storage. Attached to the PHP application is a database, where ownCloud stores users, user-shared file details, plug-in application states, and the ownCloud file cache to accelerate access to files. As ownCloud accesses the database through an abstraction layer, support is provided for Oracle, MySQL, SQL Server, Postgres and SQLite.

Complete webserver logging is provided via the webserver logs, and user and system logs are written to a separate ownCloud log, or can be configured to go to a syslog log file.

[Diagram: ownCloud Solution Architecture. MANAGE: Your Server and Your Storage, with an optional hybrid cloud. PROTECT: LDAP/AD, Encryption, Virus Scan. INTEGRATE AND EXTEND: Text Editor, Versions, OAuth, Your App; metering, monitoring and central control. … AND STILL: the User Experience.]


Figure 2: ownCloud Server Architecture

ownCloud includes a variety of open APIs for integrating with other systems. These include:

• External provisioning – provides the ability to add and remove users remotely, and enables admins to query metering information about ownCloud storage usage and quota.

• Applications – the most powerful API, enabling customers to expand ownCloud out of the box, to integrate with existing infrastructure and systems, and to create new plug-in applications. Examples of this API in use include the custom authentication back ends, music and video streaming applications, a bit.ly-inspired app called shorty, and an image preview application.

• Capability – offers information about the installed ownCloud capabilities, so that ownCloud and third-party applications can query for the enabled features and plug-in applications.

• Sharing – enables external systems to initiate the sharing of files or folders between users without using the web interface.

• Theming – a simplified mechanism for branding the ownCloud server to match your corporate look and feel, enabling colors and logos to be updated with style sheets.

In addition to delivering the core of ownCloud, the ownCloud server also includes the ownCloud web portal, which provides a central location for administrative control and configuration of the system, and also a central point for users to control access to files and folders. Employees are set up in the system as users, administrators, or both. Administrators can add, enable, and disable features within ownCloud through the settings menu, can add and remove users and groups, and can also manage various ownCloud settings and administrative tasks, such as migration and backup. Users access the web portal to browse and manage their files, and to set granular permissions on files and folders shared with others on the system. Users can also access enabled applications through the web portal, such as text and image previews, file and folder sharing, previous versions roll back, and much more. The ownCloud web portal is compatible with Firefox, Safari, Chrome and Internet Explorer on Windows, Mac OS and Linux machines.

[Diagram: ownCloud Server Architecture. CORE SERVER: a PHP processing engine reached over HTTPS and WebDAV, exposing the Metering API, Reporting, Logging, Provisioning API, Capability API, Application API, Sharing API and Theming to Your Apps. A storage abstraction layer sits over primary storage (NFS, GFS, GFS2, XFS, ZFS, gluster, etc.) and optional secondary storage (CIFS, WebDAV, FTPs, Swift, S3, Dropbox, Google).]

To make it possible to access and use many different types of storage, ownCloud has a built-in storage abstraction layer. As a result, ownCloud can leverage just about any storage protocol that can be mounted on your ownCloud server – from CIFS, NFS and GFS2, to cluster file systems like Gluster. Other storage can also be mounted on the system using an optional external file system application, enabling admins and users to mount FTPs, WebDAV, CIFS and even the external cloud storage services S3, Swift, Google Drive and Dropbox if desired. Individual users can also be configured to have dynamically allocated storage locations, depending on their user directory entries – enabling data segregation and basic multi-tenancy.


Deployment Scenario

With the ownCloud solution and server architectures outlined above, this paper now looks at how ownCloud is deployed on site, how it is integrated with storage back ends and existing infrastructure tools, and the flexibility provided by the APIs. To understand how all that works, it is important first to understand how ownCloud is deployed in production environments.

[Diagram: LOAD BALANCER in front of APP SERVERS, connected to a DATABASE CLUSTER (management node and data nodes) and to STORAGE (primary, secondary, optional).]

Figure 3: Common ownCloud Deployment Architecture

In production, ownCloud is most often deployed as an n-tier load balanced web application running in an on-site data center. ownCloud can be deployed to physical, virtual, or private cloud servers, as required. There is always a load balancer in front of the entire deployment, connected to at least two app servers. The ownCloud application servers host the PHP code, and are most often deployed on Apache over Linux, though IIS and Apache on Windows are also supported. All of the app servers are then connected to a database, most often a MySQL instance in a redundant configuration, for storing user information, including the virtualized file cache, user and group information, shared file lists, and storage required by enabled ownCloud apps (Oracle and Postgres are also supported). The app servers are also all connected to the same back-end storage. With this configuration, ownCloud can be scaled up easily to meet load requirements, while providing the minimum redundancy required for an installation.

On-Site Storage

For nearly all deployment scenarios, connecting ownCloud to back-end storage is as simple as mounting on-site storage on the server, such as at mount point /data/storagedevice. Nearly all storage devices and file systems – from direct attached NTFS to cluster systems like Gluster – have well tested, high-performance Linux drivers that make this easy. Once the storage device is mounted in the desired location, the ownCloud configuration file is edited with the storage device path, and all ownCloud storage is immediately changed to that path. Each user gets a directory, and all versions, folders and files are stored in that location.

In larger installations, it may be necessary to create more than one storage location for an ownCloud instance. Perhaps policy requires high performance, fully redundant storage for one group, and less expensive storage for another group. In this situation, it is possible to leverage ownCloud's built-in integration with LDAP or Active Directory servers to dynamically assign a storage path to each user. The LDAP/AD plug-in is further described below, but once connected, the storage path attribute can be inherited, and users can be directed to two or more different storage paths based on these entries. Simply mount the storage devices on the server at the desired mount points, such as /data/highendstorage1 and /data/lowendstorage2, and user files and versions will be saved to the specified path.
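As an added example (not ownCloud's own code), this is how a provisioning script might apply the directory-driven storage path assignment just described, with the check a defender would want: the value read from the directory entry is accepted only if it normalises to exactly one of the mount points the administrator prepared, so a mistyped or tampered attribute cannot place user files outside controlled storage. The attribute name storagePath, the sample entries and the helper names are assumptions; the two mount points are the paper's own.

```python
import posixpath

# Mount points the administrator prepared on the app servers. The two named
# paths come from the paper; the mapping rules themselves are constructed.
ALLOWED_MOUNTS = {"/data/highendstorage1", "/data/lowendstorage2"}
DEFAULT_MOUNT = "/data/storagedevice"
STORAGE_ATTRIBUTE = "storagePath"  # assumed name of the directory attribute

def resolve_storage_root(entry):
    """Choose the storage root for one directory entry (a dict of attributes
    as a hypothetical LDAP/AD client would return them).

    A missing attribute falls back to the default mount. Any other value must
    match one of the prepared mounts exactly after normalisation, so a
    mistyped or tampered attribute cannot point user files outside the
    storage the administrator controls."""
    raw = entry.get(STORAGE_ATTRIBUTE)
    if raw is None:
        return DEFAULT_MOUNT
    # Collapse "..", "." and duplicate or trailing slashes before comparing.
    normalised = posixpath.normpath(raw)
    if not normalised.startswith("/") or normalised not in ALLOWED_MOUNTS:
        raise ValueError(f"{entry.get('uid')!r}: unknown storage path {raw!r}")
    return normalised

def user_data_dir(entry):
    """Per-user directory under the chosen root, where files and versions live."""
    uid = entry["uid"]
    # A uid containing a separator or dot-segment would let one account
    # escape into another account's directory (or out of the mount); refuse it.
    if uid in ("", ".", "..") or "/" in uid or "\\" in uid:
        raise ValueError(f"unsafe uid {uid!r}")
    return posixpath.join(resolve_storage_root(entry), uid)

def assign_all(entries):
    """Return ({uid: data_dir} for accepted entries, [uids rejected])."""
    assigned, rejected = {}, []
    for entry in entries:
        try:
            assigned[entry["uid"]] = user_data_dir(entry)
        except ValueError:
            rejected.append(entry["uid"])
    return assigned, rejected

# Constructed directory entries for the example.
SAMPLE_ENTRIES = [
    {"uid": "alice", "storagePath": "/data/highendstorage1"},   # high-end group
    {"uid": "bob", "storagePath": "/data/lowendstorage2/"},     # trailing slash
    {"uid": "carol"},                                           # no attribute set
    {"uid": "mallory", "storagePath": "/data/lowendstorage2/../../etc"},
    {"uid": "../alice", "storagePath": "/data/highendstorage1"},
]

if __name__ == "__main__":
    accepted, rejected = assign_all(SAMPLE_ENTRIES)
    for uid, path in accepted.items():
        print(f"{uid:8} -> {path}")
    print("rejected:", rejected)
```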

Occasionally ownCloud needs to connect to REST API-based storage. In some cases, this API-accessed storage replaces the mounted file system described above, and in some cases it augments the storage. ownCloud can handle either scenario through the use of plug-in applications. In one instance, ownCloud was deployed leveraging a custom REST-based storage system similar to many Content Management Systems. When enabled, the custom-developed plug-in application redirected POSIX commands to the REST API. While ownCloud did retain a file system mount, it was primarily retained for log storage purposes on the server. In other instances, the out-of-the-box External File System plug-in leverages a mix of APIs, providing admins the flexibility to connect OpenStack Swift, CIFS, FTPs, WebDAV and other storage systems in addition to the existing file system storage.

Ultimately it is the administrator's decision which storage system to use, how to configure user access, and whether or not to mix and match storage based on existing infrastructure, security policies, and end-user requirements. ownCloud provides the mechanisms to enable the administrator to leverage the right mixture of on-site storage, putting them back in control of corporate data, while still providing the capabilities that users demand.


Infrastructure Integration

The most common infrastructure request is to integrate with the corporate directory, or other standard authentication mechanisms. ownCloud provides out-of-the-box integration with AD, LDAP and OAuth 2.0. Administrators simply enable the ownCloud AD / LDAP plug-in application, configure the server addresses, protocols and filters, and users are authenticated against the corporate directory. With the appropriate settings, user group memberships, quotas and even, as outlined above, storage paths can be centrally managed and applied to ownCloud. The first time a user logs into ownCloud with the corporate directory user name and password, ownCloud provisions the user and they are off and running. Administrators can also enable custom attributes, such as custom display names, to make it easier for users to find each other when sharing documents. All corporate policies governing the account, such as failed login account lockout, are still managed out of the corporate directory, with ownCloud enforcing the result.

Beyond AD / LDAP integration, ownCloud offers a wide range of other integration capabilities with other tools. For example, it is possible to leverage the user provisioning API to use an automation solution to provision a new ownCloud user. In some very large deployment scenarios, it is far more efficient to provision new users in this manner than to use a corporate directory. The provisioning API can also be used to report on user activity, shared file information, and to disable an account if needed. The WebDAV API can also be used to provide authenticated access to ownCloud files and folders based on user account information, something many tablet users like to do, and something that desktop users often choose as a way to access ownCloud from a file explorer. While most deployed customers limit themselves to AD / LDAP integration and WebDAV access, these other ownCloud APIs exist to provide flexibility to integrate as needed into an existing environment.
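As an added example (not ownCloud's own code) of the reporting use of the provisioning API described here and in the API list above: OCS-style responses carry their real outcome in the meta block rather than in the HTTP status, so a reporting script must check that block before trusting the data. The XML documents are constructed by hand for this example in the layout assumed for ownCloud's OCS provisioning API; the status code values, the quota threshold and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

OCS_OK = 100  # success status code in the meta block (assumed)

# Constructed responses in the shape assumed for ownCloud's OCS provisioning
# API. They were written by hand for this example, not captured from a server.
USER_LIST_XML = """<?xml version="1.0"?>
<ocs><meta><status>ok</status><statuscode>100</statuscode><message/></meta>
<data><users><element>alice</element><element>bob</element><element>carol</element></users></data></ocs>"""

USER_DETAIL_XML = {
    "alice": """<ocs><meta><status>ok</status><statuscode>100</statuscode><message/></meta>
<data><enabled>true</enabled><quota><used>4000000000</used><total>4294967296</total></quota>
<email>alice@example.com</email></data></ocs>""",
    "bob": """<ocs><meta><status>ok</status><statuscode>100</statuscode><message/></meta>
<data><enabled>false</enabled><quota><used>1048576</used><total>4294967296</total></quota>
<email>bob@example.com</email></data></ocs>""",
    # A failure: the HTTP layer may still answer 200, only the meta block reveals it.
    "carol": """<ocs><meta><status>failure</status><statuscode>998</statuscode><message>not found</message></meta>
<data/></ocs>""",
}

class OcsError(Exception):
    pass

def parse_ocs(xml_text):
    """Return the <data> element of an OCS response, raising OcsError unless meta reports success."""
    root = ET.fromstring(xml_text)
    if root.tag != "ocs":
        raise OcsError("not an OCS document")
    status = root.findtext("meta/status")
    code = int(root.findtext("meta/statuscode") or -1)
    if status != "ok" or code != OCS_OK:
        raise OcsError(f"OCS failure {code}: {root.findtext('meta/message')}")
    data = root.find("data")
    if data is None:
        raise OcsError("response has no data element")
    return data

def list_users(xml_text):
    return [e.text for e in parse_ocs(xml_text).findall("users/element")]

def user_status(xml_text):
    """Extract the enabled flag and quota usage (as a fraction) for one user."""
    data = parse_ocs(xml_text)
    used = int(data.findtext("quota/used") or 0)
    total = int(data.findtext("quota/total") or 0)
    return {"enabled": data.findtext("enabled") == "true",
            "used_fraction": used / total if total else 0.0}

def quota_report(list_xml, detail_xml_by_user, threshold=0.9):
    """Flag users that are disabled or above the quota threshold; failed lookups are reported, not skipped silently."""
    report = {"over_quota": [], "disabled": [], "errors": {}}
    for uid in list_users(list_xml):
        try:
            st = user_status(detail_xml_by_user[uid])
        except (OcsError, KeyError) as exc:
            report["errors"][uid] = str(exc)
            continue
        if not st["enabled"]:
            report["disabled"].append(uid)
        if st["used_fraction"] >= threshold:
            report["over_quota"].append(uid)
    return report

if __name__ == "__main__":
    print(quota_report(USER_LIST_XML, USER_DETAIL_XML))
```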

Beyond the existing integration points, ownCloud also provides mechanisms for creating plug-in applications to integrate with existing systems. One use case that is often delivered is the custom authentication mechanism. While ownCloud supports AD and LDAP integration and OAuth 2.0 out of the box, several custom user authentication and authorization plug-ins have been created, from token-based to user name and password-based plug-ins. Other integrations have included log managers, Data Loss Prevention tools, and anti-virus mechanisms, to name a few.

As an n-tier web application, ownCloud integrates into most corporate web farms. Intrusion detection systems work, network management tools work, and firewalls simply leverage existing ports and SSL certificates. Backup systems take a server and database backup as with any other web application, and user experience systems wrap around the existing ownCloud application. For unique requirements, the ownCloud APIs provide extensive flexibility. All of this gets managed with enterprise tools, in an enterprise data center, to enterprise policies, to put IT back in control of corporate data, and still provide end users the capabilities they demand.

Conclusion

Employees are using cloud-based services to share sensitive company data with vendors, customers, partners and each other. They are syncing data to their personal devices and home computers, all in an effort to get their job done faster and easier, and all without IT's permission. With ownCloud, you can Manage and Protect sensitive data by hosting your own solution on site, using your own storage and servers; Integrate seamlessly into existing infrastructure, management and security tools; Extend functionality easily through a comprehensive set of APIs; AND STILL provide the seamless, easy-to-use access to sensitive data that end users have come to expect from consumer-grade services.

But don't take our word for it: point your browser over to www.ownCloud.com and give it a try today with our free demo cloud deployment!

For More Information

Please visit our website at www.owncloud.com for a wealth of information about ownCloud, links to download the software, and detailed product documentation.

US Headquarters
ownCloud, Inc.
10 Foster Road
Lexington, MA 02421
United States

European Headquarters
ownCloud GmbH
Schloßäckerstraße 26a
90443 Nürnberg

https://www.owncloud.com