Public cloud providers such as Dropbox and Microsoft OneDrive have a troubling history of security issues, with Dropbox users previously vulnerable to third parties gaining access to shared files, and users being locked out of accounts and unable to access paid apps and email following a perceived breach of the code of conduct — without any mode of recourse to restore access. Concerns have also been raised about the association of former Secretary of State Condoleezza Rice with Dropbox’s Board of Directors, and the closeness between service providers and government agencies.

With these concerns in mind, users looking outside of the traditional channels for cloud storage services have an easily available option: the ownCloud open-source software package. Being open source, ownCloud is free to run on your server, though the commercial arm of the organization does provide cloud storage as a service. Naturally, installing ownCloud does require a server — either on premises or leased from a data center — in order to operate.

Marcus Eaton, a Datacenter Monitoring Tech for the City of Seattle, notes, “Considering all of the security breaches and potentially more intrusive content moderation procedures with various cloud storage companies, hosting your own personal cloud has become an excellent alternative. Your data has to go somewhere, but rather than uploading your data to a non-specific server shared with other users, you know exactly what hard drive has your data, and almost nobody can see or modify it as they see fit.”

Installation, features, and use

The ownCloud package is easy to set up, even for novices. From the server side, the installation procedure can be handled via your preferred package manager, from a tarball archive, or by using a simple 9 KB file that can download and unpack the server software and guide you through the installation process automatically. For desktops, a standard installable package is available for Windows (including XP), Mac, and Linux hosts, and for mobile, clients are available (for $0.99) on the App Store, and for Android, on Google Play or F-Droid. Users of BlackBerry and Windows Phone devices without a native app have the option of using the mobile web interface.

Like other cloud storage services, ownCloud allows for the synchronization of files across devices, and some document editing and viewing capabilities. It also includes WebDAV support and CalDAV and CardDAV extensions for Calendar and Contact Lists, as well as music streaming with Ampache. A complete add-on structure exists, with an Apps repository for the web-based file manager — owing to the fact that this is an open source project, the ability to write your own apps is also present and well-documented.

For group usage, administration via OpenID or LDAP is supported. ownCloud is designed to scale up for large organizations — a default install for single users or small groups uses noSQL, though MySQL and MariaDB are preferred. According to the developers, some of the organizations using ownCloud include CERN, Hoy Global, De’Longhi, and the Dutch Ministry of Defense. Group sharing controls are available. For working with other systems and public cloud providers, transmitting data between systems (such as Google Drive or Amazon S3) using server-to-server sharing allows for the creation of a hybrid cloud.

Evading oversight is not all the security you need

Although ownCloud is a great solution for those looking to evade the oversight of public free (or paid) cloud providers, some additional work to introduce proper security is needed. HTTPS support must be implemented on the server to prevent man-in-the-middle attacks; this requires either signing an encryption certificate yourself, or paying for a certificate and the laborious process of installing it. This will be eased in the future when the Let’s Encrypt initiative is formally launched.

ownCloud also assumes (and relies upon) the premise that it will be installed on a trusted server — encryption and decryption occur on the server side. The decryption key is on the server to allow editing and sharing files with others. According to the developers, “To run safely on a non-trusted server, data would have to be encrypted by the client (your computer, phone or other devices) before being sent to the non-trusted ownCloud server and you would lose the web interface access.”
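The client-side approach the developers describe, as an added example (not ownCloud code): a file is encrypted and authenticated on the client, so the sync folder on the server only ever holds ciphertext. The function names, the key-file layout and the sealed-file format are assumptions made for this example, which uses the `openssl` command-line tool and holds the ciphertext in a shell variable, so it suits small files.

```shell
#!/bin/sh
# Added example: client-side encrypt-then-MAC before a file enters the sync folder.
# Key file (kept on the client only): line 1 = AES-256 key, line 2 = HMAC key, hex.
# Sealed file (what gets uploaded):   line 1 = IV, line 2 = HMAC tag, line 3 = base64.
# openssl enc takes the key via -K on the command line, which other local users
# can see in the process list; run this on a single-user machine.

new_keyfile() {                 # new_keyfile <keyfile>
    ( umask 077; { openssl rand -hex 32; openssl rand -hex 32; } > "$1" )
}

mac_of() {                      # mac_of <hex-mac-key>   (data on stdin)
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

seal() {                        # seal <keyfile> <plaintext> <sealed>
    enc_key=$(sed -n 1p "$1"); mac_key=$(sed -n 2p "$1")
    iv=$(openssl rand -hex 16)  # fresh IV per file; CTR mode must never reuse one
    body=$(openssl enc -aes-256-ctr -K "$enc_key" -iv "$iv" -in "$2" |
           openssl base64 -A)
    [ -n "$body" ] || return 1  # openssl failed or the input was empty
    tag=$(printf '%s\n%s' "$iv" "$body" | mac_of "$mac_key")
    printf '%s\n%s\n%s\n' "$iv" "$tag" "$body" > "$3"
}

unseal() {                      # unseal <keyfile> <sealed> <plaintext>
    enc_key=$(sed -n 1p "$1"); mac_key=$(sed -n 2p "$1")
    iv=$(sed -n 1p "$2"); tag=$(sed -n 2p "$2"); body=$(sed -n 3p "$2")
    want=$(printf '%s\n%s' "$iv" "$body" | mac_of "$mac_key")
    # Verify the tag before decrypting, so a file altered on the server
    # (or sealed under a different key) is rejected instead of decrypted.
    if [ -z "$tag" ] || [ "$tag" != "$want" ]; then
        echo "unseal: MAC mismatch, refusing to decrypt $2" >&2
        return 1
    fi
    printf '%s\n' "$body" | openssl base64 -d -A |
        openssl enc -d -aes-256-ctr -K "$enc_key" -iv "$iv" -out "$3"
}
```

Only the sealed file belongs in the synchronized folder; the key file stays on the client and needs its own backup, since the server cannot recover it.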

There are a variety of reasons to not use a public cloud provider. Some retail groups avoid using Amazon Web Services, because Amazon is their biggest competitor. Some individuals avoid public cloud providers for being “hostile to privacy,” while others are adherents to the idea that “If you’re not paying, you’re the product,” and still others insist that it isn’t much better if you are paying. Warranted or not, all of these reasons equate to a peace of mind argument.

The best way to gain peace of mind in this equation is to manage the data yourself, which is easy enough for people to do, but requires more than a bare minimum level of effort to do competently. A quick “install and go” is not sufficient to protect your data.

What’s your view?

Do you feel adequately secure in trusting your data to a public cloud provider? Do you have a current installation of ownCloud on your server? If so, is the server on a leased site or on-premises? Let us know your approach and thoughts in the comments.