OverDrive - Features

Description

OverDrive is a file hosting system based on the Nextcloud solution.

The Nextcloud server is configured and accessible through a secure web interface, enabling authorized users to control storage, set policies on file access or set up automated file processing, manage users, enable or disable functionality and more.

Nextcloud is a PHP web application running on a Linux web server. It stores file sharing information, user details, application data and configuration as well as file information in a PostgreSQL database.

OverDrive uses Object Storage Service (S3) as its primary storage.

Architecture

Availability

The product is currently available in all our regions as well as in all availability zones.

Resiliency

OverDrive relies on cegedim.cloud's Linux virtual instance product.

Supported versions

cegedim.cloud supports Nextcloud version 27 in this OverDrive product.

Updates can be performed by cegedim.cloud, either on request or during a grouped update.

Features

This section lists the features and capabilities available to customers, and how to request or perform them:

Self service

The customer can perform the action autonomously.

On Request

The customer can request that the action be performed by the cegedim.cloud support team.

| Features | Self-Service | On Request | Comments |
| --- | --- | --- | --- |
| Change OverDrive configuration | | | Via administration settings |
| Security patches / Versions upgrade | | | Update is done by cegedim.cloud, either on request or during a grouped update. |
| Add existing SSO product | | | Update is done by cegedim.cloud, either on request or during a grouped update. |
| Add users / Resize user storage | | | Accessible through admin account, in "Users" settings. |
| Add new application | | | Accessible through admin account, in "Applications" settings. |
| (forthcoming) Expand the OverDrive sizing | | | (forthcoming) Possible via the resize button on ITCare. |

Sizings

XS Diagram

Resource

XS

Supported sizing, 1 to 49 users:

  • 1 Nextcloud Frontend (Linux virtual instance - 2/4)

  • Dedicated S3 bucket

  • 24/7 Monitoring (optional)

  • Data replication enabled (virtual instance disaster recovery)

Configuration and properties

Product configuration

Local Log Management

Logs are accessible with the administrator account (admin_client) through the Web UI, in the section "Parameters" > "Logging".

Remote Log Management

Logs are sent to the cegedim.cloud SIEM to detect security issues and sensitive actions.

Security

Authentication

Web access

An admin_client account is provisioned by default.

The customer can access this account by connecting to the drive URL (ending in *.mydrive.cegedim.cloud), choosing "Direct authentication", and using the admin_client account with the password chosen during provisioning.

Authentication for local accounts (e.g. admin_client) is protected by TOTP.

The TOTP can be configured on the first connection, after the OverDrive has been provisioned through ITCare. It ensures that only the client can connect to the admin_client account.

cegedim.cloud retains the ability to activate the admin account for security purposes ("break-glass"). This password does not provide access to data hosted on the web servers.

When needed, this access is protected by several security measures:

  • TOTP usage

  • Access through the bastion, as presented on the diagrams

  • Full traceability

System access

System access is reserved for cegedim.cloud administrators. This access is necessary to provide mandatory services for the application, for example:

  • Monitoring operations (e.g.: restart a service)

  • Version update

  • Security update

Servers providing the OverDrive services can be accessed by SSH, which requires authentication through the cegedim.cloud Bastion. This access is limited to cegedim.cloud administrators and is fully logged to ensure that only legitimate operations are performed.

Authorizations

Roles

| Roles | Permissions |
| --- | --- |
| Users | Use the product |
| Administrators | Use the product and manage users |
| Super Admin | All |

Network

SSL is used while connecting to the Nextcloud application.

A secure profile is deployed to prevent the use of deprecated ciphers.

Data location

The infrastructure is located in France and the data is stored within cegedim.cloud's datacenters.

Files are stored on cegedim.cloud's Object Storage solution (S3 compatible).

Password management

The end user password is not stored in our password management solution and is known only by the client. This password is created when the end user orders their OverDrive on ITCare.

The cegedim.cloud admin account is deactivated during the OverDrive creation process.

This section lists how passwords are managed:

| Password | Stored by Cegedim.cloud | Stored by Customer | Enforced | Hashing algorithm |
| --- | --- | --- | --- | --- |
| admin_client account | | | | sha256 |
| ANY other account | | | | sha256 |

Monitoring

Each OverDrive instance deployed through ITCare is monitored. An automatic check verifies if the Nextcloud service is available.

When the drive website is unavailable, the alert is handled by our monitoring teams, who implement corrective measures.

The 24x7 option, available in ITCare, extends the monitoring to non-business hours.

Antivirus

The servers are protected by cegedim.cloud antivirus (SentinelOne).

Backup

OverDrive virtual machines are always backed up by default.
