OverDrive - Features
Description
OverDrive is a file hosting system based on the Nextcloud solution.
The Nextcloud server is configured and accessible through a secure web interface, enabling authorized users to control storage, set policies on file access or set up automated file processing, manage users, enable or disable functionality and more.
Nextcloud is a PHP web application running on a Linux web server. It stores file sharing information, user details, application data and configuration as well as file information in a PostgreSQL database.
OverDrive uses Object Storage Service (S3) as a primary storage.
Architecture
Availability
The product is currently available in all our regions as well as in all availability zones.
Resiliency
OverDrive relies on cegedim.cloud's Linux virtual instance product.
Supported versions
cegedim.cloud supports Nextcloud version 27 in this OverDrive product.
Update can be executed by cegedim.cloud: either on request or during grouped update.
Features
This section is to list which feature / capability is available to customer, and how to request/perform them :
Self service | Customer can perform action autonomously |
On Request | Customer can request for the action to be done by cegedim.cloud support team |
| Features | Self-Service | On Request | Comments |
|---|---|---|---|
Change OverDrive configuration | ✅ | Via administration settings | |
Security patches / Versions upgrade | ✅ | Update is done by cegedim.cloud: either on request or during grouped update. | |
Add existing SSO product | ✅ | Update is done by cegedim.cloud: either on request or during grouped update. | |
Add users / Resize user storage | ✅ | Accessible through admin account, in "Users" settings. | |
Add new application | ✅ | Accessible through admin account, in "Applications" settings. | |
(forthcoming) Expand the OverDrive sizing | ✅ | (forthcoming) Possible via the resize button on ITCare. |
Sizings
XS Diagram
Resource
XS
Sizing supported 1 to 49 users:
1 Nextcloud Frontend (Linux virtual instance - 2/4)
Dedicated S3 bucket
24/7 Monitoring (optional)
Data replication enabled (virtual instance disaster recovery)
Configuration and properties
Product configuration
Local Log Management
Logs are accessible with the administrator account (admin_client) through the Web UI, in the section "Parameters" > "Logging".
Remote Log Management
Logs are sent to cegedim.cloud SIEM to detect security issues and sensitive actions.
Security
Authentication
Web access
A default admin_client account is provisionned by default.
The customer can access its account by connecting to the drive URL (ending by *.mydrive.cegedim.cloud), choosing "Direct authentication", and using the admin_client account with the password chosen during provisionning.
Authentication for local accounts (e.g.: admin_client) are protected by TOTP.
The TOTP can be configured on the first connection, after the provisioning of the OverDrive through ITCare. It ensures that only the client can connect to the admin_client account.
cegedim.cloud still has the possibility to activate the admin account for security uses ("bris-de-glace"). This password does not provide access to data hosted on the web servers.
When needed, these accesses are protected by several security measures:
TOTP usage
Access through the bastion, as presented on the diagrams
Full traceability
System access
System access is reserved to cegedim.cloud administrators. These accesses are necessary to provide mandatory services for the application, for example:
Monitoring operations (e.g.: restart a service)
Version update
Security update
Servers providing the OverDrive services can be accessed by SSH and require to be authenticated through the cegedim.cloud Bastion. These accesses are limited to cegedim.cloud administrators and entirely journalized to ensure only legitimate operations are realized.
Authorizations
Roles
| Roles | Permissions |
|---|---|
Users | Use the product |
Administrators | Use the product and manage users |
Super Admin | All |
Network
SSL is used while connecting to the Nextcloud application.
A secure profile is deployed to avoid any deprecated cipher to be used.
Data location
The infrastructure is located in France and the data is stored within cegedim.cloud's datacenters.
Files are stored on cegedim.cloud's Object Storage solution (S3 compatible).
Password management
The end user password is not stored into our password management solution and is known only by the client. This password is created when the end user order its OverDrive on ITCare.
cegedim.cloud admin account is deactivated during the OverDrive creation process.
This section lists the password management :
| Password | Stored by Cegedim.cloud | Stored by Customer | Enforced | Hashing algorithm |
|---|---|---|---|---|
admin_client account | sha256 | |||
ANY other account | sha256 |
Monitoring
Each OverDrive instance deployed through ITCare is monitored. An automatic check verifies if the Nextcloud service is available.
When the drive website is unavailable, the alert is taken into account by our monitoring teams which implement corrective measures.
The 24x7 option, available in ITCare, will extend the monitoring to non business hours.
Antivirus
The servers are protected by cegedim.cloud antivirus (SentinelOne).
Backup
OverDrive virtual machines are always backuped by default.
Last updated
