Nextcloud is one of the preferred cloud storage solutions for businesses. This open source tool lets you set up your own cloud on a web server and is notable for how extensively its configuration can be customized. It also stands out for the control it gives you over stored data, but these security measures are not sufficient to protect the valuable and sensitive information of many organizations. In this article, we will show you how to protect your organization’s files and the risks you run by not doing so.

What are the Data Security Risks Associated with Nextcloud?

Nextcloud currently offers some security measures such as two-factor authentication, data access control, and server monitoring. It is true that Nextcloud is a more secure alternative to other more popular tools, especially because you can host it on your own server, on-premises.

A common case is when users of an organization, from different departments, upload documents and information to Nextcloud to store them or use it to share files and collaborate with people outside the organization.

Nextcloud allows collaboration both by sharing an access link and by inviting users to folders, giving access to one or more specific users to download, view or edit the stored information. You can also set an access period for specific collaborations, such as projects or campaigns. You can even password protect access to a shared file or folder and watermark documents.

But what if all the files have already been accessed and downloaded? In the normal context of collaboration, you need to be able to perform actions on the same file, share it in different ways, or have it available on the device.

So, allowing only viewing within Nextcloud is not an option that facilitates collaboration in most cases. In addition, the most popular file formats, such as Office and LibreOffice, cannot be accessed from within Nextcloud, forcing you to download them if you want to view, collaborate or modify them. In short, the users with whom you collaborate will be in possession of the files without any kind of security or limitation.

Allowing the download at this point is necessary if we want the collaboration to succeed, but we lose all control over the downloaded files. Once they leave our security perimeter, there is nothing we can do to control their use, distribution, or modification, and we are left to bear the cost of a data leak. Whoever holds the downloaded files has complete control over them. This is a huge risk for organizations, especially if the information is highly confidential and sensitive.

Nextcloud also allows us to monitor and audit both the activity and the documents that have been shared, so we know in real time which documents have left our storage environment, when they left, and who shared them.

However, we lose the ability to monitor activity on files once they leave Nextcloud and are in the possession of third parties. As we have discussed, once a file leaves our perimeter of control, i.e., Nextcloud, we lose all real-time monitoring and auditing capabilities. Increasing the level of information security therefore requires a protection approach that focuses on the file or document itself and remains in effect outside our perimeter of control.

These are the main risks that organizations face:

  • Internal data theft for personal gain by insiders.
  • Access to intellectual property or sensitive information by competitors after collaboration with suppliers, distributors, subcontractors, freelancers, etc.
  • Blackmail, including ransomware, by malicious actors who obtain sensitive information after gaining access to our cloud through phishing, social engineering or malware.
  • Accidental human errors resulting in unauthorized access to sensitive information by unintended individuals.
  • External attacks on partner organizations that gain access to shared folders containing highly confidential information.

How to protect files in NextCloud even if they are downloaded?

 

1.      Traditional Password Encryption

You can use traditional encryption on individual files and password-protect access to them so that only the recipient(s) can access them. If a file gets into the wrong hands, it can only be opened by someone who has the password.

Some file formats, such as PDF, Office, or .zip/.rar compression tools, allow you to password protect a document.

This is better than nothing, but it is not a sufficiently effective security measure if, for example, you work with many files and need to protect each one with one or more passwords. In addition, it does not let you limit permissions: once recipients have the password, you lose control of the file and can no longer trace it. The user can distribute, modify or use to their advantage the information they have received. Therefore, it is not a recommended measure.
 

2.      Digital Rights Management (DRM) Solutions

Digital Rights Management (DRM) solutions, effectively implemented, significantly enhance information security by protecting data at all times and limiting what can be done with it, even when it is in the possession of third parties. This is why the most secure organizations and leading CISOs rely on this technology to facilitate the collaboration that is essential to compete today, while securing information throughout its lifecycle, whether at rest, in transit, or in use. They choose to secure the file itself and keep real-time control over it. Data-centric cybersecurity will be key in the coming years in a world of “data everywhere”. But beware: there are differences from one vendor to another, so it is important to choose a solution that best fits your organization’s environment and offers guarantees for a successful implementation.

SealPath protection to shield your files in NextCloud

SealPath is an EDRM tool that has more than 10 years of experience in the market helping large organizations to protect their information. In 2022 it was awarded for its cutting-edge technology and the continuous innovations it develops to meet today’s data privacy and security challenges.

SealPath’s protection focuses on securing the file itself, adding a layer of security that follows the document wherever it goes. That means it protects data in the cloud, on any device, or on its own server. Whether the file is downloaded, shared or stored, this protection does not disappear. This is important because it enables compliance with the Zero Trust model standards.

One of the features that many CISOs choose SealPath for is the ability to control the various permissions that are granted when a document is consumed. For example, you can specify that a user can only view a document and not edit, copy or print it. This is done in a way that is transparent and easy for the user.

Another highly requested feature is the ability to revoke access to any file in real time and remotely. This is very important because when you stop working with third parties, an employee leaves, or other organizations stop working with you, you can prevent them from continuing to have confidential information.

Some of the most important features to consider are:

  • Control permissions in seconds: Control the actions that your customers or employees can perform.
  • Seamless use of common tools: Seamlessly integrates with major corporate applications, with no hindrance to users receiving the document.
  • Comprehensive access control: See if other users have accessed the document, if the protection has been tampered with, or if someone is trying to open the protected document without authorization.
  • Protects most file formats: Protection applies to a wide range of formats, from Office, PDF, CAD Drawings to open source formats such as LibreOffice.

Advanced file protection in NextCloud with SealPath

 

AUTOMATIC PROTECTION OF FILES AND FOLDERS ON NEXTCLOUD

With SealPath, you can automatically apply protection to files in a Nextcloud folder without user intervention. Automation is recommended to avoid relying on users to apply protection manually and to avoid human error.

 

So when users download documentation from Nextcloud, it travels protected with SealPath, and you can control who opens it and when, or remotely revoke access.

All you have to do is make a few simple settings, such as the server Nextcloud is hosted on, and create a protection rule in a matter of seconds.

You can keep the information on different servers. This is no problem for SealPath: you can continue to apply rules for each of them from the same configuration window.

When you create the protection rule, you can set it to be recursive, i.e. to automatically protect all files and subfolders within the folder you want to protect.

Selecting the folder to be protected is very simple: you just pick it from a list in which you can see the subfolders. After selecting the folder to which the automatic protection rule is to be applied, you can select the protection policy that will be applied to all the files inside it, and the protection will be applied in an instant.

As mentioned in the SealPath highlights, protection policies define which users can access a document and what actions can be performed on it (view, copy, edit, print…). You can also set the date on which they lose their rights, the days on which they can access the document without being connected to the Internet, and the possibility of adding watermarks to PDFs and images.

As a result, documents automatically protected in Nextcloud folders have a higher level of protection, so even if an unauthorized person gains access to Nextcloud, they will not be able to open the stored files, which are unusable to them.
 

SIMPLE AND SECURE COLLABORATION WITH EXTERNAL USERS

We have emphasized the importance of collaboration, especially secure collaboration. SealPath provides maximum simplicity when sharing with external parties. It provides the ability to self-invite external users to access protected documents.

Users do not need to ask administrators to register third-party users, nor do administrators need to manage who is introduced to the platform.
 

AUTOMATED INTEGRATION WITH CLASSIFIED DATA IN NEXTCLOUD

In addition, some organizations have implemented security measures based on classification, i.e. they have catalogued all stored files using tags according to their content, criticality, or distribution capability. Some of the most common labels are Confidential, Internal, Public, Personal, or Financial.


SealPath is also capable of interpreting the labels and automatically applying protection policies. This way, in folders where the nature of the files is very diverse, we protect the information by applying more or less restrictive policies depending on the type of information it contains. This is a measure that we highly recommend because it increases the level of information protection.

 

SealPath and NextCloud Benefit Summary

Thanks to the integration of SealPath protection with NextCloud you can have:

  • Automatic protection in seconds: After the Admin applies a protection policy to a folder, users only have to save the documents they need there. The documents are immediately protected when they are uploaded to the system.
  • Tracking, control, revocation: Security managers can see in real time who is accessing a document, when, and with what permissions. And in cases where it is decided to restrict access to a document, this can be done even if the documents have already been downloaded from NextCloud and are on the third-party network.
  • 100% transparent secure management: Users will have no friction when storing, sharing and modifying files. No software downloads required.
  • Easy and secure collaboration with third parties: Users can collaborate on Word, Excel, LibreOffice, PowerPoint, PDFs, etc. documents while maintaining company confidentiality policies and information security on any device.

 
 
Would you like to know more and would you like us to help you protect your NextCloud documentation effectively? Do not hesitate to contact us here, we will answer your requests as soon as possible.