Commit 64f055dd authored by Arnau Vàzquez

Merge branch 'security-difference-nextcloud-murena' into 'master'

Explanation for Nextcloud security scan

Closes #698

See merge request e/documentation/user!803
parents 2a82674a b2237004
+13 −0
### User report about Nextcloud security scan

One of our users got concerned when the Nextcloud server security check resulted in an F grade. However, this does not imply that Murena cloud is insecure. Rather, the low Nextcloud security scan scores are due to differences in how Murena cloud is deployed and how Nextcloud ranks servers.

### How does Nextcloud security scanner work?

The Nextcloud security scanner evaluates the security score of Nextcloud servers by checking factors like the version of Nextcloud version installed, the configuration of the server used, and some other factors. If the configuration used by a Nextcloud server is not as per the recommendations by Nextcloud, then the server's security score is reduced. As an example, one of Nextcloud's recent low security scans was because Murena cloud was only one minor version behind and did NOT lack any major security patches. Warnings issued by Nextcloud security scanner like "likely trivial to break in" is not applicable to Murena Cloud, because of the security measures and monitoring on our infrastructure.

### Security measures deployed on Murena cloud

We follow security news and also have automated systems in place to spot strange behavior in traffic and stop it before it can be exploited against Murena cloud. Other small issues that are unrelated to the Murena cloud or Nextcloud are handled at the infrastructure level as well. We follow Nextcloud's suggested security settings and other common security practices to keep Murena cloud secure. This different configuration environment may confuse the Nextcloud security scan, leading to inaccurate scores. This indicates that Nextcloud security scan is an effective tool to test vanilla Nextcloud setups, but does not accurately reflect the security of Murena cloud.

We are now receiving an A+ on the security scan. Nevertheless, the Nextcloud release cycle can occasionally cause a dip in the score, even when Murena cloud is secure.
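
Review bot: The "Security measures deployed on Murena cloud" paragraph states both "We follow Nextcloud's suggested security settings" and "This different configuration environment may confuse the Nextcloud security scan" without naming which settings differ, so a concerned user cannot tell which scanner findings are deployment artifacts; suggest listing the specific checks that are misread. In the "How does Nextcloud security scanner work?" paragraph, "the version of Nextcloud version installed" repeats "version", and "Warnings ... is not applicable" should read "are not applicable". The text also alternates between "Murena cloud" and "Murena Cloud"; pick one spelling.
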
+1 −0
@@ -56,6 +56,7 @@ Since this is a common query from /e/OS users, we would like to clarify a few po
  -  murena.io is a modified version of [murena-cloud-selfhosting](https://gitlab.e.foundation/e/infra/ecloud-selfhosting), which is based upon several open source projects.
  -  We have implemented [Nextcloud's server side encryption](https://nextcloud.com/blog/encryption-in-nextcloud/) on our servers. As you maybe aware SSE is a requirement for E2EE.
  -  We have a long-standing relationship with a security expert in charge of hardening and monitoring our systems, including murena.io.
  -  [Nextcloud security scanner's score doesn't accurately reflect the security of Murena cloud](/support-topics/security-difference-nextcloud-murena) 
  -  Read more about it on your [Murena Cloud instance](https://murena.io/settings/user/privacy)

A few of the improvements applied to murena.io in regards to the base murena-cloud-selfhosting instance:
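
Review bot: The bullet linking to /support-topics/security-difference-nextcloud-murena sits between the security-expert bullet and "Read more about it on your Murena Cloud instance", so "it" now reads as referring to the scanner score rather than to the item it followed before; suggest placing the new bullet after the "Read more" item or rewording that item. The new bullet also has a trailing space after the closing parenthesis, and its link text is a full sentence where the neighbouring bullets use short link labels.
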
+9 −0
---
layout: page
title: Is the Nextcloud security score important for Murena cloud?
namespace: support-topics/security-difference-nextcloud-murena
permalink: /support-topics/security-difference-nextcloud-murena
toc: true
---

{% tf pages/support_topics/security-difference-nextcloud-murena.md %}
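
Review bot: The include on the last line points at `pages/support_topics/security-difference-nextcloud-murena.md` with an underscore, while `namespace` and `permalink` use `support-topics` with a hyphen; the file paths are not visible in this view, so please confirm the 13-line Markdown file from this merge request was added at exactly that path, since this page has no other body content.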