Box security features help set some cloud concerns to rest

Box's security features include seven permission layers, authentication and MDM integration so employees can use the cloud and IT can still sleep.

The enterprise cloud service Box has security features such as authentication and encryption that give enterprise IT administrators some peace of mind about employees' cloud use and corporate data security.

Among many companies' end users, cloud storage services have supplanted USB sticks and file servers, because they offer cheap (or often free) storage and seamless access to data across multiple devices. If management wants the IT department to implement its own cloud service in response, the organization must first consider how to address cloud security issues. For organizations that choose to use Box, its built-in security features help keep data safe in the cloud.

Since its inception, Box has worked with IT shops to find ways to merge the needs of the enterprise with the wants of users. The company views itself as the custodian of its customers' content, said Grant Shirk, a Box product marketing manager. To that end, Box's enterprise-level service uses single sign-on (through either on-premises or cloud authentication), encryption standards, key storage and mobile device security, and it provides different levels of access based on various roles and needs.

Dealing with complexity

File and content security are big challenges, even at a local level with a single file server. Protecting data becomes even more difficult when files and content are spread out across multiple devices, device types and users. Box tends to point to system-specific controls as the culprit. For example, when you manage a file server, you control files at the server, but once a user downloads and emails the file, it's out of your control.

The Box security approach -- at the data level rather than at the device level -- translates to today's mobile-first environments where data needs to be accessible on the go. Box integrates with the top mobile device management (MDM) platforms and extends their functionality (such as remote wipe and policy enforcement) to Box data on mobile devices.

With most consumer cloud storage services, control over data rests with the individual. When sharing files, users often misunderstand the settings and share too much or make their data publicly accessible. Box's security model assumes the content is not an island on the network -- rather that it is data that will be shared -- and protects the data before employees can over-share it.

The key is setting up collaboration in the proper way. Box security has seven layers of permissions around files and folders. These layers can be integrated with federated authentication services such as Ping Identity, Citrix NetScaler, VMware Horizon and others, or through Active Directory Federation Services. Box uses Security Assertion Markup Language (SAML), which provides confirmation of authentication and passes details such as group membership so you can apply the same permissions process to objects in Box as you do internally. SAML also provides single sign-on capabilities that many organizations now require their cloud applications to have.

If you choose to manage your Box accounts without directory services integration, Box provides a fairly robust administration console. You can set fine-grained controls over policy, such as password length and other requirements, and you can give co-administrators control over all users or over specific groups of users. Box includes its own multi-factor authentication system, but you could also use the multi-factor authentication method within your directory service.

Admins can control who can read and write to files, how external users can interact with files, who can share links and collaborate with external users, who is allowed to see the collaborators on a folder and more. If a complex password is required for accessing content, users with simple passwords must update them before being granted that access. In addition, you can apply expiration dates to links and files, making them accessible to others for viewing or editing only within a specific time frame. And if you don't want certain files to be re-shared, you can control who is allowed to invite whom to collaborate.

Protecting data out there

When files were kept on local networks, there was little reason to worry about data leakage. When we started carrying laptops, which were sometimes lost or stolen, disk encryption was implemented. Now that we have personally owned mobile devices, we can't implement the same device and OS controls. Box ensures protection of data at rest through strong encryption and at the network layer when syncing over Secure Sockets Layer. The encryption keys are kept separate from the data so that an exposed file is as secure as possible. When you need to address a mistakenly shared file -- or an intentional security breach -- links to shared content can be cut off immediately. All files and content are tracked through audits for one year. Integration with data loss prevention tools such as Proofpoint and CipherCloud is one way to expand visibility into the audit trail.

Box also integrates with other applications through Box's application programming interfaces, which let internal applications work with secured Box cloud data. In addition, Box has its own mobile app interface called OneCloud, plus an app store with applications such as SmartSheet and HelloFax that integrate with Box storage. Well-known Software as a Service apps, such as SugarCRM and NetSuite, can also integrate with Box, allowing you to manage the files in those other cloud apps under the same Box security settings.
