The U.S. Department of Justice has started using Box for cloud-based document storage and collaboration, so does that mean it's secure enough for enterprise use? What does Box offer in the way of enterprise security features, and are there other options out there that offer better security?
The Enterprise Box service includes a variety of security features. The authentication system supports standard enterprise controls such as password policies, two-factor authentication and single sign-on. The authorization mechanism allows administrators to define access controls on users and groups and across operations, such as viewing, editing and sharing. Document retention policies are also supported.
Enterprise Box security features provide encryption of data in motion and at rest. Box manages encryption keys for customers, but also offers customer-managed keys through the use of a hardware security module (HSM). Since using an HSM can add to the cost of cloud storage, it will most likely be used by customers that need to control access to their content, such as attorneys storing confidential documents about their clients.
Enterprise Box also includes services for detailed monitoring and reporting of user activity across 50 types of events. Customers with security information and event management (SIEM) applications can generate reports that integrate into several major SIEM products. Event reports are also available by username, email and IP address.
While all of these features are essential for maintaining a secure document repository in the cloud, they do not solve some common issues. Enterprises that use multiple SaaS services may find they need to implement the same controls in multiple services. Integration with on-premises LDAP or Active Directory servers can reduce duplication of effort with regard to authentication and authorization. Also, it is difficult to integrate and analyze activities across SaaS services using a SIEM.
It is important to clarify that there is no single standard for judging a service as "secure enough for enterprise use." A service with adequate security controls for a retail business may not be appropriate for a healthcare provider, for example. Enterprises must clearly define their own detailed security requirements and assess how well a service provider meets their needs. This is certainly the case with enterprise file-sharing services.
Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)