Box introduces BYOK encryption key management service

Box will give enterprise cloud data storage customers the ability to control and store their own encryption keys through its new Enterprise Key Management service.

Box Inc. has made good on its promise to introduce a bring-your-own-key encryption service.

The Los Altos, Calif.-based cloud storage vendor Tuesday announced Box Enterprise Key Management (EKM), a new service that allows customers to retain and manage their encryption keys for data stored in Box's cloud.

Previously, the keys for encrypted customer data were held by Box itself, but last year Box said it was working on a new service that would change that dynamic and give customers complete, single-tenant ownership of their encryption keys and audit logs.

Rand Wacker, vice president of enterprise products at Box, said EKM was designed to "break through one of the last enterprise barriers for cloud adoption" by giving enterprises complete control over their encryption keys to ensure crucial data isn't exposed.

"A lot of enterprises still keep their crown jewel data on-premise, but it's not convenient or cost effective, especially as more work is being done in the cloud and on mobile devices," Wacker said. "We already offer encryption, but EKM now gives customers an unprecedented level of control over that encryption."

With Box's EKM, a customer's data encryption key is sent to a customer-managed SafeNet Inc. hardware security module (HSM), and all audit logs are sent from the module to the customer. Because the customer keys are no longer kept with Box, the vendor cannot expose them in a potential data breach or turn them over to the government.

"Box never sees the customer keys," Wacker said. "They go right to the SafeNet HSM. And if the HSM is hosted, the companies hosting the modules can't see them either."

As a result, if government agencies such as the FBI or NSA want to obtain customer data stored with Box, they have to go through the customer -- and not Box -- to get it.

"The companies we talk to all want to comply with law enforcement orders," Wacker said. "They just want to make sure they're the ones doing the complying and that it's not happening without their knowledge."

Encryption interest growing

Data storage in the cloud has come under scrutiny in recent years since Edward Snowden's disclosures about the NSA's surveillance programs. Rich Mogull, analyst and CEO of Phoenix-based research firm Securosis LLC, said business interest in encryption technology has grown considerably, especially as it pertains to the cloud, which makes Box's new technology an important one for cloud security.

"This recognizes what we’ve all known, which is enterprises are pressuring cloud providers to support more encryption options," Mogull said. "I think bring your own key is an important evolution in cloud computing to allow customers greater control over their data."

Mogull said he expects to see more customer-managed key options for cloud services introduced in the future, but cautioned that it could be a slow transition because of the technical complexity involved. Wacker said EKM was built from the ground up at Box and took almost two years to develop.

Box EKM is now in beta and will be generally available this spring. Specific pricing terms have not yet been announced, but Box said customers will be able to purchase the service at an additional cost based on the size of their deployments.
