Breaking the Last Barrier to Cloud Adoption with Box Enterprise Key Management

Today we have some incredibly exciting news to share with our customers and the industry. Box is breaking the final barrier to cloud adoption with a new technology that enables companies to control their own encryption keys, while still leveraging Box's best-in-class content management and collaboration capabilities.

For years, Box has been on a mission to transform the way that organizations and people work, across every company size, in every geography, and in every industry. Because of our early focus on security, compliance, scalability, and critical enterprise requirements we've been able to work with amazing organizations like GE, Eli Lilly, Toyota, Gap, DreamWorks, World Bank and many more as they move to a more cloud and mobile-centric IT model.

Along the way, however, some enterprises, often in industries or regions where government regulations are most strict (like financial services or energy), have not been able to move to the cloud as effortlessly. This has unfortunately led many large businesses to stay with on-premises systems to manage their critical content and information, reducing mobility and easy collaboration, and keeping enterprise IT architectures stuck in the past.

Today, Box is taking a big step to solving this problem. Over the past few years, we've debated the numerous solutions, but most approaches — such as hybrid systems or client-side encryption — usually led to curtailing Box functionality in some way, and thus our central value. In 2012, we landed on what we considered the best balance of ease-of-use and customer control, and have been designing, building, and partnering to create the patent-pending solution ever since: Box EKM (Enterprise Key Management).

Box EKM, available in Beta today and built in collaboration with major customers, Amazon Web Services, and SafeNet, is a breakthrough in cloud-enabled content management and collaboration because it gives enterprises full control over their encryption keys, while still enabling all of the key experiences and capabilities that make Box delightful to use for individuals. This is a no-compromising approach on both dimensions. In simple terms, here's how it works:

For customers that elect to use Box EKM, we will work with them to provision hardware security modules (HSMs) — a dedicated appliance that safeguards digital keys and provides cryptoprocessing — in both Amazon Web Services and their own datacenter (as a backup). The customer fully manages these SafeNet HSMs, but Box is connected to them via a secure and dedicated connection. When files are uploaded to the customer's Box account, the file gets encrypted with a unique encryption key for each version of the file (we do this for *all* customers today), but we now take that key and send it to the customer's HSM which is then encrypted with the customer's own key. Therefore, from that point on, the customer owns and exclusively controls the key for decrypting those files. Box can access those files only for customer approved requests. Moreover, a complete and irrefutable log of all transactions is always provided by the HSM directly to the customer.

EKM_blog

While there are many keys involved (each document version has a unique key), the customers control the one key that rules them all. The end result is a product that breaks the last barrier to the cloud.

  1. Exclusive key control - Box can't see the customer's key, can't read it or copy it.
  2. Unchangeable audit logs - Customers maintain exclusive control over the logs of key usage
  3. Preserves cloud benefits - Simple access across devices, frictionless sharing, file preview, AV scanning, and much more.
  4. No decrypted files or keys on disk - All encryption / decryption in memory only.
  5. Reliable and protected key infrastructure - Protected by SafeNet Hardware Security Modules
  6. Data access transparency - for customers seeking greater control over their data and increased transparency into how the keys protecting their data are used.

Box EKM will elegantly enable all new use-cases for our customers and the cloud. A multinational organization can comply with data privacy requirements, creating a single content collaboration platform for all of its people around the globe, fostering more innovation in the process. Law, financial and consulting firms can meet client contractual requirements for managing data in the cloud. They can make their highly mobile and talented employees more productive and improve collaboration with their clients. And so much more.

When we set out to solve this problem nearly 3 years ago, we realized it would require a new approach. That was the only way to give IT/security and end-users what they needed and the only way to solve the problems without compromising on what we believe.

Because of Box EKM's specialized infrastructure and operational requirements, the solution is priced as a separate capability from Box's core products. If your organization would like to learn more about Box EKM, we'd love to hear from you at boxekm@box.com. And over the coming months and quarters as Box EKM emerges out of Beta, stay tuned for additional capabilities and partnerships.

We're incredibly excited to be driving cloud security forward to help enterprise transform the way they work.