February 25, 2013
Just a couple of weeks ago I wrote about Dropbox releasing an entire swathe of new security functionality that sees it firmly mark itself as entering the corporate market and responding to the needs of IT. As I said at the time, Dropbox has long signaled an intention to move up the food chain. In doing so it competes more directly with Box, the content collaboration company that for several years has been focusing on enterprises.
Perhaps in response to that greater Dropbox threat, or perhaps purely coincidentally, Box is today announcing its own security release that also adds a lot of fine-grained control that will have IT departments feeling, once again, that the control is back in their hands. Anyway – this release includes core functionality, as well as integrations to wrap a layer of control and visibility around the Box product. Interestingly, Gartner recently published a report, the inelegantly named “MarketScope for Enterprise File Synchronization and Sharing”, in which only Box, Accellion and Citrix gained a “strong positive” rating. I’m a bit dubious about rating all of these companies together – from purely on-prem to pure cloud, but beyond that the report uses an interesting methodology and is worth a read.
Anyway – the new features and partnership cover the following areas:
- Admin Controls for External Collaborators – allows admins to restrict individual users in their enterprise from creating externally shared folders
- Device Pinning – allows IT admins the ability to limit from which devices users can access Box, ensuring trusted access to Box content on IT-approved devices
- Samsung KNOX – Box is one of the first business applications available on Samsung KNOX, an end-to-end secure solution for Android that wraps a secure layer around work data on shared work/personal devices
- Login Security – an enhanced security detection algorithm, which will automatically detect and prevent unexpected user logins
- Partnerships with Code Green Networks and CipherCloud for Data Loss Prevention features
- A new integration with GoodData to allow IT to measure content metrics to identify security risks
It’s always good to see cloud vendors deliver the functionality that IT departments feel they need – for that reason, this announcement should be welcomed. While things like disabling sharing outside of a domain might seem like a simple thing, it’s the kind of detail that, when lacking, IT departments latch onto to disallow use of a product within the organization. As such, any progress in this area is good and gives organizations comfort that Box is committed to the security of their data. Box is also being up-front that this is an ongoing task, and their confidential briefing deck speaks to the functionality which is on the horizon. I’m not at liberty to divulge the details, but suffice it to say that even more enterprise-grade security features are on the horizon.
From an industry perspective however, what is interesting to see is Box apparently scrambling to counter an enterprise announcement from Dropbox – if we put these two announcements head to head, we can see that they are similar; both companies introduced more granular control of users’ permissions, more stringent device settings and deeper logging around log-ins and sharing. It’s fair to say that Box has gone further – in particular the integrations with DLP vendors and GoodData look great in a vendor pitch – I’m not convinced how many enterprises will actually want to use the integrations, but as is so often the case in this industry, it’s more the fact that they’re able to that is important. It’s also fair to say that Dropbox is the one catching up in terms of functionality. For instance, Box has had company-only access as a permissions option for end users for a while, but their new feature gives admins more granular control over the creation of folders with external collaborators. According to Box, device pinning has been a major ask from customers, as is DLP, especially in highly regulated industries.
…allows for a “container” system that separates personal and corporate data, and can also be used on applications. It also includes AES 256-bit encryption, the ability to create a virtual private network connection through a single app, improves the mobile device management controls, and works with hundreds of current IT policies.
Details are still scant but it would seem Knox is in a similar space to VMware Horizon which released under General Availability last week. The idea is to give organizations end to end security over corporate data, and to serve it up on a mobile device in a secure fashion while still allowing individual users to utilize their devices for personal use – kind of a holy grail and one which is fraught with difficulty (disabling cut and paste for example doesn’t stop someone taking a screen capture if they really want to leak data).
I’d also like to see all these vendors really front up and deliver on the encryption requirements of enterprise – this is an area that is at the very heart of their business model. Cloud storage vendors gain real economies of scale by deduplicating data to reduce storage costs. While deduplication can be performed on encrypted files, it’s a less simple process. For this and reasons of file search and other advanced functionality, cloud vendors seem reluctant to give organizations the ability to hold their own encryption keys and thus have the files unreadable by the vendor. This is still a major bottom line for many organizations whose IT departments will not permit use of a product that doesn’t offer native blind file encryption. While it’s fair to say that there are ways around it (IT could enforce the use of TrueCrypt folders for each individual for example) they tend not to be elegant solutions. My understanding is that Box is exploring ways to enable customer owned encryption key management without restricting the collaborative capabilities of the product – it’s a fair suggestion that whoever nails this one first will increase the development attention the other vendors give to the problem space.
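The tension between deduplication and customer-held keys described above can be shown in a few lines. This is an added example, not code from the original post or from any vendor named in it; it compares per-customer keys with convergent encryption (one known way to deduplicate encrypted files, not something the post attributes to Box). The XOR keystream is a constructed stand-in for a real cipher so the block runs on the standard library alone, and all function names are hypothetical.

```python
import hashlib
import hmac
import os


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for a real cipher (use AES-GCM in practice):
    XOR with an HMAC-SHA256 counter keystream. Same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt_customer_held(customer_key: bytes, plaintext: bytes) -> bytes:
    """Customer holds the key; a fresh nonce per upload derives the file key."""
    nonce = os.urandom(16)
    file_key = hmac.new(customer_key, nonce, hashlib.sha256).digest()
    return nonce + xor_keystream(file_key, plaintext)


def decrypt_customer_held(customer_key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    file_key = hmac.new(customer_key, nonce, hashlib.sha256).digest()
    return xor_keystream(file_key, body)


def encrypt_convergent(plaintext: bytes) -> bytes:
    """Convergent encryption: the key is the hash of the content itself."""
    return xor_keystream(hashlib.sha256(plaintext).digest(), plaintext)


def blobs_stored(uploads) -> int:
    """What a deduplicating store keeps: one blob per distinct SHA-256."""
    return len({hashlib.sha256(blob).digest() for blob in uploads})


def compare(document: bytes) -> dict:
    """Two customers upload the same document under each scheme."""
    key_a, key_b = os.urandom(32), os.urandom(32)  # each customer's own key
    return {
        "plaintext": blobs_stored([document, document]),
        "customer_held_keys": blobs_stored([
            encrypt_customer_held(key_a, document),
            encrypt_customer_held(key_b, document)]),
        "convergent": blobs_stored([
            encrypt_convergent(document), encrypt_convergent(document)]),
    }


SAMPLE = b"Q1 board deck, constructed sample content " * 20
```

Convergent encryption restores deduplication only because equal files produce equal ciphertexts, which also means the provider, or anyone who already holds a copy of a file, can tell that the file is stored.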
Protecting the entire lifecycle of data is important in order to ease the adoption of cloud solutions by enterprise – these developments are key steps in that process but companies need to move more quickly if they really want widespread adoption to occur.