Box thinks it might have just the thing to put your cloud security worries to bed.
This week, the cloud storage and file sharing company, based in Los Altos, Calif., announced a new service, called Enterprise Key Management (EKM), which would give companies more control of the encryption of their own data using a public key program.
How it works, according to SearchSecurity: EKM runs on a SafeNet hardware security module (HSM) hosted in the enterprise's own AWS environment through Amazon's CloudHSM service, so the customer, not Box, manages its own encryption keys from its own data center. Before Box can encrypt or decrypt any file, it must request permission directly from the customer through open APIs on that HSM; the module then records the request in an immutable audit log that the customer keeps for its own compliance purposes. This gives customers control over when Box can access their data and prevents the vendor from sending that data to a third party without the customer's knowledge.
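The control flow described above, as an added illustration that is not Box's, SafeNet's or AWS's code: a customer-side HSM stand-in holds the master key, the provider stand-in keeps only ciphertext plus a wrapped per-file key, every wrap/unwrap request passes a customer policy check, and each request is appended to a hash-chained audit log so later edits to the log are detectable. All class and method names are hypothetical, the stream cipher is a stdlib-only toy standing in for AES or the HSM's own key-wrap primitive, and the sample file contents are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Stdlib-only stand-in for AES-GCM / HSM key wrap; not for production use."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


class CustomerHSM:
    """Hypothetical stand-in for the customer-controlled HSM. Master keys never
    leave this object; every request is appended to a hash-chained audit log."""

    def __init__(self):
        self._master = {}                 # key_id -> 32-byte master key
        self.audit = []                   # list of chained log entries
        self.policy = lambda actor, op, key_id: True  # customer-supplied hook

    def _log(self, op, actor, key_id, result):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "time": time.time(), "op": op, "actor": actor,
                 "key_id": key_id, "result": result, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            expect = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or e["hash"] != expect:
                return False
            prev = e["hash"]
        return True

    def create_key(self, key_id):
        self._master[key_id] = secrets.token_bytes(32)
        self._log("create", "customer", key_id, "ok")

    def destroy_key(self, key_id):
        # Crypto-shredding: every file key wrapped under this master becomes unrecoverable
        self._master.pop(key_id, None)
        self._log("destroy", "customer", key_id, "ok")

    def _authorize(self, op, actor, key_id):
        if key_id not in self._master:
            self._log(op, actor, key_id, "denied:no-such-key")
            raise KeyError(key_id)
        if not self.policy(actor, op, key_id):
            self._log(op, actor, key_id, "denied:policy")
            raise PermissionError(f"{actor} may not {op} with {key_id}")
        self._log(op, actor, key_id, "ok")

    def wrap(self, actor, key_id, file_key):
        self._authorize("wrap", actor, key_id)
        nonce = secrets.token_bytes(16)
        return nonce, _keystream_xor(self._master[key_id], nonce, file_key)

    def unwrap(self, actor, key_id, nonce, wrapped):
        self._authorize("unwrap", actor, key_id)
        return _keystream_xor(self._master[key_id], nonce, wrapped)


class CloudProvider:
    """Hypothetical provider: stores ciphertext and the wrapped per-file key,
    and must ask the customer's HSM before every encrypt or decrypt."""

    def __init__(self, hsm, key_id, name="box"):
        self.hsm, self.key_id, self.name, self.store = hsm, key_id, name, {}

    def upload(self, path, plaintext):
        file_key = secrets.token_bytes(32)
        nonce_f = secrets.token_bytes(16)
        nonce_w, wrapped = self.hsm.wrap(self.name, self.key_id, file_key)
        self.store[path] = (nonce_f, _keystream_xor(file_key, nonce_f, plaintext), nonce_w, wrapped)
        # file_key is dropped here; only the HSM can recover it from `wrapped`

    def download(self, path):
        nonce_f, ct, nonce_w, wrapped = self.store[path]
        file_key = self.hsm.unwrap(self.name, self.key_id, nonce_w, wrapped)
        return _keystream_xor(file_key, nonce_f, ct)


def demo():
    hsm = CustomerHSM()
    hsm.create_key("tenant-master-1")
    box = CloudProvider(hsm, "tenant-master-1")
    box.upload("/finance/q1.xlsx", b"constructed sample file contents")  # constructed input
    roundtrip = box.download("/finance/q1.xlsx")
    # Customer revokes the provider's decrypt permission; the next request is logged and refused
    hsm.policy = lambda actor, op, key_id: not (actor == "box" and op == "unwrap")
    try:
        box.download("/finance/q1.xlsx")
        denied = False
    except PermissionError:
        denied = True
    chain_ok = hsm.verify_audit()
    hsm.audit[1]["actor"] = "someone-else"   # simulate after-the-fact tampering with the log
    tamper_detected = not hsm.verify_audit()
    return {"roundtrip": roundtrip, "denied": denied, "chain_ok": chain_ok,
            "tamper_detected": tamper_detected,
            "audit_results": [e["result"] for e in hsm.audit]}


if __name__ == "__main__":
    print(demo())
```

Two points the walkthrough makes concrete: the provider holds enough to serve the file (ciphertext and wrapped key) but nothing that decrypts without a logged round trip to the customer's HSM, and the audit record is only as trustworthy as its tamper-evidence, which is why the log is chained rather than a plain list the operator could quietly edit.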
This is very layered security, the strictness of which might make some wonder how EKM affects Box's built-in functionality and user experience. And indeed, one way Box and other cloud vendors had already been doing encryption -- going through a third party -- does sometimes break these capabilities.
"You would go to a third party, who would encrypt the data before it got up into Box. But that would break all of Box's innate, built-in functionality, because it couldn't see the data -- the data was just a blob," Tyler Shields, a senior analyst at Forrester, told me.
The other extreme, however -- giving Box access to and control of your encryption keys -- is not that much more appealing. "You essentially had to trust [Box] not to do anything bad," he said.
Which is why Box's new layer of data control is something enterprises should pay attention to, Shields said. While Box isn't the first to offer encryption key management, what's new with Box's service is that it offers a happy medium between those two extremes. "Box can do everything they need to do, but then you've got full audit control," he said. And because the hardware module only stores the customer-managed keys, which are much smaller and easier to transport than large files, performance and functionality aren't sacrificed.
This type of encryption key management, where the HSM is external to the cloud provider, could turn heads, particularly at highly regulated organizations, such as those in the healthcare and finance industries, Shields asserts. "Once the enterprise realizes that an external encryption module gives them better auditing, better control, better security, and still keeps the functionality, yeah, I think they'll start to use it more and more," he said. Events such as the Anthem breach, in which 80 million patient records were leaked from the healthcare provider's unencrypted legacy databases, only increase the product's attractiveness.
Customer-managed keys a challenge worth taking on?
But does Box's announcement mean enterprises should use the cloud for storing sensitive data? Not so fast, warns Jay Heiser, research vice president at Gartner.
First, encryption isn't that easy to implement, Heiser told me over email. Effective encryption requires secure key management, which in turn involves the creation, use, distribution and destruction of encryption keys.
"No buyer should automatically assume that their service provider didn't make some sort of subtle but fatal mistake," said Heiser. For instance, when it comes to encrypting data at rest, it's easy to determine when a laptop or phone is encrypted -- when it's turned off. But with cloud encryption, figuring out when a multi-tenant, multiuser public cloud is considered "at rest" is a trickier task.
So how can enterprises make sure a provider's encryption implementation is reliable? "The onus is always on the vendor to provide evidence," said Heiser. "A formal evaluation by an independent party is the most rigorous way to do that."
Heiser also warns that customer-managed encryption key technology is only one facet of data control, and one that doesn't necessarily help with a common form of security failures -- account compromise through tactics like phishing or brute-force attacks. "If the attacker gains your password, and there's no other form of authentication, then the attacker can access your stuff -- in the cloud or in the enterprise. Server encryption won't help with that," he said.
In spite of these cautions, customer-managed encryption is definitely a step in the right direction in terms of data security, both Heiser and Shields agree. In fact, it's something enterprises should watch out for in the market, because other cloud providers will likely follow suit and offer a feature similar to Box EKM.
"The idea of allowing customers to manage their own keys is a good one, and we expect to see more of it," Heiser said. But when it comes to adoption, Shields thinks enterprises will have to go through a learning process before many of them use this technology.
"This is not something that's just easily grasped by the general enterprise buyer," Shields said. "They have to understand what it actually means by pulling out the encryption [from the vendor's environment] and putting it into a separate system," the user's.
How should enterprises start on this learning curve? By watching early adopters -- cloud-first companies that have either already trusted Box prior to EKM or those that have been waiting for that extra layer of security before they adopted encryption management services.
"Any company that's embracing the cloud is a company worth watching right now, because the security of their data is paramount," Shields said.
CIO news roundup for week of Feb. 9
More tech headlines from the week as the snow-fatigued press on:
- It's not just smart TVs you might start worrying about. A report set to be released Monday by Sen. Edward J. Markey revealed that the majority of automakers of vehicles that use wireless technology either lack security systems or have installed inadequate ones.
- Twitter's new transparency report, which reveals how frequently government agencies worldwide ask for user data from the social media platform, showed that total requests have risen by 40% from the company's last report, published in July. Who had the most requests? Turkey, which doesn't have the most stellar relationship with the company.
- Apple Pay takes flight: As early as next week, passengers on certain JetBlue flights can start using Apple Pay on their iPhone 6 devices to purchase anything from food to upgraded seats.
Head over to sister site SearchSecurity for full coverage of Box's encryption key management service. Then, get Forrester analyst James Staten's take on why enterprises should take heed of bring your own encryption.