maxkabakov - Fotolia

Box Shield adds enterprise content security features

Box Inc. adds security features for information governance to prevent unintended oversharing of sensitive information and intellectual property in the remote work era.

Box Inc. enterprise content users have new tools to ease single sign-on and security features to protect confidential content.

Box Platform security certificate management is now a self-service function, where before it required assistance from Box. The new feature gives Business, Business Plus and Enterprise plan users control over their review, rotation and deletion of certificates after they expire. This can help reduce disruptions with single sign-on integrations with vendors such as Okta, Azure AD, OneLogin, Ping and others, which require current certificates for employees to access content on Box. Box also automated setup of employee groups to make SSO integration more efficient.

Users of Box Shield, an add-on threat-detection and information governance feature suite, now can auto-classify live content. Previously, content at rest in Box could be auto-classified at the file level to restrict access to files that contain sensitive customer or employee data, regulated content and intellectual property according to user-set rules. New features extend auto-classification to active content as users upload, edit, move, copy, share or add new collaborators.

Box Shield also deepened Microsoft Information Protection (MIP) integration. MIP, updated last December, enables users to classify sensitive corporate content in Office 365 apps, OneDrive and SharePoint for compliance and privacy and to protect intellectual property. Admins can set rules for content to be shared inside or outside an organization. The new integration extends MIP rules set up for Office 365 applications and platforms to Box.

Regulated industries likely early adopters

Box users in regulated industries such as healthcare, legal, government and banking will likely be the leading adopters of these new features, said Alok Ojha, vice president and security product manager at Box. But most of these features will apply to many more customers outside those industries, said Gartner analyst Michael Woodbridge. Any business with a European customer, for example, is subject to the General Data Protection Regulation and if they do business in the United States, the California Consumer Privacy Act and similar regulations that restrict the flow of protected customer data.

As Box tries to convince users that its platform is the ideal repository to store enterprise content, it must continue to build security into it, Woodbridge said. This presents a challenge to data loss prevention (DLP) tools, which overlap many of the Box auto-classification and access control features. Hosting the content cloud does give Box distinct advantages in that regard.

Box's strength is that it can be more granular about the actions that they take, and they can detect [threat] signals in the overall graph of usage activity within Box.
Michael WoodbridgeAnalyst, Gartner

"Box's strength is that it can be more granular about the actions that they take, and they can detect [threat] signals in the overall graph of usage activity within Box," Woodbridge said. "When was this file last shared? Who has it been shared to? Do I need to flag an alert about that? Is there anomalous activity happening around that file? For all of those things, Box claims they have greater insight into than a standalone DLP."

Box has seen activity change over the last year, Ojha said. Users are logging in from different devices and at a wider range of times as they work from home. There's also been a 71% more Box activity in conjunction with video conferencing, led by Zoom, as users share documents from Box in their video meetings. Box released document sharing in Zoom in December 2019 right before the pandemic and enhanced its integrations last summer with annotations and Zoom meeting launches from within Box content.

The security features Box natively built into the platform -- such as user-configurable exceptions that allow frontline employees to justify sharing content outside the company -- empower users and remove obstacles to their work, he said.

When they're blocked from viewing or sharing content, Box strives to provide transparent explanations for the security measures.

"End users truly need to understand what's going on," Ojha said. "We think security can be empowering. When it comes to content, collaboration and risk around data leakage, end users don't want to do bad things. They want to do their work. What they really want is [this]: If I make a mistake, the system's got my back."

The feature releases come as Box Inc. receives a $500 million investment from Kohlberg Kravis Roberts & Co. L.P. Co-founder and CEO Aaron Levie will relinquish his position as board chair but remain CEO and a director.

Dig Deeper on Content collaboration

Business Analytics
Data Management