Box adds enterprise key management to overcome last hurdle to the cloud

Are you the keymaster?

Hoping to leapfrog what it sees as the last hurdle to enterprise cloud adoption, cloud storage company Box has announced Box Enterprise Key Management (EKM), which is designed to allow customers to keep control over their encryption keys (and thus, the data stored in the public cloud) without sacrificing easy user experience. 

This, Box said, is a major point of concern for many larger customers with strict information security needs: banks, medical centers and even movie studios need to keep an audit log and their own repository of encryption keys, whether to meet regulatory standards or simply as internal best practice for preventing breaches.

The conventional wisdom has been that you need an on-premises solution to get the benefit of that security model. The result? Siloed information-sharing solutions kludged together by IT with ease-of-use at the bottom of the priority list -- not so good compared to dedicated cloud vendors like Box and Dropbox, which are comparatively elegant, increasingly enterprise-friendly and accessible across devices. 

"Many [customers] have recognized they want to use the cloud, but they want to maintain control over their most sensitive content," said Box's vice president of enterprise product, Rand Wacker. 

The way EKM works is straightforward, per Box's announcement: when you store a file in Box's cloud, it's encrypted with a key, and that file key is then encrypted again by a dedicated, tamper-resistant hardware appliance running in the Amazon Web Services (AWS) cloud, an appliance that only the customer has access to, complete with an unchangeable access log. When you need the file, Box asks the appliance to unlock the file key, the log gets updated, the file is decrypted and opened, and the end user has no idea anything happened at all.

[Figure: Box EKM encryption flow (source: Box)]

If someone broke into a Box EKM customer's account, they'd have a lot of useless files: ciphertext they couldn't read without the keys. And the keys they'd need are on that hardware appliance hosted in AWS, which is manufactured by Gemalto and hardened against tampering; it will wipe itself clean if some bold criminal even tried to open it or pull it out of a data center rack. Box is boasting that the Gemalto SafeNet Hardware Security Module (HSM) is up to Department of Defense standards and widely used by government agencies and contractors the world over.
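The two-layer scheme described above (a per-file key that encrypts the content, wrapped by a customer key that never leaves the HSM, with every unwrap logged) is ordinary envelope encryption. The following Go program is an added illustration written for this article, not Box's or Gemalto's code: the `hsm` type is an assumed in-process stand-in for the customer-controlled appliance, and the file name and contents are constructed sample data. It shows why the stolen files on their own are useless, and why a second customer's appliance cannot unlock them either.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// hsm is a simulated customer-controlled appliance (assumption: a real HSM does
// this in hardware). It holds the customer key (KEK), never hands it out, and
// appends every wrap/unwrap request to a log the caller cannot rewrite.
type hsm struct {
	kek []byte
	log []string
}

func NewHSM() (*hsm, error) {
	kek := make([]byte, 32) // AES-256 key, generated inside the "appliance"
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &hsm{kek: kek}, nil
}

// Log returns a copy so callers cannot edit the appliance's own record.
func (h *hsm) Log() []string { return append([]string(nil), h.log...) }

// gcmSeal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key or tampered input fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Wrap encrypts a file key under the KEK; the file ID is bound as AAD so a
// wrapped key cannot be swapped onto a different file's ciphertext.
func (h *hsm) Wrap(fileID string, dek []byte) ([]byte, error) {
	h.log = append(h.log, fmt.Sprintf("%s WRAP %s", time.Now().UTC().Format(time.RFC3339), fileID))
	return gcmSeal(h.kek, dek, []byte(fileID))
}

// Unwrap returns the file key only if the wrapped blob was produced by this KEK.
func (h *hsm) Unwrap(fileID string, wrapped []byte) ([]byte, error) {
	h.log = append(h.log, fmt.Sprintf("%s UNWRAP %s", time.Now().UTC().Format(time.RFC3339), fileID))
	return gcmOpen(h.kek, wrapped, []byte(fileID))
}

// StoredFile is all the cloud provider holds: ciphertext plus the wrapped key.
type StoredFile struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Upload encrypts the content with a fresh per-file key, then has the
// customer's appliance wrap that key; the plaintext key is discarded.
func Upload(h *hsm, id string, plaintext []byte) (*StoredFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := h.Wrap(id, dek)
	if err != nil {
		return nil, err
	}
	return &StoredFile{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Download asks the appliance to unwrap the file key (logged), then decrypts.
func Download(h *hsm, f *StoredFile) ([]byte, error) {
	dek, err := h.Unwrap(f.ID, f.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("appliance refused: %w", err)
	}
	return gcmOpen(dek, f.Ciphertext, []byte(f.ID))
}

func main() {
	customer, _ := NewHSM()
	f, _ := Upload(customer, "sales-deck.pptx", []byte("Q2 numbers (constructed sample)"))
	pt, _ := Download(customer, f)
	fmt.Printf("owner reads: %q\n", pt)

	// An attacker who steals the stored file, even with their own HSM, gets nothing.
	other, _ := NewHSM()
	if _, err := Download(other, f); err != nil {
		fmt.Println("attacker:", err)
	}
	for _, line := range customer.Log() {
		fmt.Println("audit:", line)
	}
}
```

Binding the file ID into the GCM associated data on both layers is the detail worth copying: it stops a wrapped key from one file being presented to the appliance against another file's ciphertext, and it means the audit log's file IDs actually correspond to what was unlocked.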

Any would-be attacker would have two high fortress walls to overcome. "That really is the last barrier to cloud adoption," Wacker said. 

If the customer is big enough to have a SafeNet HSM on-site already, Box said it'll integrate with that as backup, too. Box noted that AWS is only the first cloud-hosting provider it's worked with, and more options should be coming to the Box EKM sooner rather than later. 

If that sounds complicated, think of it like the ending to Ghostbusters: Box is the Gatekeeper, the Amazon-hosted appliance is the Keymaster, and when they get together, they release Gozer the Gozerian -- or your company's latest sales deck, as the case may be. 

Box EKM is available in beta now, with general availability planned for sometime this spring.
