Box on building customer trust in cloud collaboration

Phil Wainewright Profile picture for user pwainewright March 25, 2015
Cloud collaboration provider Box wants to take a lead in building customer trust in the cloud, its Chief Trust Officer told me on a visit to London

Security concept with padlocks © Maksim Kabakou – Fotolia
(© Maksim Kabakou – Fotolia)
From the earliest days of SaaS and cloud, providers have always needed a good answer to the security question. This has been especially true in the field of enterprise content management, where the documents being stored and shared often contain commercially sensitive information or valuable intellectual property.

As cloud collaboration vendor Box continues its drive into enterprise accounts it is working hard to ensure it has the answers to handle those objections — and the man in charge of delivering those answers is Chief Trust Officer Justin Somaini. I caught up with him during a visit to London earlier this month.

There's plenty to catch up on as Box has added to its arsenal of data security and protection capabilities in the past few months. But before we got into the detail of those, Somaini was careful to recall that most enterprise customers hold the cloud provider to a far higher standard of behavior than they in fact follow themselves.

Businesses have always operated with very sensitive data with third parties, but the technologies that they've been using — primarily email — as a mechanism for sending files back and forth have had some significant limitations in a security context.

There's a massive lack of visibility and control that has significant impact when you start talking about data loss from insecure business communications. Roughly 80 percent of business communication is really done over email in a general sense, so the question from a security practitioner's side is, how do I solve the real problems that exist in my business? Not just the ones that are perceived to be introduced.

Owning encryption

Justin Somaini, chief trust officer, Box
Justin Somaini, Box

One announcement that directly addresses the concerns enterprises have when handing over files to Box was the launch in beta last month of Box Enterprise Key Management (EKM). This uses SafeNet technology from Gemalto, hosted in a dedicated AWS appliance, to give enterprises exclusive ownership and control of the encryption keys used to secure their content inside Box. Somaini explained:

They have visibility into every encryption and decryption process. Whenever they want, they can terminate, but we don't have access to the keys. So it gives them the confidence in confidentiality, that they're in control.

The main thing was empowering our customers to take ownership around confidentiality than they ever had before. A lot of financial services, especially companies out of the EU, have really been wanting that.

Remembering that this had been a feature that had first been discussed around the time of the Snowden revelations of NSA spying, I wondered whether it had been a reaction to those incidents. That had been a wake-up call, he said, but Somaini saw it as just one more change in the evolving threat landscape.

I think we really need to take a look at the basic premises of security — confidentiality, how we do encryption, how we do authentication, how we do logging and analytics — a whole wide spectrum — to really say, it's not just this one issue but there's probably a whole bunch of things that we've been living with for a long time or could happen in the future that we just want to start to architect out, if we have not done it in the past.

I don't necessarily feel that EKM, today, is a response to Snowden as opposed to a proper traveling point in that journey to do what we really should do, which is truly drive confidentiality to the greatest degree that we can to our customers' enablement.

Because next year it'll be something else. Five years later, it'll be something else. Being reactive like that never helps anybody, but how we truly go down that journey is probably the right strategic decision.

Mobile content

With content becoming accessible from an ever-expanding spectrum of mobile devices, Box's acquisition earlier this month of startup Subspace added another useful security function. This was effectively an 'acqui-hire' of a seven-strong team that has pioneered the use of containerized browser technology for protecting content accessed from laptops, mobile phones, and tablets. Somaini explained how it works:

So for instance you're sharing content out with a third party, you want to have certain indicators of whether that device is healthy, where is that device, who's on that device.

Also with your own devices, how do I harden and lock that down in context of the content? Is it highly sensitive data or is it public data? Maybe that makes a change in your policy.

So as we move on that journey, Subspace was actually a very good focus and stepping point for how we build out that visibility and that control between the endpoints, the content and how we manage it.

It'll be very interesting to see how the market plays out as consumer devices drive more into corporations. How do those leading-edge customers adapt from a management of end-user computing? That's just the journey that we're on in this client-cloud and consumerization, that story isn't fully told yet. We're evolving.

To help customers in that process of evolution, December saw the launch of Box Trust, an ecosystem of security partners and solutions that work with the Box service. Enterprises need help in identifying how to extend security across cloud applications and services, said Somaini. While there are some functions Box has to provide and manage within its own service, many are better delivered horizontally across multiple services.

How does a customer, a CISO, or a security customer, say I just want to do what I've always done, [but do it] in this new world. There's a couple of interesting things that come about where the onus of that integration which used to be on the security practitioner side, is now what we call partnerships.

So it's really a roadmap at an architectural level, giving guidance from an industry perspective. Your controls don't change, but who you deal with does.

From a Box perspective, [we're saying], here are the partnerships that we have, to provide those legacy controls that you've always been expecting.

There are things that are very specific to the application service that we need to build in, and have and own ourselves. But other things maybe are more horizontal.

Data privacy

Finally, since we were meeting in Europe, the conversation strayed onto the territory of data protection, privacy and regulation. Somaini told me:

I think the conversation around privacy is a signficant one — it's actually a very enjoyable conversation that I have in the EU, that maybe we should have more of probably in the US and other countries. Out of that comes a lot of conversation points around jurisdiction, localization, and where does the data actually sit so we can control it?

These were questions the industry should solve rather than leaving them to governments, he felt.

It's really about how do we as an industry mature to the level where the protection of that becomes so significant that we don't really have that fear. That's a more important conversation.

We absolutely want to empower our customers' internal requirements as well as regulatory requirements with their specific jurisdiction. But if we wait for a balancing cloud security agreements or even regulatory issues, that's very reactive in a lot of ways, where they're chasing the problem.

We really want to be solving the problems that exist today and in the future. We want to lead by example versus waiting for consensus.

Image credits: Digital padlocks © Maksim Kabakou -; headshot by Box.

A grey colored placeholder image