Box to Let Enterprises Bring Their Own Keys to the Cloud

Box on Tuesday raised the curtain on a new offering that allows its enterprise customers to control the digital keys used to encrypt their data stored in the storage provider’s cloud.

Box is working with Amazon Web Services and Gemalto to bring to market the solution, called “Box Enterprise Key Management,” and give its most security-minded customers total control over the keys used to encrypt data they store on Box.

“Industries like finance, government, legal and healthcare are facing a new set of challenges when it comes to establishing control over their content — and who can access it — without hindering collaboration and productivity,” Aaron Levie, Box co-founder and CEO, said in a statement.

“With Box EKM, we’ve removed the final barrier to cloud adoption for industries that require the highest levels of protection over their information,” he added.

Gaining Street Cred

With the addition of bring your own key (BYOK) to its services, Box is raising the bar for all cloud storage providers, a report released Tuesday by Forrester Research maintained.

“Box’s announcement of customer-controlled encryption keys is a tipping point for further expanding the market availability and reach of cloud-based file sharing and collaboration solutions,” analysts Tyler Shields and Heidi Shay wrote in the report.

They contend that enterprise buyers aren’t the only ones who will benefit from Box’s move.

“When one of the leading file sharing and collaboration vendors adds a feature as needed as this one, all vendors will quickly follow suit,” they noted. “This move raises the bar for security in all cloud offerings and delineates the enterprise security-ready leaders from the laggards.”

“With this added security street cred, Box is primed for a position of dominance in the market for securely hosting enterprise data,” they added.

Expanding Niche

Control of data placed in clouds operated by third parties has been a hang-up for enterprises for years. Some enterprises just don’t trust someone else with their data. Compliance with government and industry rules prevent others from using the public cloud.

“That’s why during the past year, there has been so much excitement for bring-your-own-encryption (BYOE) solutions — solutions that enable [security and risk] pros to retain control of their encryption keys and, thus, retain control of the security state of their data, regardless of its storage location,” the Forrester report explained.

“To date, BYOE solutions have come primarily from startups and data security specialists, but in the coming days and weeks, many cloud vendors will offer their own functionality for customer-managed encryption keys,” it added.

Control of the keys used to encrypt data sent to the cloud can be especially important during legal proceedings. “If a subpoena is issued to a company, their attorneys get to review it, and they can negotiate for how they fulfill that subpoena,” explained Nick Stamos, co-founder of nCrypted Cloud.

“If the data’s available to a cloud provider, pretty much any cloud provider will hand your data over without any negotiation,” he told the E-Commerce Times.

Undoing Snowden’s Damage

More than legal concerns are prompting organizations to demand control of the keys they use to scramble their data. “Companies in financial services, healthcare, and in countries with privacy laws need to meet compliance mandates,” said Willy Leichter, global director of cloud security for CipherCloud. “There are stiff financial penalties if they don’t meet them.”

“Companies are also concerned about their intellectual property, and with all the breaches we’re seeing these days, nobody wants to be the next one in the news, so encryption is becoming a hot topic across the board,” he told the E-Commerce Times.

Giving customers control of their encryption keys could have another benefit for U.S. cloud providers whose reputations were sullied by revelations that they’ve been targeted by their country’s intelligence agencies.

“With countries adopting data sovereignty legislation dictating that certain content has to stay in the geographical confines of that country, a customer-managed key solution may be acceptable to them to meet those data sovereignty obligations,” said Todd Partridge, director of product marketing at Intralinks.

“If a company can prove to regulators that the keys that encrypt their data never leave their geographic confines,” he told the E-Commerce Times, “does it matter where the content is stored?”

A spokesperson for Box was not immediately available to comment for this story.