Box gets customer-managed key encryption

Brandon Butler

Fresh off its initial public offering, cloud file synch, share and storage company Box has a new Enterprise Key Management (EKM) offering out this week that analysts say could ease customer concerns about using a cloud-based service.

Box's EKM uses Amazon Web Services' Hardware Security Module (HSM), a device that sits on customers' premises to hold keys to encrypted data. Previously, customers relied on Box to encrypt their data and Box held the keys; now, customers get to hold the keys on their own premises.

"Yes this is significant news," says Adrian Sanabria, a security analyst at 451 Research Group. "I'd say that client-side encryption has been a major obstacle to increased cloud/EFSS (Enterprise File Synch and Share) adoption."

Box launched the beta of the program after developing it for more than three years, CEO Aaron Levie wrote in a blog post. Interested customers will deploy AWS's HSM; once the hardware is installed on customers' premises, any data that is sent to Box will be encrypted, and Box will send the keys to decrypt the data to the customer for storage in the HSM. The HSM comes with unchangeable audit logs, allowing customers to keep track of exactly when the keys are used.

Sanabria says that, in the absence of EFSS vendors like Box and Dropbox giving customers the opportunity to hold their own encryption keys, a market of third-party vendors has sprouted up to provide these services. Box coming out with its own answer could siphon off some of that market, which includes vendors like nCrypted Cloud, SafeMonk, Sookasa, PKWARE's Viivo and others, he says.

But EKM will not be cheap. Box hasn't announced specific pricing details yet, but AWS's HSM starts at about $5,000 with monthly payments of around $1,300, Sanabria notes. That will relegate Box's EKM to its largest customers; Sanabria estimates those who spend more than $30,000 monthly will likely be most interested in this service.

It also may not satisfy the most security-conscious customers. While Sanabria says EKM greatly reduces the chances of a data leak when using Box, it does not eliminate them. If Box were to be compromised, a hacker could theoretically access customer data before Box sends the encryption keys to the customer's HSM. A rogue employee at Box is an omnipresent threat. EKM is also a Box-specific solution; customers may prefer a service that can manage keys across multiple vendors.

451 encryption analyst Garrett Bekker reckons these reasons will keep a market of third-party security vendors alive for the most security-sensitive customers. For Box customers who want some protection but don't need a Cadillac, it could be attractive.
