Box wants to let businesses control cloud encryption keys “this year”

Box CEO Aaron Levie told Ars last September that the cloud storage company is trying to build a service that would let customers store data in Box data centers but would keep encryption keys in-house. Today, he said it might be available before the end of this year.

Such a system could make it impossible for Box to turn customer data over to the government in a readable format. "In the history of our entire company this has never happened to an enterprise customer," he said, referring to blind subpoenas in which the government demands access to a customer's data without that customer being told. But government requests are still a risk.

"We are working on an encryption key solution right now. We're still figuring out the exact details of how we want to integrate it with a customer environment. We do see that for very large or sensitive organizations that this is going to be an important solution for them," he said.

Levie wasn't ready to promise an actual product last September, noting that it's hard to design without undermining the Box collaboration tools that make storing data with the company a worthwhile proposition. Box has apparently made some progress, though, as today he said the more secure service is "on the roadmap right now. I think we're looking at this year, probably."

Levie was speaking during a Q&A at the InformationWeek Conference in Las Vegas, which is being hosted alongside the annual Interop show.

"This is something we want to get right, so there's a lot of moving pieces," he said. "We're very sympathetic to the issue of encryption keys; we respect that there are definitely environments where it's really important."

Last year, Levie told Ars that Box is architecturally similar to "Google or Microsoft in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key, because as a collaborative application we have to broker that exchange between multiple users. To make it a seamless experience, it requires us to have those keys."

There are ways for businesses to use collaborative cloud storage services without trusting encryption to the provider. One product called Syncdocs encrypts files users store on Google Drive, but it comes with some tradeoffs. "If you forget your password, there is no known way to recover your data or password," Syncdocs says in an FAQ. "This also removes the ability to access files in the Google Drive browser interface, so you need a secure program on your PC to access them," the company says. "We are working on Web browser access, but it will not be as secure."

WatchDox, an enterprise file sharing and collaboration company that competes against Box, offers both cloud storage and virtual appliances that customers can use to secure data on their own hardware. In one scenario, customers can control encryption keys in a hardware security module that is in the customer's facilities but connects to the cloud storage in WatchDox's data centers, similar to the service Levie wants to build. WatchDox described this capability to Ars last year, but it doesn't appear to be as heavily advertised as WatchDox's other services.

A new company called Tresorit last year also started offering cloud-based collaboration, with encryption taken care of on customers' devices before data is uploaded to the cloud. Additionally, CipherCloud adds security features to Box "while giving you exclusive control over your encryption keys." Once uploaded to Box, files can be accessed and decrypted by authorized users.
