Box has been talking for more than year about letting its customers manage their own encryption keys, allowingthem to store data in the cloud while maintaining control over who gets to access it. <\/p>\n
This isnt a straightforward problem to solve, because Boxs whole business is built on making it easier to share data and collaborate. The strictest security controls could eliminate the reason 44,000 companies are paying Box. <\/p>\n
Today, Box says it has a new product that gets the job done. Called Enterprise Key Management (EKM), the service puts encryption keys inside a customers own data center and in a special security module stored in an Amazon data center. The Box service still must access customers data in order to enable sharing and collaboration, but EKM makes sure that only happens when the customer wants it to, Box says. <\/p>\n
When asked if the service would prevent Box from handing data over to the government, acompany spokesperson said, Unless the customer provides authorization to Box to provide the content thats asked for, Box is prevented from sharing the content. When customers use Box EKM we are not able to provide decrypted content because we dont have the encryption keys protecting the customers content. <\/p>\n
Without EKM, Box could be forced to hand data over to the government without notifying the customer if the government request is valid and requires Box to keep it secret. <\/p>\n
As Box describes it, EKM would make it a lot harder to hide government requests. The service is being used in beta by about 10 businesses, including Toyota and World Bank Group, and will be generally available to Box enterprise customers in the spring for an added fee. <\/p>\n
Box has 48 percent of the Fortune 500 as customers, with millions of individual users, but there are still some customers that cant adopt the cloud, super regulated businesses in financial services, some very large energy companies, some major insurance companies, obviously government agencies and departments, Box cofounder and CEO Aaron Levie told Ars. <\/p>\n
These customers want more control over file encryption, but \"the challenge is a bunch of these solutions essentially break what we're really good at, which is our end user experience,\" Levie said. \"A lot of our in-line security capabilities like virus scanning, content previewing, and information rights management, all the capabilities where we add on top of your content, tend to break down in a world where we're not helping you manage that encryption.\" <\/p>\n
EKM relies on a Hardware Security Module (HSM) made by SafeNet, which is placed inside Amazon's CloudHSM service. Unlike most Amazon cloud services, this one gives each customer dedicated hardware. <\/p>\n
CloudHSM \"allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management,\" Amazon says. \"You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you.\" <\/p>\n
<\/p>\n