Box gets customer-managed key encryption
Box's EKM (Enterprise Key Management) uses a hardware security module (HSM) from Amazon Web Services, a device that sits on the customer's premises and holds the keys to the encrypted data. Previously, customers relied on Box to encrypt their data, and Box held the keys; now customers can hold the keys themselves, on their own premises.
"Yes this is significant news," says Adrian Sanabria, a security analyst at 451 Research Group. "I'd say that client-side encryption has been a major obstacle to increased cloud/EFSS (Enterprise File Synch and Share) adoption."
+ MORE AT NETWORK WORLD: How the cloud is changing the security game +
Box launched the beta of the program after developing it for more than three years, CEO Aaron Levie wrote in a blog post announcing it. Interested customers deploy AWS's HSM; once the hardware is installed on their premises, any data sent to Box is encrypted, and Box sends the keys needed to decrypt that data to the customer for storage in the HSM. The HSM keeps immutable audit logs, so customers can track exactly when the keys are used.
Sanabria says that because EFSS vendors such as Box and Dropbox have not given customers the option of holding their own encryption keys, a market of third-party vendors has sprung up to provide that service. Box coming out with its own answer could siphon off some of that market, which includes vendors like nCrypted Cloud, SafeMonk, Sookasa, PKWARE's Viivo and others, he says.
But EKM will not be cheap. Box has not announced pricing, but AWS's HSM starts at about $5,000 up front with monthly payments of around $1,300, Sanabria notes. That will confine Box's EKM to its largest customers; Sanabria estimates that those spending more than $30,000 a month on Box are the ones most likely to be interested.
It also may not satisfy the most security-conscious customers. While Sanabria says EKM greatly reduces the chance of a data leak when using Box, it does not eliminate it. If Box were compromised, an attacker could theoretically access customer data before Box sends the encryption keys to the customer's HSM. A rogue employee at Box is an omnipresent threat. EKM is also a Box-specific solution; customers may prefer a service that can manage keys across multiple vendors.
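The arrangement described above (per-file encryption at the provider, with the keys that unlock each file held in a customer-controlled HSM that logs every use) is the envelope-encryption pattern, and the caveat is visible in it too: the provider still handles an unwrapped key in memory while it serves a request. The following is an added illustration written for this article, not Box's or AWS's code. It assumes a stdlib-only stand-in cipher (HMAC-SHA256 in counter mode with an HMAC tag, in place of AES-GCM) and the invented class names CustomerHsm and CloudProvider.

```python
"""Envelope encryption with a customer-held key-encryption key (KEK).

Illustrative only (not Box's implementation). Each file gets a random
data-encryption key (DEK); the provider stores ciphertext plus the DEK
wrapped under a KEK that never leaves the customer's HSM stand-in, and the
HSM logs every wrap/unwrap so the customer can see exactly when keys are used.
"""
import hashlib
import hmac
import secrets
import time


# ---- Stand-in authenticated cipher (assumption: used in place of AES-GCM) --
def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Output: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant-time) before decrypting; raise on any mismatch."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# ---- Customer side: the HSM holds the KEK and the audit log ---------------
class CustomerHsm:
    """Hypothetical stand-in for the customer-controlled HSM."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)  # never exported from the HSM
        self.audit_log: list[tuple[float, str, str, str]] = []  # append-only

    def wrap(self, dek: bytes, requester: str, file_id: str) -> bytes:
        self.audit_log.append((time.time(), requester, "wrap", file_id))
        return seal(self._kek, dek, aad=file_id.encode())

    def unwrap(self, wrapped: bytes, requester: str, file_id: str) -> bytes:
        self.audit_log.append((time.time(), requester, "unwrap", file_id))
        return unseal(self._kek, wrapped, aad=file_id.encode())


# ---- Provider side: stores only ciphertext and wrapped DEKs ----------------
class CloudProvider:
    """Hypothetical stand-in for the storage service."""

    def __init__(self, hsm: CustomerHsm) -> None:
        self.hsm = hsm
        self.store: dict[str, tuple[bytes, bytes]] = {}

    def upload(self, file_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)  # caveat: plaintext DEK lives here briefly
        ct = seal(dek, data, aad=file_id.encode())
        wrapped = self.hsm.wrap(dek, "provider", file_id)
        self.store[file_id] = (ct, wrapped)  # no plaintext key is persisted

    def download(self, file_id: str) -> bytes:
        ct, wrapped = self.store[file_id]
        dek = self.hsm.unwrap(wrapped, "provider", file_id)  # logged by the HSM
        return unseal(dek, ct, aad=file_id.encode())


def provider_dump_decrypts(store: dict, file_id: str, guessed_kek: bytes = b"\x00" * 32) -> bool:
    """What a full dump of the provider's storage yields without the HSM: nothing."""
    ct, wrapped = store[file_id]
    try:
        dek = unseal(guessed_kek, wrapped, aad=file_id.encode())
        unseal(dek, ct, aad=file_id.encode())
        return True
    except ValueError:
        return False


def unwraps_for(hsm: CustomerHsm, file_id: str) -> int:
    """Customer-side check: how many times has a given file's DEK been unwrapped?"""
    return sum(1 for _, _, op, fid in hsm.audit_log if op == "unwrap" and fid == file_id)
```

A dump of the provider's store (ciphertext plus wrapped DEKs) is useless without the KEK, which is the protection the article describes; the residual exposure is the DEK that upload() and download() hold in memory while a request is served, which is the window Sanabria points to. The audit log is what lets the customer notice unwraps they did not expect.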
451 encryption analyst Garrett Bekker reckons these reasons will keep a market of third-party security vendors alive for the most security-sensitive customers. For Box customers who want some protection but don't need a Cadillac, it could be attractive.
Box competitors are quick to poke holes in the offering as well. Intralinks, which has its own cloud-based enterprise collaboration offering, provides customers a key-holding device directly. Customers who use Box's EKM partner with Amazon, which in turn partners with another company, SafeNet; a key management solution from Box thus hands customers two new partners. "For something as important as the keys used to encrypt a customer's data, that seems like two extra steps that, again, add risk and vulnerability," Todd Partridge, director of strategy at Intralinks, said in a statement.