SAFELY ENABLING BOX: THREE “MUST-DO” BEST PRACTICES
© Netskope 2015

Organizations seeking enterprise file sharing and collaboration solutions are rapidly standardizing on Box. Whether a Fortune 500 healthcare organization enabling productivity-enhancing medical imaging workflows, a media organization collaborating on pre-production content, or a legal firm managing contracts and legal documents, enterprises are using Box to be more productive and create a competitive advantage in their markets.

Box is enterprise-ready by all objective measures. It is rated “high” in the Netskope Cloud Confidence Index, a yardstick adapted from the Cloud Security Alliance. The platform boasts key third-party certifications and has made security an utmost priority.

In today’s model of shared responsibility, in which the app vendor is responsible for inherent app enterprise-readiness and the organization is responsible for how users interact with it, IT needs to maintain visibility and control by governing access, protecting sensitive data, and detecting and managing threats within the platform and across its ecosystem.

Here are three best practices and their underlying details gleaned from joint Netskope and Box customers for safely enabling Box and its ecosystem in their enterprises. There are three “must do” best practices:
1. Extend your access and usage policies to Box
2. Protect data in Box and its ecosystem
3. Detect and manage security threats

1. EXTEND YOUR ACCESS AND USAGE POLICIES TO BOX

Extend your best identity and access management practices to Box and its ecosystem. Here are seven that matter:

1. Right-size your administrative privileges. Ensure that you know who your Box administrators are, and employ a “least privilege” model to what they can do in the platform and its ecosystem of integrated apps.

2. Extend single sign-on to Box and its ecosystem. Manage and secure access to Box and its ecosystem with a leading single sign-on solution. This will help you provision and de-provision users easily, ensure that only the right people have access to your most business-critical apps, and simplify the experience for your users.

3. Consolidate redundant corporate Box instances while allowing personal Box usage. If you are standardizing on Box, find and consolidate the corporate instances of Box while allowing users to continue accessing personal instances. Differentiate between instances, and roll up corporate usage onto your instance so you can more easily monitor activity, enforce policy, and enhance collaboration.

4. Coach users to your corporate instance of Box. Find unsanctioned cloud apps that provide similar functionality to Box, or redundant corporate instances of Box, and create an automated workflow to send coaching messages to users guiding them to your corporate instance. Make that workflow flexible by allowing users to report a false positive or enter a business justification (for example, if they are collaborating with a partner in the partner’s app). By creating transparency and enabling users to provide feedback, your program will have a much higher chance of success.

5. Enforce access and usage policies granularly. Enforce policies granularly based on user or group, device, geography, activity, content, and more. For example, if you want to prevent “insiders” from sharing content outside of the company, enforce a “Don’t share outside of the company” policy for that group. And if you want people only to upload content to Box but not to other Cloud Storage and Collaboration apps, set a category-wide policy preventing upload, except to Box. Remember to extend usage policies you set in Box to ecosystem apps that may share data with the suite, such as e-signing, content management, and project management workflows.

6. Log all access and usage activity for admins and users. Provide granular, detailed audit logs for all user and admin activity across Box and its ecosystem.
Consider logging access and activities across all cloud apps in order to identify risky behavior and security incidents involving Box and other apps. For example, if a departing user downloads confidential content from your corporate instance of Box, uploads it to a personal Cloud Storage app, and then shares it with his new employer, you’ll want to identify that in your post-event audit.

7. Enforce access to corporate and personal instances of Box by device type, classification, characteristics, and status. Provide different levels of Box access based on these device segments. For example, offer full access for corporate-issued devices but limit to web-only for personally-owned devices, offer access to your corporate instance of Box for corporate-issued devices but limit to personal instances for personally-owned devices, or distinguish between devices that have certain characteristics, such as full disk encryption enabled, and offer broader access to those.

2. PROTECT DATA IN BOX AND ITS ECOSYSTEM

Protect sensitive content like personally identifiable information (PII), protected health information (PHI), payment card information (PCI), and source code in Box and across the ecosystem. Here are five considerations:

1. Find and secure sensitive content in Box. Perform a retroactive scan and identify sensitive content at rest in Box, whether it was uploaded yesterday or two years ago. Use best-in-class DLP that includes content fingerprinting, exact content matching, and, if you do business in foreign countries, international support. Classify that content according to your sensitive content profiles. Once you understand what content is there and who has access, take action to secure it by disallowing public access, reducing sharing permissions, filtering and limiting access for certain individuals, encrypting it, quarantining it for review or further analysis on-premises, making a copy for legal hold, and so on.

2. Find and secure sensitive content en route to or from Box. Identify sensitive content on its way to or from Box, and block, alert, require user justification, encrypt, or quarantine that content based on user, group, location, device, etc. For example, allow download of sensitive content from Box but disallow upload to another app and/or a personal instance of Box, allow download of sensitive content to corporate-issued devices but not personally-owned ones, or allow download of sensitive content by employees but not contractors.

3. Protect data across your Box ecosystem. When you enforce your DLP policies in Box, extend those policies across all of the apps that integrate and share data with Box. Apps such as e-signing, content management, and project management workflows are prime candidates. For example, if you’re enforcing a “Don’t download to unmanaged mobile devices” policy in Box, consider enforcing it in a workflow app that may route that same content to users outside of Box. Take similar action (block, quarantine, etc.) on DLP violations in those apps.

4. Integrate with on-premises DLP and incident management solutions. If you have on-premises DLP and incident management solutions, enable automated workflows to shuttle suspected DLP violations from the cloud to your on-premises solution via secure ICAP for further analysis. This reduces false positives, increases accuracy, and enhances the value of your existing DLP investments. Also, enable automated incident management workflows, such as remediation ticketing, when a cloud DLP violation occurs.

5. Alert and coach users. Except in certain situations (e.g., certain types of legal hold), it is always a good idea to alert users. If you are quarantining files containing suspected DLP violations, alert file owners or collaborators. If you are blocking an activity, say why. Give users an opportunity to provide feedback, such as reporting a false positive or entering a business justification.
3. DETECT AND MANAGE SECURITY THREATS

Identify and remediate internal and external security threats surrounding Box and its ecosystem. Here are three things to remember:

1. Protect Box from risky users. Institute protections against risky users, including ones who have had their account credentials compromised in a data breach. According to Netskope, 13.6 percent of enterprise users have had their credentials stolen in a breach outside of their organization. Know who those users are and make sure they have updated their Box passwords. Better yet, if you have a single sign-on program, initiate an automated workflow to change those users’ login credentials automatically.

2. Quarantine content uploaded by risky users. Quarantine content uploaded by risky users, including those whose account credentials have been compromised. From there, you can conduct a workflow to verify the authenticity of the content and ensure that the action is intended by the user and not malicious.

3. Detect anomalous behavior in Box and its ecosystem. Detect anomalies that could signal security threats, data leakage, or even the presence of malware. Prioritize anomalies from highest to lowest risk. Focus on activity-based anomalies such as excessive downloading or sharing, users logging in from multiple locations or devices, and failed logins. View activity trails surrounding anomalies in context (e.g., user, group, device, location, app, content) to understand how the anomaly happened, determine remediation, and report on it for security and compliance. Use this information to enhance your policies.

By extending the best practices you employ in your environment today to Box, its ecosystem, and your other business-critical apps, you can safely enable the cloud for your enterprise.

Want to learn more? Contact us to see a Netskope for Box demo today!

© Netskope 2015 all rights reserved. 08/15 EB-83-1
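As an added illustration (not Netskope or Box code) of two audit-log scenarios in this guide, the departing user who downloads from the corporate Box instance and then uploads to a personal cloud storage app, and the activity-based anomalies listed above, here is a small detector that runs over a constructed audit trail and ranks its findings from highest to lowest risk. The event format, thresholds and risk scores are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail for illustration only (not real Box, Netskope
# or customer data). Fields: time, user, app, instance, activity, location.
EVENTS = [
    ("2015-08-03T09:00", "alice", "Box", "corporate", "login", "Boston"),
    ("2015-08-03T09:05", "alice", "Box", "corporate", "download", "Boston"),
    ("2015-08-03T09:06", "alice", "Box", "corporate", "download", "Boston"),
    ("2015-08-03T09:07", "alice", "Box", "corporate", "download", "Boston"),
    ("2015-08-03T09:08", "alice", "Box", "corporate", "download", "Boston"),
    ("2015-08-03T09:30", "alice", "CloudStorageApp", "personal", "upload", "Boston"),
    ("2015-08-03T10:00", "bob", "Box", "corporate", "login", "Boston"),
    ("2015-08-03T10:20", "bob", "Box", "corporate", "login", "Kiev"),
    ("2015-08-03T11:00", "carol", "Box", "corporate", "login_failed", "Boston"),
    ("2015-08-03T11:01", "carol", "Box", "corporate", "login_failed", "Boston"),
    ("2015-08-03T11:02", "carol", "Box", "corporate", "login_failed", "Boston"),
]
# Assumed risk ranking, highest first, so findings can be prioritised.
RISK = {"cross_app_exfil": 5, "excessive_download": 4,
        "multi_location_login": 3, "failed_login_burst": 2}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def burst(times, n, minutes):
    # True if any n consecutive timestamps fall inside a window of `minutes`.
    times = sorted(times)
    return any((times[i + n - 1] - times[i]).total_seconds() <= minutes * 60
               for i in range(len(times) - n + 1))

def detect_anomalies(events, dl_n=4, fail_n=3, window=60):
    # Thresholds are assumptions; returns (risk, user, kind), highest risk first.
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        corp_dl = [parse(ev[0]) for ev in evs
                   if ev[4] == "download" and ev[3] == "corporate"]
        if burst(corp_dl, dl_n, window):
            findings.append((RISK["excessive_download"], user, "excessive_download"))
        if burst([parse(ev[0]) for ev in evs if ev[4] == "login_failed"], fail_n, window):
            findings.append((RISK["failed_login_burst"], user, "failed_login_burst"))
        if len({ev[5] for ev in evs if ev[4] == "login"}) > 1:
            findings.append((RISK["multi_location_login"], user, "multi_location_login"))
        # Departing-user pattern from the guide: corporate download, then a later
        # upload to a personal cloud storage app by the same user.
        if corp_dl and any(ev[4] == "upload" and ev[3] == "personal"
                           and parse(ev[0]) > min(corp_dl) for ev in evs):
            findings.append((RISK["cross_app_exfil"], user, "cross_app_exfil"))
    return sorted(findings, key=lambda f: -f[0])
```

In practice the audit trail would come from the Box and ecosystem app logs the guide asks you to collect, and each finding would be reviewed with its surrounding activity trail before remediation.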