Box Security

Owned by Lee Raymond
Last updated: Nov 20, 2012 by Kara.BilottaVersion comment

Go to the source!

This is a direct excerpt from: http://www.internet2.edu/netplus/box/features.html

Assessment of "PI" data and Box.net

EI has contacted the Information Security and Information Steward team for some guidance here.

From Box.net

Security
All of the following security mechanisms were reviewed by CISO representatives from each of the early adopter campuses:

Box hosts its servers at multiple geographically separated, enterprise-grade data centers in the United States with a 99.9% network uptime guarantee, ongoing audits and 24x7x365 monitoring and video surveillance. Data is stored on a secure internal storage cluster behind an enterprise-grade firewall, with redundant connections to multiple Internet backbones. The software passes every request through a carefully audited verification code, which ensures that the user is authorized for the action requested. Box stores local snapshots of data and backs up all data daily to an additional facility in a third location.

All user data is stored in encrypted form. Keys are held by Box under strictest security.

256-bit Secured Socket Layer (SSL) encryption is used on the data between the end user and Box. Indexing of public files by search engines or robots is disallowed, and all filenames are encoded once they arrive on Box's servers.

When you upload a file to Box, it is private by default and encrypted when stored. Your files are only accessible to others if you share them or make them public. You can make any shared file private again, or modify it so a password is required to access it. If you share a file using a link, that link will contain a unique ID made up of a randomly generated combination of letters and integers so humans cannot guess the location of those files. While Box holds the keys to encrypted data, this is held under strictest physical and personnel security and is only used when permission is granted by the member institution.

Box uses proven password and privilege techniques to validate access to all application data. University administrators have full console access to set user privileges, limiting what individual account holders can see and do on Box. The application determines access and presents only data the user has permission to see. For further security, an administrator can set role-based permissions so that some viewers may only view data, not edit it. With the Enterprise edition, Box also displays a list of all the primary actions of each of its users (download, upload, delete, log-in, etc.), giving administrators oversight on usage in their accounts.

FERPA, HIPAA and Grant Requirements
FERPA requirements are supported as of service general availability.

Box does not have a HIPAA Business Associate Agreement in place because all data is fully encrypted and Box will not access the data unless permission is explicitly granted by the institution. In addition, you as the customer have to implement Box (leveraging the tool sets provided) in a manner that is HIPAA compliant. Box cannot guarantee that each customer will leverage the appropriate tool sets to configure and implement Box to ensure HIPAA compliance.

We believe that Box is compliant with most grants, although specifics should be checked by the institution.

To learn more about Box's technology and their efforts to empower customers to be HIPAA compliant, go to https://www.box.net/shared/0uanfcz9nz7ayygj902n.

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.