Box using Box: How we deployed Box Shield internally
The way we work is faster and more distributed than ever before, making the challenge of protecting sensitive data even more complex. As valuable information flows in and out of the organization - across teams, partners, vendors, and customers - the old-school approach to information security isn’t enough.
That’s why we built Box Shield - to help our customers reduce risk and protect the flow of information without slowing down the business. Box Shield is our advanced security offering that helps customers protect their most sensitive data, prevent data leaks using classification-based controls, and detect potential threats such as data theft and malware. Like our customers, it's absolutely critical for us to protect our sensitive data. That includes employee data, customer data, intellectual property and more.
So, how did we deploy Box Shield internally to reduce risk, and what did we learn in the process? Let’s dive right in.
Customer Zero Mindset
With a true “customer zero” mindset, our IT and Security teams were early adopters of Box Shield, deploying the solution a few weeks ahead of the product being generally available to all 2,500 Boxers. Our primary goals for the roll out of Box Shield internally were to reduce risk while maintaining business agility as well as increase security-conscious awareness and behavior. In addition to that, we wanted to collect feedback and understand any areas of improvement ahead of bringing the technology externally.
Defining the right number of classifications is critical
Rather than starting with classification categories out the gate, our team consisting of IT, Security, and Program management professionals first assessed restrictions imposed by teams across the business to protect content. For example, content for internal users only, content shared for external sharing, content with a watermark applied and so on. The project team met with stakeholders across the business to identify relevant classifications for Box. After an initial pass, more than 10 classifications had been identified.
But did we really need 10+ classifications? After a few more reviews, the project team was able to get stakeholder-wide consensus to reduce the number of classifications to just five addressing all previously identified use cases. A critical next step was finalizing classification titles and descriptions. At the end of this thorough exercise, the team landed on the following five classifications and since has been applying to all Boxer content:
- Sensitive [Limited to internal collaborators only]
- Box-Only [Prohibits external access]
- Collaborators-Only [Limited to collaborators only]
- Short-Term Sharing [Permits externally shared links]
- Public [No Limits]
Hanisha Hirani, Program Manager in charge of the internal roll out, explained, "We wanted to prevent any second guessing when applying classification labels to content. We put a lot of effort into choosing the simplest classification labels and applied a consistent syntax to classification descriptions first highlighting the classifications key use case followed by additional details."
Connecting Box Shield with critical apps such as Splunk
Our security team leverages Splunk for security information and event management (SIEM). In addition to deploying Box Shield, we also deployed the Box Shield Add-on for Splunk which allows us to ingest Shield's alerts on suspicious behavior and changes to security classifications directly into Splunk. These events are mapped to the Splunk CIM data models to enable unified reporting.
Following the internal go-live of Box Shield, including connecting it to Splunk, Ben Walter, Sr. Director, Trusted Products and Platforms at Box and executive project sponsor explained, "The introduction of Box Shield has enabled us to better monitor, control and protect content without compromising the user experience. This is particularly important to provide our users frictionless security collaborating from more devices and remote locations than ever before. Box Shield’s adaptive security controls and threat detection enable us to a) significantly reduce the risk around employee negligence or inadvertent disclosures, and b), act on potential issues rapidly."
Security is part our DNA
At Box, we build security into everything we do – not only our products, but also our internal operations that protect our most sensitive data. In this case, our IT and Security teams were able to deploy Box Shield as “customer zero” and with that further strengthened our security posture and take Box Shield to the next level. We learned that rolling out a simple set of classifications empowers employees to make smart, secure choices with content. And that it was easy to integrate Box Shield with existing solutions such as Splunk, to improve monitoring and visibility into potential threats.