At Box, we take the security of our customers' data incredibly seriously, and today we want to share a few important best practices when sharing content with "public/open" permissions on Box. This is especially important if you are using public Custom URLs to share files and folders, as these links can potentially be found by people you did not intend to provide access. We also want to share product improvements we're making in the near and long-term to ensure the security of customer data.
Today, Box offers a variety of methods for securely sharing content, including collaborating with users directly via their email address and generated shared hyperlinks to files and folders. Box Shared Links allow you to share hyperlinks to content stored in Box with people both inside and outside the company, and we provide a variety of security controls our users can choose based on the sensitivity of the content they are sharing. In addition to user-level security controls, company Box administrators can apply enterprise wide security controls on Shared Links, and you can always configure access controls on a Box Shared Link as follows:
- People with the link (public/open) - Anyone with the link can access the item and no Box account is required. Only use for content you intend to be publicly available.
- People in your company - Users within your same Box enterprise and users who have a Box account with the same email domain will be able to access content.
- People in this folder/file - Only Box users who have been invited to the specific item (folder or file) can access the content.
While Box has many methods for users and enterprises to lock down content to a limited set of recipients, our public/open link setting enables content to be shared more widely, and it's important to understand how and when these features should be used.
Sharing Public/Open Links from Box
Sometimes, users want to share files or folders with external parties or more broadly, and will set shared link (that are 32 randomly generated alphanumeric characters) permissions to public/open. As with other cloud sharing platforms, a secured shared link is generated and only accessible to any party that has been directly shared with. Additionally, users and enterprises can enable advanced security controls on these links, such as password-protection and expiration policies to auto un-share content at a certain point.
While these links can only be discovered by the users that they're directly shared with, if you create an open shared link and post it on a publicly accessible webpage, then as with any other web URL, this link will be indexed by search engines like Google. If you do not want open shared links to be indexed by a search engine, then these links should not be posted on public websites.
Custom Shared URLs on Box
The "Custom Shared Link" feature is a means of changing default secure shared links to more easily discoverable, user-defined web addresses. This feature is intended to be used only for content that customers are looking to make easily accessible to large groups (publicly or privately) using a customized URL. For instance: if you're a car company distributing public press releases for a product launch or a media agency sharing a portfolio of content, custom shared links make it easy to publish content to your audience.
This feature is not meant to be an alternative to secure sharing within Box, either by directly inviting a collaborator via email or by sharing a secure shared link. When using this feature and sharing with "open/public" permissions, it's important to not put any sensitive or private information into the files or folders that are shared as these custom shared URLs can be easily guessed by outside parties.
Improvements We're Making for Shared Link Security
We're always striving to improve the protection of our customers' data, and to ensure that users are sharing content exactly as they intend. To that end, we're working on a variety of ways to improve the usability and security of Box, and today, we are taking immediate actions to improve the functionality of public shared links, including:
- End-user security awareness in-product: we will be adding more user education to the link settings tool on Box to make the potential implications of public link access even more clear, and advising that no sensitive content ever be shared with this level of permission.
- Improved admin policies for public shared links:
- We are changing the default setting in the Box Admin console to disabled public custom shared link URLs until a company Box Admin decides to enables it.
- The default access level for shared links in Admin console will be set to "people in your company," and this default can only be changed by a company's Box Admin. As a result, in a default configuration of Box, end users will need to expressly change the shared link setting to "people with the link"s (public/open) to make the link externally accessible.
- More stringent controls to reduce unintended content access: we are working on a variety of methods to limit the unintended discovery of open/public links and prevent content access by external parties.
Longer term, as we announced at BoxWorks last fall, Box is working on a series of innovations to improve security around content classification and external collaboration. These include Box Shield, which aims to reduce risk from user behavior by preventing accidental data sharing and detecting anomalous content access patterns, and two-factor authentication for external collaborators. Further, we continue to partner with leading security platforms to help augment Box's security capabilities and protect customer content.
We recommend that all of our customers regularly review Box's sharing settings to configure their Box account in a way that is best suited to their sharing use-cases, and leverage the full breadth of capabilities we offer for advanced content security and privacy. Finally, to reduce risk to sensitive content, we recommend that:
- Administrators configure Shared Link default access to 'People in your company' to reduce accidental creation of public (open) links by users.
- Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
- Security Administrators leverage third-party SIEM or log tools to consistently review suspicious content activity across your enterprise.
- Users do not create public (open) custom shared links to content that is not intended for public consumption.
- Users only post shared content with open shared links on public web pages if you want the content to be indexed and available by Google and available for public consumption.
For more information on shared links best practices and many other topics, you can always visit the Box Community, or reach out to your Customer Success Manager to discuss further security options within Box.
Chief Customer Officer