Box KeySafe Aims To Simplify Encryption Key Management For SMBs

Box announced a new product today called Box KeySafe that should help simplify encryption key management, putting it in reach of small to medium-sized businesses (SMBs) that require encryption but want to avoid the complexities associated with Box’s higher-end Enterprise Key Management product.

Many highly regulated industries have wanted to move to the cloud, but security and governance requirements held them back. Last year, Box took a step to remove that security roadblock when it developed Box Enterprise Key Management.

That allowed big companies like investment banks, energy companies and healthcare organizations to use Box services while having very precise control over the encryption keys. It was a good solution for these larger organizations with large IT teams, but it took weeks to set up the dedicated encryption key management server on Amazon Web Services, and that put it out of reach of smaller firms.

Box CEO Aaron Levie says the company kept hearing from companies like law firms and banks that they wanted this same functionality, but didn’t want to deal with the whole management part of it.

That led to the development of today’s product, Box KeySafe. It’s similar to its enterprise cousin, but it no longer requires a dedicated encryption key server. Instead, Box has set up that management component as a cloud service on Amazon Web Services, which reduces the setup time to about an hour instead of weeks, Levie explained.

This is significant because much like those large companies looking to control their data in the cloud, many SMBs have been held back by the same requirements. For companies that might have forgone a cloud service like Box, encryption key management enables them to use it. That means it has the potential to expand the market for Box services, which could help Box’s depressed stock price.

The way it works is like a safe deposit box. It requires two keys to open. Box encrypts the file with one key. The customer encrypts it with another they control — and the encryption activity gets logged in an auditable report. If a customer demands proof that the company has maintained control over the content, it has this data point to show that it has.

From a legal standpoint, if government or law enforcement officials came to Box demanding to see certain files, Box would have to send them to the file owner because they own the encryption keys that control access to all of the content stored in Box. Box can’t see the encrypted material any more than a bank can open a safe deposit box without the owner’s key.

What’s more, the encryption key management process will be offered as a service in Box’s Developer Edition, which exposes various Box functions as services for developers, who can build Box content management, security or key encryption into their applications without explicitly using Box.