Few would deny the appeal of the cloud for enterprise file storage and sharing, but for some organizations -- particularly those in heavily regulated industries -- security concerns can outweigh those potential benefits.
Enter Box Enterprise Key Management (EKM), a new solution now in beta that aims to give businesses the ability to maintain exclusive control over their encryption keys.
Hard on the heels of its initial public offering late last month, Box on Tuesday unveiled Box EKM, a service that targets security-conscious organizations with technology delivered in partnership with Amazon Web Services and Gemalto.
"In the old days, if you wanted to encrypt and protect data inside your organization, IT could set it up," said Rand Wacker, Box's vice president of enterprise products. "But if you tried to share something across organizations, that's usually where stuff broke down."
Aimed at users in highly regulated industries such as finance, government, legal and healthcare as well as geographies such as Germany, Box EKM is designed to help enterprises reap the rewards of cloud computing while still maintaining control over encryption, he said.
All content stored on Box is already encrypted, Wacker noted. What's new is that Box EKM externalizes management of the associated encryption keys.
"When a customer uploads a file, it's encrypted with a unique key for that file," he said. "What happens today is that the file-specific key is encrypted by an internal key-management system."
With the new capability, however, customers get control over that key and the auditing of it.
The key infrastructure is provided by a dedicated AWS CloudHSM appliance leveraging Gemalto's SafeNet Hardware Security Modules (HSM) for key encryption and protection. Customers retain full control of their keys and cryptographic operations while Amazon manages and maintains the hardware.
Box EKM not only separates encrypted data and the keys used to manage it, but also creates an audit log for the customer's review.
The security controls are designed to be transparent to users while giving customer IT and audit teams full visibility, Wacker said. Neither Box nor Amazon have access, he stressed.
Toyota Motor Sales and World Bank Group are among the organizations testing the new capability, Wacker said.
General availability of the new service is expected this spring. Pricing will be on a per-user basis.
"Right now this targets large enterprises with some pretty hefty resources," said Rich Mogull, CEO with Securosis.
"I do think it is highly appealing for them, especially in financials and other regulated industries," Mogull said. "It's also appealing to enterprises concerned with government or cloud-provider snooping."
Eventually, "bring your own key" will become common in cloud computing, he added, though it could take many years.
"I've heard at least one of the proxy-based encryption vendors for SaaS is doing somewhere around $50M in business, so clearly there is a market," Mogull said -- "especially for something that won't break the SaaS apps functionality like proxies do."