Enterprise storage and collaboration company Box has unveiled a new service, Box EKM (Enterprise Key Management), that allows customers to use their own encryption keys to protect data stored in Box. By letting customers bring their own keys, and by never holding those keys in its own systems in the first place, Box is hoping to knock down one of the longest-standing and toughest arguments against storing sensitive data in the cloud.
Under EKM, files stored in Box are protected with a two-layer (envelope) scheme: each file is encrypted with a Box-generated data key, and that data key is in turn encrypted, or wrapped, with a customer-supplied key. Box never has access to the customer's key; it is held in Amazon's AWS CloudHSM service, which stores keys in tamper-resistant hardware security modules made by Gemalto/SafeNet. Wrapping and unwrapping of the data key therefore happens inside the HSM, outside Box's hands, and every decryption request is logged at the HSM and forwarded to the customer. The practical consequence is that a customer can see each time Box's service needs to read a file and, by declining to unwrap keys, can leave Box holding ciphertext it cannot decrypt.
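As an added illustration, not Box's code or the actual EKM protocol, the following Go program models the envelope pattern described above: a fresh per-file data key encrypts the file, a customer-controlled key-encryption key (KEK) wraps the data key, and an in-process stand-in for the customer's HSM never releases the KEK, logs every wrap and unwrap request, and can be revoked to show what Box is left with once the customer withholds the key. The CustomerHSM type, its Wrap/Unwrap/Revoke methods, the "box" requester label and the sample file contents are assumptions made for this example; the real CloudHSM API and audit-log format differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (panics only if the CSPRNG itself fails).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts with AES-256-GCM under a fresh random nonce; output is nonce||ct||tag.
func sealAEAD(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openAEAD reverses sealAEAD; the GCM tag check rejects any tampering with the blob.
func openAEAD(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("open: unusable key (%v) or ciphertext too short", err)
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// CustomerHSM is a hypothetical in-process stand-in for the customer's CloudHSM: it
// holds the KEK, never hands it out, and records every request for the customer's audit.
type CustomerHSM struct {
	kek []byte
	Log []string
}

func NewCustomerHSM() *CustomerHSM { return &CustomerHSM{kek: randomBytes(32)} }

// Wrap encrypts a data key under the KEK so Box can store it without being able to read it.
func (h *CustomerHSM) Wrap(dataKey []byte, requester string) ([]byte, error) {
	h.Log = append(h.Log, "wrap request from "+requester)
	return sealAEAD(h.kek, dataKey)
}
// Unwrap is the only way back to a data key, and each call is logged.
func (h *CustomerHSM) Unwrap(wrapped []byte, requester string) ([]byte, error) {
	h.Log = append(h.Log, "unwrap request from "+requester)
	return openAEAD(h.kek, wrapped)
}
// Revoke models the customer disabling the KEK: every later Wrap or Unwrap fails.
func (h *CustomerHSM) Revoke() { h.kek = nil }

// StoredFile is all Box retains: the ciphertext and the wrapped data key.
type StoredFile struct {
	Ciphertext []byte
	WrappedKey []byte
}

// Upload: fresh per-file data key, encrypt, have the HSM wrap the key, drop the plaintext key.
func Upload(hsm *CustomerHSM, plaintext []byte) (*StoredFile, error) {
	dataKey := randomBytes(32)
	ct, err := sealAEAD(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := hsm.Wrap(dataKey, "box")
	if err != nil {
		return nil, err
	}
	return &StoredFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Download must ask the HSM to unwrap the data key before it can decrypt anything.
func Download(hsm *CustomerHSM, f *StoredFile) ([]byte, error) {
	dataKey, err := hsm.Unwrap(f.WrappedKey, "box")
	if err != nil {
		return nil, err
	}
	return openAEAD(dataKey, f.Ciphertext)
}

func main() {
	hsm := NewCustomerHSM()
	f, _ := Upload(hsm, []byte("quarterly numbers")) // constructed sample file
	pt, err := Download(hsm, f)
	hsm.Revoke()
	_, errAfter := Download(hsm, f)
	fmt.Printf("%q %v; after revoke: %v; hsm log: %v\n", pt, err, errAfter, hsm.Log)
}
```

Running it with `go run` shows the file round-tripping through the wrapped key, a second download failing once the KEK is revoked, and the two logged requests that the customer would receive. The two things worth noticing are that Box's side (Upload and Download) never sees the KEK at all, and that because the wrap is authenticated (GCM), a wrapped key that has been altered in storage is rejected rather than silently unwrapping to garbage.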
Both Amazon and Microsoft recently rolled out cloud-hosted key management systems, Amazon KMS and Microsoft Azure Key Vault. But both of those products concentrate on key management, not on providing a way to encrypt customer data within an existing workflow. Rand Wacker, enterprise VP at Box, noted that EKM could plug into KMS "in a future release" and use keys directly from it, pending customer demand for the feature.
Wacker also didn't see competition from Microsoft as an issue in this particular area. "The competitive landscape [for Box] breaks down into consumer versus enterprise," Wacker said, with Microsoft -- specifically via its OneDrive product, the most direct competition for Box's market -- being more on the consumer than the enterprise side.
Box, being such a familiar name in enterprises, is in a good position to offer this service to a range of customers previously unable to use cloud storage, whether because of regulatory restrictions or just plain skittishness. That, however, raises another question and another possible obstacle to adoption: how difficult is it for an enterprise IT team to provision and roll out EKM?
"There is a lot of setup and interconnect that has to happen between the three organizations," Wacker said, meaning the customer, Box, and Amazon. But he claimed the whole onboarding process takes only "a few hours," since no actual hardware (namely, the HSMs) needs to be racked and provisioned.
Costs are based on "the size of the customer's deployment," according to Box's press materials, with general availability for the service set for sometime this spring.