On February 10, 2015 Box announced the beta release of Enterprise Key Management (EKM). Put simply, EKM addresses cloud security concerns by giving customers control over the encryption keys used to access content stored on Box. It’s add-on functionality, at an additional cost, that’s going to remove one of the barriers to cloud adoption. This is a very, very good thing.
For those customers that have been dithering about whether or not to move content to the cloud because of security concerns, EKM ought to alleviate those concerns. Of course, those customers will have to be willing to commit to Amazon Web Services (AWS) if they want to avail themselves of EKM. However, it’s a beta folks and I’d bet that Box is actively working on other options.
With this announcement there’s a bunch of organizations that, all of a sudden, have no excuses left. That’s not to say that organizations should put everything into the cloud; they shouldn’t. There’s tons of content that organizations deal with on a day-to-day basis that makes absolutely no sense to move to Box. Take a look at transactional data that’s generated by utilities, communications providers, and financial companies; there’s nothing to be gained, yet, by moving all those transactions into Box. However, those same organizations, along with most others, deal with tons of content that is perfectly suitable due to its purpose in business processes. Think about loan/mortgage applications, cell phone contracts, and applications for utility services; all of these could easily be moved to the cloud. And now (well, when EKM gets to general release) it can be done with just that little bit extra assurance of security. Which brings me to another point, which I’ve made before …
Organizations are going to have a mixed bag of content repositories for the foreseeable future. Once EKM goes to general availability I’d love to have a bar chat about which is more secure; Box, on-premises, or the hosted private data centre. Based on what I know about some orgs I’ve worked with, I’d rather they put their content in Box, with or without EKM. I digress …
My point is that hybrid is a reality and that everyone involved in managing content (vendors, customers, regulators, legislators) is going to have to figure out how best to deal with access, security, collaboration, and everything else that goes into managing content as an asset. Part of that is understanding that not all content is created equal and can be treated the same. For me the end game has to be putting the users at the center and not forcing them into Cirque de Soleil-like contortions to gain access to the content they need to execute the task at hand. If Box’s track record is anything to go by, I’m optimistic that they haven’t lost sight of ease of use with the EKM beta.
The title of Aaron Levie’s (Box CEO) post announcing EKM is Breaking the Last Barrier to Cloud Adoption with Box Enterprise Key Management (and I thought I liked long titles). Uhm, no. Hell, EKM won’t even break down the last legitimate barrier. There is still a lot of Fear, Uncertainty, and Doubt (FUD) to overcome in getting organizations to move to the cloud (not a legitimate barrier). Organizations worry about data sovereignty, sometimes legitimately. Some contexts just don’t lend themselves to a smooth cloud experience (from twitter this am, via Laurence Hart “Some agencies require govt clearance to have access to encryption keys and/or be US citizen. Box can’t do that for workforce” – he’s not wrong. Laurence expands on the quote in this post.).
If I were Box I’d handle the above like this:
- FUD – time, tide, and attrition are your friend – patience, Grasshopper.
- Legitimate data sovereignty issues – influence and wait for legislation; partner up to build/lease/coopt some friggin’ data centres.
- Illegitimate data sovereignty issues – see FUD
- The point that Laurence brought up – don’t sweat it. You can’t play there now anyways.
Box’s announcement about Enterprise Key Management is significant, and it’s a really good thing. However, it’s not the last hurdle and I’d bet money they know that. But it does take away one excuse that that ditherers and FUDders have been hanging on to.
And for those of you who are about to bring up AWS outages – IT’S A BETA!!!
Pingback: Box Makes a Huge Leap in Security | Word of Pie
“And for those of you who are about to bring up AWS outages”
Your data centre will go down, their data centre(s) will go down. Plan for it and mitigate it. In my experience, yours will go down more than theirs.
How TF are Box (or anyone, for that matter) going to “influence” a change to the Patriot Act?? And before anyone cries “FUD!!!1”, the Microsoft email case in Ireland* has already all but proven that the “paranoid” Europeans weren’t really that paranoid after all. Delegating key administration to Amazon is especially dumb in this regard, given that Amazon is also a U.S. company – in fact it opens up two separate avenues for the U.S. government to use to get a customer’s data.
To avoid the Patriot Act in any real sense, Box needs to figure out a way to run their foreign operations as independent, local companies; start offering on-premises solutions so that their foreign customers are able to physically defend their data from the U.S. government; or give up on ever managing anything but “light and fluffy” content that the U.S. government isn’t likely to be interested in. I only see one realistic option for them on this list (hint for the slow: it’s the last one).
Peter, read my post on the topic. It discusses the issue that was being addressed which has zero to do with the Patiot Act. http://wordofpie.com/2015/02/11/box-makes-a-huge-leap-in-security/
Which is precisely my point – the fact that this “big” announcement *doesn’t* address the Patriot Act makes it vastly less than a “very, very good thing”.
Pingback: Security 2015 or Why I Sometimes Hate My Clients | The Info Gov Guerrilla
Pingback: Box Announces Governance – Another Step Towards #ECMnext | The Info Gov Guerrilla