One of the strongest messages coming out of Boxworks 2019 was the undeniable focus on security for Box. While security has always been at the core of the Box offering, the realignment of the messaging and the launch of Box Shield is in many ways a reaction to the new reality of the doing business in a digital world.
Ever since the internet opened the flood gates in the firewalls of business, all industries have struggled to find the right balance of control and constraints with collaboration and flexibility. The early knee jerk reactions of many legacy IT organizations was no access is the best access approach. Business needs and changing demographics of the user base have been straining at this resistance for a decade. Perimeter bolt on defenses have grown up to answer IT’s need to monitor, alert and interdict where appropriate.
The problem with this approach is it often lacks the most important information needed to understand a content related event. How do you know whether or not it is a genuine issue? The information needed is context. Who is the user? How do they normally work? Some provide behavioral analytics but they do not understand the relative value of the content in question among the terabytes of data in the system. What IS the content in question and does it matter?
In order to really understand these dynamics you have to get closer to the content itself and the system managing it. You cannot simply look at the data as it traverses the firewall. This deeper understanding is in essence what Box Shield seeks to do. By adding capability to analyze and understand the behavior of collaborators and the content they access relative to the other activities in the system, Box Shield is able over time to better and more quickly identify anomalies in behavior and alert or even stop data leaks as they are happening.
This in no way replaces the need for the perimeter systems as they cast a broader net across systems that have nothing to do with content. That horizontal capability will always be a part of the story but the addition of this capability to the core of content management systems is a natural evolution of the feature set beyond authorization models that users should expect and demand of systems that manage their content.
The traditional content management community of products has not always done a good job at distinguishing the concepts of authorization based on role from policy enforcement based on classification of the content. We call it all security but owners of the requirements are often separate entities.
As the policy enforcement aspects of products like Box become more capable, restrictions and constraints that we might have tried (and failed) to enforce through permissions in the old world might better be controlled at the policy level. You should therefore no longer assume that permissions models are the right way to enforce these restrictions.
Box Shield then may be the beginning of a trend that not only elevates the security posture of cloud content management but allows you to rethink your approach and expectations of cloud content providers as a whole.
Disclaimer: As an employee of Box, this post contains commentary on products I work with in the day job. The opinions are my own and not those of the company.