13 Box Security Best Practices

By on Aug 10, 2016

As one of the most widely used file sharing SaaS platforms, Box was built from ground up with Enterprises’ security needs in mind. There are a lot of out-of-the-box features that Box admins should utilize to make the most of Box’s built-in security capabilities while complimenting them with 3rd party solutions like a CASB. For example, we all know the wisdom behind requiring users to set long, and complex passwords, but that’s just the start. Below is a list of some of the best practices enterprises should be aware of when onboarding users to Box to ensure their data stored in Box is protected.

1. Ensure all internal users are managed users

There are two ways for admins to add a Box user to the company account (managed user): manually add the user or give users the ability to add themselves. Regardless of which method is used, it’s always a best practice to add users as managed users, especially if they share the same email domain. Admins have far greater control over managed users. They can:

  • Determine maximum storage limit for the user
  • Gain access to a managed user’s account
  • Specify which applications they have access to
  • Receive notifications of password reset
  • Terminate user access while retaining content
  • Create groups of managed users and apply specific permissions
  • Receive notifications of unauthorized browser logins

2. Ensure partners who collaborate on sensitive data are managed users

Most industry and government data protection regulations (such as HIPAAFISMA, etc) apply to enterprises as well as their partners. According to one of our recent Cloud Adoption & Risk Report, the average enterprise connects with 1,555 business partners via the cloud, including suppliers, distributors, vendors, and customers, underscoring the need to convert those partner Box users into managed users.

Here’s how to add a managed user:

  1. Sign into Box
  2. Click the admin console
  3. Under managed user, click the “+ user” option
  4. On the next window, you’ll be able to enter the name of the user, an email address (which will serve as their username), as well as the storage limit. Within this same window you can control access permissions such as which folders they have access to, add them to groups, etc.
  5. Once user’s account has been configured as desired, click Add User.


Box Security Checklist

Download to learn key questions in each of the four pillars of cloud security, as defined by Gartner, that you should be able to answer when evaluating the use of Box.

Download Now

3. Ensure managed user roles are configured so they have minimum access while being able to fulfill their job duties

Admin – privileged user accounts should be assigned sparingly, and only when an enterprise has a large number of Box users to manage. An organization should also have the ability to monitor privileged user activity to prevent inappropriate access to data as well as unwarranted escalation of privileges.

Co-admins – There are a few differences between an admin and a co-admin privileges, the biggest of which is that the latter can’t change an admin’s account permissions. Other differences include:

  • They can’t view billing information or login to an admin (or co-admin’s) account
  • They can’t reset, or in any way change, an admin’s account setting, nor can they access the Silent Mode tool, which lets an admin stop notifications for a set amount of time.

As a best practice, it is highly recommended to customize each co-admin’s permissions.

Group admins – Assign this role when a user only needs to manage a subset of other users. Group admins can run reports, add other managed users into group, and manage member/folder permissions for that group.

4. For co-admins, avoid giving them “login to user account” permission unless absolutely necessary.

One of the most expansive permissions is the ability to login to other users’ accounts. A rogue co-admin poses a major data exfiltration risk. The more likely, but equally damaging situation would be if a co-admin had their login credentials compromised. As the massive eBay breach of 2014 highlighted, cyberattackers prefer to gain unauthorized access to a service through the front door.

5. When terminating an employee Box account, the preferred method is to set them as “inactive” instead of deleting their account.

When users are deleted from Box, all the content they own also gets deleted. To avoid that, an admin could transfer the terminated user’s files to another user. Though the latter method will preserve the files, it creates additional steps and the account deletion becomes permanent. A less permanent, but equally effective way of terminating a user’s account is to set it to “inactive.”

6. Don’t give users the permission to change their usernames

Since a user’s Box username is their email address, allowing users to change their username gives them the ability to change it to a personal email address. This can potentially pose a security risk if their personal email is compromised. A hacker could then initiate a password reset and gain access to the Box user’s account.

7. Turn on a failed login attempt limit and set the failed attempts to “no more than 5 attempts”.

Failed login attempts often result from an employee mistyping their password or inputting an old password. In rare instances, it could also be a sign of an attempt at unauthorized account access, especially when the attempt occurs at a location that the employee doesn’t reside in or work from.

8. Turn off persistent login

Box users might not like the inconvenience of having to re-login to their Box accounts every time they close their browser, but consider this: if a Box user loses their device while logged into Box, it can expose an enterprise’s sensitive data and could possibly make them non-compliant with internal policies and industry regulations.

9. Turn on login verification

When a user attempts to login from a new location or a new device, they should be required to enter a secondary code (sent to them via SMS) to authenticate their identity. This is yet another way an organization can protect itself from unauthorized access due to compromised accounts.

10. Enforce secure collaboration

According to McAfee (formerly Skyhigh Networks) research, 15.8% of all documents uploaded to cloud-based file sharing services (such as Box) contain sensitive information, which includes personally identifiable information (PII), protected health information (PHI) and payment data. Combine that with the fact that the average company connects with 1,555 business partners via the cloud and the need for enforcing secure collaboration policies becomes ever more clear. Box admins need to be able to see which files are being shared with external partners, personal email addresses, or blacklisted domains, and instantly scan the files’ content to ensure PII, PHI, or other content subject to eDiscovery/litigation hold requirements aren’t being shared inappropriately.

11. Utilize the latest User Behavior Analytics (UBA) to detect insider/outsider threats

When a user who has been granted access to a file containing highly sensitive data downloads it, that action might appear innocuous and deemed part of the user’s day-to-day activity. However, if that file is then uploaded to a high risk cloud service, this activity should raise alarm bells because it could be a sign of an insider threat. Box admins need to have cross-cloud visibility to protect against threats such as data exfiltration originating from a rogue insider. Likewise, if a user logs into Box from a certain location, then minutes later logs into Box from some location miles away, alarms should go off to report a suspected compromised account. User Behavior Analytics can help achieve this by leveraging machine learning to set a baseline for a user’s normal behavior and then detecting activities that deviates from this norm as a possible security threat.

12. Turn on two-factor authentication

One of the most effective ways to thwart a cyberattack originating from a compromised Box account is to turn on two-factor authentication. It isn’t fool proof, as was proven by recent reports of hackers bypassing Google’s two-factor authentication. Savvy criminals go to great lengths in using social engineering to get a user to hand over their two-factor authentication code willingly, which leads to…

13. Educate, educate, educate. Do it from the start, do it often

Organization who understand cybersecurity have started to take an “assume breach” stance towards cybercrime. By assuming a breach has occurred, or will inevitably occur, organizations can begin to take preventative measures, starting with educating every single employee from day 1, about the plethora of cyber threats and data security risks they face. And, this must be ongoing, with full understanding that IT and IT security departments aren’t the sole owners of information security. Security is an enterprise-wide responsibility.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs