Box Product Security
Box is a file sharing and collaboration tool that has built its business on enabling enterprise companies to transition away from legacy shared drive systems to the cloud-hosted Box platform. Along the way, Box has faced a never-ending string of objections from potential buyers in the area of security. As a result, Box has continued to create demonstrable security practices, along with the marketing campaigns to promote them.
Box focuses heavily on security as a core feature of their product; this can be seen clearly on their security page.
From the very outset there is a focus on centralizing control for the enterprise IT administrator.
Box checks the boxes for incident response, disaster recovery and uptime. Additionally, they have added certifications for PCI, HIPAA, FedRAMP and FINRA, as well as compliance and support for data silos within restricted countries.
They recognize the global apprehension about US-based services by acknowledging their accreditation with several global compliance organizations. Finally, Box offers integrations with cloud-based ecosystem partners to aid with areas like eDiscovery and DLP.
Box has implemented the majority of the product security features we mentioned, including:
Configurable password policies (though this feature is only available to Enterprise account admins).
Session duration, to manage how long users can stay logged in to the website without activity.
Throughout these settings they seem to select the secure defaults (though sometimes allowing their customers to bypass security by changing certain settings).
They discuss their security posture as it relates to ops and development, but there isn't a ton of information beyond their assurance that they follow best practices.