Box recently announced Enterprise Key Management (EKM), touting it as being able to "break the last barrier in cloud adoption". But unfortunately, in reality, Box EKM is just not enough. Even they themselves mention in their blog post, albeit in passing, that there were better alternatives like client-side encryption, but they didn't choose any of them because that would mean curtailing Box's productivity functions. If there are better alternatives to data security, that simply makes Box EKM a compromise. And security cannot be based on a compromise.
What Box EKM allows is dedicated key management in the form of hardware security modules (HSMs), which are fully managed by the customer and can be hosted in their own data center or in Amazon Web Services. But, Box needs to have a connection to these HSMs to do its own thing. Data that is uploaded to Box is encrypted using a unique key that in turn is encrypted using the customer key stored in the HSM. So the customer has full control over the encryption/decryption keys, but Box can also access them "with approval". And this is where the catch is - Box still, in reality, has access to the HSM and hence the keys. Unless the data is encrypted by the customer (at its source) before it gets sent anywhere, how can the customer be 100% sure that it is secure?
This is where client-side (or at-source) encryption scores over anything like Box EKM. Client-side encryption allows the customer to encrypt data using his/her own keys before it is sent anywhere (out of its source). The keys are fully controlled by the customer and may not be shared with the party to which the data is being sent to (like Box). Client-side encryption usually creates problems for other capabilities like source-side (aka global) de-duplication and server-based collaboration because the data comes in encrypted at the server and there's no way the server can make any use of it - like finding common patterns for de-duplication or sharing data across users.
Vaultize has tackled these issues with client-side encryption using its patent-pending Vault KNOX technology that enables end-to-end security. This technology allows Vaultize to do client-side at-source encryption along with client-side de-duplication and group-based collaboration. So, customers get all the benefits of client-side encryption without loosing any of the benefits of global de-duplication or collaboration. This achieves high security with high efficiency and high productivity. Vaultize allows customers to own and manage keys through its Data Privacy Option (DPO), which enables compliance with data residency, data sovereignty or data privacy regulations, and completely removes the risk of customer data being given out to authorities.
In addition, Vaultize goes beyond just encryption of data-in-transit and also allows customers to encrypt data-at-rest (through endpoint encryption and remote wiping) and data-in-use (through digital rights management - DRM, mobile data containerization and mobile content management - MCM). Vaultize takes an holistic approach towards data security and protection by securing and protecting the data from source to destination and from cradle to grave.
Download our free whitepaper – Don’t Get Fired For Critical Data Leaks: 6 Essentials For 100% Secure Enterprise File Sharing. You can also try our virtual appliance (for free) at our Free Download page.