Security classification has been around for a long time. The latest vendor to jump into this space is Box. They have added security classification to Box Governance, a product that they launched last year. The goal is to make it much easier for companies to identify and secure sensitive data. This is a smart move by Box as it plays to the concern of many security teams around the oversharing of sensitive data.
The availability of security classification was announced in a blog by Jon Fan, Senior Director, Product Management, Box. In his blog he writes: “Box Governance is our most widely used add-on offering to date! That’s why today, we’re making it even more powerful by adding security classification. Now, for the first time, Box customers will be able to automatically identify sensitive content in Box and enforce security policies based on a predetermined confidentiality level.”
What does security classification enable?
The press release highlights four areas where Fan believes customers will gain from using security classification:
Easily classify all content in Box: Customers will use their own security taxonomy to mark up data. Fan believes that by tying it to their security requirements they can then easily search for data by security level. This will not be as easy for many customers as it sounds. It is very easy to overcomplicate the different levels of security classification, which makes them hard to use effectively. Companies may also struggle to map their existing security requirements to a security taxonomy.
Get clear visual indicators for confidential information: Admins can choose to display a visual indicator that makes it clear when a piece of content is confidential. Box has been clever here. Users will get a label that tells them the security classification of content when they attempt to preview it. IT admins can also add a customised advisory message when the user rolls their mouse over the content.
Add and trigger security policies: This will get the attention of IT security teams. It allows admins to deploy policies that control data sharing. It is also possible to keep data contained within certain folders. The problem is that users are very good at getting around these controls. It will be interesting to see just how well Box can prevent content sharing. For IT admins, the short-term impact will be more users asking for access to content that has now been denied them. With companies increasingly using a collaborative approach to work, it could create problems with access controls.
Leverage partners to automate classification: This automatically detects the security classification of content as it is uploaded. It combines Data Loss Prevention policies from Netskope and Skyhigh Networks with classification metadata from TITUS. It comes with two settings: confidential and internal. This is going to be key to many companies rolling out this feature. Admins do not have the time to go through existing data. The ability to detect data as it moves around and automatically apply security classifications is good news. How many other Box partners will announce support for this feature?
Conclusion
It’s hard to escape the feeling of déjà vu when talking about security classification of data. Every large enterprise will have experienced several failed attempts to make this work. Box has been clever by bringing in partners to help automate the classification of data as it is uploaded. If this works then Box may well have cemented its lead over other content management platform vendors.