Some businesses object to the use of cloud storage of electronic data because of a fear that employees of the storage provider (or others) could access the businesses’ data stored in the cloud.  Even if the data is encrypted, this fear can still exist if the cloud storage service holds the key necessary to decrypt the data. 

In a 2015 post, I wrote about the options available to encrypt data through a method that will prevent the cloud storage provider from accessing the data.  At that time, the user needed to retain the services of a third-party encryption service such as Sookasa or Boxcryptor to encrypt data before it was loaded into the cloud.  This is a functional approach, but it is cumbersome because the user must hire two separate service providers to get the job done – a cloud storage provider and a separate encryption provider.

The New Year brings increased ease of use for customers of Box, which is one of the major cloud storage providers.  Box now offers its “KeySafe” service to customers who wish to prevent Box from being able to decrypt the customer’s data.  To allow customers to do so without having to retain a third-party service to store data encryption keys, Box partnered with Amazon Web Services (“AWS”).  Customers who elect this level of protection will have an additional layer of encryption placed on their data stored in Box.  The first level is the standard encryption that Box places on all customer data.  Box will retain that decryption key.  The second level of encryption will be performed with the customer’s decryption key, which will be stored with AWS.  Box will not have access to the customer’s key.

An analogy to explain this approach is the two-key method of launching nuclear missiles.  To avoid the risk of one rogue person performing a missile launch without authority, two authorized people must activate the launch by each inserting and turning their key in the launch mechanism.  Box’s KeySafe approach is similar.  To access the data, both the key maintained by Box and the key maintained by AWS must be used.  Box states that only the customer will be able to make that happen.
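The two-layer, two-key arrangement described above can be sketched in a few lines. This is an added example, not code from Box, AWS or the original post; the function names are hypothetical, and the HMAC-based cipher is a standard-library stand-in (an assumption) for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher built from HMAC-SHA256 so the example runs with
# the standard library only (assumption: production systems use AES-GCM or similar).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def store(provider_key: bytes, customer_key: bytes, data: bytes) -> bytes:
    # First layer: the provider's standard encryption. Second layer: the customer's key.
    return seal(customer_key, seal(provider_key, data))

def retrieve(provider_key: bytes, customer_key: bytes, blob: bytes) -> bytes:
    # Both keys are required, applied in reverse order of encryption.
    return open_(provider_key, open_(customer_key, blob))

def provider_alone_can_read(provider_key: bytes, blob: bytes) -> bool:
    """Models the storage provider trying to decrypt with only the key it holds."""
    try:
        open_(provider_key, blob)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    provider_key, customer_key = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = store(provider_key, customer_key, b"constructed sample record")
    print(retrieve(provider_key, customer_key, blob))
    print("provider alone can read:", provider_alone_can_read(provider_key, blob))
```

The protection depends on where the second key is held and who can invoke it, which is why the customer's key sits with a party other than the storage provider.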

This new security feature in Box should be appealing to businesses with a heightened need to secure their data or the data of third parties, for example health care providers or law firms handling particularly sensitive client information.