Box Enterprise Key Management (EKM), currently in beta, gives businesses the ability to maintain exclusive control over their encryption keys. The technology is currently being delivered via Amazon Web Services and Gemalto.
"In the old days, if you wanted to encrypt and protect data inside your organisation, IT could set it up," said Rand Wacker, Box's vice president of enterprise products. "But if you tried to share something across organisations, that's usually where stuff broke down."
Aimed at users in highly regulated industries such as finance, government, legal and healthcare as well as geographies such as Germany, Box EKM is designed to help enterprises reap the rewards of cloud computing while still maintaining control over encryption, he said.
Box, which IPO'd last month, and has its European HQ in London, already makes sure all content it stores is already encrypted, Wacker noted. What's new is that Box EKM externalises management of the associated encryption keys.
"When a customer uploads a file, it's encrypted with a unique key for that file," he said. "What happens today is that the file-specific key is encrypted by an internal key-management system."
With the new capability, however, customers get control over that key and the auditing of it.
The key infrastructure is provided by a dedicated AWS CloudHSM appliance leveraging Gemalto's SafeNet Hardware Security Modules (HSM) for key encryption and protection. Customers retain full control of their keys and cryptographic operations while Amazon manages and maintains the hardware.
Box EKM not only separates encrypted data and the keys used to manage it, but also creates an audit log for the customer's review.
The security controls are designed to be transparent to users while giving customer IT and audit teams full visibility, Wacker said. Neither Box nor Amazon have access, he stressed.
Toyota Motor Sales and World Bank Group are among the organisations testing the new capability, Wacker said.
General availability of the new service is expected this spring. Pricing will be on a per-user basis.
"Right now this targets large enterprises with some pretty hefty resources," said Rich Mogull, CEO with Securosis.
"I do think it is highly appealing for them, especially in financials and other regulated industries," Mogull said. "It's also appealing to enterprises concerned with government or cloud-provider snooping."
Eventually, "bring your own key" will become common in cloud computing, he added, though it could take many years.
"I've heard at least one of the proxy-based encryption vendors for SaaS is doing somewhere around $50M in business, so clearly there is a market," Mogull said -- "especially for something that won't break the SaaS apps functionality like proxies do."