min read
Jun 17, 2024

Box Security: What’s Built in and What Needs to Be Added

Box security

The idea behind Box is simple, and therein lies its beauty. The average company uses dozens of SaaS applications to create, manage and collaborate on content. That’s a lot to keep track of, so Box lets you centralize all the SaaS content apps you use with its Content Cloud.

This centralization is helpful for productivity, but what about security? Well, the good news is that all these apps and assets are in one place, making it potentially easier to secure. The bad news is that all these apps and assets are in one place, making it potentially easier for threat actors to access wider swaths of your content ecosystem if you don’t wisely implement Box security.

How Do You Wisely Implement Box Security?

This post takes a penetrating look at what security measures are included in Box out-of-the-box. 

We’ll also point out the areas where you may need to supplement the built-in Box security in order to truly secure your content assets and applications, including:

  • Visibility
  • Sensitive data discovery and classification
  • Data access governance
  • Historical remediation
  • Threat detection and response

Visibility: Do You Know Where Your Box Integrations Are?

Box lets you integrate over 1500 SaaS apps with its Content Cloud, ensuring that you should never really need to leave Box to accomplish any content-related task for your company. But this proliferation of connected apps comes with a challenge: visibility.

If you can’t detect it, you can’t protect it. (Or defend against it.) 

Fortunately, Box does provide an Admin Console that gives insights into user activity and Box platform activity. 

Identifying Sensitive Data: How Sensitive Are Your Antennae? 

Effective protection of sensitive data starts with the ability to pick it out from among the terabytes to petabytes of data in your systems. Sensitive data discovery then leads to sensitive data classification: what kind of sensitive data it is, and what that means for preventing its loss or exposure.

Box’s Shield component is able to identify and classify sensitive data in both new and historical content. Box Shield uses sensitive data discovery methods based on PII, custom terms and file types.

This capability of Box Shield is a tremendous asset to overall Box security. That said, classic sensitive data discovery tools that operate based on regular expressions, specific terms or file types have a tendency to generate false positives and/or false negatives. 

To accurately and effectively identify all of your sensitive data within the Box Content Cloud, you may need to implement a sensitive data discovery solution that is able to process context. NLP-based data discovery tools are a well-known example of context-aware data analysis.

Data Access Governance: Can You Keep Trespassers Out?

If an manufacturing facility leaves a door unlocked at night, it shouldn’t be surprised to find trespassers in the morning. Whatever else your company does, it is also a manufacturing facility for data. If you want to keep your data assets untouched by the wrong hands, you must have a way to create and enforce granular policies on who gets to access what.

Box takes data access governance seriously - and does a good job of it. They provide granular access controls, with seven levels of permissions from which to choose when sharing assets:

  • Co-owner
  • Editor
  • Viewer uploader
  • Previewer uploader
  • Viewer
  • Previewer
  • Uploader

(We won’t go into the details on each permissions level, but Box defines all the roles and their abilities here.)

This seven-layered permission structure is much more specific than the usual three that Google Workspace or Microsoft OneDrive make readily available:

Permission structure

Drive and OneDrive do let you tweak the extent of those permissions when you drill down further, but even then they aren’t as granular as Box:

Permissions extent

Other boons to data access governance in the built-in Box security include the abilities to:

  • Set link expiration dates
  • Set link passwords
  • Restrict external collaboration
  • Watermark assets based on data classification
  • Watermark assets with rasterized or vector-based watermarking

Historical Remediation: Can You Fix the Past?

Everyone knows you can’t fix the past. Except, that is, when it comes to access permissions. Even if you’ve been generating SaaS content assets for years without being particularly on top of your data access governance, with the right tools you can close all those holes. 

What tools do you need?

  • The first is a sensitive data discovery and classification tool that can identify sensitive assets, at scale, in historical content.
  • The next is a data access governance tool that can identify the access permissions on each of those assets and assign a level of risk (e.g. shared company-wide, shared externally, shared publicly).
  • Once you’ve identified the sensitive assets and the risk their current level of access poses to your data security, you need a remediation tool that can make the relevant permission changes at scale

Box Shield enables you to discover and classify both new and historical content assets. Both manual and automated workflows are available for this classification work. 

Box Shield does not, however, give you the ability to actually change the permissions on those assets at scale. This is a shortcoming in Box security, and should be supplemented with a solution that enables bulk historical remediation for SaaS assets.

Threat Detection and Response: How Fast Can You Deal With Intruders?

If you can’t detect it, you can’t protect it. (Yes, we did say that earlier. But it bears repeating.)

Box security requires the ability to detect identity and data security threats as soon as possible after they manifest. Box Shield does use machine learning to analyze account access patterns, user behavior and app activity, identifying abnormalities and sending your team alerts. 

Detection, however, is only the first required step to protecting your systems and assets from threat actors. The second critical step is response: taking action to stop the threat. And with SaaS systems, where data can be accessed, copied and taken out of your control in minutes, you need to be able to respond fast.

Unless you plan to have an information security team member standing at attention 24/7, waiting for alerts to come in so they can deal with them immediately, the speed needed for true Box security demands automation. If your Box security solution has automated remediation workflows, when a particular threat is detected, it can respond at the speed required to keep your assets secure.

Think Out of the Box

If you’re one of the 100K+ companies who use Box to store and manage content, it behooves you to take Box security seriously. Take advantage of the built-in Box security, but make sure to supplement it where needed with other SaaS data security tools or solutions to keep your data under your control


Is Box considered secure?

Box has many security features to protect customers’ data assets, including:

  • Encryption in transit and at rest
  • Automatic classification of sensitive data
  • Machine learning-based malware protection
  • Strong, granular data asset access controls

Even these built-in Box security features, however, do not guarantee that your data will be secure. It is important to figure out where the Box security features fall short, and supplement them with other solutions.

Is Box owned by Microsoft?

No, Box is an independent company that is not owned by Microsoft. Box was cofounded in 2005 by Aaron Levie and Dylan Smith, who now serve as CEO and CFO, respectively.

Is Box safer than Google Drive?

Both Box and Google Drive have data safety and security features, but Box has more extensive safety than Drive in the following areas:

  • Granular user permission roles/levels: 7 in Box; 3 in Google Drive
  • Shared link expiration: Available to everyone in Box; available to developers only in Google Drive
  • Passwords for shared links: Available in Box; not available in Google Drive 

Are Box files private?

By default, any new folder created in Box - and any files you create within that folder - are private. Their continued privacy, however, depends on if and how you give other users access to them.

Is Box a secure way to share files?

With granular access controls that offer seven levels of user roles, password protection for file share links, expiration for file share links, and watermarking, Box provides a secure way to share files.

Get updates to your inbox

Our latest tips, insights, and news