Box at CPS: Adopt a ‘Zero Trust’ Mindset

Joel de la Garza, chief security officer at Box, knows what media and entertainment companies are going through when it comes to securing their content during its complete lifecycle in today’s modern enterprise environment, where a workforce might be completely cloud-enabled, with no corporate data center.

“From a security perspective, we’re living in a very strange world, where we’re drawn between that perimeter-based, compliance-focused protection of an environment, and this cloud-based world that’s driving the way everything’s moving now,” he said, speaking Dec. 7 at the eighth annual CDSA Content Protection Summit.

“If I brought out our cloud strategy from two years ago, you’d be surprised by how different it was from how we view things now,” de la Garza said. “We were thinking about cloud security initially as ‘How do we airlift everything we do in our data centers to Amazon or Google or Azure?’ It turns out, as you start to move into a cloud-enabled world, the things that break, and the risks that you’re facing are actually radically different than they have been.”

You’re processing content in facilities you don’t control, where people outside your company have administrative control, he added, and “the concept of a perimeter is gone, because you’re running your loads and executing your processes in an environment where a bank could be executing processes, or a criminal syndicate could be executing processes. So, it’s a very strange world.

“For us, we had to leave the legacy security model behind, and it was a very expensive lesson, and we made a couple mistakes,” he said, adding that it’s important to understand that not all cloud providers are created equal, and there’s a difference in capabilities between them. And, especially when it comes to infrastructure cloud providers, it’s really important that companies understand an audit, and get to the bottom of the control they’re providing.

De la Garza had one crucial message for content companies and the cloud: adopt the concept of “zero trust,” and lose any idea that you can implicitly trust any relationship, because that’s what attackers are looking for: they leverage those implicit trust relationships in your environment, get hold of your users’ credentials and devices, and then escalate their privileges along the way.

“It’s really important that you start to think about things like implicit trust, and removing it from your environment,” he added. “It’s not enough to just protect your information when it’s sitting in a storage location. You have to make sure the policies of protecting that data are followed all the way through the data’s lifecycle.”
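To make the two points above concrete, here is an added example (not Box’s code, and not anything presented at the summit) that contrasts a perimeter model, which trusts any request arriving from inside the corporate network, with a zero-trust policy check that evaluates identity, MFA, device posture and the data’s classification on every access, wherever the data is being used. The device inventory, classifications, groups and policy table are constructed for illustration.

```python
"""
Added example, not Box's code: a toy policy engine contrasting
perimeter-based trust with per-request zero-trust evaluation.
All inventories and policies below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Assumption: the corporate network range that the legacy model trusts.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    device_id: str
    mfa: bool          # did this session complete a second factor?
    action: str        # "read" or "download"
    resource: str      # path of the content being accessed


# Constructed inventory of managed devices and their last attested posture.
DEVICES = {
    "laptop-42": {"owner": "alice", "managed": True, "disk_encrypted": True},
    "laptop-77": {"owner": "bob", "managed": True, "disk_encrypted": False},
}

# Constructed data classification, group membership and per-class policy.
CLASSIFICATION = {
    "content/unreleased-film.mov": "restricted",
    "content/press-kit.zip": "public",
}
GROUPS = {"alice": {"post-production"}, "bob": {"marketing"}}
POLICY = {
    # Restricted data: named groups only, MFA, managed + encrypted device, no download.
    "restricted": {"groups": {"post-production"}, "mfa": True,
                   "managed_device": True, "download": False},
    # Public data: anyone, no posture requirement, download allowed.
    "public": {"groups": None, "mfa": False,
               "managed_device": False, "download": True},
}


def perimeter_authorize(req: Request) -> bool:
    """Legacy model: anything that reaches us from inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORP_NET


def zero_trust_authorize(req: Request) -> Tuple[bool, str]:
    """Evaluate every access against the data's own policy.

    Network location is deliberately not an input: the same rules apply
    whether the request comes from the office, a VPN or a coffee shop.
    """
    cls: Optional[str] = CLASSIFICATION.get(req.resource)
    if cls is None:
        return False, "unclassified resource: deny by default"
    rule = POLICY[cls]

    if rule["groups"] is not None and not (GROUPS.get(req.user, set()) & rule["groups"]):
        return False, f"{req.user} is not in an authorized group for {cls} data"
    if rule["mfa"] and not req.mfa:
        return False, "MFA required for this classification"

    if rule["managed_device"]:
        device = DEVICES.get(req.device_id)
        if device is None or not device["managed"]:
            return False, "request did not come from a managed device"
        if device["owner"] != req.user:
            # A valid credential presented from someone else's device is the
            # classic sign of a stolen credential; treat it as untrusted.
            return False, "credential used from a device bound to another user"
        if not device["disk_encrypted"]:
            return False, "device posture check failed: disk not encrypted"

    if req.action == "download" and not rule["download"]:
        return False, f"download of {cls} data is not permitted by policy"
    return True, "allowed"


if __name__ == "__main__":
    # Attacker with Alice's phished password and OTP, on the VPN, unmanaged laptop.
    stolen = Request("alice", "10.1.2.3", "unknown", True, "read",
                     "content/unreleased-film.mov")
    print("perimeter:", perimeter_authorize(stolen))
    print("zero trust:", zero_trust_authorize(stolen))
```

The stolen-credential request passes the perimeter check simply because it arrives from a corporate address, while the zero-trust check refuses it because the device is not in the inventory. Conversely, Alice working remotely from her managed laptop is refused by the perimeter model but allowed to read, and still not to download, the restricted file: the download rule is the “policy follows the data” point, enforced at the moment of use rather than only where the file is stored.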