By Joel de la Garza, Chief Security Officer, Box –
As more enterprises move critical services to the cloud, the traditional security model starts to break down. As a company, Box is living between two worlds, with a workforce that is fully cloud enabled and a product that runs in traditional data centers. Over the years, we’ve worked to develop a set of principles that help guide the way we secure our business. We used the Tao Te Ching by ancient Chinese philosopher Laozi as a guide, structuring our program around several pillars that adjust over time. We refer to our framework as the “Tao of Zero.”
Zero Trust: We start first from the concept of “Zero Trust.” This is not a new concept, it has been around in some form since the mid-1990s. Zero Trust is the belief that you should eliminate all implicit trust relationships in your environment. As we’ve seen from almost every hacker attack, intruders will use implicit trust relationships in your environment to jump from one area to another. As they move from area to area, or machine to machine, they work to establish persistence.
To defend against this sort of movement it is important that traditional perimeter based controls be rethought. It is a best practice to secure all devices and networks to the same level as anything you would put onto the public internet. By implementing a strategy of having policy follow content and pushing your security controls to your endpoints, you can move towards a Zero Trust position.
While building layers of security controls is important, data protection is equally critical. Our second principle, “Zero Knowledge,” is based on an almost religious belief that our customers’ data belongs to our customers and we should have zero knowledge of it. Achieving a Zero Knowledge world requires a tremendous investment in encryption.
Encryption of data in both transit and storage is paramount for protecting content in a cloud enabled world. It is also important that the encryption be applied directly to the data.
While encryption of the storage layer is a good preventative measure, encryption at the application level is even more critical.
As most security professionals know, the more security you apply to a solution, the worse the user experience becomes. It is often the case that the most secure solutions have the poorest user adoption. It is due to this unwritten law of security that we must always take user experience into account. We must have Zero Tolerance for bad user experience.
There are countless examples of security requirements getting in the way of user experience, driving users away from approved solutions and into “shadow IT.” The security team should strive to make the only way the secure way, but also work to eliminate friction.
While there are many challenges in moving to the cloud, the benefit is clear. This transformative moment in tech allows us the space to re-evaluate our legacy security strategies and move towards a nimbler model that can help us address these evolving risks. At the end of this journey we will likely find ourselves more innovative and safer.