Box: Why We're Configured the Way We Are
The University of Minnesota's Box Secure Storage may function differently than other university or personal Box accounts you have used. For example, Box features in Beta are not available in the University of Minnesota Box. Our instance of Box is configured specifically to protect sensitive data, including Protected Health Information (PHI) and identified research data. By default, free Box accounts do not meet these compliance requirements. If you are working with legally protected data that have specific contractual requirements such as Federal Information Security Management Act (FISMA), Box Secure Storage may not be the correct solution for your situation. Contact HST so we can consult with you and make sure Box Secure Storage meets your needs.
In order to provide this level of security for any University user with data that could benefit from it, Box Secure Storage has several unique security features. These features result in a more restrictive environment than free Box accounts or accounts at other universities, but meet best practices for the secure storage of sensitive information. These specific security features include:
- Duo Multi-Factor Authentication
- Restricted Links
- Security Checks for Box Drive and Box Sync
- Collaborator Review
- Account Inactivity
Data are encrypted on Box's servers ("at rest") and as they are sent over the network ("in transit") for access on the web. Encryption prevents the data from being read by unauthorized users if intercepted over the network or if accessed directly from the server hardware.
Box keeps logs of who opens, edits, or deletes files and when, as well as who has access to a given folder. You can view the most recent file actions and set email notifications when certain actions occur. Logging allows you to track and audit who has accessed or edited specific files and folders. Logs are critical security resources in the event of a data breach and for ensuring access controls are working correctly.
Signing on to Box requires both something you know (your UMN credentials) and something you have (a phone, mobile device, or fob set up with Duo). This multi-factor authentication provides an additional layer of security, helping to ensure your data stay secure if your UMN account is ever compromised.
Files and folders in Box can be shared with colleagues both inside and outside the University by adding them as collaborators on a folder. A variety of permission levels can be assigned to each collaborator, from full administrative to view-only rights. Collaborators can then access the files through their university's Box account or a free Box account. The security settings in Box will follow the owner of the data, so files shared with external Box accounts will be subject to the same security settings as the University of Minnesota's Box instance. Requiring collaborators to sign into an account is critical for logging; if data are shared with an "open link" or even a password protected link, it is not possible to verify who has accessed the file, which thwarts the security benefits of logging.
While files can be shared with a link, access via links are restricted to collaborators on the folder in which the file is located. This provides additional protection if the link was shared beyond the collaborator team and ensures file actions can be logged.
The Box Drive and Box Sync applications provide Desktop access to files stored in Box, allowing you to sync changes between your local computer and Box's cloud storage. However, to ensure the files are only synced to secure devices, Box Drive and Box Sync perform a security check before installing. Devices are required to have 1) full disk encryption, 2) a firewall, 3) an antivirus, 4) minimum OS version (Windows 7 sp1/OSX 10.10/IOS 9). This ensures your files are kept secure. Box Drive is the preferred application for working with files on your Desktop, but you should install Box Sync instead if you have a need to work with files offline.
To help ensure folders do not continue to be shared with collaborators who no longer need access, we will be sending out periodic reminders to review and update your collaborator access.
- You will need to respond to these emails to maintain your Box Secure Storage account.
After one year of inactivity on a Box account, your account will be disabled and the data will be archived. This will help ensure files do not continue to be shared with collaborators indefinitely, especially when projects become inactive.