I saw Box’s announcement of their Enterprise Key Management (EKM) feature yesterday. This is a big jump forward for Box and puts them firmly on the front lines of cloud security among vendors with real traction. Matt Weinberger had a good write-up of how Box’s EKM works, complete with a Ghostbusters reference.
Chris Walker wrote about Box’s EKM announcement and quoted a tweet of mine. The tweet follows, but I encourage you to go read his post, as it is a good one.
@chris_p_walker Some agencies require govt clearance to have access to encryption keys and/or be US citizen. Box can’t do that for workforce
— Laurence Hart (@piewords) February 10, 2015
I started to expand on the tweet above in a comment on Chris’s post, then couldn’t stop typing, so I decided to write it up here.
The Government has Rules
Obvious, right? Let me use the U.S. Citizenship and Immigration Services (USCIS) as an example. I was a contractor there on multiple projects and had to staff many roles on those projects. Let me tell you, it was challenging.
USCIS has a rule that only citizens can access certain data systems. The reason is that they don’t want a person whose benefits they are deciding to have access to the data. This is a legitimate rule, aimed not just at stopping corruption but at keeping any hint of corruption at bay. Defense and intelligence agencies likewise require clearances for access to classified information.
The IT staff has to meet those same requirements. For cloud vendors, that means THEIR admins would have to hold clearances and/or be citizens before they could manage that information. When a Box roadshow came through DC a few years back, the citizenship of Box’s employees was raised. Encryption was proposed as a solution but was shot down because those same non-citizen, uncleared people would still have access to the encryption keys.
The EKM solution fixes that problem. All content is encrypted with a customer-owned and customer-controlled key, so Box employees cannot access the content. They can still access metadata, which could be an issue, but not the content itself. The key lives in a secure appliance hosted by Amazon. That matters because the key is now beyond the reach of Box’s administrators.
It also matters because Amazon has a government cloud that has been through FedRAMP, which means encryption keys for government agencies could be stored there. In fact, if Box were to obtain its own FedRAMP certification, it would be able to operate freely across the U.S. Government.
This announcement is huge. I expect that this is just a first step to bigger things.
Good post, Laurence. Some of the points you make are precisely why orgs are going to have hybrid environments, at least for the foreseeable future.
EMC with IRM has had this technology for many years and it is proven in practice with numerous clients. This is nothing new.