Box, which filed for a US$250 million (£165 million) IPO just over a year ago, has enjoyed a rapid ascent in recent years, competing fiercely with Dropbox, Microsoft and others in the consumer and enterprise IT markets and winning millions of customers, including the likes of GE and Procter & Gamble, along the way.
The Redwood City-based firm held its Box World Tour in London last week, an event which saw the announcement of key new partners, including Lancaster and Dundee University, and Ritual Cosmetics. The topic of conversation veered from digital enterprise software to secure content management and collaboration.
Speaking after the event to SCMagazineUK.com, Whitney Bouck, general manager of enterprise and SVP of global marketing at Box, confirmed that Box was looking at opening data centres in the EU. “It's an ongoing investigation, and actually we will at some point, but it depends where and when,” she told SC.
Bouck added that the firm was “still in the process” of checking locations, and making sure servers "stand-up", but reiterated it was “an ongoing process” and that the firm was “not at the point of making an announcement”.
European data centres aren't required under the EU General Data Protection Regulation (GDPR), which is due to come into effect later this year, nor are they required under the current European data protection directive. However, there has been some pressure for US-based firms to have servers in Europe, at least for European customers, to shield them from further NSA surveillance.
The current European Directive stipulates that transfers of data outside the EEA can be done only to countries where there are adequate safeguards in place.
Speaking at the event last week, Box CEO Aaron Levie said that the company plans to build data centres for its web servers outside the US over the next 12-18 months, while Bouck added that Box's Enterprise Key Management (EKM) solution is sufficient for now, putting the private encryption keys in the hands of users and away from the cloud.
“It's bridging the gap for most companies, so they can manage their own encryption keys and they don't have to hand over any assets,” she said.
Some companies found this was more secure than on-premise systems, she said, while rejecting suggestions by some experts that the keys leave the hardware appliance.
On the legal front, Bouck says that Box is “working very closely with the EU and with country governments on EU law and Binding Corporate Rules (BCRs)”, which she says are increasingly replacing the Safe Harbor agreement for data privacy and security.
“My understanding is that Safe Harbor is viewed as a bit outdated now and that BCRs will replace it over time,” she said.
Mike Davis, principal analyst at MSMD Advisor, told SC however that Binding Rules only relate to the 1995 Directive and not necessarily to the incoming EU GDPR. "As we do not have the final version of the GDPR as of yet, Box may be compliant by following the Binding Rules, but it is a gamble. Given the EU's recent 'upping the ante' with the likes of Google, Binding Rules might be moot."
Experts have expressed concerns over existing legislation, including Safe Harbor, in light of the PRISM surveillance programme as uncovered by NSA whistleblower Edward Snowden, and Bouck conceded that all governments can still attempt, via court order, to get user data and encryption keys.
“[You] don't really have a choice in that matter, although fortunately those cases are rare,” said Bouck. Box didn't have any figures on government requests for data at the time of writing.
“It's actually been a very interesting process from [Edward] Snowden until now. Initially, we had zillions of questions on the Patriot Act and other government legislation. That was certainly true for the months that followed,” said Bouck. Most of these questions revolved around security, regulation, transparency and data ownership.
Interestingly, though, the major breaches at Target, JP Morgan Chase and Sony have had a greater impact, with cloud seen by some as the answer.
“It's fascinating – it's gone from a CIO or CISO matter to a board level discussion and that's a really good thing. It's also changed the conversation on on-premise systems,” said Bouck, adding that there was a realisation that cloud could be more secure, contrary to NSA "paranoia" post-Snowden.
The cloud provider claims to be up to speed on security alerts and says that it alerts its users to security warnings and downtimes, through status.box.com and other means. Even though no servers were vulnerable to Heartbleed, the firm sent emails warning users to change their passwords anyway.
The firm has recently started handing out "limitless" bug bounties, via HackerOne, to security researchers finding bugs on its web and mobile platforms.
Rik Ferguson, VP of security research at Trend Micro, said Safe Harbor will not survive in its current form.
“I think it is unavoidable that it will need to be overhauled or replaced. After all it was implemented to bring US organisations into compliance with a Data Protection Directive which is itself in the process of being upgraded – it would be foolish to assume that past compliance equals future compliance.
“BCRs are certainly more flexible than Safe Harbor, but of course pre-existing ones will also probably need to be updated for future compliance. What is important to note is that neither BCR nor Safe Harbor provide any protection from Patriot Act related shenanigans and the level of nervousness around that for EU organisations is only increasing.”
With the Microsoft-US DOJ case still rumbling through the Irish courts, Ferguson said the future of international data sharing and the cloud is still up in the air, with the ruling – when it comes – potentially a “real game-changer for doing business with US-based companies at all”.