Technical Controls

This page describes the technical controls in place for UNMC's Box data storage implementation. Note that the controls described below apply to the Box Service as a whole, not only to UNMC's tenant.

To ensure the security of your data within Box, we have implemented the following technical measures:

  1. User Identification: Box accounts use an individual user's email address to validate identity and do not support multiple accounts with the same email address. Box supports multi-factor authentication, which combines a one-time validation code with the user's credentials.
    For Box's own network, authentication is required to access resources on Box's production and corporate networks. The production network requires a separate login and password from the corporate network, and users must authenticate with two-factor authentication for the corporate and production environments separately. Box has also implemented monitoring to detect unmanaged systems that log onto its networks.

  2. Passwords: Users are required to create strong passwords that meet specific requirements: a minimum length of 14 characters, character-class complexity, a 180-day expiration, lockout after 3 failed login attempts, and the password may not contain the user ID.
    Box natively provides account management functions and security features that are configurable within the Admin Console of a customer's Box account, including configurable password parameters, multi-factor authentication, single sign-on (SSO), session lock and device pinning. For more information on the configurable password parameters, refer to the following Box Support article: https://support.box.com/hc/en-us/articles/4402040225427-Enterprise-Settings-Security-Tab

  3. Firewalls: Box uses a web application firewall (WAF) in blocking mode. The WAF also protects against Layer 7 (application-layer) attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS) and SQL injection.

  4. Encryption: Box's standard encryption uses a FIPS 140-2 Level 1 validated module. The validation is Cryptographic Module Validation Program (CMVP) certificate #3514, available at https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3514 . Note that the module is validated through a third party, which is why Box's name does not appear on the certificate page. Through this FIPS 140-2 validation process, Box demonstrates compliance with NIST SP 800-57, 'Recommendation for Key Management'. Content transmitted to and from the Box service via the Box web application, mobile applications and desktop clients is encrypted with TLS 1.2 or later in transit and with AES-256 at rest.

  5. Virtual Private Network (VPN): To access the systems supporting the Box Service, Box personnel must traverse the corporate network over VPN, authenticating with two-factor authentication (via a YubiKey), before they can authenticate to the production bastion host.

  6. Intrusion Detection System (IDS): Box uses Zeek (formerly known as BroIDS) for network intrusion detection. Suspicious activity that is detected generates alerts to the Security team. Alerts by the network intrusion detection system (NIDS) are reviewed in near real-time by the Security team and suspicious activity is blocked or resolved.