Cloud content management and collaboration company Box Inc. is helping customers to enable “zero-trust” policy enforcement by revamping its Box Device Trust service.

Box officials said the sudden shift to working at home has created a new security challenge for organizations, which need to keep their most valuable content secure while ensuring it can be accessed by employees’ devices outside of corporate boundaries.

Box believes the answer lies in the zero-trust security model, which was initiated by Google LLC and involves shifting access controls from the network perimeter to individual devices and users.

With zero trust, access control is no longer based on whether users are requesting access from inside or outside of the corporate network. Instead, it assumes that users requesting access from inside the network are just as untrustworthy as those seeking remote access.

As a result, access requests are granted based on details about the particular users, their jobs and the security status of the device they’re using. That allows employees to work securely from any location without the need for a traditional virtual private network.

Box Device Trust 2.0 is “a built-in device security posture assessment” that enables customers to specify granular ownership or security requirements for managed and personal devices in order to access files and documents stored in Box. The requirements for access are determined by Box’s users but could include things such as domain membership, device certificates or checks for disk encryption, antivirus software, operating system versions and device passcodes.

In a blog post announcing the revamped service, Jacques Besancon, Box’s senior product manager of threat detection, and group product marketing manager Eric Ren said Device Trust enables “flexible, enterprise-grade device security.” Features include robust device ownership validation, which requires the presence of an existing or dedicated client certificate signed, and more flexible ownership checks, allowing devices to meet one or all security requirements in hybrid information technology environments.

“If an employee loses their phone and it doesn’t have disk encryption or a passcode, your sensitive business content can easily fall into the wrong hands,” Besancon and Ren wrote. “With Device Trust, you don’t presume that personal devices are secure. You can verify the security posture before granting access to Box.”

The service also enables companies to track endpoints used to access box and test their security posture requirements via a new “audit mode,” Besancon and Ren said.

“The new “audit-only mode” allows admins to test Device Trust and evaluate the current state before rolling it out across their Box instance,” Besancon and Ren wrote. “In this mode, employees will still be able to access Box if their device fails the checks, but admins will be able to evaluate the test results. In early June, detailed reports will be available in the admin console, and results will be logged in the Box Events Stream and available via API.”

Constellation Research Inc. analyst Holger Mueller said this was an important addition to Box as security is of the utmost importance when it comes to document management. “With Device Trust adding new security measures, Box makes document management safer, and thus it makes the future of work safer for enterprises too,” he said.

Box said Device Trust 2.0 is available now for all Box Enterprise users at no additional cost.

Image: Box