Box – Security Best Practices for External Sharing on Content Collaboration Platforms

The Security Best Practices for External Sharing on Content Collaboration Platforms blog series examines the state of security for external sharing on the leading Content Collaboration Platforms (CCP). Each week we’ll review a different platform and make security best practice recommendations.


Box is a California-based public company that was founded in 2005 by Aaron Levie while a student at the University of Southern California. Unlike some of its competitors, most notably Dropbox, Box began life focused on the enterprise, with the result that many of its security controls are built around the concept of a Box administrator. Box’s stated goal is to be the “central repository for all enterprise content.” As of early 2018, Box has more than 41 million users, across 80,000 businesses, including approximately 60% of the Fortune 500. 

External Sharing Security Issues

Like most growing cloud companies, Box has had a few security issues. One of the more troubling ones was in early 2017 when a researcher discovered a vulnerability connected to Box’s Shared Links feature. This feature generates a URL each time an external user is invited by a managed user to collaborate. The URL can be used by anyone to access the shared file or folder. In some cases it was found that these URLs were indexed by Google and other search engines. By default the links were generated with editor-level permission granting the ability to view, download, upload, edit and rename the shared files. Blue Chip companies like Dell and Ford were found to have files exposed. The issue was quickly addressed by Box but this vulnerability underscores how collaborating beyond the walled garden of your enterprise CCP can be risky. Resolving this vulnerability will continue to be a challenge since enterprises will never have the same level of control over external users as they do over their own managed users.

Four External Sharing and Collaboration Security Best Practices

1 – Know your user types – Our first recommendation, identify your user base and make sure that users are appropriately categorized.  In general, high-frequency, deeply collaborative partners should be managed users since they require more control and oversight, while ephemeral users at partners can be external users, but don’t forget to set “time outs” on shared files.  Train your users to migrate completely to the better security of managed users if they deem it necessary. Converting 90% of a team to multi-factor authentication, but leaving one as a recipient of an “open” link, is a common way to degrade your security.

2 – Use collaborator settings wisely

A collaborator is an individual who has been invited into a folder. External collaborators are individuals who have a Box account but are not under the control of your enterprise Box administrator. While your Box administrator does not have direct control over these types of users there are certain security practices that should be followed. These include controlling a collaborator’s access level. Not every collaborator should have full editing permission, many times ‘view-only’ is more than sufficient. Another best practice is to set a default expiration date for all external collaboration. This way your enterprise can be assured that these relationships are finite and not left open-ended. Finally, it’s a good idea to make “Restrict external collaboration” the default for all your new managed users (see below). This setting forces your users to think about who they should be collaborating with and to seek permission from their Box administrator before this type of sharing can be enabled.

3 – Turn off (or limit) the Shared Links Feature

Shared Links as mentioned earlier allow a user to quickly share content with individuals –  both inside and outside of the enterprise. The external user does not need to have a Box account and Box does not keep a record of where these links are sent. As such Shared Links  are probably the feature most open to abuse when it comes to external collaboration. As with Collaborators there are a range of steps your Box administrator can take to protect your enterprise’s content. These steps include enabling ‘view-only’ access, adding a password and/or an expiration date. The most effective step, however is to consider restricting sharing completely.  We have learned that once a large number of shared links are “in the wild” it is hard to pull back the dangerous ones and keep open the good ones, since reporting is so limited. This and other settings are available in the Content & Sharing tab of the Box Admin Console (see below).

4 – Consider managing the identities of your external users. 

The Collaborative User approach is a very convenient (and free) option, but the security is left up to the recipient of the data, because it is their Box account not yours, and that does not always sit well with truly strict security organizations who want complete control of the security policies for their files.  Also, some corporations prefer not to buy managed user licenses for non-employees.  Resilient Access for Box™ was built to satisfy this need. Resilient provisions users for the sending entity which allows the sender to maintain full control over who and how each external user sees their data.  All of the functionality of the Box experience is maintained for the recipient, but now the security and reporting requirements are easy to customize to meet strict “as good as internal” policies.  See the short two minute video below for more detail on how Resilient can extend an enterprise’s security control to external users.

Play video

Other posts in the Security Best Practices for External Sharing blogseries