Adding a Box Instance

After completing the necessary configurations in Box, add or register the Box instance in Oracle CASB Cloud Service.

You can register a Box account in Oracle CASB Cloud Service in one of two ways:

  • In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Box deviate from Oracle CASB Cloud Service's stringent values.

  • In push security controls mode, Oracle CASB Cloud Service sets security control values (for example, values for password complexity, password history, user sessions, and multi-factor authentication) at registration time, and then later provides alerts when these settings deviate from your preferred values.

Adding a Box Instance (Monitor Only/Read Only)

Add or register your Box instance to Oracle CASB Cloud Service to be monitored, without the capability to push security configuration settings.

To register a Box instance with Oracle CASB Cloud Service, you need the user ID and password that belongs to a Box administrator with the appropriate privileges in the account that you want to monitor. This user must be dedicated to Oracle CASB Cloud Service.

Note:

This user must not be set up in Box to use multifactor authentication (MFA).

In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Box fall below Oracle CASB Cloud Service's preferred defaults. Oracle CASB Cloud Service monitors these settings in Box:

  • Password policies, authentication policies, and session settings: These are in the Box business settings page, Security tab.

  • Settings: These additional security settings are in the Box business settings page, Content & Sharing tab.

For more information, see Security Control Values for Box (Monitor Only/Read Only)

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.
  1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click Add/Modify App.
  3. In the Select an app type page, click the Oracle Cloud Infrastructure icon, and then click Next.
  4. On the Select an instance page:
    1. Enter a name for the instance in the Type a unique name... box.

      Any existing names appear below the name field.

    2. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

      Note:

      The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

    3. Click Next.

  5. In the Select monitoring type page, select Monitor only to have Oracle CASB Cloud Service monitor this application using its stringent settings.

    For more information, see Security Control Values for Box (Monitor Only/Read Only). Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch of any kind between its stringent settings and the actual settings in the Box instance.

  6. Click Next.
  7. In the Enter credentials page, your selections depend on how users log in to Box.
    How the Oracle CASB Cloud Service User Signs In to Box | What You Enter in the Credentials Page

    Directly Sign In to Box

    1. Click the Sign in with Box username and password option.

    2. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

      • User name. The username of the Oracle CASB Cloud Service user.

      • Password. The password of the Oracle CASB Cloud Service user.

    Single sign-on through Okta

    1. Click the Single sign-on option button.

    2. Click the Single Sign-on provider drop-down list, and then select Okta.

    3. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.
      • Username. The username of the Oracle CASB Cloud Service user.

      • Password. The password of the Oracle CASB Cloud Service user.

    4. Enter the Application ID. You can find this in the Okta console as follows: Go to Applications, Applications, Box.com, General, and under the App Embed Link field, copy the Box application ID portion of the link (for example, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, the number 0oa4a1a2a3a4a5a6a7 is the application ID).

    5. In the API key field, paste the API key that you created in Security, API.

    6. In the Identity provider URL field, paste the identity URL from Okta under Admin, Applications, Applications, Box.com, Sign On, settings link, Identity Provider Login URL (example: https://2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml).

    Single sign-on through Ping Identity

    1. Click the Single sign-on option.

    2. Click the Single Sign-on provider drop-down list, and then select Ping.

    3. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.
      • Username. The username of the Oracle CASB Cloud Service user.

      • Password. The password of the Oracle CASB Cloud Service user.

    4. In the Username form field text box, enter the username form field parameter that’s used in your Ping Federate login template.

    5. In the Password form field text box, enter the password form field parameter that’s used in your Ping Federate login template.

    6. In the Application ID field, enter the SAML ID for your Box account in PingOne. You can find this in the saasID field in PingOne, under connection parameters.

    7. In the Identity provider URL field, paste the value of the Initiate Single Sign-On (SSO) URL field of the connection parameters in PingOne.

  8. If you want to enable this Box instance to bypass restrictions against third-party applications that exfiltrate data (transmit data back out of your firewall), copy the API key value to a temporary location where it will be available in a few steps.
  9. When you are done entering your credentials, click Test Credentials. It can take a minute or two for the application to receive and accept your credentials.
  10. When testing is done, you see a success message. Click Next.
  11. Click Done.

    When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

  12. If you copied the API key value so that you can enable the Box instance you just created to bypass restrictions against third-party applications that exfiltrate data:
    1. Copy the API key value from the temporary location.
    2. Log in to your Box account and go to the administrative console.
    3. Click the gear icon in the upper right corner to open the Settings menu, and then select Business Settings.
    4. Click Apps in the row of options below the Box header.
    5. In the Application Settings section, next to Unpublished Applications, select Disable apps by default.
    6. Paste the API key value into the Except for box and click Save.

Next Steps

If you are implementing data protection for this Box instance:

Security Control Values for Box (Monitor Only/Read Only)

Review the Box security controls that Oracle CASB Cloud Service monitors in monitor-only mode, together with the values for their stringent settings.

After registering the Box instance in monitor-only mode, Oracle CASB Cloud Service scans the following security control values in Box and displays security control alerts if your values are different from Oracle CASB Cloud Service's preferred values. These values correspond to the Stringent setting when you register this application instance in push control values mode.

Note:

A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account, an enterprise account, and whether the account has the Box Governance Package.
Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description

Password policy

Minimum required characters

10

The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices.

Password policy 

Require number(s)

2

Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in user passwords or passphrases. This is a best practice.

Password policy 

Require special character(s)

1

Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one special character in user passwords or passphrases. This is a best practice.

Password policy 

Require at least one uppercase letter

On

Requiring uppercase letters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase letter in users' passwords or passphrases. This is a best practice.

Password policy 

Prevent common words / email address as a password

On

Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice.

Password policy 

Password resets: Require users to reset passwords every

30 days

Password expiration limits your exposure to credential compromise by limiting the time available to a hacker to break hashed or encrypted credentials. Password expiration dates limit the time that a malicious actor can keep a foothold in your systems and networks.

Password policy 

Prevent reusing passwords from

Last 10 times

Limiting users' ability to reuse previous passwords and passphrases helps increase their variations and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords).

Password policy

Notify admins when users request a forget password email

On

You can configure Box to notify administrators whenever users initiate a password reset flow.

Password policy

Notify admins when users change passwords in Settings

On

You can configure Box to notify admins when users change their passwords.

Password policy

Require strong passwords for external collaborators

On

You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack.

Authentication policies

The number of failed login attempts before admin is notified

3

You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute-force attack (an attempt to gain control of a password by guessing it).

Authentication policies

Prevent users from using the "Keep me signed in" feature

On

Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session.

Session policies

Duration a user can remain logged in without activity before being logged out

30 minutes

You can set limits on the amount of time a session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session.

Settings

Allow users to sign up on their own

Off

You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up.

Settings

When new users are added, email admins

Immediately

You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay.

Settings

Prevent users from changing their primary email address

On

You can prevent users from changing their primary email address.

Settings

Enable external links to

Nothing, restrict sharing

You can prevent users from sharing links with people who are external to this Box account.

Settings

Enable external links with these access options

People in the folder only

Box lets you disable the ability of users to share link URLs to anyone the users choose.

Settings

Default new links to

People in this folder

Box allows you to give access to new links to people who already have access to the parent folder or to anyone who is given a link to the folder.

Settings

Let link viewers

Preview the shared items only

You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item.

Settings

Allow custom shared link URLs for links with open access

Off

You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item.

Settings

Show your custom domain in shared link URLs

Off

You can prevent users from displaying custom domain URLs when they share links to Box resources.

Settings

Restrict tag creation

admins and co-admins only

You can control the tags in use in your organization by restricting tag creation to administrators.

Settings

Enable tag filtering

On

Box gives users the ability to filter files and folders by tag and by name.

Settings

Number of days after which shared links are automatically disabled

30 days

Box lets you set an expiration period for shared links.

Settings

Number of days before you notify users of link expiration

7 days

Box lets you specify how soon users are notified after a link expires.

Settings

Enable Trash

On

Box lets you give users the ability to delete files through the Trash function.

Settings

People who can permanently delete content in Trash

Admin only

Box lets you control which users are allowed to permanently empty the Trash folder.

Settings

Trash is automatically deleted after

90 days

Box lets you set a time interval for automatically emptying the Trash folder.

Settings

Allow users to see all managed users

Off

Box lets you restrict the ability of users to view other Box users.

Settings

Device limits - exempt users from Max # of device logins

1

Box lets you override device pinning, which means limiting the number of devices that users can log in from.

Settings

Restrict external collaboration

On

Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account.

Settings

Require Apps to use SSL

On

Box lets you require SSL to encrypt communications between Box and integrated web applications.

Settings

Save files on device

Restrict

Box lets you prevent users from downloading files for offline use.

Settings

Require apps password lock

After 1 minute of inactivity

Box lets you force users to re-authenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen.

Settings

Allow external users to collaborate on folders/files

Off

Box lets you restrict sharing files and folders with users outside of this Box account.

Settings

Restrict Invites

On

Box allows you to restrict this permission to only owners and co-owners of a folder.

Settings

Enable Invite links (Allow users to invite collaborators using links)

Off

Box allows you to control whether users can invite collaborators using links to Box resources.
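
The comparison that monitor-only mode performs can be reproduced offline for an audit. The following Python code is an added example, not Oracle or Box code. It assumes the current settings were transcribed by hand from the Box business settings pages into a dictionary keyed by control name; the snapshot format, the SAMPLE values, and the stricter/weaker labels are assumptions (Oracle CASB Cloud Service alerts on any difference).

```python
import re

# Stringent values copied from the table above (a subset of its rows).
# The second field is an assumption added for triage, not part of the page:
# "min" = larger is stricter, "max" = smaller is stricter, None = exact match.
BASELINE = {
    "Minimum required characters": ("10", "min"),
    "Require number(s)": ("2", "min"),
    "Require special character(s)": ("1", "min"),
    "Require at least one uppercase letter": ("On", None),
    "Password resets: Require users to reset passwords every": ("30 days", "max"),
    "Prevent reusing passwords from": ("Last 10 times", "min"),
    "The number of failed login attempts before admin is notified": ("3", "max"),
    "Duration a user can remain logged in without activity before being logged out":
        ("30 minutes", "max"),
    "Allow users to sign up on their own": ("Off", None),
    "Number of days after which shared links are automatically disabled":
        ("30 days", "max"),
    "Require Apps to use SSL": ("On", None),
    "Restrict external collaboration": ("On", None),
    "Allow external users to collaborate on folders/files": ("Off", None),
    "Enable Invite links (Allow users to invite collaborators using links)":
        ("Off", None),
}

_UNIT_MINUTES = {"minute": 1, "hour": 60, "day": 1440}


def _quantity(text):
    """Return the first number in text (durations converted to minutes), or None."""
    m = re.search(r"(\d+)\s*([a-z]+)?", text.lower())
    if m is None:
        return None
    unit = (m.group(2) or "").rstrip("s")
    return int(m.group(1)) * _UNIT_MINUTES.get(unit, 1)


def check(snapshot):
    """Compare a settings snapshot with BASELINE.

    Returns a list of (control, expected, actual, verdict) tuples. Every
    difference is reported. A control missing from the snapshot is listed as
    "not reported" because some controls are not available in every account type.
    """
    findings = []
    for name, (expected, direction) in BASELINE.items():
        actual = snapshot.get(name)
        if actual is None:
            findings.append((name, expected, None, "not reported"))
            continue
        if actual.strip().lower() == expected.lower():
            continue
        verdict = "mismatch"
        want, got = _quantity(expected), _quantity(actual)
        if direction and want is not None and got is not None:
            if got == want:  # same quantity written differently
                continue
            if direction == "min":
                verdict = "stricter" if got > want else "weaker"
            else:
                verdict = "stricter" if got < want else "weaker"
        findings.append((name, expected, actual, verdict))
    return findings


# Constructed sample snapshot (not taken from a real Box account).
SAMPLE = {
    "Minimum required characters": "8",
    "Require number(s)": "2",
    "Require special character(s)": "1",
    "Require at least one uppercase letter": "On",
    "Password resets: Require users to reset passwords every": "90 days",
    "Prevent reusing passwords from": "Last 12 times",
    "The number of failed login attempts before admin is notified": "3",
    "Duration a user can remain logged in without activity before being logged out":
        "2 hours",
    "Allow users to sign up on their own": "Off",
    "Number of days after which shared links are automatically disabled": "30 days",
    "Require Apps to use SSL": "Off",
    "Restrict external collaboration": "On",
    "Allow external users to collaborate on folders/files": "Off",
    # "Enable Invite links ..." is deliberately absent from this snapshot.
}

if __name__ == "__main__":
    for control, expected, actual, verdict in check(SAMPLE):
        print(f"{verdict:12} {control}: expected {expected!r}, found {actual!r}")
```
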

Adding a Box Instance (Push Controls/Read-Write)

Add or register your Box instance to Oracle CASB Cloud Service to be monitored, and with the capability to push security configuration settings.

To register a Box instance with the Oracle CASB Cloud Service, you need the user ID and password that belongs to a Box administrator with the appropriate privileges in the account that you want to monitor. This user must be dedicated to the Oracle CASB Cloud Service.

Note:

This user must not be set up in Box to use multifactor authentication (MFA).

In push security controls mode, Oracle CASB Cloud Service checks various security control values in the Box instance, and sets them to the values that you set at registration time. Later, you receive notifications when these security configuration settings change.

Oracle CASB Cloud Service monitors these settings in Box:

  • Password policies, authentication policies, and session settings: These are in the Box business settings page, Security tab.

  • Settings: These additional security settings are in the Box business settings page, Content & Sharing tab.

For more information about the security controls that can be pushed to Box, see Security Control Values for Box (Push Controls/Read-Write).

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.
  1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click Add/Modify App.
  3. In the Select an app type page, click the icon for the type of application you want to register and click Next.
  4. On the Select an instance page:
    1. Enter a name for the instance in the Type a unique name... box.

      Any existing names appear below the name field.

    2. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

      Note:

      The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

    3. Click Next.

  5. In the Select monitoring type page, select Push controls and monitor to have Oracle CASB Cloud Service set your preferred values in the application and subsequently monitor for deviations from these values.

    Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch between the selections that you make on this page and the settings in the Box instance.

  6. Click Next.
  7. In the Select security controls page, select the type of security controls you want Oracle CASB Cloud Service to push:
    • Standard. Ensure that these values are set to the application's own defaults.

    • Stringent. Ensure that these values are set to stronger-than-default values.

    • Custom. Lets you set the values.

  8. Click Next.
  9. In the Enter credentials page, your selections depend on how users log in to Box.
    How Users Sign In to Box | What You Enter in the Oracle CASB Cloud Service Registration Page

    Directly Sign In to Box

    1. Select Sign in with Box username and password.

    2. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.
      • User name. The username of the Oracle CASB Cloud Service user.

      • Password. The password of the Oracle CASB Cloud Service user.

    Single sign-on through Okta

    1. Select Single sign-on.

    2. Set Single Sign-on provider to Okta.

    3. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.
      • User name. The username of the Oracle CASB Cloud Service user.

      • Password. The password of the Oracle CASB Cloud Service user.

    4. Enter the Application ID. You can find this in the Okta console as follows: Go to Applications, Applications, Box.com, General, and under the App Embed Link field, copy the Box application ID portion of the link (for example, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, the number 0oa4a1a2a3a4a5a6a7 is the application ID).

    5. In the API key field, paste the API key that you created in Security, API.

    6. In the Identity provider URL field, paste the identity URL from Okta under Admin, Applications, Applications, Box.com, Sign On, settings link, Identity Provider Login URL (example: https://2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml).

    Single sign-on through Ping Identity

    1. Select Single sign-on.

    2. Set Single Sign-on provider to Ping.

    3. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.
      • User name. The username of the Oracle CASB Cloud Service user.

      • Password. The password of the Oracle CASB Cloud Service user.

    4. In the Username form field text box, enter the username form field parameter that is used in your Ping Federate login template.

    5. In the Password form field text box, enter the password form field parameter that is used in your Ping Federate login template.

    6. In the Application ID field, enter the SAML ID for your Box account in PingOne. You can find this in the saasID field in PingOne, under connection parameters.

    7. In the Identity provider URL field, paste the value of the Initiate Single Sign-On (SSO) URL field of the connection parameters in PingOne.

  10. If you want to enable this Box instance to bypass restrictions against third-party applications that exfiltrate data (transmit data back out of your firewall), copy the API key value to a temporary location where it will be available in a few steps.
  11. When you are done entering your credentials, click Test Credentials.

    It can take a minute or two for the application to receive and accept your credentials.

  12. When testing is done, you see a success message. Click Next.
  13. Click Done.

    When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

  14. If you copied the API key value so that you can enable the Box instance you just created to bypass restrictions against third-party applications that exfiltrate data:
    1. Copy the API key value from the temporary location.
    2. Log in to your Box account and go to the administrative console.
    3. Click the gear icon in the upper right corner to open the Settings menu, and then select Business Settings.
    4. Click Apps in the row of options below the Box header.
    5. In the Application Settings section, next to Unpublished Applications, select Disable apps by default.
    6. Paste the API key value into the Except for box and click Save.

Next Steps

If you are implementing data protection for this Box instance:

Security Control Values for Box (Push Controls/Read-Write)

Review the Box security controls that Oracle CASB Cloud Service monitors for push-controls mode, together with the values for their stringent settings.

After you register the Box instance in push controls mode, Oracle CASB Cloud Service sets your selected security control values in the Box instance. Later, it displays security control alerts if anyone changes the values.

The following describes stringent settings. You also can define custom settings.

Note:

A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account, an enterprise account, and whether the account has the Box Governance Package.
Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description

Password policy

Minimum required characters

10

The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices.

Password policy 

Require number(s)

2

Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in user passwords or passphrases. This is a best practice.

Password policy 

Require special character(s)

1

Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one special character in user passwords or passphrases. This is a best practice.

Password policy 

Require at least one uppercase letter

On

Requiring uppercase characters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase character in users' passwords or passphrases. This is a best practice.

Password policy 

Prevent common words / email address as a password

On

Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice.

Password policy 

Password resets: Require users to reset passwords every

30 days

Password expiration limits your exposure to credential compromise by limiting the time available to a hacker to break hashed or encrypted credentials. Password expiration dates limit the time that a malicious actor can keep a foothold in your systems and networks.

Password policy 

Prevent reusing passwords from

Last 10 times

Limiting users' ability to reuse previous passwords and passphrases helps increase their variations and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords).

Password policy

Notify admins when users request a forget password email

On

You can configure Box to notify administrators whenever users initiate a password reset flow.

Password policy

Notify admins when users change passwords in Settings

On

You can configure Box to notify admins when users change their passwords.

Password policy

Require strong passwords for external collaborators

On

You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack.

Authentication policies

The number of failed login attempts before admin is notified

3

You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute-force attack (an attempt to gain control of a password by guessing it).

Authentication policies

Prevent users from using the "Keep me signed in" feature

On

Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session.

Session policies

Duration a user can remain logged in without activity before being logged out

30 minutes

You can set limits on the amount of time a session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session.

Settings

Allow users to sign up on their own

Off

You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up.

Settings

When new users are added, email admins

Immediately

You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay.

Settings

Prevent users from changing their primary email address

On

You can prevent users from changing their primary email address.

Settings

Enable external links to

Nothing, restrict sharing

You can prevent users from sharing links with people who are external to this Box account.

Settings

Enable external links with these access options

People in the folder only

Box lets you disable the ability of users to share URLs with anyone the users choose.

Settings

Default new links to

People in this folder

Box allows you to default new links to people who already have access to the parent folder or to anyone who is given a link to the folder.

Settings

Let link viewers

Preview the shared items only

You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item.

Settings

Allow custom shared link URLs for links with open access

Off

You can allow people who have links to items in Box to either preview the items only or both preview and download the shared item.

Settings

Show your custom domain in shared link URLs

Off

You can prevent users from displaying custom domain URLs when they share links to Box resources.

Settings

Restrict tag creation

admins and co-admins only

You can control the tags in use in your organization by restricting tag creation to administrators.

Settings

Enable tag filtering

On

Box gives users the ability to filter files and folders by tag and by name.

Settings

Number of days after which shared links are automatically disabled

30 days

Box lets you set an expiration period for shared links.

Settings

Number of days before you notify users of link expiration

7 days

Box lets you specify how soon users are notified after a link expires.

Settings

Enable Trash

On

Box lets you give users the ability to delete files through the Trash function.

Settings

People who can permanently delete content in Trash

Admin only

Box lets you control which users are allowed to permanently empty the Trash.

Settings

Trash is automatically deleted after

90 days

Box lets you set a time interval for automatically emptying the Trash.

Settings

Allow users to see all managed users

Off

Box lets you restrict the ability of users to view other Box users.

Settings

Device limits - exempt users from Max # of device logins

1

Box lets you override device pinning, which means limiting the number of devices that users can log in from.

Settings

Restrict external collaboration

On

Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account.

Settings

Require Apps to use SSL

On

Box lets you require SSL to encrypt communications between Box and integrated web applications.

Settings

Save files on device

Restrict

Box lets you prevent users from downloading files for offline use.

Settings

Require apps password lock

After 1 minute of inactivity

Box lets you force users to re-authenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen.

Settings

Allow external users to collaborate on folders/files

Off

Box lets you restrict sharing files and folders with users outside of this Box account.

Settings

Restrict Invites

On

Box allows you to restrict this permission to only owners and co-owners of a folder.

Settings

Enable Invite links (Allow users to invite collaborators using links)

Off

Box allows you to control whether users can invite collaborators using links to Box resources.

Example: Box Controls for SSL, Session Length, and Folder Sharing

View an example of the steps to set specific custom security control values.

Organizations frequently require Box files to be encrypted in transit, require user sessions to have a 30-minute timeout, and restrict Box file and folder sharing unless an administrator grants specific permissions to select users and groups.

You can push security controls to Box to require SSL, limit session length, and control folder sharing.

Note:

After configuring these settings in Oracle CASB Cloud Service, you must then configure access rights in Box. Create groups in Box, set the access rights for each folder, and then grant membership to users who are allowed to access the folder.
  1. In the Oracle CASB Cloud Service console, select Applications, Add/Modify App, Register an app instance.

  2. On the Select an app type page, click the Box icon, and click Next.

  3. On the Select an instance page, enter a name for your Box instance and click Next.

    Names of any existing Box application instances appear below your entry.

  4. On the Select monitoring type page, select Push controls and monitoring, and then click Next.

  5. On the Select security controls page, select Custom:

    • To limit session duration, expand Session Policies, and set the Duration a user can remain logged in without activity before being logged out to 30 minutes.

    • To force the use of SSL, expand Settings and ensure that Require Apps to use SSL is enabled.

    • To enforce file and folder sharing restrictions, expand the Settings accordion and configure these settings:

      • Set Restrict external collaboration to On (default).

      • Set Allow external users to collaborate on folders/files to Off.

      • Set Enable Invite links (Allow users to invite collaborators using links) to Off.

      Note:

      After completing this task, to allow users to work on Box files and folders, you must add them to privileged groups in the target Box account.
    • When your Custom security control selections are complete, select the I understand and explicitly approve. . . check box, and then click Next.

  6. On the Enter credentials page, select the user sign-on method, enter the required information, and then click Test Credentials.

  7. When testing is completed successfully, click Submit.

  8. Your security control settings are pushed out to the Box instance. If at any time someone changes these settings in Box, you are notified through Risk Events in the Oracle CASB Cloud Service console.

Detecting and Managing Violations of Security Controls in Example

Find violations in Risk Events, view the details, and resolve violations appropriately.

After you set up security controls, you must manage any violations.

After you add the application instance with the example security controls, the service detects when violations occur. You can have Oracle CASB Cloud Service lock out users who are logged in too long, or you can manually lock out the users.

  1. In your Box account, mimic a user who is logged in for more than 30 minutes.
  2. In the Oracle CASB Cloud Service console, select Risk Events, and search for events related to your application instance.
  3. Click anywhere in an event of interest to expand it.
  4. Determine whether the event appears to violate your security settings.

    For example, look for the Box user whose session is longer than 30 minutes.

  5. If the event is of interest:
    • Select Action, View Incident.

    • In the View Incident dialog box, click Edit Incident.

    • In the Edit Incident dialog box, click Resolve.

    • In the Incident#... dialog box, if Oracle CASB Cloud Service or another system can resolve the incident automatically, then the Auto remediation option is available. To delegate remediation to Oracle CASB Cloud Service, select Auto remediation. If the Auto remediation option is not available, or you want to fix the Box instance setting manually, then select Manual remediation.

    • Click Resolve Incident. If you selected Manual remediation, then remember to fix the Box instance setting manually.