Adding a Box Instance
After completing the necessary configurations in Box, add or register the Box instance in Oracle CASB Cloud Service.
You can register a Box account in Oracle CASB Cloud Service in one of two ways:
- In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Box deviate from Oracle CASB Cloud Service's stringent values.
- In push security controls mode, Oracle CASB Cloud Service sets security control values (for example, values for password complexity, password history, user sessions, and multi-factor authentication) at registration time, and then later provides alerts when these settings deviate from your preferred values.
Adding a Box Instance (Monitor Only/Read Only)
Add or register your Box instance to Oracle CASB Cloud Service to be monitored, without the capability to push security configuration settings.
To register a Box instance with Oracle CASB Cloud Service, you need the user ID and password that belong to a Box administrator with the appropriate privileges in the account that you want to monitor. This user must be dedicated to Oracle CASB Cloud Service.
Note:
This user must not be set up in Box to use multifactor authentication (MFA).
In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Box fall below Oracle CASB Cloud Service's preferred defaults. Oracle CASB Cloud Service monitors these settings in Box:
- Password policies, authentication policies, and session settings: These are in the Box business settings page, Security tab.
- Settings: These additional security settings are in the Box business settings page, Content & Sharing tab.
For more information, see Security Control Values for Box (Monitor Only/Read Only).
Note:
You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn't provide any additional information.
Security Control Values for Box (Monitor Only/Read Only)
Review the Box security controls that Oracle CASB Cloud Service monitors in monitor-only mode, together with the values for their stringent settings.
After registering the Box instance in monitor-only mode, Oracle CASB Cloud Service scans the following security control values in Box and displays security control alerts if your values are different from Oracle CASB Cloud Service's preferred values. These values correspond to the Stringent setting when you register this application instance in push control values mode.
Note:
A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account or an enterprise account, and whether the account has the Box Governance Package.
Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description |
---|---|---|---|
Password policy | Minimum required characters | 10 | The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices. |
Password policy | Require number(s) | 2 | Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in user passwords or passphrases. This is a best practice. |
Password policy | Require special character(s) | 1 | Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one special character in user passwords or passphrases. This is a best practice. |
Password policy | Require at least one uppercase letter | On | Requiring uppercase letters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase letter in users' passwords or passphrases. This is a best practice. |
Password policy | Prevent common words / email address as a password | On | Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice. |
Password policy | Password resets: Require users to reset passwords every | 30 days | Password expiration limits your exposure to credential compromise by limiting the time available to a hacker to break hashed or encrypted credentials. Password expiration dates limit the time that a malicious actor can keep a foothold in your systems and networks. |
Password policy | Prevent reusing passwords from | Last 10 times | Limiting users' ability to reuse previous passwords and passphrases helps increase their variations and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords). |
Password policy | Notify admins when users request a forget password email | On | You can configure Box to notify administrators whenever users initiate a password reset flow. |
Password policy | Notify admins when users change passwords in Settings | On | You can configure Box to notify admins when users change their passwords. |
Password policy | Require strong passwords for external collaborators | On | You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack. |
Authentication policies | The number of failed login attempts before admin is notified | 3 | You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute-force attack (an attempt to gain control of a password by guessing it). |
Authentication policies | Prevent users from using the "Keep me signed in" feature | On | Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session. |
Session policies | Duration a user can remain logged in without activity before being logged out | 30 minutes | You can set limits on the amount of time a session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session. |
Settings | Allow users to sign up on their own | Off | You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up. |
Settings | When new users are added, email admins | Immediately | You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay. |
Settings | Prevent users from changing their primary email address | On | You can prevent users from changing their primary email address. |
Settings | Enable external links to | Nothing, restrict sharing | You can prevent users from sharing links with people who are external to this Box account. |
Settings | Enable external links with these access options | People in the folder only | Box lets you disable the ability of users to share link URLs with anyone the users choose. |
Settings | Default new links to | People in this folder | Box allows you to give access to new links to people who already have access to the parent folder or to anyone who is given a link to the folder. |
Settings | Let link viewers | Preview the shared items only | You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item. |
Settings | Allow custom shared link URLs for links with open access | Off | You can prevent users from creating custom shared link URLs for links with open access. |
Settings | Show your custom domain in shared link URLs | Off | You can prevent users from displaying custom domain URLs when they share links to Box resources. |
Settings | Restrict tag creation | admins and co-admins only | You can control the tags in use in your organization by restricting tag creation to administrators. |
Settings | Enable tag filtering | On | Box gives users the ability to filter files and folders by tag and by name. |
Settings | Number of days after which shared links are automatically disabled | 30 days | Box lets you set an expiration period for shared links. |
Settings | Number of days before you notify users of link expiration | 7 days | Box lets you specify how far in advance users are notified before a link expires. |
Settings | Enable Trash | On | Box lets you give users the ability to delete files through the Trash function. |
Settings | People who can permanently delete content in Trash | Admin only | Box lets you control which users are allowed to permanently empty the Trash folder. |
Settings | Trash is automatically deleted after | 90 days | Box lets you set a time interval for automatically emptying the Trash folder. |
Settings | Allow users to see all managed users | Off | Box lets you restrict the ability of users to view other Box users. |
Settings | Device limits - exempt users from Max # of device logins | 1 | Box lets you override device pinning, which means limiting the number of devices that users can log in from. |
Settings | Restrict external collaboration | On | Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account. |
Settings | Require Apps to use SSL | On | Box lets you require SSL to encrypt communications between Box and integrated web applications. |
Settings | Save files on device | Restrict | Box lets you prevent users from downloading files for offline use. |
Settings | Require apps password lock | After 1 minute of inactivity | Box lets you force users to re-authenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen. |
Settings | Allow external users to collaborate on folders/files | Off | Box lets you restrict sharing files and folders with users outside of this Box account. |
Settings | Restrict Invites | On | Box allows you to restrict this permission to only owners and co-owners of a folder. |
Settings | Enable Invite links (Allow users to invite collaborators using links) | Off | Box allows you to control whether users can invite collaborators using links to Box resources. |
Adding a Box Instance (Push Controls/Read-Write)
Add or register your Box instance to Oracle CASB Cloud Service to be monitored, and with the capability to push security configuration settings.
To register a Box instance with Oracle CASB Cloud Service, you need the user ID and password that belong to a Box administrator with the appropriate privileges in the account that you want to monitor. This user must be dedicated to Oracle CASB Cloud Service.
Note:
This user must not be set up in Box to use multifactor authentication (MFA).
In push security controls mode, Oracle CASB Cloud Service checks various security control values in the Box instance, and sets them to the values that you set at registration time. Later, you receive notifications when these security configuration settings change.
Oracle CASB Cloud Service monitors these settings in Box:
- Password policies, authentication policies, and session settings: These are in the Box business settings page, Security tab.
- Settings: These additional security settings are in the Box business settings page, Content & Sharing tab.
For more information about the security controls that can be pushed to Box, see Security Control Values for Box (Push Controls/Read-Write).
Note:
You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn't provide any additional information.
Security Control Values for Box (Push Controls/Read-Write)
Review the Box security controls that Oracle CASB Cloud Service monitors in push-controls mode, together with the values for their stringent settings.
After you register the Box instance in push-controls mode, Oracle CASB Cloud Service sets your selected security control values in the Box instance. Later, it displays security control alerts if anyone changes the values.
The following table describes the stringent settings. You can also define custom settings.
Note:
A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account or an enterprise account, and whether the account has the Box Governance Package.
Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description |
---|---|---|---|
Password policy | Minimum required characters | 10 | The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices. |
Password policy | Require number(s) | 2 | Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in user passwords or passphrases. This is a best practice. |
Password policy | Require special character(s) | 1 | Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one special character in user passwords or passphrases. This is a best practice. |
Password policy | Require at least one uppercase letter | On | Requiring uppercase characters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase character in users' passwords or passphrases. This is a best practice. |
Password policy | Prevent common words / email address as a password | On | Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice. |
Password policy | Password resets: Require users to reset passwords every | 30 days | Password expiration limits your exposure to credential compromise by limiting the time available to a hacker to break hashed or encrypted credentials. Password expiration dates limit the time that a malicious actor can keep a foothold in your systems and networks. |
Password policy | Prevent reusing passwords from | Last 10 times | Limiting users' ability to reuse previous passwords and passphrases helps increase their variations and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords). |
Password policy | Notify admins when users request a forget password email | On | You can configure Box to notify administrators whenever users initiate a password reset flow. |
Password policy | Notify admins when users change passwords in Settings | On | You can configure Box to notify admins when users change their passwords. |
Password policy | Require strong passwords for external collaborators | On | You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack. |
Authentication policies | The number of failed login attempts before admin is notified | 3 | You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute-force attack (an attempt to gain control of a password by guessing it). |
Authentication policies | Prevent users from using the "Keep me signed in" feature | On | Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session. |
Session policies | Duration a user can remain logged in without activity before being logged out | 30 minutes | You can set limits on the amount of time a session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session. |
Settings | Allow users to sign up on their own | Off | You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up. |
Settings | When new users are added, email admins | Immediately | You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay. |
Settings | Prevent users from changing their primary email address | On | You can prevent users from changing their primary email address. |
Settings | Enable external links to | Nothing, restrict sharing | You can prevent users from sharing links with people who are external to this Box account. |
Settings | Enable external links with these access options | People in the folder only | Box lets you disable the ability of users to share URLs with anyone the users choose. |
Settings | Default new links to | People in this folder | Box allows you to default new links to people who already have access to the parent folder or to anyone who is given a link to the folder. |
Settings | Let link viewers | Preview the shared items only | You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item. |
Settings | Allow custom shared link URLs for links with open access | Off | You can prevent users from creating custom shared link URLs for links with open access. |
Settings | Show your custom domain in shared link URLs | Off | You can prevent users from displaying custom domain URLs when they share links to Box resources. |
Settings | Restrict tag creation | admins and co-admins only | You can control the tags in use in your organization by restricting tag creation to administrators. |
Settings | Enable tag filtering | On | Box gives users the ability to filter files and folders by tag and by name. |
Settings | Number of days after which shared links are automatically disabled | 30 days | Box lets you set an expiration period for shared links. |
Settings | Number of days before you notify users of link expiration | 7 days | Box lets you specify how far in advance users are notified before a link expires. |
Settings | Enable Trash | On | Box lets you give users the ability to delete files through the Trash function. |
Settings | People who can permanently delete content in Trash | Admin only | Box lets you control which users are allowed to permanently empty the Trash. |
Settings | Trash is automatically deleted after | 90 days | Box lets you set a time interval for automatically emptying the Trash. |
Settings | Allow users to see all managed users | Off | Box lets you restrict the ability of users to view other Box users. |
Settings | Device limits - exempt users from Max # of device logins | 1 | Box lets you override device pinning, which means limiting the number of devices that users can log in from. |
Settings | Restrict external collaboration | On | Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account. |
Settings | Require Apps to use SSL | On | Box lets you require SSL to encrypt communications between Box and integrated web applications. |
Settings | Save files on device | Restrict | Box lets you prevent users from downloading files for offline use. |
Settings | Require apps password lock | After 1 minute of inactivity | Box lets you force users to re-authenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen. |
Settings | Allow external users to collaborate on folders/files | Off | Box lets you restrict sharing files and folders with users outside of this Box account. |
Settings | Restrict Invites | On | Box allows you to restrict this permission to only owners and co-owners of a folder. |
Settings | Enable Invite links (Allow users to invite collaborators using links) | Off | Box allows you to control whether users can invite collaborators using links to Box resources. |
Example: Box Controls for SSL, Session Length, and Folder Sharing
Review an example of the steps to set custom security control values.
Organizations frequently require Box files to be encrypted in transit, require user sessions to have a 30-minute timeout, and restrict Box file and folder sharing unless an administrator grants specific permissions to select users and groups.
You can push security controls to Box to require SSL, limit session length, and control folder sharing.
Note:
After configuring these settings in Oracle CASB Cloud Service, you must then configure access rights in Box. Create groups in Box, set the access rights for each folder, and then grant membership to users who are allowed to access the folder.
- In the Oracle CASB Cloud Service console, select Applications, Add/Modify App, Register an app instance.
- On the Select an app type page, click the Box icon, and click Next.
- On the Select an instance page, enter a name for your Box instance and click Next. Names of any existing Box application instances appear below your entry.
- On the Select monitoring type page, select Push controls and monitoring, and then click Next.
- On the Select security controls page, select Custom:
  - To limit session duration, expand Session Policies, and set Duration a user can remain logged in without activity before being logged out to 30 minutes.
  - To force the use of SSL, expand Settings and ensure that Require Apps to use SSL is enabled.
  - To enforce file and folder sharing restrictions, expand the Settings accordion and configure these settings:
    - Set Restrict external collaboration to On (default).
    - Set Allow external users to collaborate on folders/files to Off.
    - Set Enable Invite links (Allow users to invite collaborators using links) to Off.
  Note:
  After completing this task, to allow users to work on Box files and folders, you must add them to privileged groups in the target Box account.
- When your Custom security control selections are complete, select the I understand and explicitly approve. . . check box, and then click Next.
- On the Enter credentials page, select the user sign-on method, enter the required information, and then click Test Credentials.
- When testing is completed successfully, click Submit.
Your security control settings are pushed out to the Box instance. If, at any time, someone changes these settings in Box, then you are notified through Risk Events in the Oracle CASB Cloud Service console.
Detecting and Managing Violations of Security Controls in Example
Find violations in Risk Events, view the details, and resolve violations appropriately.
After you set up security controls, you must manage any violations.
After you add the application instance with the example security controls, the service detects when violations occur. You can have Oracle CASB Cloud Service lock out users who are logged in too long, or you can manually lock out the users.
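The monitor-only table, the push-controls table and the custom example above all describe the same underlying check: a snapshot of the tenant's Box security settings is compared with a baseline, and a security control alert is raised for every control whose value is weaker than the baseline. The following Python script is an added example of that comparison and is not Oracle's or Box's code. The control keys, the direction of each comparison (for instance, that a longer idle timeout is weaker while a longer minimum password length is stronger), the tenant snapshot and the custom override of 60 minutes for the session timeout are all assumptions constructed for this example; it also treats a control missing from the snapshot as "not available" rather than as a violation, following the note that some controls depend on the account type.

```python
"""Baseline drift check for Box security controls (constructed example).

Compares a snapshot of a Box tenant's settings with the stringent baseline,
or with custom values, and reports controls whose value is weaker. The keys,
snapshot and comparison rules are assumptions for this example; they are not
the Box admin API or the Oracle CASB Cloud Service data model.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Control names as they appear on the Box business settings page. Numeric
# controls carry their unit in the key so snapshot values are unambiguous.
MIN_LENGTH = "Minimum required characters"
REUSE_HISTORY = "Prevent reusing passwords from (last N)"
FAILED_LOGINS = "The number of failed login attempts before admin is notified"
IDLE_MINUTES = "Duration a user can remain logged in without activity before being logged out (minutes)"
REQUIRE_SSL = "Require Apps to use SSL"
RESTRICT_EXTERNAL = "Restrict external collaboration"
EXTERNAL_COLLAB = "Allow external users to collaborate on folders/files"
INVITE_LINKS = "Enable Invite links (Allow users to invite collaborators using links)"
LINK_EXPIRY_DAYS = "Number of days after which shared links are automatically disabled"


@dataclass(frozen=True)
class Control:
    name: str
    baseline: Any
    # weaker(actual, baseline) -> True when the tenant's value is less strict
    weaker: Callable[[Any, Any], bool]


def below_floor(actual: Any, baseline: Any) -> bool:  # smaller is weaker
    return actual < baseline


def above_ceiling(actual: Any, baseline: Any) -> bool:  # larger is weaker
    return actual > baseline


def not_equal(actual: Any, baseline: Any) -> bool:  # On/Off must match
    return actual != baseline


# Subset of the page's stringent values; the comparison direction per control
# is this example's interpretation of the table, not stated by the page.
STRINGENT: List[Control] = [
    Control(MIN_LENGTH, 10, below_floor),
    Control(REUSE_HISTORY, 10, below_floor),
    Control(FAILED_LOGINS, 3, above_ceiling),
    Control(IDLE_MINUTES, 30, above_ceiling),
    Control(REQUIRE_SSL, "On", not_equal),
    Control(RESTRICT_EXTERNAL, "On", not_equal),
    Control(EXTERNAL_COLLAB, "Off", not_equal),
    Control(INVITE_LINKS, "Off", not_equal),
    Control(LINK_EXPIRY_DAYS, 30, above_ceiling),
]


def with_custom(controls: List[Control], overrides: Dict[str, Any]) -> List[Control]:
    """Custom settings: replace baseline values by control name, keep the rule."""
    return [Control(c.name, overrides.get(c.name, c.baseline), c.weaker) for c in controls]


def check_drift(snapshot: Dict[str, Any], controls: List[Control]) -> Dict[str, list]:
    """Return alerts for weaker values and the controls absent from the snapshot."""
    alerts, not_available = [], []
    for c in controls:
        if c.name not in snapshot:  # control not offered by this account type
            not_available.append(c.name)
            continue
        actual = snapshot[c.name]
        if c.weaker(actual, c.baseline):
            alerts.append({"control": c.name, "actual": actual, "baseline": c.baseline})
    return {"alerts": alerts, "not_available": not_available}


# Constructed tenant snapshot: three controls drift, one is unavailable.
SNAPSHOT: Dict[str, Any] = {
    MIN_LENGTH: 8,
    REUSE_HISTORY: 10,
    FAILED_LOGINS: 3,
    IDLE_MINUTES: 60,
    REQUIRE_SSL: "Off",
    RESTRICT_EXTERNAL: "On",
    EXTERNAL_COLLAB: "Off",
    LINK_EXPIRY_DAYS: 30,
}

if __name__ == "__main__":
    for mode, controls in (("stringent", STRINGENT),
                           ("custom", with_custom(STRINGENT, {IDLE_MINUTES: 60}))):
        result = check_drift(SNAPSHOT, controls)
        print(f"[{mode}] {len(result['alerts'])} alert(s), "
              f"{len(result['not_available'])} not available")
        for a in result["alerts"]:
            print(f"  {a['control']}: actual={a['actual']!r} baseline={a['baseline']!r}")
```

Against the stringent baseline the snapshot produces three alerts (password length, idle timeout, SSL) and one unavailable control; overriding the session timeout to 60 minutes, as a custom setting would, removes the idle-timeout alert while leaving the other two. Keeping the comparison direction on each control, rather than a plain equality test, is what lets a stricter tenant value (a 12-character minimum, for example) pass without a false alert.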