Box and Watchdox take different approaches to security -- which is right?

Follow Me

September 14, 2012 5:05 PM

Employees are increasingly turning to services like Box and Dropbox to share and collaborate on documents. They're great for convenience. But a lot of IT departments worry that using these services could end up exposing confidential data.

Dropbox is primarily marketed as a consumer service. But Box is increasingly pitching its service to enterprises, and the security question comes up a lot.

In an interview with IDG Enterprise, Box CEO Aaron Levie emphasized that the company is always working on security, while also trying to make sure the service doesn't get too hard to use.

The Huge BYOD Risk You're Probably Ignoring
Stay on top of CITE: Subscribe to the InCITE newsletter.

Box already offers fairly granular access control settings -- users or admins can let users to upload files to a folder but not view any files in it, read files but not download them, restrict sharing, and so on. Administrators can also set permissions across all users in a business or enterprise account, and set expiration times for sharing on particular files. (More details can be found in this whitepaper on Box's site.)

Other features are coming soon. "There's a whole bunch of stuff we're working on for security that administrators can enable for their employees," Levie told us, without disclosing details. There's also a lot of back-end work that Box does but never talks about, like hardening its data centers.

But there's a problem with this approach. What happens to security once a file leaves the Box system?

That's the problem Watchdox set out to solve. Watchdox's approach is to embed access control settings directly into files, so they persist no matter where the file travels.

Watchdox is now extending its technology with an SDK that will let corporate developers build iOS apps on the Watchdox security platform. In its press release, Watchdox specifically mentioned Box alongside Dropbox as a "shadow IT service."

Those sound like fighting words. But Watchdox Chief Product Officer Ryan Kalember insists, "It's the only way to do it. There's no way to constrain where the bits will travel."

With Box, an organization could lock down sensitive documents by making them available only as previews. But then users wouldn't be able to annotate, share, or look at those documents offline. "The collaboration features are basically hamstrung," says Kalember.

Technically, the Watchdox approach is similar to what Microsoft did with its Information Rights Management (IRM) technology. But that product relies on Microsoft products like Outlook and Rights Management Server (RMS), which limits its use.

Watchdox took the 160-plus permissions settings enabled by IRM and mapped them to its own solution. "When you have a document protected by Watchdox, we show it to to Microsoft Office as if it were protected by RMS. But we have no ties to the RMS server. That means we can support Adobe documents, mobile apps," and so on.