Protecting sensitive data in Secure Online Storage at UMass Amherst

Important:
Secure Online Storage at UMass Amherst can be used for storing or sharing most types of university data, including some data that is considered sensitive, provided certain additional security measures are used. For specific information see Understand Sensitive Data at UMass Amherst. For information about the different types of sensitive data see Data Classification at UMass Amherst. For information about what data can be stored in Box, see What types of data are appropriate for my Secure Online Storage at UMass Amherst account?

At UMass Amherst, to store sensitive data in Secure Online Storage at UMass Amherst provided by Box:
  1. Verify that your data is allowed in Box; see What types of data are appropriate for my Secure Online Storage at UMass Amherst account?
  2. Put the data in a folder owned by the appropriate account.
  3. Understand and implement the security measures listed below.

A note about Box Sync at UMass Amherst

UMass Amherst and Box, in partnership with Internet 2, have a Business Associates Agreement (BAA) for the management of sensitive data. The agreement allows this data to be stored in the Box Cloud and satisfies all university and State of MA requirements for the data. This includes the correct liability and indemnification provisions to satisfy compliance with data requirements.
  • A file or document in the Box Cloud is covered by the contract and BAA.
  • The copy of the file downloaded to a Sync folder on a computer is not covered by the contract and BAA.
  • The downloaded Sync copy is a file on a computer; its security depends on the computer and the network, not on Box.
For this reason, UMass Amherst has disabled Box Sync by default. People wishing to use it despite the risk can request that it be enabled. The procedure involves reading and understanding the Terms of Service for Sync, and then digitally signing a statement that these Terms were both read and understood.

If you have any questions about the Terms of Service or the security issues involved, please contact security@umass.edu.
 

Understanding folder ownership

Although Box itself is a secure platform (for more, see Are files and data safe using Secure Online Storage at UMass Amherst?), individual choices determine how secure a given piece of data is. Folder ownership and settings are key to the security of data in Box. When you log into Box for everyday work, you will interact with a variety of shared and private folders, each with its own level of security set by its owner. At UMass Amherst, role accounts (rather than individual user accounts) are the best folder owners for university data.

Configuring folders to protect data

 

Visual indicators

There is no Box folder icon that will indicate the sensitivity of the data it contains. A folder with sensitive data will appear alongside individual folders and standard collaboration folders in each individual's Box account. Therefore, the folder owner or co-owner needs to give visual cues to the folder collaborators indicating the nature of the contents; descriptions and tags are additional options. You should also know the difference between the different folder icons in Box. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with.

Folder icons

Folders in Box appear differently based on whether they are shared or private, hosted at UMass Amherst or hosted externally, owned by you or someone else, and synced or not synced. See the table below for examples. Keep in mind:
  • Do not put sensitive data in externally hosted folders.
  • Do not put sensitive data in a folder owned by an individual. This prevents exposure or loss of the data if an individual account owner leaves the university or changes departments.

Folder type and description (folder icons not shown):

  • Individual folder
  • Hosted on Secure Online Storage at UMass Amherst provided by Box
  • Only you have access

  • Individual folder
  • Hosted on Secure Online Storage at UMass Amherst provided by Box
  • Only you have access
  • The icon indicates the folder is synced; undo for sensitive data

  • Shared folder
  • Hosted on Secure Online Storage at UMass Amherst provided by Box
  • You have some access, but are neither an owner nor co-owner

  • Shared folder
  • Hosted on Secure Online Storage at UMass Amherst provided by Box
  • You are the owner
  • The icon indicates the folder is synced; undo for sensitive data

  • Shared folder
  • Hosted externally to UMass Amherst
  • You have some access, but are neither an owner nor co-owner

Descriptions

Any file or folder in Box can have a brief description, which will appear below the item name in the folder list view. It is recommended to use the description field to indicate the purpose or nature of an item to collaborators. You may see the option to add a description when creating or uploading an item; to add one to an existing file or folder in Box, in the folder view, either right-click the item, or click the drop-down menu to the right of the item name. Then choose General Info. Enter the description in the "Description:" field, and then click Save.

Tags

Tags help visually indicate the purpose or nature of items in Box, and are also useful for filtering and searching. Tags can be applied to files as well as folders. You must tag each item manually (i.e., tags do not automatically propagate to contents or subfolders), but you can select more than one item at the same level and tag them all at once.

Note: Simply tagging a file as "sensitive" does not meet the requirements for storing sensitive data if the files are not stored in the appropriate account.
 
To apply tags: Right-click the file or folder and choose Add/Edit Tags.
In the new window that opens, enter your tag, or select from among the tags that you've previously applied.
 

Folder security settings

Before inviting collaborators, the folder owner or co-owner must set the proper security restrictions to protect the data in the folder.

  1. Right-click the folder, or from within the folder, click More.
  2. Select Properties, and then Security.
  3. Set the following options:
  • Restrictions:
    • Only Owners and Co-owners can send collaborator invites (checked): Restrict the ability to invite collaborators to only owners and co-owners. This is the single most important setting for securing your files and folders. Only individuals who own the content should be in full control of who is able to access the content.
    • Restrict collaboration to within UMass Amherst (depends): This setting determines whether this folder and its content will allow collaborators outside of UMass Amherst, which will vary by your project needs. It is your responsibility to share data with only those who should have access to the data.
    • Hide collaborators (unchecked): Hiding collaborators is not recommended with sensitive data; it is more secure to know exactly who has access to files and folders.
    • Disable commenting for this folder (unchecked): As sharing and collaboration is the goal of using Box, disabling the ability to comment on folders is not recommended. Keep in mind that all roles (except Uploader) have the ability to view comments.
  • Membership:
    • Allow people who can access this folder from a shared link to join (unchecked): This option is only useful if you are sharing with "People with the link" or "People in your company." Do not check this for any folder containing sensitive data.
  • Shared Links:
    • Restrict shared links to collaborators only (checked): Shared links provide quick access directly to files and folders by only clicking the link. This setting limits access to shared links to those who already have access to the content as collaborators. This is an important access control for any folder you are trying to secure and monitor. Leave the drop-down menu set to For both files and folders.

Collaborator permission levels

To share data, invite others into the appropriate folder as collaborators. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.

It is recommended that you invite collaborators at a level no higher than Viewer Uploader. Note that the default setting (Editor) is higher than this recommendation. Viewer Uploader is adequate for editing tasks.
Box uses waterfall permissions, i.e., collaborators will have the same permission level in subfolders as they do in the top folder. For details, see Sharing files on Box.

| Action | Co-owner | Editor | Viewer Uploader | Previewer Uploader | Viewer | Previewer | Uploader |
|---|---|---|---|---|---|---|---|
| Download | Yes | Yes | Yes | No | Yes | No | No |
| Comment | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Delete | Yes | Yes | No | No | No | No | No |
| Create tasks | Yes | Yes | Yes | No | Yes | Yes | No |
| Tag | Yes | Yes | No | No | No | No | No |
| Invite people | Yes | Yes | No | No | No | No | No |
| Edit folder name | Yes | Yes | No | No | No | No | No |
| Edit folder properties | Yes | No | No | No | No | No | No |
| Preview | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Send view-only links | Yes | Yes | Yes | No | Yes | No | No |
| Upload | Yes | Yes | Yes | Yes | No | No | Yes |
| View items in folder | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Sync folder | Yes | Yes | No | No | No | No | No |
| Set access permissions | Yes | Yes | No | No | No | No | No |
| Restrict invitations | Yes | No | No | No | No | No | No |
| View access stats | Yes | Yes | No | No | No | No | No |
| Create/edit Box Notes | Yes | Yes | Yes | No | No | No | No |
| View Box Notes | Yes | Yes | Yes | Yes | Yes | Yes | No |
 
Collaborator permission levels can be seen in Box Help as well.
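
The folder security settings and the Viewer Uploader ceiling described above can be checked across many folders at once. The following is an added example, not part of the original page or of Box's own tooling: it audits folder records against this page's baseline. The field names are assumed to follow Box's folder and collaboration API objects, "owner_type" is a hypothetical inventory field, and all records are constructed.

```python
# Added example: check folder records against this page's baseline for sensitive data.
# Field names follow Box's folder and collaboration API objects (assumption);
# "owner_type" is a hypothetical local inventory field. All records are constructed.

# Roles at or below the recommended ceiling (Viewer Uploader).
AT_OR_BELOW_CEILING = {"viewer uploader", "previewer uploader", "viewer",
                       "previewer", "uploader"}
OWNER_ROLES = {"owner", "co-owner"}  # roles that control the folder


def audit_folder(folder):
    """Return findings for one sensitive-data folder; an empty list means compliant."""
    findings = []
    # Missing fields default to the non-compliant value, so the audit fails closed.
    if folder.get("is_externally_owned", True):
        findings.append("hosted externally")
    if folder.get("owner_type") != "role":
        findings.append("not owned by a role account")
    if folder.get("can_non_owners_invite", True):
        findings.append("non-owners can invite collaborators")
    if folder.get("allowed_shared_link_access_levels") != ["collaborators"]:
        findings.append("shared links not restricted to collaborators")
    if folder.get("sync_state", "synced") != "not_synced":
        findings.append("folder is synced to a computer")
    for collab in folder.get("collaborators", []):
        role = collab["role"].lower()
        # Unknown role strings are flagged as well.
        if role not in AT_OR_BELOW_CEILING | OWNER_ROLES:
            findings.append(f"{collab['login']}: role '{role}' exceeds Viewer Uploader")
    return findings


def audit_all(folders):
    """Map each folder name to its list of findings."""
    return {f["name"]: audit_folder(f) for f in folders}


SAMPLE = [  # constructed records
    {"name": "Payroll exports", "owner_type": "role", "is_externally_owned": False,
     "can_non_owners_invite": False, "sync_state": "not_synced",
     "allowed_shared_link_access_levels": ["collaborators"],
     "collaborators": [{"login": "a@example.edu", "role": "viewer uploader"}]},
    {"name": "Grant drafts", "owner_type": "individual", "is_externally_owned": False,
     "can_non_owners_invite": True, "sync_state": "synced",
     "allowed_shared_link_access_levels": ["open", "company", "collaborators"],
     "collaborators": [{"login": "b@example.edu", "role": "editor"}]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", findings or "OK")
```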
 

Using Box with sensitive data

Everyone who interacts with sensitive data in Box, including owners, co-owners, and other collaborators, must help keep it secure. If you put sensitive data in Box, you are responsible not only to abide by the following policies and guidelines, but also to make sure that anyone with whom you share the data is aware of them.

Editing sensitive data

The most secure way to edit files in Secure Online Storage for UMass Amherst is to use the online Box Edit; you can edit Microsoft Office files directly and securely within the Box browser interface.

Box apps

Only a subset of Box Apps are approved for use with university data. Apps not listed in the approved list may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's Box agreement.
