Securing Box Accounts

Login Activity

Applications and devices used to log in to your account are tracked and displayed under Account Settings -> Security. You should periodically check this list and instruct Box to "forget" the entries that are no longer current or necessary. Any applications you do not recognize should also be removed from this section.

Box Support Access

Under Account Settings -> Security, there is an option to enable Box technical support to access the contents of your Box account. Make sure this feature is not enabled. If there is an active access grant listed, click on the Revoke button to terminate it. This functionality should not be used if your Box account contains any confidential data. Technical support can be obtained through the ITS Help Desk.

Default Link Security

Under Account Settings -> Content & Sharing, you can specify how new links should be shared by default. Open is the least restrictive and least secure option: an open link is usable by anyone who is sent the link or can determine it. Open links can be set to auto-expire and to require a password, but neither is set on an open link by default. The most restrictive option is collaborators only, which requires that people be explicitly invited to access the link. Third party Box applications may require specific levels of access and, as there is little quality control or review of third party applications, some may break with more secure sharing configurations. Set the default link sharing to be as restrictive as you can for your specific needs. Category I data should never be shared via an open link without a password set.

Notifications of New Login Activity

Under Account Settings -> Notifications, make sure that Login Activity under General Emails is checked. This will allow Box to send you an email whenever your account is logged into from a new application or host. You may also wish to enable other notifications here if you are working with confidential data.

Approved Box Apps for Category I data

The following Box applications may be used with University data of any classification (including Category I):

  • Box Edit
  • Box for Android
  • Box for Android Tablet
  • Box for BlackBerry
  • Box for BlackBerry PlayBook
  • Box for Chatter
  • Box for Courier
  • Box for iPad
  • Box for iPhone
  • Box for Office
  • Box for Outlook
  • Box for TouchPad
  • Box for Windows Phone
  • Box FTP Server
  • Box SimpleShare
  • Box Sync for Mac
  • Box Sync for Windows
  • Email
  • Web Documents
  • XML Viewer

What about other applications?

While all Box applications are enabled and made available to you, many third party applications for Box are not compliant with the University's security policies. These applications may transfer data outside of Box and onto application servers managed by companies with whom the University does not have a contract in place to protect the data. These third party servers may not be securely configured or managed. The University's contract with Box does not extend to any other companies or their Box applications. Hence, all third party applications not explicitly approved for Category I data above may only be used with Category III data.

If you would like to use a third party Box application with Category I or II data, you must first contact the Information Security Office at so that a security assessment of the application can be performed.