Box Sync Guidelines

Summary of Recommendations

  1. Enable passcode lock on smart devices
  2. Disable Bluetooth connectivity
  3. Enable Box for Smart Devices application password
  4. Install whole disk encryption on laptop computers
  5. Remove lost laptop or smart device from list of trusted applications on Box

Overview

One useful feature of Box is the ability to take Box documents with you and to view them on any computer where Box applications are installed, for example your laptop or smart device (including smartphones, e-readers and tablets).

(To learn more about Box Sync, go to https://berkeley.box.com/business/features/box-sync/.) 

Box Sync automatically synchronizes the content you designate between your laptop and/or desktop computers and your Box account, while Box for Smart Devices is a set of mobile apps that allow you to view, share and download content from your Box account.  The flexibility afforded by this feature set also introduces additional risks to the documents you store on Box.  For example, Box Sync and the Box for Smart Devices applications replicate your files to each of those devices, so there is an increased likelihood that a document could get into the wrong hands if your laptop or smartphone were lost or stolen.

Smart Device Security

Box for Smart Devices allows users to mark their most frequently used files for offline viewing. (Please refer to the UC Berkeley Cloud Service Data Use Agreement for what types of files are appropriate to use on Box.)  This functionality means that a local copy of the file will also be stored on the smartphone device.

Recommendation #1: Enable passcode lock on smartphone devices

One of the easiest ways to strengthen the security of your files on smartphone devices is to enable a password to access the device.  This will prevent illicit users from picking up an unattended device and browsing or sharing your files on Box.


Figure 1 - Smartphone devices passcode lock

Recommendation #2: Disable Bluetooth connectivity

In addition, we recommend turning off Bluetooth connection unless specific accessories requiring Bluetooth are needed (e.g., headset, keyboard, etc.) because Bluetooth also creates a vulnerability that malicious users may take advantage of.  You will also save your smartphone's battery life by disabling Bluetooth when not needed.

Apple iOS Device Instructions

  1. Set a passcode. Open the Settings app and navigate to General > Passcode Lock as shown to the right. To set a 4-digit PIN, click “Turn Passcode On” and set the PIN. Enter the PIN again to confirm it.
  2. Set an idle time lockout. (This setting determines the amount of time your device can be idle before a passcode is required to unlock it. Shorter times are better.  We recommend 3 minutes.) Open the Settings app and navigate to Settings > General > Auto-Lock and set the timeout length.
  3. Turn off Bluetooth.  Open the Settings app and navigate to General > Bluetooth. Switch off “Bluetooth”.

Android Device Instructions

  1. Set a passcode. Navigate to Home > Menu > Settings > Location & Security > Set unlock pattern, then select "Next" and then "Next". Draw your pattern, click "Continue", then repeat the pattern to verify. (Note: when drawing the pattern you cannot touch the same dot twice.) Click "Continue" once more to set the pattern.
  2. Set an idle time lockout. Navigate to Home > Menu > Settings > Sound & Display > Screen timeout. Set the screen timeout length. Shorter times are better. We recommend 3 minutes.
  3. Turn off Bluetooth. Navigate to Home > Menu > Settings > Wireless Connections and uncheck Bluetooth.

Recommendation #3: Enable Box for Smart Devices application password

Lastly, Box for Smart Devices also provides a passcode for additional security, separate from the device lock features that both Apple's iOS and Android-based smartphones offer.  The instructions below will walk you through the settings to enable the Box application password for smart devices.

Box for Smart Device App Passcode

  1. Launch the Box Sync App on the smartphone device (iOS and Android).  Navigate to the Settings tab.
  2. Click Passcode Lock > Turn Passcode On.
  3. Enter your 4-digit passcode and confirm.


Figure 2 - Box Mobile App passcode lock setting

General Smart Device Security Recommendations

  1. Connect to secure Wi-Fi networks and disable Wi-Fi when not in use.
    1. Avoid joining unknown Wi-Fi networks.
  2. Update mobile devices frequently. Select the automatic update option if available.
  3. Take appropriate physical security measures to prevent theft or enable recovery of mobile devices.
    1. Use tracing and tracking software (e.g., Computrace, Lookout, MobileMe, STOP).
    2. Never leave your mobile device unattended.
    3. Report lost or stolen devices immediately.
    4. Remember to back up data on your mobile device on a regular basis.
  4. Use appropriate sanitization and disposal procedures for mobile devices.
    1. Delete all information stored in a device prior to discarding, exchanging, or donating it.
  5. Know what you're downloading.
    1. Make sure you download apps from reputable developers.
    2. Be cautious when opening e-mail and text message attachments or clicking on links.

Laptop Security

Laptops with the Box Sync app installed must adhere to the Berkeley campus Minimum Security Standard for Network Devices (MSSND) and should also use encryption technologies to help protect sensitive data.

Recommendation #4: Install whole disk encryption on laptop computers

For Windows computers running Windows Vista or Windows 7 Enterprise or Ultimate Editions, BitLocker is a free encryption tool that provides industry-standard full disk encryption capabilities.  Instructions on how to install BitLocker can be found at http://technet.microsoft.com/en-us/library/cc766295%28v=ws.10%29.aspx.

For Mac OS computers running v10.3 (Panther) or later, FileVault is a free utility from Apple that provides encryption capabilities.  There are two versions of FileVault; instructions for installing FileVault can be found at:

http://docs.info.apple.com/article.html?path=Mac/10.6/en/8736.html
http://docs.info.apple.com/article.html?path=Mac/10.7/en/flvlt002.html

Another free alternative to either BitLocker or FileVault is TrueCrypt, which works on modern versions of Windows (Windows 2000 or later) and Mac OS X.  Instructions on how to use TrueCrypt can be found at http://www.truecrypt.org/docs/.

Lost Laptop or Smartphone Device

Recommendation #5: Remove lost laptop or smart device from list of trusted applications on Box

Report a lost or stolen device immediately to law enforcement authorities.  If the device also has the Box Sync application installed, you should log in to the Box web UI to remove the lost device from your trusted connections.


Figure 3 - Box account settings

  1. Log in to Berkeley.box.com.  Go to My Accounts > Account Settings.
  2. Click on the Security tab.
  3. Under Trusted Access Management, find the appropriate application associated with the lost device (e.g., “Box for iPhone” or “Box for Android” application).  Click on the “x” box on the right to forget that application.

    Note: When in doubt about which application was from the lost laptop or smart device, click “Forget All” to force all of your Box sessions to re-enter your password.


Figure 4 - Box Trusted Access Management

Additional Resources

Box

  1. Box Sync Best Practices, http://success.box.com/best-practices/box-sync/
  2. Box Sync Tutorial Video, http://success.box.com/videos/box-sync/

UC Berkeley Documentation

  1. UC Berkeley Box Knowledge Base (https://kb.wisc.edu/berkeley/search.php?q=box)
  2. UC Berkeley Cloud Service Data Use Agreement (http://security.berkeley.edu/content/UC-Berkeley-Cloud-Service-Data-Use-...)
  3. UC Berkeley Box Glossary