Article Published: 2016-08-12
Author: Jeremy Phillips
Subject: recommendations and cautions about using
The Box Best Practices Workgroup, composed of IT and administrative professionals from across UC Davis, met in Spring 2016 to develop a set of recommended practices and configurations for using Box in an institutional context, such as a department, workgroup, or lab. The recommendations address security, sharing, managing access, common practices, etc.
The full whitepaper can be found here: https://ucdavis.box.com/v/box-best-practices
In summary, the recommendations are:
- When storing business, research, or other organizational data, use a departmental account that is not tied to an individual.
- Larger organizational units should create a single departmental Box account, then create separate delegated folders for each business/research unit within the larger organization.
- Leverage Box groups by assigning permissions to groups rather than to individuals.
- Use uConnect Active Directory/Box group sync to manage membership of Box groups.
- For sensitive content, restrict the use of shared links to collaborators.
- For sensitive content, either limit most users to the Viewer Uploader access level or use folder settings to explicitly restrict inviting collaborators to folder Owner and Co-Owner access levels.
- Grant permissions at the lowest level in the folder tree rather than at the root level.
- Use a naming convention where all folders are prefixed with the root department name or abbreviation to distinguish them from user-created folders.
- Clearly delineate folders that are intended to be public from folders that are intended to remain private via a naming convention.
- Grant Co-Owner rights only when there is a demonstrated business need, and use Editor or lower access levels in most cases.
- Use the “Only folder owners and co-owners can send collaborator invites” security setting to prevent Editors from inviting additional users to collaborate.
- Use the “Restrict collaboration to within UC Davis” security setting to prevent collaboration with external Box accounts.
- To prevent users from creating and sharing links with other users outside of your department or outside of UC Davis, use the “Only collaborators can access this folder via shared links” security setting.
- Train users to avoid creating separate files for different versions and instead leverage Box version history.
- Most departmental uses of Box do not require separate backups.
- To request permanent deletion of data prior to the 90-day Trash expiration, submit a request to IT Express. Once data reaches the 90-day Trash expiration or is permanently deleted from Trash through a request to IT Express, that data is not recoverable.
- Departmental Box administrators should carefully consider the pros and cons of Box Sync and set a clear policy regarding its use.
- If users will be encouraged to use the Box web interface, best practice is to ensure that Box Edit is installed.
- Departments that have standardized on Windows and Office should consider deploying Box for Office. Organizations that work with sensitive data and that use email for transmitting that data as attachments should deploy Box for Office and train users to use Box shared links to retain more control over shared data.
- With the Box mobile apps, implement reasonable mobile security practices including PIN, password, or fingerprint access along with automatic locking after a short period of inactivity.
- For departments that need to migrate large or even moderate amounts of data (e.g., more than 20GB) to Box, use the Box FTP service rather than the web interface to quickly transfer the data.
- Use an FTP client that supports the encrypted FTPS or FTPES protocols. Do NOT use unencrypted FTP to Box.
- When using Box FTP, set a secure Box external password or passphrase, as this credential grants full access to all data stored within the associated Box account.
- Migrate individual business units or workgroups separately, rather than attempting to move the entire department at one time.
- Leverage the free training resources provided by Box to ensure that users are fluent in the use and features of Box.
- Set a policy and expectation that all work-related data must be stored within the department-managed Box folder structure.
- Set policies and expectations regarding what can and should be shared publicly and what should remain private.
- When files will be shared publicly or even with a university-wide audience, ensure that policies, practices, and training regarding appropriate metadata controls are in place.
- Carefully evaluate the kinds of sensitive data that might be stored in Box in the context of departmental business needs, and set policies and procedures regarding what data is appropriate to store in Box, what technical AND administrative controls should be applied to data in Box, and how employees are expected to handle data, generally.
- Be careful when restoring a local Box Sync folder from backup to ensure that Box Sync does not overwrite newer versions store on Box with older versions restored from backup.
- Do NOT configure multiple cloud storage sync utilities to attempt to synchronize same local folder.
Please see the full whitepaper, linked above, for implementation details and additional discussion on each recommendation.