Box enforces zero standing privileges with Okta Identity Governance

1,000s of hours saved by automating password resets and account-related IT support tickets with Workflows

<20 minutes to make new applications available to Box employees through Okta

150+ applications integrated through Okta Workforce Identity

"Tracking governance policies and reviewing unused user access was a very manual, time-consuming process in the past. We needed to pull up spreadsheet calculations, which were prone to human error. But with Okta Identity Governance, it's all seamless. Everything is fully automated within the module itself."

Akhila Nama, Director, Enterprise Security, Box

Managing user access and security in a rapidly growing enterprise

Box is the leading provider of intelligent content management solutions that bring people together from around the world to do amazing work. Their cloud platform uses Box AI to help businesses leverage unstructured data — from marketing collateral to financial statements — to unlock insights and automate tasks intelligently. As the company has evolved over the years, so have its security needs and IT environment. Back in 2012, Box was using several platforms to manage complex regulatory compliance and industry standards and to secure data for all of their apps.

Box’s identities were siloed across multiple solutions, making provisioning and compliance inconsistent. In the past, their IT team managed identity manually through custom scripts, but that process proved inefficient, costing them thousands of hours in administrative and development time. 

For Box, identity ensures that content flows freely to customers and employees yet remains protected from unauthorized access, playing a key role in their security strategy. Mark Schooley, senior director of IT operations and engineering, explains, “Not only does access have to be secure across all applications, it has to be scalable across a business that's growing quickly.” The company needed a partner that could grow alongside their business, and unify identity management to support their mission into the future. Box decided to go with Okta, beginning a trusted partnership that has lasted for over 13 years.

Unifying identity management while streamlining IT workflows

Early in the partnership, Okta helped Box eliminate silos across 150+ business apps and unify their identity infrastructure. Box adopted Okta Workforce Identity, allowing them to build a strong identity management and security foundation. With Universal Directory, Box manages multiple identity sources, including their HR platform, Workday, in a single place. “It’s a huge time-saver. Universal Directory gives us the flexibility to pull the attributes we want and establish a single source of truth for identity management,” Schooley says. By having a single source of truth, assigning attributes, tasks, and permissions has become seamless. Additionally, the team can now integrate new applications into Okta in only 15 to 20 minutes — a task that used to take days.

With a unified identity, Box’s employees can now access key applications quickly and securely through Single Sign-On (SSO). SSO secures access to Box’s business apps, while also enhancing user productivity through a seamless sign-in process. If a user forgets their SSO password, they can use Okta’s self-service password reset flow, which empowers them to manage access on their own time without IT support.

To further enhance team productivity, Box also leverages automation across their identity workstreams. With the introduction of Okta Workflows, a no-code identity automation tool, Box has been able to upskill their IT team and save time. “Workflows make custom scripting accessible. Instead of spending days learning how to script, now team members can create automation in minutes,” Schooley explains. Workflows has saved the team thousands of hours annually through automations, including account and password support tickets. “As we add more employees to the organization, the time and money we’re saving through automation only increases,” he said. 

A secure identity foundation tested by an evolving attack surface

With unified identity access management, Box solved their initial identity challenges and gained a long-term identity partner in Okta. However, as Box continued to expand, their attack surface evolved as well. 

“With remote work booming, attackers began exploring paths to bypass traditional security protections and gain access to companies’ sensitive data directly on workforce devices,” explains Akhila Nama, director of enterprise security. “Attackers more frequently began to abuse permanent local admin privileges to gain access to critical data.” Managing these threats required the IT team to devote hundreds of hours to manual, error-prone user-access log reviews. “The longer it takes to identify and revoke unauthorized access, the higher the risk,” Nama says. At the same time, removing all admin access wasn’t an option.

Box had to recognize potential risks, address them quickly, and be sure the risks were mitigated without sacrificing user experience. They searched for an identity governance solution and turned to their longtime partner: Okta. “Okta already had the solution we needed with Okta Identity Governance (OIG). Sticking with them was a huge win for us,” Nama says.

Simplifying governance and identity automation with a trusted partner

The centralized identity governance and unified access management provided by OIG allowed Box to find a middle ground between permanent local admin access and eliminating admin access completely. Box replaced permanent admin privileges with a dynamic framework that provides elevated permissions only when necessary — enforcing zero standing privileges through automated and ad hoc access requests and certifications.

The IT team extended zero standing privilege principles down to end-user devices, allowing Box’s employees to request temporary admin privileges. Box integrated Okta and their device management app, Kandji, to mitigate security vulnerabilities while giving users time-bound admin access. “We gave the end-user the option to gain admin access for just an hour, a day, or even a week,” Nama says. “We've built in enough protections that suspicious admin requests fire off a ticket, alerting IT managers on Slack and Jira in case of an incident.” This improves security while minimizing friction for their users: self-service access requests bring increased convenience and flexibility, while the IT team keeps the ability to easily manage and revoke privileges.

Additionally, Box secured offboarding and access management through periodic governance initiatives. OIG allows the IT team to easily see who has access to sensitive data at any given time. To verify whether an account still needs access to critical applications, Box uses access certification campaigns to validate permissions and revoke access as needed. These campaigns are set at defined intervals and augmented by step-up MFA challenges initiated by general behavioral triggers, such as if a user logs in from a suspicious location. 

By combining access requests and certifications via OIG and Workflows, Box empowers users with temporary admin access only when needed. This strategy allows Box to enforce zero standing privileges, strengthening security posture without sacrificing productivity. 
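The two mechanisms described above, time-bound admin grants that expire on their own and certification campaigns that revoke whatever nobody re-justifies, fit together into one small model. The following is an added illustration written for this page; it is not Box's or Okta's code, uses no Okta, Kandji, Slack or Jira API, and the duration options, the three-requests-per-day threshold, the device names and the user names are all constructed assumptions. The default state is "no admin": a device is elevated only while an unexpired, unrevoked grant exists for it, and requests that look off (unsupported duration, missing justification, too many in a day) are denied and turned into a review ticket, mirroring the alerting the article describes.

```python
"""Toy model of a zero-standing-privileges flow: time-bound local admin grants,
suspicious-request ticketing, and a periodic certification that revokes grants.
Added illustration only; no Okta/Kandji API is used and all values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Self-service duration options (constructed to match "an hour, a day, or a week").
ALLOWED_DURATIONS = {
    "1h": timedelta(hours=1),
    "1d": timedelta(days=1),
    "1w": timedelta(weeks=1),
}


@dataclass
class Grant:
    user: str
    device: str
    granted_at: datetime
    expires_at: datetime
    justification: str
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        # Elevation ends when the grant expires or a certification revokes it.
        return not self.revoked and now < self.expires_at


@dataclass
class Ticket:
    user: str
    reason: str


@dataclass
class JitAdminBroker:
    grants: dict = field(default_factory=dict)   # user -> [Grant]
    tickets: list = field(default_factory=list)  # review items for IT
    max_requests_per_day: int = 3                # constructed threshold

    def request_admin(self, user, device, duration, justification, now):
        """Issue a Grant, or return None and raise a Ticket for IT review."""
        if duration not in ALLOWED_DURATIONS:
            self.tickets.append(Ticket(user, f"unsupported duration {duration!r}"))
            return None
        recent = [g for g in self.grants.get(user, [])
                  if now - g.granted_at < timedelta(days=1)]
        if len(recent) >= self.max_requests_per_day:
            self.tickets.append(Ticket(user, "request rate exceeds daily limit"))
            return None
        if not justification.strip():
            self.tickets.append(Ticket(user, "request without justification"))
            return None
        grant = Grant(user, device, now, now + ALLOWED_DURATIONS[duration], justification)
        self.grants.setdefault(user, []).append(grant)
        return grant

    def is_admin(self, user, device, now) -> bool:
        """Standing state is 'not admin'; only a live grant for this device elevates."""
        return any(g.device == device and g.active(now)
                   for g in self.grants.get(user, []))

    def certify(self, still_needed, now) -> int:
        """Certification campaign: revoke every active grant whose owner the
        approver did not confirm. Returns the number of grants revoked."""
        revoked = 0
        for user, user_grants in self.grants.items():
            for g in user_grants:
                if g.active(now) and user not in still_needed:
                    g.revoked = True
                    revoked += 1
        return revoked


def demo() -> dict:
    """Run the flow on constructed users/devices and return the observable outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitAdminBroker()
    g = broker.request_admin("alice", "mac-01", "1h", "install build toolchain", t0)
    out = {
        "issued": g is not None,
        "admin_during": broker.is_admin("alice", "mac-01", t0 + timedelta(minutes=30)),
        "admin_after_expiry": broker.is_admin("alice", "mac-01", t0 + timedelta(minutes=61)),
        "other_device": broker.is_admin("alice", "mac-02", t0 + timedelta(minutes=30)),
    }
    # Denied and ticketed: unsupported duration, blank justification, rate limit.
    out["odd_duration"] = broker.request_admin("alice", "mac-01", "1y", "x", t0) is None
    out["no_reason"] = broker.request_admin("alice", "mac-01", "1d", "  ", t0) is None
    broker.request_admin("alice", "mac-01", "1h", "debug agent", t0 + timedelta(minutes=5))
    broker.request_admin("alice", "mac-01", "1h", "driver update", t0 + timedelta(minutes=5))
    out["rate_limited"] = broker.request_admin(
        "alice", "mac-01", "1h", "one more", t0 + timedelta(minutes=10)) is None
    # Bob holds a week-long grant; the campaign confirms only alice, so bob is revoked.
    broker.request_admin("bob", "mac-07", "1w", "data migration", t0)
    out["revoked"] = broker.certify({"alice"}, t0 + timedelta(hours=2))
    out["bob_after_cert"] = broker.is_admin("bob", "mac-07", t0 + timedelta(hours=3))
    out["tickets"] = len(broker.tickets)
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that `is_admin` never consults a role list; it only asks whether a grant is currently live, so expiry and revocation need no separate cleanup step, and every denied request leaves a ticket behind for the reviewer rather than failing silently.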

Centralizing identity management to accelerate threat response times

With Okta, Box unified their identity infrastructure, streamlined IT workflows, and implemented governance initiatives to enforce zero standing privileges. Now, Box manages access by automating access requests and certification processes, while still providing a consistent and simple identity experience to end-users. By integrating OIG into their larger identity ecosystem, Box has empowered users with time-bound local admin access and decreased their attack surface through zero standing privileges by limiting potential access points.

Looking ahead, Box plans to extend their identity strategy by focusing on Privileged Access Management and further enforcing zero standing privilege across applications. Nama explains, “In the next couple of years, just-in-time credentials are going to support our passwordless future. That's where I think our next identity journey is going to take us.”

About Box

Box (NYSE:BOX) is the leader in Intelligent Content Management. Box's platform enables organizations to fuel collaboration, manage the entire content lifecycle, secure critical content, and transform business workflows with enterprise AI. Today, Box serves 115,000 companies and 67% of the Fortune 500. As work continues to evolve, the company remains focused on delivering innovation to organizations worldwide and exceeding customer expectations every day.
