Improving cloud security can be as much about changing behavior within organizations as updating technology -- that was the message from the team at Box and the experts they invited to New York recently.

The private gathering was part of the unveiling of Box Shield, which offers new security controls for Box. The event included conversations about cloud security with insight from the likes of Gartner and others.

Box CEO Aaron Levie related the need for advanced ideas in security to the evolution of his company. When Box got its start more than 14 years ago, he said, the aim was to make it easy to access and share data from any device at anytime from anywhere. Change became necessary, though, as the company and the cloud matured. Levie joked that initially there was a risk that Box might have contributed to the shadow IT problem. When the company pivoted in 2007 to focus entirely on the enterprise market, he said new considerations were made out of necessity to securely manage, share, and organize content. “Fundamentally, we have to reinvent content management for the cloud age.”

Part of that reinvention, Levie said, included trying to provide end users with the type of interface they wanted, otherwise they might turn to outside, unauthorized software -- the shadow IT problem.

Levie said he sees security increasingly become a core focus across many sectors beyond banking and financial services, where compliance and data privacy have been central for a very long time. “Now we’re seeing this be top of mind in every single industry -- life sciences, media, entertainment, sports, real estate,” he said. “Every single industry has sensitive data that is being shared and managed.”

The strategy at Box, he said, has adapted with the transformation under way in business, where the rules are fundamentally changing. For example, many work and business processes are extending beyond the organizations’ boundaries as contractors, customers, partners, and colleagues exchanging data digitally. That also can increase exposure to threats. “This is the first big challenge of security today,” Levie said.

How security is handled, though, can make or break employee productivity, he said. Onerous security measures might sway employees to choose tools that make it easier to get work done even if it conflicts with the rules. Employees who are unsatisfied with user experience might download their own software despite the escalation of risk. The potential for such exposure seems to be escalating. “The intellectual property we work with is now digitized and that digital content is being shared across numerous devices,” Levie said.

Such trends, he said, raised the need for new, secure methods of content management for the future of work and the cloud. “The way organizations collaborate and manage data is going to be essential to responding to these mega-shifts happening in business,” Levie said. “You can’t solve this problem and modernize how we work with legacy approaches.”

The burden of improving security rests in many hands, according to Neil MacDonald, vice president and distinguished analyst with Gartner. He said there is a tendency to frame security questions around whether AWS, Microsoft Azure, or other cloud services are adequately protected. “That is not where the issue is.”

Neil MacDonald, GartnerImage: Joao-Pierre S. Ruth

How things are set up and configured, he said, are the crux of the matter. That includes knowing who can do what and when. If organizations lose sight of that as they undergo transformation, they can invite in trouble. “This is where mistakes are being made,” MacDonald said.

Those mistakes may increase in the years to come. MacDonald offered up a projection, based on Gartner research, that 99% of cloud security failures expected to occur through 2023 will be the responsibility of the customer rather than a service provider that has been hacked. The way systems and processes are set up and configured can be a root cause of vulnerability, he said.

In some instances, a series of factors fall into place that creates gaps in security that are exploited. Such was the case with the recent breach at Capital One, MacDonald said. “There was a vulnerable application that was in production.”

He said in the Capital One instance, the server-side request forgery protection was not activated, which then led to a snowball effect that culminated in the breach.

Organizations should review their operations and ask themselves if they are monitoring for unusual behavior, especially when sensitive data was involved, MacDonald said. Enterprises should also examine their configurations for excessive risk, he said, such as users who have more permissions than they need. Improved such monitoring can help differentiate malicious activity from the normal functions. “The clouds are secure,” MacDonald said. “Are you using them securely?”