While Box itself has very strong security protections, the security and handling of content you put in Box are your responsibility as a user.
There are two sources of requirements that you should check that will influence what information you can store in Box and how you handle it:
- Funding or research contracts that may prohibit storage in the cloud or limit who you can share the associated information with, and
- University policies such as the Tufts Information Stewardship and Information Classification Policies and the Tufts Box Use Guideline.
This article is for you if you plan on, or are using Box as a common shared storage location (similar to the Tufts Q and R network share drives).
Methods for Sharing Files and Folders
Box gives you two options for sharing files and folders - invitations to collaborate and shared links.
Regardless of whether you are inviting people or sharing a link, the guiding principle you should always use when granting access is to give out only the “minimum access that is necessary.”
For more information on how to invite people to collaborate or provide shared links to others, see the page on Sharing Files and Folders.
Important Things to Keep in Mind
- Changes that are made to a shared item affect everyone that the item is shared with.
- If a file or folder is deleted, only the person who deleted it can restore it from the Trash.
- If you move/copy an item into a new folder, it automatically adopts the sharing settings of that folder.
- When you grant access to a folder, all subfolders and files inherit the same security settings and collaborators as the parent folder. If you create a subfolder and add new collaborators to the subfolder, the new people cannot access the parent folders unless you grant access to those folders.
Before you share anything in Box, think about the following:
- What are you sharing? Does it contain sensitive information?
- Who are you sharing it with? Should they have access to this? And for how long?
- How are you sharing it? What will those people be able to do with this information?
- Share as little as possible with as few people as possible and grant them the minimum necessary permissions.
Sending invites, as opposed to shared links, is the preferred method for sharing sensitive content because it can be done on a person-by-person basis.
Do NOT invite people as Editors unless they absolutely need the ability to edit the data. Otherwise, they should be using a role that does not grant editing permissions. When you are inviting people, you will have to do it in batches based on their desired permission levels. For example, you will need to send out invitations to your Editors and Viewers separately.
Remember that the sharing privileges you set for a folder will automatically apply to the subfolders and files it contains.
Be aware that the possible invitee permission levels are different for files and folders. For both files and folders, Editor is the default selection.
For more information, see the Box Community article on collaborator permission levels.
- Invite as few people as possible and give them the minimum necessary permissions.
- For sensitive files, invite people as Viewers. Do NOT invite people as Editors unless it is absolutely necessary.
- For sensitive folders, invite people as Previewers or Uploaders. Do NOT invite people as Co-owners, Editors, Viewer Uploaders, or Viewers unless it is absolutely necessary.
Use caution when enabling shared links to files/folders with sensitive information. If they are not set up correctly, those links can potentially be used by people who shouldn't have access.
- Be very careful about giving people editing access through shared links!
- Keep your audience in mind when you decide where to share the link. Consider what is being shared and who should have access to it.
- For files/folders with sensitive information, click on the People with the link down-arrow and select People in your company to limit access to people who have Tufts logins.
- For files/folders with highly sensitive information, you can also select Invited people only. In this case, only people who have been invited as collaborators to the file/folder or a parent folder will be able to use the link.
- To prevent unwanted downloading, select Can view only.
- Under Link Settings, set a link expiration date to cut off access at a particular time.
- Under Link Settings, set a password for the file/folder for an added layer of security. Make sure you only share the password with people who need it and through a secure method.
- Under Link Settings, do NOT set a custom URL path, especially one that will be easy for other people to guess. Instead, use the URL generated by Box.
It is good practice to go back once in a while and review the sharing settings for sensitive files and folders.
- Disable shared links to files and folders when they are no longer needed.
- Periodically review the list of people who have been invited as collaborators on files and folders. Adjust their permissions as necessary. Remove collaborators who have left Tufts or no longer need access.
In Box, you can access additional folder settings by clicking on the More Options button for that folder and selecting Settings. Many of these settings are meant to make your data more secure and increase the privacy of you and your collaborators.
- Only folder owners and co-owners can send collaborator invites - Check this box to limit the ability to send invites to folder owners and co-owners.
- Restrict collaboration to within Tufts University - When possible, check this box so that only people with Tufts University logins can be invited as collaborators.
- Only collaborators can access this folder via shared links - For sensitive folders, check this box so that shared links only work for people who have been invited as collaborators to the folder or a parent folder.
Although making local copies of things or marking them for offline use in Box Drive can seem convenient, it also exposes your data.
To mark a folder containing sensitive information for offline use, the device should be Tufts-managed with strong controls. If the device is portable, and if the folder contains any Sensitive Personal Information, then the device must have full-disc encryption configured. The same restrictions apply for downloading of a file. The Sensitive Personal Information that is permitted to be in Tufts Box are Social Security numbers, any other government-issued identification number, an individual's financial account, or a biometric indicator for identifying an individual.
- Do NOT make local copies of sensitive files or folders on your devices or mark items for offline use.
- When inviting people as collaborators, do NOT give other people permissions on files or folders that allows them to download items or mark them for offline use.
- For files, invite people as Viewers where possible.
- For folders, invite people as Previewers or Uploaders where possible.
- When using shared links, avoid giving people the ability to download sensitive files or folders. Instead, select Can view only when setting up the shared link.
Box gives you the ability to set default file and folder permissions for the content that you own.
To access shared link settings, click on your profile icon at the top right of the page, select Account Settings, and then go the Sharing tab. In the Shared Links section, you can control what access options are available for your content, what the default access for newly created shared links will be and what permissions link viewers (who are not invited collaborators) will have for the content they access.
- Shared Links can be viewed by – This determines what sharing options are available when you generate new shared links. Select People with the link, people in your company, and people in this folder. Selecting something else will restrict your ability to collaborate effectively.
- Allow Shared Links for – Select Folders and files.
- Default permission – Select People in this folder or file so that new shared links are only accessible to invited collaborators by default. This can be overridden for individual files and folders when enabling shared links.
- Link viewers can - Determines what non-collaborators accessing your content via a shared link can do with the content. Select Preview, download, and edit. Otherwise, Box will not allow you to give people download privileges through shared links.
- When accessing Box from off-campus, always use the Tufts VPN. For more information, see the Tufts VPN User Guide.
- When you are on campus, if using wireless, always use Tufts Secure.
- Remind other people who are going to be accessing sensitive information that you share with them to do the same.