Box DLP & DSPM

DLP (Data Loss Prevention) to discover and remediate PDFs and other files containing sensitive information

TL;DR:

  • Data Loss Prevention (DLP) is necessary for Box to protect sensitive information, ensure compliance, and mitigate risks.
  • Strac is a powerful DLP solution that integrates with Box and offers features like sensitive file detection, redaction, access and sharing controls, app integration controls, and audit and compliance reporting.
  • Strac helps organizations detect and protect sensitive data, control file sharing, manage app access privileges, and track user activity within Box.

Why is Data Loss Prevention (DLP), aka DSPM, necessary for Box?

Data Loss Prevention (DLP) is an important technology that helps organizations prevent the accidental or malicious loss of sensitive information. When applied to cloud storage solutions like Box, DLP serves several crucial functions:

  1. Protection of Sensitive Information: DLP tools can identify and protect sensitive data, such as Personally Identifiable Information (PII), credit card numbers, intellectual property, and confidential company data. A DLP solution integrated with Box can prevent this data from being inadvertently shared, accessed, or leaked. Box.com supports a wide range of file formats, including documents, spreadsheets, presentations, images, and more. Protecting sensitive data across these diverse formats necessitates a robust DLP solution.
  2. Compliance: Many industries are subject to regulations that mandate the protection of certain types of information. For example, companies in the healthcare sector need to comply with HIPAA regulations that protect patient data. Similarly, depending on the industry, companies have to adhere to PCI, SOC 2, ISO 27001 or privacy laws like GDPR and CCPA. A DLP solution helps organizations adhere to these regulations by ensuring that sensitive data is not mishandled.
  3. User Error: Accidental deletion or modification of files and sensitive comments or tasks can pose risks to data integrity and confidentiality within Box.
  4. Data Visibility: DLP tools provide visibility into the data that's being stored and shared. This allows organizations to monitor what data is being uploaded to Box, who is accessing it, and whether it is being shared appropriately.
  5. Risk Mitigation: With a DLP solution in place, if an employee tries to share sensitive data with unauthorized individuals or store it unsafely, the DLP system can block the action, notify administrators, or both.
  6. Automated Policy Enforcement: DLP solutions can enforce data governance policies automatically. For example, a DLP policy might automatically restrict sharing files containing credit card numbers.

In a nutshell, DLP is needed for Box to provide an additional layer of security to protect sensitive data from being lost, misused, or accessed by unauthorized users. It helps companies to safeguard their data, ensure compliance, mitigate risks, and maintain data visibility, all of which are critical in today's data-driven world.

Implementing Comprehensive Data Loss Prevention in Box with Strac

Strac, a powerful DLP solution, offers tailored features to address the unique challenges of data protection in Box.com:

  1. Sensitive File Detection: Strac integrates seamlessly with Box, enabling the detection of sensitive files, comments, and tasks. Users receive real-time alerts and notifications to stay informed about potential data risks.
  2. Comprehensive Data Protection: Strac can be configured to detect files containing sensitive data elements such as social security numbers (SSN), dates of birth (DoB), driver’s license numbers (DL), passports, credit card numbers (CC), debit card details, and more, and to prevent unauthorized access to them. Here is the catalog of all data elements: https://www.strac.io/blog/strac-catalog-of-sensitive-data-elements
  3. Redaction: Strac provides dynamic redaction capabilities, allowing sensitive data elements within Box.com files, comments, and tasks to be automatically obscured. Authorized users can view the original content securely in the Strac UI Vault, while unauthorized individuals see redacted information.
  4. Access and Sharing Controls: With Strac, organizations can exercise granular control over file sharing in Box. Customizable workflows can be established, requiring owner approval before sharing files, comments, or tasks. This ensures that data sharing remains controlled and authorized.
  5. App Integration Controls: Strac empowers organizations to manage and control the access privileges of third-party applications integrated with Box. This feature ensures that data shared or accessed through these apps aligns with data protection standards and avoids unauthorized access.
  6. Audit and Compliance: Strac generates comprehensive audit reports, providing visibility into user activity within Box. Compliance, Risk, and Security Officers can track file access, comments, tasks, and other activities, facilitating accountability and regulatory compliance.
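
As a worked illustration of the detect-label-enforce loop described above (sensitive file detection feeding access and sharing controls), here is an added example that is not Strac's code and does not use the Box API: a file's text is scanned for Luhn-valid card numbers and SSN-format strings, labelled, and a shared-link request is then checked against the widest access level each label permits. The access levels open/company/collaborators follow Box's shared-link model; the regexes, label names and policy table are constructed for the example.

```python
import re

# Detection rules for two of the data elements named above:
# payment card numbers (13-16 digits, optional space/dash separators) and US SSNs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the classification labels a file should carry (constructed label names)."""
    labels = set()
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            labels.add("PCI-DSS Sensitive")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


# Shared-link access levels from narrowest to widest, as in Box's shared-link model.
ACCESS_RANK = {"collaborators": 0, "company": 1, "open": 2}
# Constructed policy: the widest access level a file carrying each label may be shared at.
MAX_ACCESS = {"PCI-DSS Sensitive": "collaborators", "PII": "company"}


def evaluate_share(text: str, requested_access: str) -> dict:
    """Allow or block a shared-link request. allowed_access is also the level an
    already-public link on this file should be downgraded to during remediation."""
    labels = classify(text)
    ceiling = min((MAX_ACCESS[l] for l in labels), key=ACCESS_RANK.get, default="open")
    action = "block" if ACCESS_RANK[requested_access] > ACCESS_RANK[ceiling] else "allow"
    return {"action": action, "labels": sorted(labels), "allowed_access": ceiling}
```

In a real deployment the text would come from the file's extracted content (including OCR for images and PDFs) and the decision would be applied through the storage platform's sharing API rather than returned as a dict.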

Is Strac Box DLP published on Box Marketplace?

Yes, it is published here: https://app.box.com/app-center/strac_dlp/app/SmGHfBzuX0

SharePoint DLP Use Cases

Practical Scenario

A hospital’s billing and administrative teams use SharePoint Online to store patient invoices, medical reports, and insurance forms. While collaborating with external insurance providers, a staff member accidentally updates the permissions on a SharePoint document library to “Anyone with the link,” exposing potentially thousands of patient files containing PHI.

Industry Challenge

Healthcare organizations must meet HIPAA requirements for patient privacy. Even a single unauthorized access to PHI can trigger non-compliance, steep fines, and damage to the hospital’s reputation.

How Strac Helps

  • Continuous Data Discovery: Strac automatically scans existing and newly uploaded documents, identifying PHI (e.g., medical record numbers, Social Security Numbers).
  • Classification & Labeling: Once identified, files are labeled (e.g., “HIPAA Sensitive”), ensuring that administrators know which documents require the highest level of protection.
  • Visibility into Access: Strac provides real-time insight into who has access to these sensitive documents. Administrators can instantly see if unauthorized users or broad groups have viewing rights.
  • Revoke Public Links: If a file is publicly accessible, Strac immediately revokes those links and restores restricted access.
  • Alerts & Quarantines: When someone attempts to share PHI externally, Strac can alert admins, quarantine the file for review, or completely block the action.
  • Audit-Ready Reports: All actions are logged, enabling quick incident response and demonstrating HIPAA compliance for audits.

Practical Scenario

A mid-sized investment firm uses SharePoint to collaborate on various client files, including:
  • Credit card statements (subject to PCI-DSS)
  • ID documents (Driver’s Licenses, Passports, etc.) used for KYC (Know Your Customer) verification
  • Banking information such as account and routing numbers
An associate accidentally shares a SharePoint folder containing these files with a newly onboarded client who does not require access to all confidential documents. This folder is also accessible to several internal teams outside the immediate project, creating multiple potential exposure points.

Industry Problem

Financial organizations must adhere to strict regulations like PCI-DSS for payment card data and various KYC/AML (Anti-Money Laundering) standards that mandate secure handling of personally identifiable information (PII). Exposing client ID documents, bank details, or credit card data can lead to fraud, legal liabilities, and erode customer trust.

How Strac Helps

  • Comprehensive Data Discovery: Strac scans both existing and newly uploaded documents in SharePoint for sensitive information such as credit card numbers, bank account details, and ID documents (Driver’s License, Passport formats).
  • Classification & Automated Labeling: Once identified, Strac applies meaningful labels (e.g., “PCI-DSS Sensitive,” “PII – ID Documents,” “Banking Info”) to ensure these files stand out and are subject to stricter security rules.
  • Visibility into Access: Strac provides an immediate view of who currently has access to these sensitive files. This allows admins to spot situations where external clients or internal teams unnecessarily have permissions.
  • Public Access Revocation: If a labeled document (e.g., containing card data or ID scans) is found to be publicly shared or too broadly accessible, Strac automatically revokes these links or permissions, aligning access with the principle of least privilege.
  • Alerts, Quarantines, and Blocks: When a user attempts to share a labeled document with outside domains—or with an entire department—Strac alerts administrators or quarantines/blocks the file share, depending on policy settings.
    In cases where the share is intentional but needs review, admins can approve or deny the request within Strac’s dashboard.
  • Audit & Compliance: Every sharing event, label assignment, and access revocation is logged, creating a detailed audit trail. This helps demonstrate compliance with PCI-DSS, KYC, AML, and other regulatory requirements.
    Automatic reporting simplifies any regulatory or internal compliance audit, reducing the administrative burden on security and compliance teams.

Practical Scenario

A software company keeps source code, product roadmaps, and design specs in SharePoint. Several teams—including external contractors—use the same SharePoint site. A developer accidentally grants a large group, including some non-disclosure–exempt contractors, access to a folder containing patent-pending code.

Industry Problem

Leaking IP can destroy a firm’s competitive advantage, trigger legal disputes, and cause immense reputational harm.

How Strac Helps

  • Holistic File Scanning: Strac inspects documents, PDFs, and archives for code snippets, system designs, and proprietary business terms to detect potential IP.
  • Intelligent Labeling: Documents identified as containing IP or trade secrets are automatically classified (e.g., “Proprietary IP”), reinforcing the need for restricted sharing.
  • Real-Time Access Insights: With Strac, administrators can instantly see who has access to IP-tagged files, enabling them to remove unauthorized users or reduce permission scopes.
  • Immediate Link Removal: If a contractor or external partner is mistakenly granted access to IP, Strac revokes public or unauthorized sharing before the files can be downloaded.
  • Alerts & Blocking: Strac’s policies can be configured to alert security teams or block external sharing attempts for files containing proprietary content.
  • Incident Response & Auditing: Detailed logs of every share request, label change, and access revocation aid in quick incident resolution and help prove due diligence if legal issues arise.