An information barrier in Box defines an ethical wall. An ethical wall is a mechanism that prevents exchanges or communication that could lead to conflicts of interest and therefore result in ethically or legally questionable business activities.
This topic contains the following sections:
- Ethical Wall Use
- Information Barriers in Box
- Permissions Between Segments
- Information Barrier Collaboration Impact Report
- Information Barrier Statuses
- Information Barrier User Experience
- Information Barriers and Content Access
- Information Barriers and Existing Collaborations
- Information Barriers and New Collaborations
- Information Barriers and Moving and Copying Files
- Information Barriers and Ownership Transfer
- Information Barriers and Shared Links
- Information Barriers and User Groups
- Information Barriers and Shield Trials
Ethical Wall Use
Ethical walls are used in many industries, and with different types of scenarios, including:
- Isolating a few static internal parties based on business units
  - Financial services, where an ethical wall is most commonly employed in investment banks between the corporate-advisory area and the brokering department to separate those giving corporate advice on takeovers from those advising clients about buying shares.
  - Property and casualty insurance, where both parties to a claim, such as an airport and an airline, have insurance policies with the same insurer. The claim handling process needs to be segregated within the insurer's organization to avoid a conflict of interest.
  - Journalism, where separation is required between editorial and advertising arms.
- Isolating many dynamic internal and external teams based on projects
  - Law, where it is necessary to separate one part of the firm representing a party on a deal or litigation from another part of the firm with contrary interests or with confidential information from an adverse party.
  - Consulting, where they are used to separate one part of the firm working on a project for a party from another part of the firm working on another project for a competitive party.
Information Barriers in Box
Collaboration is a fundamental function of using Box to manage your content. Box makes that collaboration easy, both through formal invites to collaborate on files or folders and through shared links that provide access to files and folders. Creating barriers to that collaboration runs counter to the Box ethos, yet it is necessary for some industries and use cases, as listed above, and potentially in other industries and use cases as well. An information barrier is the Box functionality you use when you must prevent collaboration and create an ethical wall.
Information barriers are enabled on a per-organization basis. If you would like to use an information barrier, contact your Box support representative.
As part of the process of creating an information barrier, a full Collaborations report is required so you can review all of the collaborations and shares that currently exist and will be removed when you configure and enable an information barrier.
You can have one information barrier enabled per enterprise in Box. That information barrier consists of two components that you configure:
- Segments
- Permissions between segments
After configuring the permissions, Box Drive prevents exchange of data between groups of users based on the permissions you set.
Information barrier segments (or just segments) are defined groups of users. They are different from user groups, however, because with segments, a user can be a member of one, and only one, segment.
This requirement for uniqueness in segments also means that you can add only individual users to segments, not user groups.
You can define up to 10 segments and add up to 10,000 users to a segment.
The first step in creating an information barrier is to define segments. You then define permissions between each pair of segments.
Permissions Between Segments
For each segment that you create, you define the relationship between that segment and every other segment. These relationships are defined by whether one segment
- can access, or
- cannot access
content owned by another segment. When the relationship between two segments is defined as cannot access, that is an ethical wall. The users in a segment are prevented from viewing or accessing any content owned by the users in the other segment in this case.
You can create multiple ethical walls within a single information barrier. The number that you can create depends on how many segments exist in the information barrier, because each segment has a relationship with every other segment.
Information Barrier Collaboration Impact Report
As part of the process to enable an information barrier, you will run a collaboration impact report. This report contains information that will show you what existing collaborations will be removed permanently when the information barrier is enabled. For each file or folder where collaboration will be removed, the following information is provided in the report:
- Owner name, login, and segment
- Item name, ID, type, and path
- Collaborator name, login, segment, and permission
- Collaborator type (user or group), inviter email, and invite sent and accepted date
Information Barrier Statuses
An information barrier can have any of the following statuses:
| Status | Description |
|---|---|
| Draft | The information barrier configuration is still being worked on and is not in effect. |
| Pending | A temporary state immediately following the enabling of an information barrier. New collaborations and access attempts are currently restricted per the information barrier configuration and existing collaborations that should not be allowed per the information barrier are being removed. |
| Enabled | New collaborations and access attempts are currently restricted per the information barrier configuration. No existing collaborations are violating the IB configuration. |
| Disabled | The information barrier configuration is disabled. |
Information Barrier User Experience
When you enable an information barrier, the experience for users trying to do various tasks in Box may change. This section explains some of those changes.
Information Barriers and Content Access
Information barriers prevent access to information when you define cannot access permissions between user segments. So for example, say you have an information barrier configured as follows:
- 2 segments, segment A and segment B
- User A in segment A, user B in segment B
- Segment A can access segment B, segment B cannot access segment A
User A has no restrictions on accessing any of user B's content. However, user B cannot:
- Preview any file owned by user A
- Share any item owned by user A
- Edit any item owned by user A
- Delete any item owned by user A
- Be invited as a collaborator to any folder owned by user A or any item in any folder owned by user A
- View content at a shared link for any item owned by user A
- Upload content to a folder owned by user A
- View a list of item names in a folder owned by user A
- View a snippet of any content owned by user A in search results
- View the names of any content owned by user A in the All Files list, search results, notifications, or Recents.
Information barriers enforce access restrictions based on the content (file or folder) owner. If a user is in a segment that cannot access another segment, then the user cannot access the content owned by any user in that second segment.
Information Barriers and Existing Collaborations
While a segment explicitly includes only users, it also implicitly includes the content owned in Box by the members of that segment. So when you create an information barrier, Box analyzes the users in each segment and the content that all the users own, and if there are any existing collaborations or shares that cross the potential information barrier, they will be removed when the information barrier is enabled.
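The owner-based rule from the content access section and the removal of existing collaborations described above can be modelled in a few lines. This is an added illustration, not Box code or the Box API; the segment, user and folder names are constructed, and treating users outside every segment as unrestricted is an assumption of the model.

```python
from typing import NamedTuple

MAX_SEGMENTS = 10            # limits stated on the page
MAX_USERS_PER_SEGMENT = 10_000

class Collaboration(NamedTuple):
    item: str
    owner: str
    collaborator: str

def build_segment_index(segments):
    """Map each user to its single segment; reject overlapping membership."""
    if len(segments) > MAX_SEGMENTS:
        raise ValueError("more than 10 segments")
    index = {}
    for name, members in segments.items():
        if len(members) > MAX_USERS_PER_SEGMENT:
            raise ValueError(f"segment {name} exceeds 10,000 users")
        for user in members:
            if user in index:
                raise ValueError(f"{user} is already in segment {index[user]}")
            index[user] = name
    return index

def can_access(user, owner, index, cannot_access):
    """Owner-based check: may `user` reach content owned by `owner`?"""
    user_seg, owner_seg = index.get(user), index.get(owner)
    # Assumption of this model: users outside every segment are unrestricted.
    if user_seg is None or owner_seg is None or user_seg == owner_seg:
        return True
    return (user_seg, owner_seg) not in cannot_access

def impact_report(collaborations, index, cannot_access):
    """Collaborations that cross a wall and would be removed on enablement."""
    return [c for c in collaborations
            if not can_access(c.collaborator, c.owner, index, cannot_access)]

# Constructed sample mirroring the page's example; all names are hypothetical.
SEGMENTS = {"A": ["user_a"], "B": ["user_b"]}
CANNOT_ACCESS = {("B", "A")}   # segment B cannot access segment A; A can access B
COLLABS = [
    Collaboration("deal-folder", owner="user_a", collaborator="user_b"),
    Collaboration("research-folder", owner="user_b", collaborator="user_a"),
]

if __name__ == "__main__":
    idx = build_segment_index(SEGMENTS)
    for c in impact_report(COLLABS, idx, CANNOT_ACCESS):
        print(f"remove: {c.collaborator} on {c.item} (owner {c.owner})")
```

Because the permission is directional, only user B's collaboration on user A's folder is flagged; user A's collaboration on user B's folder is untouched.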
Information Barriers and New Collaborations
When a user creates a collaboration on a file or folder and includes a user that is prevented from accessing that file or folder because of an information barrier, the collaboration will be prevented and an error message will explain why and list any users that must be removed before the collaboration can be made.
Information Barriers and Moving and Copying Files
When a user moves or copies a file or folder to a folder where access is prevented because of an information barrier, the move or copy will not be allowed and an error message will state that the action is prevented by security policy.
Because collaborators in the file/folder will stay as collaborators in a move, the information barrier will retroactively check if any existing collaborators should not access the destination folder owner’s segment and remove them accordingly. Note that there is a chance that violating collaborators could still access the content before the check is done, but all user access events will be recorded and made available via Event API.
Information Barriers and Ownership Transfer
Because you can transfer ownership of a folder only to someone who is already a direct collaborator on that folder, and an information barrier doesn’t allow restricted users to be invited, there is only one rare scenario to consider: an ownership transfer that happens while the information barrier is in Pending status, as it is being enabled. In that status, violating collaborators may not yet have been removed, so an ownership transfer can occur between users in different segments who are both collaborators on the folder. The information barrier enablement process will retroactively check for such collaboration violations, and if they exist, remove them. The ownership transfer will occur, however.
For example, User A and User B are collaborated on a folder. User A and User B get put into different segments in an information barrier and access between the two segments is restricted. The information barrier is enabled and is scanning for existing collaborations that must be removed, which would include this one. During this time, before the information barrier becomes fully enabled, User A transfers ownership of the folder to User B. When the information barrier becomes fully enabled, User B will be the folder owner and User A will not be able to access the folder's contents.
Information Barriers and Uploading Files
When a user uploads a file to a folder where access is prevented because of an information barrier, the upload is blocked and an error message will state that the action is prevented by security policy.
Information Barriers and Shared Links
When an information barrier is enabled and a user creates a shared link with the People with the link or People in your company permission, they will see a message that some users will be restricted from accessing the content because of a security policy.
Information Barriers and User Groups
When a file or folder is added to a group and an information barrier prevents access between any members of the group, the addition is blocked and an error message will state that the action is prevented by security policy.
Information Barriers and Shield Trials
An information barrier is not available in Shield trials. To run a test of an information barrier, create a sandbox, and then create and configure the information barrier in the sandbox.