CIC VENDOR SPOTLIGHT

CIC
CREATIVE INTELLECT CONSULTING LTD

Box Platform Review: Executive Summary

A flexible content platform for next generation apps and
the digital workforce

Clive Howard, Research Analyst, Bola Rotibi, Research Director,Creative Intellect Consulting

A Creative Intellect Summary points

Consulting Spotlight Review
The platform is important to future growth of Box’s
strategy. It is through the platform that customers can
integrate and extend Box into their existing IT estate and
develop new custom applications for both employee
facing applications, as well as front office customer facing
processes running on the Box Platform. With a strong
focus on security and compliance, Box addresses many of
the critical concerns when considering a cloud platform
service provider.
This report charts the evolution of Box’s business strategy
and provides a profile and review of the Box Platform
in meeting the enterprise content needs of the digital
workforce.
l CIC direction and analysis
l Evolution of Box’s business and a growing
product portfolio targeting a broad audience
base
l Proof points of Box as a true enterprise vendor
l The business and operational value of the
Box Platform services with an outline of its
industry leading security credentials
l Building the modern organisational unit to
drive application success

© Creative Intellect Consulting Ltd August 2016 Page 1

CIC directions and analysis
Box has spent a considerable amount of time and money
on its core product, which has evolved rapidly from a pure
file sync and share application, to a collaboration tool and
platform that allows customers to integrate and extend the
core Box proposition. Unlike many others in the file sync
and share market, Box has heavily focused on
business customers; especially the enterprise.
This required some significant capital
expenditure, but that has paid off with
the company’s success, both in the
number of enterprise customers it has
gained and also the extent to which
customers have adopted the solution.
The platform also gives non-Box
customers a back-end service
proposition, with those same strong
capabilities around security, management,
governance and compliance, file viewing and
workflow. Developers from across the increasingly
broad developer ecosystem will find themselves building
applications for use cases, for which Box will be a better
proposition than many other similar services. At the most basic
level, many applications require some form of content storage,
and while there are many cloud-based services that could
KEY
CAPABILITIES
The platform provides organisations and developers with
some key capabilities:
l Take advantage of key security certifications, especially if
targeting certain industries
l A single repository for content that can serve line of business
specific experiences
l Growing ecosystem of potential customers and monetisation
opportunities, through a curated marketplace
l High quality developer experience – documentation, SDKs and
support – with additional community engagement
l App Users make using the Box Platform invisible to third party
application users and reduces barriers to entry (i.e. having to create
multiple Box users)
© Creative Intellect Consulting Ltd August 2016
meet this requirement, there are very few with the additional
capabilities that Box provides; most notably around its ever-
growing number of industry security certifications.
That Box is investing in its platform is both an important step
in its maturity as a vendor and in continuing its strong growth
as a business. The company’s ambition is for every application
to use its platform in some respect, however, there
are an ever increasing number of options
for developers, with respect to content
storage. While Box has capabilities that
better the majority of these, many
developers may not recognise that in
the early versions of their application
and others may not need them. But
there will be key use cases that Box will
be ideal to address and the company
will need to reach these developers.
The company has made a number of sensible
acquisitions and product decisions, that has led
to a product regarded by many as leading within its
industry. The platform enables customers and noncustomers
of the product to get value from the investments in the
underlying technology that Box has invested in.
key considerations
KEY
CONSIDERATIONS
For organisations looking to harness the capabilities of
the Box Platform, there are some key considerations that
they should address:
l Make sure to have the correct skills in development and
architecture, to take advantage of a cloud based platform
l Ensure leadership that understands the critical success factors
required of the modern application
l Have in place the necessary processes (DevOps) and
methodologies (Agile), to take advantage of the benefits that cloud
platforms present
l Ensure to have the roles or processes in place to promote
applications, in order to grow users and drive success
l Understand where application requirements are best served
(short and long term), but the most appropriate cloud service
Page 2
Box’s business evolution
Box currently has 62,000 customers, with 46 million users.
Some of the company’s most notable customers have
SSAE16 Type II, ISO 27001:2013, ISO 27018, HIPAA
invested wall-to-wall in Box, with seat numbers running
and HITECH, PCI DSS 2.0 Level 1 and PCI DSS 3.1as
into the tens of thousands and leaving in no doubt that
a Service Provider., FINRA/SEC 17a-4, FIPS 140-2
Box, today, is a leader in the enterprise SaaS market. The
Level 1, FedRamp, FISMA ATO, and for international
company’s 1,600+ partner ecosystem has also grown
markets, G-Cloud Framework 7, TÜV Rheinland Cloud
to include some of the largest, global enterprise service
Certification, Asia-Pacific Economic Cooperation
providers, such as Amazon Web Services, IBM GBS,
(APEC) and Cross-Border Privacy Rules (CBPR.)
Accenture, Cognizant, Tech Mahindra and Atos.

Key to its success has been investing in what matters most to

its enterprise customer base. This began with ensuring strong The company has added to this, with capabilities such
security throughout its service, demonstrated by the extensive as workflow automation and investments in mobile –
list of industry certifications that includes the following: including mobile apps and mobility management.

Box has also invested heavily in integrations with critical enterprise applications, most notably Microsoft Office 365. The
company currently has a dedicated Office 365 integration team and the benefits of this are being seen in the number of Office
365 rollouts, where the customer has chosen Box over Microsoft’s OneDrive for Business. In some published case studies,
customers have replaced Microsoft SharePoint with Box.

The company has added further capabilities to help enterprises move to a cloud-based service and support ECM. These include:

l KeySafe (formally Box Enterprise Key Management,) which allows organisations to

control the encryption keys that protect the content that they store in Box, without
impacting the end user experience

l Governance capabilities, such as support for eDiscovery and legal holds, automation
of retention schedules and the enforcement of policies

l Private Network Connections for companies with concerns going over the
public internet to take advantage of MPLS connections provided by AT&T and NTT
Communications. This allows for direct connection from the Box data center to the
customer sites, for better performance and enhanced security

l In 2016, Box released Box Zones, which enables customers to specify geographic
regions, initially in Germany, Ireland, Japan and Singapore, in which their files are stored

© Creative Intellect Consulting Ltd August 2016 Page 3

Platform is the third pillar on which Box’s future will be built
In the CIC 2013 Box profile, we focused on what was then the emerging Box Platform. The platform provides third parties,
including customers, with the ability to integrate with the Box product and underlying core services. A key component of this
platform strategy was making available Application Programme Interfaces (APIs) in the form of RESTful Web Services.

Today, Box considers itself to be “API first” in terms of its own development. What this means is that Box’s own developers build
the product as APIs first and then layer its own client applications on top, to use those APIs. These are the same APIs that are
made available to third parties. At the time of writing, Box is receiving 6 billion API calls per month from third party integrations.
The Box Platform has attracted over 75,000 registered developers. The platform is Box’s third key strategic imperative, along
with EFSS and ECM.

Under the hood of the Box Platform

Box’s Platform strategy is twofold: The first is to enable customers of its core Box application product to integrate with, and
extend, Box to fit their organisation’s individual needs, using its REST API. In short, this allows customers to directly leverage
underlying core platform functions and services. The second is to expand Box’s footprint within the enterprise, to easily and
seamlessly extend processes across employees, partners, customers and consumers together, and across organizational
boundaries outside of the enterprise.

The business and operational value of the Box Platform services

Through the platform, Box can be used as the repository for all of an
organisation’s files, providing enterprise grade security and content
management capabilities, while enabling other applications to provide the
use case appropriate capabilities, by which these files are interacted with.

Box offers developers a prebuilt collection of capabilities that can be easily

included, within any application that requires file storage and content
management facilities. With an ever increasing number of applications
being built, not just by traditional IT organisations within enterprises and
ISVs, but also by less IT savvy businesses and by individual developers,
this is a productivity bonus. At the same time, Box significantly reduces
the overhead created by the need for an organisation to provision
infrastructure for multiple file storage solutions.

As a cloud based solution, Box can reduce this requirement (both capital
and operational expenditure) to potentially zero. This effectively allows
application developers, using the Box platform, to focus on delivering the use cases and differentiating experiences that the
business needs. They will not need to spend time on configuring infrastructure, content storage and management systems and
other non-value adding operational overheads.

© Creative Intellect Consulting Ltd August 2016 Page 4

Standards ease adoption and availability
Box Content API uses the highly popular Representational
State Transfer (REST) approach, where data is formatted
using JavaScript Object Notation (JSON). The familiarity and
simplicity of REST and JSON makes working with the API
straightforward, especially for developers with experience of
using such interface services. For authentication, Box offers
two different approaches for building custom applications:
the open standard OAuth 2.0, for creating applications for
Box users, and JSON Web Tokens (JWT) and App Users, for
creating applications where a developer does not want to
require a Box user account.
To make working with the Box API even
easier, Box has developed and
maintained a number of Software
Development Kits (SDKs.) These
cover some of the most popular
development technologies
and platforms, including:
Web SDKs for Java, Microsoft
.NET, Python, Ruby, Chrome
and Salesforce (APEX);
mobile SDKs for Apple iOS,
Google Android and Microsoft
Windows; and a collection of
Mobile UI kits that enable easy
inclusion for functionality, such
as file navigation and manipulation,
collaboration and previewing of files, by
providing developers with pre-built UI elements.
In a crowded marketplace of cloud platform services, it is
important for Box to drive visibility within the developer
ecosystem. One way in which it is doing this, is to have the
platform appear in third party marketplaces for services.
An example of this is through the company’s partnership
with IBM, whereby the Box Platform appears within IBM’s
Bluemix cloud offering.
© Creative Intellect Consulting Ltd August 2016
Industry leading security credentials
Security is a critical concern, especially with reassuring many
customers that cloud is a safe environment. Box provides
a fully encrypted environment, with 256-bit SSL for all
connections, to ensure data in transit is highly protected and
256-bit AES for all data on servers. To prevent encryption
keys from being stolen or compromised, Box stores the keys
separate from the data and ensures that they are changed
frequently. Customers can also store their own keys, if they
so choose, via Box KeySafe service.
Support for multiple single sign-on vendors and integration
with Active Directory (AD) makes it easy to
integrate user accounts with enterprise log-
ons. Box customers can enforce their
internal password policies on their
users accessing content on the
Box Platform. Active Directory
and LDAP integration ensures
that enterprise administrators
can secure and audit data
access. Support for SAML
2.0 provides a foundation
for federated access security.
On top of this, Box has native
multifactor authentication
support.
Box recognises the importance
of security and has taken a number of
steps to address this, including the numerous
certifications. However, it also understands that security
considerations extend beyond its own capabilities.
Developers building apps also need and have a responsibility
to ensure best practice security within the code that they
write. To assist with this, Box provides a number of security
guidelines. The guidance provided to developers targeting
Apple iOS and Google Android should prove particularly
beneficial, especially given the concerns that some
organisations have with respect to mobile security.
Page 5
Developer experience and opportunities
Given the capabilities, and in some respects the complexity, of what Box offers, the platform provides a high quality developer
experience. The documentation is clean, clear and concise, including a detailed API reference and a change log (helpful for
managing application updates required by changes to the API). API calls can be tested from the command line, or through a
Chrome browser extension, which is useful for both development and debugging purposes. There are a decent number of code
examples within the documentation and the SDKs are hosted on the popular github code repository.

For those looking to build capabilities on top of the platform, that could
be useful to other Box customers, there is a Box App Gallery. This is a Box
approved marketplace (similar to the Apple App Store) that includes the
ability to monetise applications.

Building the modern organisational unit to drive

application success
This approach considers the entire application life-cycle, and not just from the
perspective of technical roles, such as architect and developer, but including
the broader business. For becoming a modern technology business.

To create the modern application requires skills in cloud and working

with APIs, but also the ability to be successful within a fast moving (Agile)
environment. It also requires an appreciation for other key considerations,
such as User Experience.

Taking a user centred approach, where the application user (whether internal or external) is a primary stakeholder, will be new
to many organisations, but is critical to creating applications that will derive maximum value for the business.

Taking the Box Platform as a stand-alone offering presents capabilities that could be embraced by many developers and
development organisations. Storage, security, management and access to content is a key component of many applications,
whether they target the desktop, mobile or the growing IoT market. This presents Box with great potential for attracting new
customers and partners, who would not necessarily adopt the core Box product.

From a development perspective what is important about platforms is that:

l They are easy to work with, irrespective of the technology that developers are using

l They can be used across different client application types (for example desktop, web, mobile)

l They are secure and meet any organisational governance requirements

Creative Intellect Consulting is an analyst research, advisory and consulting firm focused on software development, de-
livery and lifecycle management across the Software and IT spectrum along with their impact on, and alignment with,
business. Read more about our services and reports at www.creativeintellectuk.com
Forward distribution is forbidden without written consent. If you wish to forward distribute please contact bola@creativeintellectuk.com

© Creative Intellect Consulting Ltd August 2016 Page 6