Case study: Calico enables zero-trust security and policy automation at scale in a multi-cluster environment for Box

Box is a content cloud that helps organizations securely manage their entire content lifecycle from anywhere in the world, powering over 67% of Fortune 500 businesses. As a cloud-first SaaS, the company provides customers with an all-in-one content solution within a highly secure infrastructure, where organizations can work on any content, from projects and contracts to Federal Risk and Authorization Management Program (FedRAMP)-related content.

Box has two types of operations: cloud-managed Kubernetes clusters in hybrid, multi-cloud, and public cloud environments, and self-managed Kubernetes clusters in co-located data centers. The company runs multiple clusters with sizes of 1,000 nodes and larger. As one of the early adopters of Kubernetes, Box began using Kubernetes much before Google Kubernetes Engine (GKE) or Amazon’s Elastic Kubernetes Services (EKS) was born, and has been on the leading edge of innovation for Kubernetes in areas such as security, observability, and automation.

In collaboration with Tigera, Box shares how Calico helped the company achieve zero-trust security and policy automation at scale in a multi-cluster environment.

ICYMI: Watch this recording from the 2022 CalicoCon Cloud Native Security Summit, where Tapas Kumar Mohapatra of Box shares how Box moved into automated dependency mapping and policy generation with API v3

Case study highlights

Once Box moved to Kubernetes, the content cloud opened a shared Kubernetes infrastructure model with a multi-cluster architecture for its services. As the service owner, the Box Kubernetes infrastructure team needed to be the central service provider and overseer to their internal customer user base, the application development team.


Since not all application developers are Kubernetes experts or have the necessary policy-writing expertise, Box’s shared Kubernetes infrastructure and multi-cluster architecture was met with a number of challenges:

  1. Maintaining a zero-trust posture, enforcing granular workload access controls, and gaining observability into all workload and policy communications on a shared infrastructure in an ephemeral environment with thousands of microservices
  2. Troubleshooting and ensuring all deployed security policies can run on multiple clusters and are discoverable to other endpoints
  3. Achieving and maintaining continuous compliance with regional regulations, including PCI DSS, SOC 2, and FedRAMP
  4. On-demand compliance reporting


Quickly realizing workarounds were too time-consuming and costly, the company searched for a security provider to solve these problems, with four major goals:

  • Maintain a zero-trust posture for all workloads
  • Gain visibility into all workload and policy communications and reduce troubleshooting times
  • Automate multi-cluster security policy creation and management
  • Ensure continuous compliance with regional regulatory requirements


After implementing Calico Enterprise, Box achieved zero-trust security and gained observability for all workload communications. The company now has a fully automated policy lifecycle that Calico continuously monitors to ensure compliance with regional regulatory requirements for the company’s shared infrastructure spanning multiple clusters in co-located data centers, and public clouds in different regions.

“Tigera helped Box enforce zero-trust security, workload observability, and cross-regional compliance for our shared, multi-cluster Kubernetes infrastructure.”

—Tapas Mohapatra

Sr. Manager, Site Reliability Engineering, Cloud & Kubernetes at Box

Read the case study: Calico enables zero-trust security and policy automation at scale in a multi-cluster environment for Box

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!