Demystifying Samsung KNOX

Recently we have seen a lot of buzz regarding Samsung KNOX and its partnership activities with various MDM vendors. So let's dig in and see what Samsung KNOX has to offer to the current Enterprise Mobility scenario.

KNOX, a SAFE (Samsung For Enterprise) feature, is an advanced containerization solution, and this time it is brought to you by an OEM rather than a 3rd-party vendor. KNOX provides a secure container for enterprise apps that protects corporate data while still allowing the user to access personal data on the same device. Yes, that's something similar to BlackBerry Balance.
As of now the enterprise market is still in a dilemma about using Android as a safe BYOD platform, but KNOX really can revolutionize the Android scenario this time.

Samsung KNOX incorporates key technologies, such as SELinux and application virtualization, and leverages hardware-level features to provide enhanced security that protects the operating system and applications. Also, it's been approved by the US Government and the Department of Defense.
 
 
KNOX Features:

1. Platform Security
2. Application Security
3. Mobile Device Management
 
Platform Security
KNOX ensures platform-level security by securing the Android framework, the Linux kernel, and the boot process. KNOX has three main players to ensure this:
 
 
 
Trusted Boot
The Secure Boot mechanism in Android prevents “unauthorized” boot loaders and operating systems from loading during the startup process. Firmware images, such as operating systems and other system components, that are cryptographically signed by known, trusted authorities are considered “authorized” firmware. But this has a shortcoming: authorized firmware may have vulnerabilities and later be updated to remove them, yet both versions of the firmware will still be allowed to boot on the device, since both carry proper cryptographic signatures.
Trusted Boot addresses this by keeping recorded evidence of the firmware in TrustZone, and a check is done at every boot where the firmware is measured against the recorded values to track any changes.
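To make the Secure Boot vs Trusted Boot distinction concrete, here is a small simulation I've added (not Samsung's code): an HMAC stands in for the vendor signature, a SHA-256 hash stands in for the measurement recorded in TrustZone, and the firmware strings are constructed for the demo.

```python
import hashlib
import hmac

# Constructed example, not Samsung's implementation: a simplified model of
# Secure Boot (signature check only) versus Trusted Boot (signature check
# plus comparison against a measurement recorded at provisioning time).
VENDOR_KEY = b"vendor-signing-key-stand-in"  # assumption: HMAC stands in for the OEM signature


def sign(image: bytes) -> bytes:
    """Stand-in for the vendor's cryptographic signature over a firmware image."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def secure_boot_allows(image: bytes, signature: bytes) -> bool:
    """Secure Boot: anything carrying a valid vendor signature may load."""
    return hmac.compare_digest(sign(image), signature)


def measure(image: bytes) -> str:
    """The measurement a Trusted Boot stage would record: a hash of the image."""
    return hashlib.sha256(image).hexdigest()


class TrustedBoot:
    """Keeps the measurement recorded at provisioning and re-checks it on every boot."""

    def __init__(self, approved_image: bytes):
        self.recorded = measure(approved_image)  # held in TrustZone on a real device

    def check(self, image: bytes, signature: bytes) -> bool:
        if not secure_boot_allows(image, signature):
            return False  # an unsigned or tampered image never boots
        return measure(image) == self.recorded  # signed, but does it match the record?


# Constructed firmware versions: v1 is the build with a known bug, v2 the patched build.
FW_V1 = b"bootloader v1 (vulnerable)"
FW_V2 = b"bootloader v2 (patched)"
SIG_V1, SIG_V2 = sign(FW_V1), sign(FW_V2)


def rollback_demo() -> dict:
    """Secure Boot alone accepts the old signed build; Trusted Boot flags it."""
    tb = TrustedBoot(FW_V2)  # the patched build is what was recorded
    return {
        "secure_boot_v1": secure_boot_allows(FW_V1, SIG_V1),
        "secure_boot_v2": secure_boot_allows(FW_V2, SIG_V2),
        "trusted_boot_v1": tb.check(FW_V1, SIG_V1),
        "trusted_boot_v2": tb.check(FW_V2, SIG_V2),
        "trusted_boot_tampered": tb.check(FW_V2 + b"!", SIG_V2),
    }
```

The dictionary returned by `rollback_demo()` shows both signed builds passing Secure Boot, while only the recorded build passes Trusted Boot.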

TrustZone-based Integrity Measurement Architecture (TIMA)
Provides continuous integrity monitoring of the Linux kernel to detect if the kernel is ever compromised, which could otherwise cause the Mandatory Access Control (MAC) policies to be disabled.

Security Enhancements for Android (SE for Android)
Security-Enhanced Linux, invented by the NSA in 2000, is used for securing enterprise Linux assets. Samsung and the NSA R&D team have integrated the same technology into Android, which is called Security Enhancements for Android. SE for Android includes a set of security policy configuration files designed to meet common, general-purpose security goals. Out of the box, Samsung KNOX is provisioned with a set of security policy configuration files designed to strengthen the core Android platform and meet general enterprise needs. Samsung KNOX offers management APIs that allow the default SE for Android policies to be replaced with stricter or enterprise-specific policies. These new policies can be pushed to the device.

Application Security
KNOX handles application security in 3 ways:

App Containers:
Similar to the containerization fundamentals, the KNOX container does not allow applications outside the container to access the data residing inside, and vice versa (with some exceptions, where read-only access to KNOX container apps can be granted to outside apps via policy configuration). For example, the Gallery application outside the container will not display photos taken with the camera inside the container.

 


ODE (On-device Data Encryption):
This feature allows administrators to encrypt either the KNOX containers or the entire device. The ODE feature on Samsung devices uses a FIPS 140-2 compliant Advanced Encryption Standard (AES) cipher with a 256-bit key (AES-256) and offers the level of security required by government and regulated industries such as healthcare and finance.





Virtual Private Network Support:
Samsung KNOX provides highly secure access to intranet portals for employees right on their devices. The Samsung KNOX VPN implementation offers broad support for the IPsec protocol suite:

- Internet Key Exchange (IKE and IKEv2)
- Triple DES (56/168-bit), AES (128/256-bit) encryption
- Split tunneling mode
- NSA Suite B Cryptography


 

Also, it gives IT administrators the flexibility to configure, provision, and manage the use of VPN on a per-application basis, which ensures that enterprise data is communicated over a secure connection while keeping the user’s personal data from overloading the company’s Internet connection.

Mobile Device Management
KNOX is an offering from the SAFE (Samsung For Enterprise) MDM. Also, Samsung has joined hands with MDM vendors like SOTI to ensure KNOX is exploited to its fullest. We can expect this in action with SOTI's much-awaited version of MobiControl 11.

SAFE MDM Feature List:
 
 

So what's your take on KNOX? Feel free to share !!!


Till Then
Be Curious !!!!!!

 
 
 
Resource: Samsung KNOX Whitepapers


