
Samsung KNOX Training Product Overview

Enterprise Edition
Published: Oct 31, 2013 Version: 1.32

© Samsung 2013. All rights reserved.

Why did Samsung create KNOX?

11/21/2013


What Problem Does KNOX Solve?

[Chart: pie charts of Overall Smartphone Share (Nielsen Mobile Insights, June 2012) and Enterprise Smartphone Share (Gartner Survey, April 2012), by platform: Android, iOS, Blackberry, Others.]


Background: Android in the Enterprise…

Top 3 reasons for poor Android acceptance in the Enterprise:
• Fear of OS compromise
• No protection against data leakage
• Limited policy controls and management


What is KNOX?


What is Samsung KNOX?

Google Android:
• Open Source Platform
• Lack of security
• Malware

Samsung Secure Android:
• Security Enhancements
• Kernel Integrity monitoring
• MDM Manageability
• US DoD Approved

KNOX is Samsung’s Secure Android Platform.

Secure Android Platform

Samsung KNOX utilizes a multi-layered approach to platform security:
• OS Hardening features include:
- Secure Boot / Trusted Boot
- Security Enhancements for Android
- TrustZone-based Kernel Integrity Measurement (TIMA)
• Application Security features include:
- Container for dual persona
- On-device Data Encryption
- VPN Support
- Smart Card support

OS Hardening

• Trusted Boot ensures boot-time integrity by ensuring that all boot loaders and the kernel image are from an authorized source, e.g. Samsung.
• TIMA monitors the running kernel for any evidence of tampering.
• Security Enhancements for Android (SE for Android) protects the system from malicious applications.

ARM TrustZone

• KNOX uses ARM TrustZone® hardware.
• Enables strong isolation to separate the code execution into two worlds, “the secure world” and “the normal world” (or “the non-secure world”).
- The secure world is intended for (infrequent) security sensitive operations.
- The normal world is intended for other regular operations.

Standard Android Secure Boot

[Diagram: boot chain Hardware → Primary Boot Loader → Secondary Boot Loader 1 → Secondary Boot Loader 2 → Android Boot Loader → Android Kernel (SE for Android), with SECURE BOOT and TRUSTED BOOT stages labelled. The Android Boot Loader to kernel step is marked “Verification ?” and “Some carriers*”.]

• The Root-of-Trust is a Samsung certificate that is verified by the hardware.
• Each boot loader verifies the next boot loader in the chain by authenticating its signature using a Public Key Infrastructure (PKI)-based certificate chain.
• However, on most Android devices, the Android Boot Loader does not verify the authenticity of the kernel it is loading.
- Installation of hacked and custom kernels by employees can compromise information security.

KNOX Customizable Secure Boot

• The Root-of-Trust is a Samsung certificate that is verified by the hardware.
• For government and military use, rather than using the default Samsung certificate, Samsung KNOX allows the root-of-trust to be changed to a government issued or approved certificate.
• This root-of-trust may be a US Department of Defense (DoD) issued (approved) certificate that enables KNOX deployments in government installations in the USA and NATO countries.

Trusted Boot in KNOX

[Diagram: boot chain Hardware → Primary Boot Loader → Secondary Boot Loader 1 → Secondary Boot Loader 2 → Android Boot Loader → Android Kernel (SE for Android), labelled TRUSTED BOOT; each step is verified and its measurements are recorded in TrustZone (“Some carriers*”).]

• KNOX implements a trusted boot sequence that extends to the Android kernel.
- Measurements of the boot loaders and kernel are securely stored in TZ.
- Enterprise features are activated only if the boot process is verified.
• This ensures that enterprise security is not compromised if the bootloader and/or kernel are replaced by a hacked version.

About Trusted Boot

• If the user replaces the Samsung kernel with a custom or hacked kernel, the device boots as usual.
• However, enterprise features such as container creation, or container login are disabled by TIMA.
• Furthermore, enterprise features continue to be disabled even if the user reverts back to the original Samsung KNOX kernel.
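As an added illustration (not Samsung’s code), the following Python models the measurement and gating logic described in the Trusted Boot slides above: every boot stage is hashed, the digests are recorded in a TrustZone-held store, and a sticky tamper flag keeps enterprise features disabled even after the stock kernel is restored. The PKI signature check that the real chain performs is replaced here by a digest comparison, and all stage images and names are constructed samples.

```python
import hashlib


def measure(image: bytes) -> str:
    """Measurement of a boot stage: the SHA-256 digest of its image (stand-in for the real check)."""
    return hashlib.sha256(image).hexdigest()


class TrustZoneStore:
    """Stand-in for secure-world storage holding boot measurements and the tamper flag.
    The normal world may read it, but only the boot path (secure world) writes it."""

    def __init__(self):
        self.measurements = {}     # stage name -> digest of what was actually loaded
        self.tamper_flag = False   # sticky: survives reverting to the stock kernel


def trusted_boot(stages, known_good, tz):
    """Measure every stage in order and record it in TrustZone.
    `stages` is an ordered list of (name, image); `known_good` maps name -> expected digest.
    Returns True when every stage matched. The device boots either way."""
    verified = True
    for name, image in stages:
        digest = measure(image)
        tz.measurements[name] = digest
        if known_good.get(name) != digest:
            verified = False
    if not verified:
        tz.tamper_flag = True      # set once, never cleared by a later clean boot
    return verified


def enterprise_features_enabled(tz) -> bool:
    """Container creation / login are allowed only if the boot history never failed."""
    return not tz.tamper_flag


# Constructed sample images for the boot chain shown in the slides.
STOCK_CHAIN = [
    ("sbl1", b"secondary boot loader 1 v1"),
    ("sbl2", b"secondary boot loader 2 v1"),
    ("aboot", b"android boot loader v1"),
    ("kernel", b"samsung signed kernel v1"),
]
KNOWN_GOOD = {name: measure(img) for name, img in STOCK_CHAIN}


def scenario_custom_kernel_then_revert():
    """Stock boot, then a custom kernel, then the user flashes the stock kernel back.
    Returns (boot_verified, enterprise_enabled) for each of the three boots."""
    tz = TrustZoneStore()
    first = trusted_boot(STOCK_CHAIN, KNOWN_GOOD, tz)
    stock_ok = enterprise_features_enabled(tz)
    custom = STOCK_CHAIN[:3] + [("kernel", b"custom kernel with extra features")]
    second = trusted_boot(custom, KNOWN_GOOD, tz)
    custom_ok = enterprise_features_enabled(tz)
    third = trusted_boot(STOCK_CHAIN, KNOWN_GOOD, tz)   # revert to the Samsung kernel
    revert_ok = enterprise_features_enabled(tz)
    return (first, stock_ok), (second, custom_ok), (third, revert_ok)


if __name__ == "__main__":
    print(scenario_custom_kernel_then_revert())
```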

How to Check Warranty Status (1/2)

• Boot device in ODIN Mode
- Simultaneously press volume down, home, and power button.
- When warning screen is displayed, press the volume up button.
- Status is displayed in upper left hand corner of the display.

How to Check Warranty Status (2/2)

[Screenshots: ODIN-mode status screens labelled “Kernel Replaced with 3rd Party Kernel” and “Samsung signed Kernel replaced after Rooting”.]

Android Kernel Security Background

• Android leverages the user-based access control of Linux, aka Discretionary Access Control (DAC), as a means of securing applications:
- Because there is only one real user, Android assigns a unique user ID (UID) to each application and runs it as that user in a separate process.
- This unique UID-per-app approach sets up a kernel-level Application Sandbox.
• However, rooting the device allows applications to run as the privileged “root user” with full access to all system resources.
- This “privilege escalation” flaw allows malicious applications to take control of the device.

KNOX SE for Android

• Samsung KNOX integrates SE for Android into the platform that uses Mandatory Access Control (MAC).
- Uses policies to create security domains.
- Architecture prevents a compromise in one domain from propagating to other domains or the mobile operating system.
- Renders “rooting” useless and ineffective as even applications that run as the root user are subject to mandatory access controls.

The Need to Monitor Kernel Integrity

[Diagram: the Trusted Boot chain again (Hardware → Primary Boot Loader → Secondary Boot Loader 1 → Secondary Boot Loader 2 → Android Boot Loader → Android Kernel with SE for Android), with verification and measurements recorded in TrustZone (“Some carriers*”).]

• Trusted Boot verifies the kernel image at boot time:
- However, it does not protect the kernel from being compromised when running.
• SE for Android protects the system using mandatory access controls:
- However, this relies on the kernel itself not being compromised.
• There is a clear need to ensure that the kernel itself is not compromised by exploiting an as yet unknown vulnerability.
- The TrustZone-based Integrity Measurement Architecture (TIMA) fulfills this requirement.

TIMA

• TIMA monitors the integrity of the kernel using two techniques:
- Authenticating Linux kernel modules (LKM) as they are dynamically loaded.
- Periodic kernel measurement (PKM) is conducted by hashing kernel code pages and verifying the values against known defaults.

TIMA Measurements

The following are some of the key features of TIMA:
• TIMA LKM (Loadable Kernel Module) authentication
- Initial LKM verification + code & data page separation
• TIMA periodic kernel measurement
- Periodically hash some kernel code pages and verify if the hash values have changed from the default values
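An added Python example (not part of the Samsung deck) of the periodic kernel measurement idea described in the two TIMA slides above: a baseline of per-page SHA-256 digests is taken from the verified kernel text, each later measurement is compared page by page, and the recorded history yields an attestation-style verdict. The page size, the kernel text contents and the simulated patch are constructed; real TIMA runs in the secure world and measures physical pages, which this model does not reproduce.

```python
import hashlib

PAGE_SIZE = 4096  # constructed; chosen to mirror a typical page size


def split_pages(region: bytes, page_size: int = PAGE_SIZE):
    """Split a memory region into fixed-size pages (the last page may be short)."""
    return [region[i:i + page_size] for i in range(0, len(region), page_size)]


def page_hashes(pages):
    """One SHA-256 digest per page."""
    return [hashlib.sha256(p).hexdigest() for p in pages]


class PeriodicKernelMeasurement:
    """Stand-in for TIMA PKM. The baseline is taken once from the verified kernel text;
    every period the same code pages are re-hashed and compared against it.
    Only code pages are measured: kernel data pages legitimately change at runtime,
    which is why TIMA separates code and data pages."""

    def __init__(self, code_region: bytes):
        self.baseline = page_hashes(split_pages(code_region))
        self.history = []   # one entry per measurement: indices of modified pages

    def measure(self, code_region: bytes):
        """Return the indices of code pages whose digest differs from the baseline."""
        current = page_hashes(split_pages(code_region))
        if len(current) != len(self.baseline):
            # A changed page count means the text layout itself changed: flag everything.
            modified = list(range(max(len(current), len(self.baseline))))
        else:
            modified = [i for i, (a, b) in enumerate(zip(self.baseline, current)) if a != b]
        self.history.append(modified)
        return modified

    def kernel_intact(self) -> bool:
        """Attestation-style verdict: True only if no measurement ever saw a change."""
        return all(not m for m in self.history)


# Constructed sample: a four-page "kernel text" region with distinct page contents.
KERNEL_TEXT = b"".join(bytes([0x10 + i]) * PAGE_SIZE for i in range(4))


def demo():
    """Clean measurement, a 16-byte in-place patch of page 2, then the bytes restored."""
    pkm = PeriodicKernelMeasurement(KERNEL_TEXT)
    clean = pkm.measure(KERNEL_TEXT)
    patched = bytearray(KERNEL_TEXT)
    patched[2 * PAGE_SIZE + 100:2 * PAGE_SIZE + 116] = b"\xff" * 16
    tampered = pkm.measure(bytes(patched))
    restored = pkm.measure(KERNEL_TEXT)   # restoring the bytes does not erase the record
    return clean, tampered, restored, pkm.kernel_intact()


if __name__ == "__main__":
    print(demo())
```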

TIMA is also used for Attestation

• What is Attestation?
- Process where Samsung verifies that the kernel was never tampered with
• Why do we need it?
- Check if anything has changed on the device which could affect the KNOX container security
• When can Attestation be done?
- When integrity checks of a KNOX device are required (enterprise deployment)
• What Devices Support Attestation?
- Galaxy Note 3 and Galaxy 10.1 tablet

Secure Android Platform Summary

• The Samsung KNOX platform fully addresses the shortcomings of the open source Android platform for broad enterprise adoption.
• Enhanced security at the OS level provided by Secure Boot/Trusted Boot, TIMA and SE for Android protects against malware attacks and hacking.
• Meets or exceeds the most stringent requirements of the United States government
− Approved for use by the US Department of Defense (DoD)

Application Security

Application Security

• KNOX provides a multi-faceted application security approach by providing…
- Protection of applications from malware attacks and data leakage.
- Encryption for data at-rest (DAR).
- Security for data in-transit (DIT).
- Support for Smart card authentication

What is Data Leakage?

Data leakage issues occur when mixing personal and business use on the same mobile device.
• For example, when an email attachment or file received is downloaded and stored in memory or SD card:
- The unsecured file is vulnerable to theft by malicious apps.
- The attachment can be uploaded to a public cloud such as Facebook or Dropbox.
- The file can be transferred to a PC via USB.
- The SD card can be stolen and the file exploited.

Application Container Solution

The KNOX Container is a virtual Android environment within the device, complete with its own home screen, launcher, applications, and widgets.
• Eliminates the “data leakage problem” associated with Bring Your Own Device (BYOD) and Corporate-Owned Personally Enabled (COPE).
• IT access is limited only to the container.
• KNOX Container also provides the user reassurance that their personal applications and data are safe and separate and private from their work environment.

[Diagram: Samsung KNOX for Employees using personal mobiles for work, showing a KNOX Container Environment beside the Personal Environment.]

Pseudo-Sandbox

• Applications running inside a container cannot interact with applications outside the container.
• Similarly, applications running outside a container cannot interact with applications inside a container.

Containers for BYOD

In BYOD mobility models, the Container feature confines enterprise management functions to the business environment.
• Employee concerns solved by KNOX:
- IT policies not enforced on personal usage.
- No wipe of personal data.
- No passcode.
- No encryption.
- No apps restrictions.
• IT concerns solved by KNOX:
- Robust security.
- Feature-rich management.
- Liability concerns mitigated by Containerization.
- Protection against malicious apps.

Containers for COPE

Some enterprises are now enabling corporate owned devices for personal use (COPE).
- Faced with pressure from younger generations of employees (e.g., Gen Y) to enable the device for personal use.
- They seek the ability to use personal apps (i.e., email, games, social networking, and browsers).
- Ability to use open networks without VPN.
• Using the KNOX Container allows IT to enforce strong controls on business use and relax controls for personal use.

The Need for Protecting Data-at-Rest

• Enterprises must ensure that data stored on mobile devices is secure as devices can easily be lost or stolen.
- Data can be exploited using USB or rooting techniques to steal data from a lost device.
- Hackers can even root a temporarily misplaced device and install malware that steals data.

Solution is Full Device Encryption

• KNOX On-Device Encryption (ODE) allows the encryption of data on the entire device.
- Encryption spans the device’s internal storage as well as external SD Card.
- ODE uses a 256-bit AES cipher algorithm.
- The key used for encryption is derived from the user-supplied password or passcode.
- Full device encryption may be activated by the user, or remotely by the IT admin as a policy setting.

The Need for Securing Data-in-Transit

• Secure mobile access to server-based enterprise applications is a fundamental mobility requirement.
• Data must be secure when using both cellular and Wi-Fi connectivity.
• Compliance regulations and other factors require protection of data while in-transit.
• VPN is crucial for personnel that travel or do field work.

KNOX VPN Solution

• KNOX provides a comprehensive IPSec-based VPN solution for the most demanding enterprise requirements:

Connectivity:
- Full device VPN with split-tunnel mode
- Per-app VPN for BYOD/COPE deployments
- Up to 5 simultaneous VPN connections

Flexibility:
- Multiple admin support
- Automatic tunnel re-establishment
- FIPS-mode configurable by MDM

High security applications:
- CAC support for US Govt. applications
- NSA Suite B algorithms
- X.509 support with OCSP-based certificate checking
- RSA token support

Broad industry support:
- Cisco, Juniper, strongSwan, Checkpoint, …

Per-app VPN

• The Per-app VPN feature enables IT admins to selectively enforce secure VPN connectivity only for enterprise apps, including web-based (SaaS) apps.
• Protects consumer privacy by not sending personal application data via the enterprise network.
• Eliminates personal applications congesting enterprise VPN resources.

Smart Card support

• Samsung KNOX supports US Dept. of Defense issued Smart Cards aka Common Access Cards (CACs)
- Used by active-duty military, selected Reserve, DoD civilian employees, and some contractors.
- Requires a compatible Bluetooth® CAC reader such as the baiMobile™ 3000MP Bluetooth® Smart Card Reader.
• The browser, email and VPN clients use credentials on the CAC card if configured by the IT admin.
- Authentication
- Signing
- Encryption
- Other applications may also utilize the CAC card via well-defined PKCS 11 APIs
• KNOX also supports two-factor authentication for the device lock screen using the CAC.

Application Security Summary

• The KNOX Container technology allows enterprises to create a secure zone in the device to protect against malware and data leakage.
• Automatic container encryption and policy-based full-device encryption allow the enterprise to secure corporate data on the device.
• The Per-app VPN feature provides a flexible way for enterprise IT to manage mobile application access into the corporate network.
• Extensible access to Smart Cards enables KNOX devices to be used in high security environments.

Enhanced Management Policies

KNOX Enhanced Management

• The Samsung KNOX platform can be managed using a Mobile Device Management (MDM) with additional KNOX MDM policies, for security, enterprise integration, and Container management.

[Chart: number of policies (0 to 600) per MDM release, MDM 1.0 through MDM 4.0, stacked as SAFE Policies and KNOX Policies.]

IT Policy Support

• KNOX offers a rich set of policies that enable comprehensive management of the device and/or the container.
• KNOX introduces new policies primarily in the areas of security and enterprise integration.

Policy areas: Accounts, Browser, Email, SSO, Attestation, Applications, Firewall, Password, License Mgmt., Restrictions, Container, Integrity Mgmt., VPN, Integrity Result Audit, SE for Android, Certificate Mgmt., Smart Card, Geofencing, Customization.

KNOX Enterprise Services

Samsung KNOX Enterprise Features

• Samsung offers a variety of Enterprise Features that enhance KNOX security and productivity:
- SSO
- AD-based Management
- Integrity Management
- App Store
- Theft Recovery

Enabling SSO for Mobile Apps

• Almost all enterprise apps require authentication.
• Entering passwords repeatedly is cumbersome and negatively affects the user experience.
• Password sprawl can cause Helpdesk issues related to password resets.
• Caching passwords in apps is not safe.

SSO

• SSO enables authentication with a single account to quickly access a broad range of enterprise services.
- Employees get a single destination and one-click access to all of their work applications.
- Eliminates the need for users to remember multiple passwords or create weak, easy-to-remember passwords that don’t meet corporate password policies.
• Samsung KNOX platform includes SSO support for apps within a Container.

Managing Mobile Devices without MDM

• An enterprise is not interested in an MDM solution.
• Enterprise IT wishes to leverage their existing Active Directory infrastructure to manage their mobile devices.

Active Directory-based Management

• AD-based Management is ideal for enterprises that don’t have an MDM or don’t want to use Microsoft Exchange™.
• Allows customers to use Active Directory to manage Containers, Samsung devices, and offer policy-based access to mobile applications.
- Allows IT Admins to have complete control over the KNOX Container.
- Email, contacts, calendars, browser, apps and data are sanitized from the personal environment.

* requires Centrify Corp.’s AD-based Management Solution

App Store

• The App Store in the KNOX Container is preloaded with a variety of business apps from Independent Software Vendors (ISVs) such as Salesforce™, Dropbox, etc.
• The app and associated data is secured within the business persona.

App Store

• A rich set of business applications are available in the App Store

[Screenshot: KNOX App Store listing, including BOX.]

Support for Custom Enterprise Apps

• Enterprises can offer private apps (e.g., an employee phone directory) that are pushed to devices using an MDM/MCM.
• MDM/Reseller representatives and IT Admins can perform automated “App Wrapping” on behalf of enterprise customers using Samsung’s cloud-based app wrapping service.
- The service “Containerizes” the app and reassembles the Android Package (APK file), without changing the functional intent of the code.
• After an app has been wrapped, it undergoes basic QA testing.
- If an error is detected during the QA process, the service supplies the details so the app can be modified and resubmitted for wrapping.
- If the testing is successful, the wrapped app can be added to the enterprise app store and made available for download.

Theft Recovery (1/2)

• An unfortunate consequence of the rapid growth of smartphones is the equally rapid rise in the theft of mobile devices.
• Samsung KNOX includes a built-in anti-theft solution and an associated subscription service that provides both tracking and recovery in the event a device is stolen.
• The solution consists of two components: the embedded Persistence Service that resides in the device firmware, and the Mobile Agent installed in the Android OS.
- The Persistence Service is dormant until the user subscribes to the theft recovery service and installs the Mobile Agent.
- Once the service has been activated, any malicious attempts made to remove the Mobile Agent (by accident or on purpose) will automatically invoke a restoral operation.
- A process will be initiated for the Agent to self-heal and automatically reinstall itself onto the device.

Theft Recovery (2/2)

• When a device is stolen…, Theft Recovery personnel can transmit commands to the Mobile Agent to activate monitoring and tracking, and coordinate with law enforcement to recover the device.

Enterprise Features Summary

• Samsung KNOX offers an assortment of accompanying features that allow the device to integrate into any enterprise, from small businesses through large and regulated enterprises.
- AD-based Management allows enterprises to leverage their existing AD infrastructure to manage mobile devices.
- SSO Service enables the use of a single set of credentials to access multiple applications.
- Samsung KNOX App Store offers a rich assortment of enterprise business apps available from within the KNOX Container environment.
- App wrapping service supports integration and deployment of enterprise apps.
- Theft Recovery Service locates and recovers lost or stolen KNOX devices.

What is KNOX Summary

• Samsung KNOX fully addresses the shortcomings of the Android platform and enables broad enterprise adoption with its multi-tiered security model, device management capabilities, and enterprise features.
• The enhanced security at the OS level provided by Secure Boot/Trusted Boot, SE for Android and TIMA protects against malware attacks and hacking.
• KNOX Containers allow enterprises to create a secure zone in the device for corporate applications.
• NIST FIPS 140-2 VPN and device encryption secure data in-transit and at-rest.
• KNOX MDM policies enable IT administrators to better manage devices and offer improved support by being able to remotely configure various features.
• Enterprise features include AD-based management, SSO, Integrity Management, App Store, and Theft Recovery.

Additional resources

For additional Samsung KNOX information:
• Samsung KNOX Web Portal
• Samsung KNOX Support (FAQs, etc.)
• Samsung KNOX Flash Simulator
• Samsung KNOX White Paper

For additional Samsung Galaxy S4 information:
• Samsung Galaxy S4 Flash Simulator
• Samsung Galaxy S4 User Manual
• Manuals and Troubleshooting Guide

Thank you for supporting Samsung KNOX.

Notice: All functionality, features, specifications, and other product information provided in this document including, but not limited to, the benefits, design, pricing, components, performance, availability, and capabilities of the product are subject to change without notice or obligation. Samsung reserves the right to make changes to this document and the product described herein, at anytime, without obligation on Samsung to provide notification of such change.