The protection of enterprise data on employee mobile devices has become a growing priority within most companies. Having the ability to fully meet security standards and protocol, all while offering a positive user experience, is the main goal and turns out to be quite the balancing act.
Samsung KNOX is an Android-based security platform created to enhance the security of Android's open-source platform. It can address the mobile policy of any business without compromising employee privacy or experience. Before reading any further, it's important to first understand what a Mobile Device Management (MDM) solution is:
The management and protection of the mobile devices used within a corporate network - both Corporate-Owned Personally Enabled (COPE) and Bring Your Own Device (BYOD) devices. This typically includes the remote distribution of applications, data and configuration settings by the IT administrator of a company. Not only are these solutions used for security purposes, but they also aim to optimize and enhance the user experience and productivity.
The Samsung KNOX platform has three key features:
Operating System Security
Secure Boot is a security procedure that prevents unauthorized operating systems and software from loading during the start-up process. For example, it prevents rooted devices from accessing the network.
Trusted Boot acts as a backup and addresses the limitations of Secure Boot. It records measurements so that TrustZone applications can make security-critical decisions.
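As an added illustration of the difference between the two boot modes just described (this is not Samsung's code; the stage images, digests and the measurement register are constructed for the example, and a digest baked into the previous stage stands in for the certificate-based signature check a real Secure Boot performs):

```python
"""Secure Boot vs. Trusted Boot on a toy three-stage chain (added example).
A digest embedded in the previous stage stands in for the signature check a
real Secure Boot performs; all images below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str
    image: bytes
    expected_next: Optional[str] = None   # digest the vendor baked in for the next stage


# Constructed sample images standing in for real bootloader/kernel/system blobs.
BOOTLOADER = b"bootloader v1 (constructed sample image)"
KERNEL = b"kernel v1 (constructed sample image)"
SYSTEM = b"system v1 (constructed sample image)"
KNOWN_GOOD = [BOOTLOADER, KERNEL, SYSTEM]


def build_chain(bootloader: bytes, kernel: bytes, system: bytes) -> List[Stage]:
    # expected_next is derived from the KNOWN_GOOD images, as a vendor would bake
    # it in at build time, never from whatever image happens to be on the device.
    return [Stage("bootloader", bootloader, sha256(KNOWN_GOOD[1])),
            Stage("kernel", kernel, sha256(KNOWN_GOOD[2])),
            Stage("system", system)]


def secure_boot(chain: List[Stage]) -> Tuple[bool, List[str]]:
    """Enforcing mode: refuse to load any stage its predecessor does not vouch for.
    Returns (booted_ok, names of the stages that were actually loaded)."""
    loaded = [chain[0].name]                    # root of trust is trusted by construction
    for prev, nxt in zip(chain, chain[1:]):
        if sha256(nxt.image) != prev.expected_next:
            return False, loaded                # halt: nothing after this point runs
        loaded.append(nxt.name)
    return True, loaded


def trusted_boot(chain: List[Stage]) -> Tuple[str, List[Tuple[str, str]]]:
    """Measuring mode: never halts. Each stage's digest is extended into a register,
    reg = SHA256(reg || digest), so content and order are both bound into one value.
    Returns (final register as hex, measurement log)."""
    reg = bytes(32)
    log = []
    for st in chain:
        digest = hashlib.sha256(st.image).digest()
        reg = hashlib.sha256(reg + digest).digest()
        log.append((st.name, digest.hex()))
    return reg.hex(), log


def expected_register(images: List[bytes]) -> str:
    """Register value a verifier computes from the known-good images."""
    reg = bytes(32)
    for img in images:
        reg = hashlib.sha256(reg + hashlib.sha256(img).digest()).digest()
    return reg.hex()


def attest(register: str, known_good: List[bytes]) -> bool:
    """The decision a TrustZone application (or an MDM) makes from the measurements:
    only a device whose register matches the known-good chain passes."""
    return register == expected_register(known_good)


def run_scenario(kernel_image: bytes) -> dict:
    chain = build_chain(BOOTLOADER, kernel_image, SYSTEM)
    ok, loaded = secure_boot(chain)
    reg, log = trusted_boot(chain)
    return {"secure_boot_ok": ok, "loaded": loaded,
            "attested": attest(reg, KNOWN_GOOD), "log": log}


if __name__ == "__main__":
    print(run_scenario(KERNEL))
    print(run_scenario(b"kernel v1 with an unsigned patch (constructed)"))
```

With the genuine kernel both checks pass. With a modified kernel, Secure Boot stops at the bootloader and nothing later runs, while Trusted Boot loads all three stages but produces a register that no longer matches the known-good chain; that mismatch is the signal a TrustZone application or MDM uses to decide, for instance, that the device should not be given network access.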
Security Enhancements for Android (SE for Android) enforces Mandatory Access Control (MAC) policies to isolate applications and data within the platform, which provides an extra layer of security.
Security Enhancements for Android Management (SEAMS) provides enterprises with the ability to replace individual SELinux policy files, and is intended for specialized environments.
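To make the MAC and policy-file points concrete, here is an added example (not Samsung's or the SELinux project's code) of a minimal type-enforcement checker: it parses SELinux-style `allow` rules from a set of named policy files, denies anything not explicitly allowed, and shows how swapping one file changes what a container application may touch. The domain and type labels (`untrusted_app`, `knox_container_app`, `container_data_file`, and so on) and the rules themselves are constructed for illustration.

```python
"""Minimal type-enforcement policy checker in the style of SE for Android (added example).
Rule syntax mimics SELinux `allow` statements; every label and rule below is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, str]          # (source domain, target type, object class)
Policy = Dict[Key, Set[str]]

# Matches:  allow <src> <tgt>:<class> { perm perm ... };   or   allow <src> <tgt>:<class> perm;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_policy(text: str) -> Policy:
    policy: Policy = defaultdict(set)
    for m in RULE_RE.finditer(text):
        src, tgt, cls, multi, single = m.groups()
        perms = multi.split() if multi is not None else [single]
        policy[(src, tgt, cls)].update(perms)
    return dict(policy)


def compile_policy(files: Dict[str, str]) -> Policy:
    """Union the rules of several named policy files. Replacing one entry in `files`
    (the per-file replacement the page attributes to SEAMS) swaps exactly that file's rules."""
    policy: Policy = defaultdict(set)
    for text in files.values():
        for key, perms in parse_policy(text).items():
            policy[key].update(perms)
    return dict(policy)


def check_access(policy: Policy, src: str, tgt: str, cls: str, perm: str) -> bool:
    """Mandatory access control: anything not explicitly allowed is denied,
    regardless of which user owns the object (unlike discretionary permissions)."""
    return perm in policy.get((src, tgt, cls), set())


def audit(policy: Policy, requests: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Evaluate each (src, tgt, class, perm) request and emit an AVC-style audit line."""
    out = []
    for src, tgt, cls, perm in requests:
        decision = "granted" if check_access(policy, src, tgt, cls, perm) else "denied"
        out.append((decision, f"avc: {decision} {{ {perm} }} scontext={src} tcontext={tgt} tclass={cls}"))
    return out


# Constructed policy files: ordinary apps reach only their own data; container apps
# reach only container data. Nothing grants either domain access to the other's files.
POLICY_FILES = {
    "app.te": """
        allow untrusted_app app_data_file:file { read write open getattr };
        allow untrusted_app system_server:binder { call transfer };
    """,
    "container.te": """
        allow knox_container_app container_data_file:file { read write open };
        allow knox_container_app system_server:binder call;
    """,
}

# Constructed access attempts: own data, another domain's data, a kernel memory device.
SAMPLE_REQUESTS = [
    ("untrusted_app", "app_data_file", "file", "read"),
    ("untrusted_app", "container_data_file", "file", "read"),
    ("untrusted_app", "kmem_device", "chr_file", "write"),
]

if __name__ == "__main__":
    for _, line in audit(compile_policy(POLICY_FILES), SAMPLE_REQUESTS):
        print(line)
```

The second and third requests are denied even though no rule mentions them: under MAC the absence of a rule is the deny. Replacing `container.te` with an empty file removes every permission the container domain had, which is the kind of targeted change an enterprise makes when it swaps an individual policy file.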
TrustZone-based Integrity Measurement Architecture (TIMA) closes the vulnerabilities that SE for Android alone leaves open. It leverages hardware features so that it cannot be disabled by malicious software, and it performs non-bypassable monitoring of the Android kernel.
TrustZone-based Client Certificate Management (CCM) allows for the storage and retrieval of digital certificates, as well as other functions like encryption, decryption, signing and verification. CCM also has the ability to generate a Certificate Signing Request (CSR) and the related public/private key pairs in order to obtain a specific digital certificate.
TrustZone-based Key Store provides applications with services that generate and maintain cryptographic keys. The keys are then further encrypted with a unique hardware key that can only be decrypted from within TrustZone itself.
TrustZone-based On-Device Encryption enables enterprises to ensure that all device data is secure in the event that the operating system is compromised. This feature is only available if the IT administrator activates encryption at the MDM level.
KNOX Container provides a virtual environment that isolates enterprise applications and data in a secure zone within the device, with separate home screen, launcher, applications and widgets. IT is in control of the data that is shared within the container, so it is up to them to decide on the flow of information and find the proper balance between user productivity and security. A two-factor authentication process adds another layer of security that requires a fingerprint scan, as well as a PIN, password or pattern in order to access the container.
BYOD: Bring Your Own Device
Virtual Private Network Support (VPN Support) enables a company to offer its employees an optimized and secure pathway to access corporate resources from either a Bring Your Own Device (BYOD) or a Corporate-Owned Personally Enabled (COPE) device.
SmartCard Framework stores important certificates on the Common Access Card (CAC) and allows users to identify themselves by scanning a Smart ID card through a reader attached to the device. KNOX allows applications to access these certificates via standards-based Public Key Cryptography Standards (PKCS) APIs. This enables the use of the CAC card by the browser, e-mail application and VPN client, as well as other specific government applications. Third-party SmartCard readers and providers also have the option of installing their own solutions into the framework.
Single Sign-On (SSO) allows users to log in once and gain access to all systems. This reduces the number of credential combinations a user must remember, increases security and lowers IT costs.
Mobile Device Management
Comprehensive Management Policies for the enterprise IT administrator can be classified into two categories: Standard and Premium.
The Standard Policy suite offers the Software Development Kit (SDK) for its policy APIs to MDM vendors and other interested parties free of charge, and there is no runtime license fee.
The Premium Policy suite offers advanced capabilities for policy groups, such as management of the KNOX Container and other security features. The SDK for these policy APIs is also available at no charge; however, enterprises using them must purchase a KNOX License that is verified on the device at runtime.
Simplified Enrollment offers an easy and intuitive onboarding process that eliminates many steps and sources of human error. Employees are provided with an enrollment link, which then guides them through a simple set-up process.