
Samsung KNOX Training Product Overview

Enterprise Edition
Published: Oct 31, 2013 Version: 1.32

Samsung 2013. All rights reserved.

Why did Samsung create KNOX?


What Problem Does KNOX Solve?

[Pie chart: Overall Smartphone Share by platform (Android, iOS, Blackberry, Others); segment values shown are 52%, 34%, 8% and 6%. Source: Nielsen Mobile Insights, June 2012]

[Pie chart: Enterprise Smartphone Share; segment values shown are 60%, 20%, 11% and 9%. Source: Gartner Survey, April 2012]


Background: Android in the Enterprise

Top 3 reasons for poor Android acceptance in the Enterprise:
- Fear of OS compromise
- No protection against data leakage
- Limited policy controls and management


What is KNOX?


What is Samsung KNOX?

Google Android: Lack of security, Open Source Platform, Malware

Samsung Secure Android: Security Enhancements, Kernel Integrity monitoring, MDM Manageability, US DoD Approved

KNOX is Samsung's Secure Android Platform

Secure Android Platform

Samsung KNOX utilizes a multi-layered approach to platform security:

OS Hardening features include:
- Secure Boot / Trusted Boot
- Security Enhancements for Android
- TrustZone-based Kernel Integrity Measurement (TIMA)

Application Security features include:
- Container for dual persona
- VPN support
- On-device data encryption
- Smart Card support


OS Hardening

Trusted Boot ensures boot-time integrity by verifying that all boot loaders and the kernel image come from an authorized source, e.g. Samsung. TIMA monitors the running kernel for any evidence of tampering. Security Enhancements for Android (SE for Android) protects the system from malicious applications.


ARM TrustZone

KNOX uses ARM TrustZone hardware. TrustZone enables strong isolation by separating code execution into two worlds: the secure world and the normal world (also called the non-secure world). The secure world is intended for (infrequent) security-sensitive operations; the normal world is intended for all other regular operations.


Standard Android Secure Boot

[Diagram: boot chain HARDWARE -> PRIMARY BOOT LOADER -> Secondary Boot Loader 1 -> Secondary Boot Loader 2 -> Android Boot Loader -> ANDROID KERNEL / SE for ANDROID. Labels in the original: SECURE BOOT, TRUSTED BOOT, Verification, "Some carriers*", and a "?" at the step from the Android Boot Loader to the kernel.]

Each boot loader verifies the next boot loader in the chain by authenticating its signature using a Public Key Infrastructure (PKI)-based certificate chain. The Root-of-Trust is a Samsung certificate that is verified by the hardware. However, on most Android devices, the Android Boot Loader does not verify the authenticity of the kernel it is loading. Installation of hacked and custom kernels by employees can compromise information security.


KNOX Customizable Secure Boot

The Root-of-Trust is a Samsung certificate that is verified by the hardware.

For government and military use, Samsung KNOX allows the root-of-trust to be changed to a government-issued or approved certificate, rather than using the default Samsung certificate. This root-of-trust may be a US Department of Defense (DoD) issued (approved) certificate, which enables deployment of KNOX in government installations in the USA and NATO countries.


Trusted Boot in KNOX

[Diagram: the same boot chain (HARDWARE -> PRIMARY BOOT LOADER -> Secondary Boot Loader 1 -> Secondary Boot Loader 2 -> Android Boot Loader -> ANDROID KERNEL / SE for ANDROID), now labelled TRUSTED BOOT end to end, with Verification between stages and Measurements of each stage flowing into TrustZone. The "Some carriers*" annotation is retained from the original.]

KNOX implements a trusted boot sequence that extends to the Android kernel:
- Measurements of the boot loaders and kernel are securely stored in TZ
- Enterprise features are activated only if the boot process is verified

This ensures that enterprise security is not compromised if the bootloader and/or kernel are replaced by a hacked version.


About Trusted Boot


If the user replaces the Samsung kernel with a custom or hacked kernel, the device boots as usual. However, enterprise features such as container creation or container login are disabled by TIMA.

Furthermore, enterprise features continue to be disabled even if the user reverts back to the original Samsung KNOX kernel.
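The following Python model, added here as an illustration and not Samsung's code, walks through the behaviour described on the last few slides: each stage of the chain is verified against the root-of-trust (the Samsung certificate or, for government deployments, a government certificate), every image is measured into a TrustZone-like store, a boot loader that fails verification halts the boot, and a kernel that fails verification still boots but sets a one-way tamper flag that keeps the enterprise features disabled even after the genuine kernel is restored. The keys, image contents and HMAC-based signatures are constructed stand-ins for the PKI certificate chain.

```python
import hashlib
import hmac

# Constructed keys standing in for the root-of-trust certificates. A real device
# verifies X.509 certificate chains with asymmetric signatures; HMAC keeps this
# model dependency-free while preserving the control flow.
SAMSUNG_ROOT = b"constructed-samsung-root-key"
GOVERNMENT_ROOT = b"constructed-government-root-key"


def sign(image: bytes, root_key: bytes) -> bytes:
    """Signature over a boot image (stand-in for a PKI signature)."""
    return hmac.new(root_key, image, hashlib.sha256).digest()


def verify(image: bytes, signature: bytes, root_key: bytes) -> bool:
    return hmac.compare_digest(sign(image, root_key), signature)


def measure(image: bytes) -> str:
    """Measurement recorded in the secure world: a hash of the image."""
    return hashlib.sha256(image).hexdigest()


class BootHalted(Exception):
    """Secure Boot refuses to run a boot loader that fails verification."""


class TrustZoneStore:
    """Secure-world state: measurements of each stage and a one-way tamper flag."""

    def __init__(self):
        self.measurements = {}
        self.tamper_flag = False  # the status shown in ODIN mode: once set it stays set


class Device:
    def __init__(self, root_of_trust: bytes = SAMSUNG_ROOT):
        self.root_of_trust = root_of_trust  # replaceable for government deployments
        self.tz = TrustZoneStore()
        self.enterprise_enabled = False

    def boot(self, chain) -> bool:
        """chain: list of (stage name, image, signature) from SBL1 to the kernel.

        Boot loaders are covered by Secure Boot: a bad signature halts the boot.
        The kernel is covered by Trusted Boot: it is measured and allowed to run,
        but the tamper flag is set and the enterprise features stay disabled."""
        self.enterprise_enabled = False
        self.tz.measurements = {}
        for name, image, signature in chain:
            self.tz.measurements[name] = measure(image)
            if verify(image, signature, self.root_of_trust):
                continue
            if name != "kernel":
                raise BootHalted(name)
            self.tz.tamper_flag = True  # one-way: never cleared by a later boot
        self.enterprise_enabled = not self.tz.tamper_flag
        return self.enterprise_enabled


def make_chain(root_key: bytes, kernel_image: bytes = b"constructed samsung kernel"):
    """A complete, correctly signed chain under the given root (constructed images)."""
    images = [("sbl1", b"secondary boot loader 1"),
              ("sbl2", b"secondary boot loader 2"),
              ("aboot", b"android boot loader"),
              ("kernel", kernel_image)]
    return [(name, img, sign(img, root_key)) for name, img in images]


def demo() -> dict:
    results = {}
    dev = Device()
    results["genuine"] = dev.boot(make_chain(SAMSUNG_ROOT))             # True
    # A custom kernel signed with a third-party key: device boots, enterprise features off.
    custom_kernel = b"constructed third-party kernel"
    custom = make_chain(SAMSUNG_ROOT)[:-1] + [
        ("kernel", custom_kernel, sign(custom_kernel, b"third-party-key"))]
    results["custom_kernel"] = dev.boot(custom)                         # False
    results["tamper_flag"] = dev.tz.tamper_flag                         # True
    # Restoring the Samsung kernel does not clear the flag.
    results["reverted"] = dev.boot(make_chain(SAMSUNG_ROOT))            # False
    # A device whose root-of-trust was swapped for a government certificate.
    gov = Device(root_of_trust=GOVERNMENT_ROOT)
    results["government_root"] = gov.boot(make_chain(GOVERNMENT_ROOT))  # True
    try:
        gov.boot(make_chain(SAMSUNG_ROOT))  # loaders signed under the wrong root
        results["wrong_root_halted"] = False
    except BootHalted:
        results["wrong_root_halted"] = True                             # True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The split between halting (boot loaders) and measure-and-continue (kernel) mirrors the slides' distinction between Secure Boot and Trusted Boot; in a deployment the stored measurements are what an attestation service later compares against known-good values.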


How to Check Warranty Status (1/2)

Boot the device in ODIN mode: simultaneously press the volume down, home, and power buttons. When the warning screen is displayed, press the volume up button. The status is displayed in the upper left hand corner of the display.


How to Check Warranty Status (2/2)

[Screenshots of the ODIN mode status screen, captioned "Kernel Replaced with 3rd Party Kernel" and "Samsung signed Kernel replaced after Rooting"]


Android Kernel Security Background

Android leverages the user-based access control of Linux, aka Discretionary Access Control (DAC), as a means of securing applications. Because there is only one real user, Android assigns a unique user ID (UID) to each application and runs it as that user in a separate process. This unique UID-per-app approach sets up a kernel-level Application Sandbox.

However, rooting the device allows applications to run as the privileged root user with full access to all system resources. This privilege escalation flaw allows malicious applications to take control of the device.


KNOX SE for Android

Samsung KNOX integrates SE for Android into the platform, which uses Mandatory Access Control (MAC):
- Uses policies to create security domains.
- The architecture prevents a compromise in one domain from propagating to other domains or the mobile operating system.
- Renders rooting useless and ineffective, as even applications that run as the root user are subject to mandatory access controls.
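To make the DAC-versus-MAC point of the last two slides concrete, here is an added Python model (not Samsung's or SE for Android's code) with a constructed policy in the style of SELinux allow rules. It evaluates the same read request from an ordinary app, from that app after rooting with DAC alone, and from the rooted app with the mandatory policy enforced. The paths, UIDs, domains and type labels are constructed.

```python
from dataclasses import dataclass

ROOT_UID = 0


@dataclass
class File:
    path: str
    owner_uid: int
    mode: int        # POSIX permission bits (group bits ignored in this model)
    sectype: str     # SE for Android label on the object


@dataclass
class Subject:
    name: str
    uid: int         # the per-app UID assigned by Android
    domain: str      # SE for Android domain of the process


# Constructed SE for Android-style policy: the only rules that exist.
# Anything not listed is denied, including for processes running as root.
ALLOW = {
    ("untrusted_app", "untrusted_app_data", "read"),
    ("untrusted_app", "untrusted_app_data", "write"),
    ("bank_app", "bank_app_data", "read"),
    ("bank_app", "bank_app_data", "write"),
}

PERM_BITS = {"read": 0o4, "write": 0o2}


def dac_allows(subject: Subject, f: File, perm: str) -> bool:
    """Linux discretionary check: root bypasses the mode bits entirely."""
    if subject.uid == ROOT_UID:
        return True
    bit = PERM_BITS[perm]
    shift = 6 if subject.uid == f.owner_uid else 0  # owner bits vs 'other' bits
    return bool((f.mode >> shift) & bit)


def mac_allows(subject: Subject, f: File, perm: str) -> bool:
    """Mandatory check: consulted after DAC and not affected by the UID."""
    return (subject.domain, f.sectype, perm) in ALLOW


def access(subject: Subject, f: File, perm: str, mac_enabled: bool = True) -> bool:
    """Kernel decision: DAC first, then MAC when the platform ships SE for Android."""
    if not dac_allows(subject, f, perm):
        return False
    return mac_allows(subject, f, perm) if mac_enabled else True


# Constructed objects and subjects.
BANK_SECRETS = File("/data/data/com.example.bank/secrets.db", owner_uid=10050,
                    mode=0o600, sectype="bank_app_data")
BANK_APP = Subject("bank app", uid=10050, domain="bank_app")
GAME_APP = Subject("game app", uid=10051, domain="untrusted_app")
ROOTED_GAME = Subject("game app after rooting", uid=ROOT_UID, domain="untrusted_app")


def demo() -> dict:
    return {
        # The owner reads its own data: both checks pass.
        "bank_reads_own_data": access(BANK_APP, BANK_SECRETS, "read"),
        # Plain DAC sandbox: a different UID is stopped by the mode bits.
        "game_reads_bank_dac_only": access(GAME_APP, BANK_SECRETS, "read", mac_enabled=False),
        # After rooting, DAC alone lets the same app read everything.
        "rooted_game_dac_only": access(ROOTED_GAME, BANK_SECRETS, "read", mac_enabled=False),
        # With the mandatory policy, the rooted app is still confined to its domain.
        "rooted_game_with_mac": access(ROOTED_GAME, BANK_SECRETS, "read"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decisive line is the domain lookup in `mac_allows`: rooting changes the UID but not the process's security domain, so the policy that denied the game app before rooting still denies it afterwards.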


The Need to Monitor Kernel Integrity

[Diagram: the Trusted Boot chain (HARDWARE -> PRIMARY BOOT LOADER -> Secondary Boot Loader 1 -> Secondary Boot Loader 2 -> Android Boot Loader -> ANDROID KERNEL / SE for ANDROID), with Verification between stages and Measurements into TrustZone; the "Some carriers*" annotation is retained from the original.]

Trusted Boot verifies the kernel image at boot time. However, it does not protect the kernel from being compromised while running.

SE for Android protects the system using mandatory access controls. However, this relies on the kernel itself not being compromised.

There is a clear need to ensure that the kernel itself is not compromised by exploiting an as yet unknown vulnerability. The TrustZone-based Integrity Measurement Architecture (TIMA) fulfills this requirement.


TIMA

TIMA monitors the integrity of the kernel using two techniques:
- Authenticating Linux kernel modules (LKM) as they are dynamically loaded.
- Periodic kernel measurement (PKM), conducted by hashing kernel code pages and verifying the values against known defaults.


TIMA Measurements

The following are some of the key features of TIMA:

TIMA LKM (Loadable Kernel Module) authentication
- Initial LKM verification + code & data page separation

TIMA periodic kernel measurement
- Periodically hash some kernel code pages and verify whether the hash values have changed from the default values


TIMA is also used for Attestation

What is Attestation? The process whereby Samsung verifies that the kernel was never tampered with.

Why do we need it? To check if anything has changed on the device which could affect the KNOX container security.

When can Attestation be done? When integrity checks of a KNOX device are required (enterprise deployment).

What devices support Attestation? Galaxy Note 3 and Galaxy 10.1 tablet.
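An added Python model (not Samsung's TIMA code) of the two TIMA techniques from the previous slides and of the attestation built on them: kernel code pages are hashed at boot, periodic kernel measurement rehashes them and reports any page that changed, loadable modules are accepted only with a valid signature, and an attestation report over a server-supplied nonce summarises both so a verifier can decide whether the container may be used. The page size, keys, module contents and HMAC-based signatures are constructed stand-ins.

```python
import hashlib
import hmac
import json

PAGE_SIZE = 64  # constructed; real kernel pages are 4 KiB

# Constructed keys: the module-signing key authenticates LKMs, the attestation key
# signs reports so the verifying server can tell a genuine report from a forged one.
MODULE_SIGNING_KEY = b"constructed-module-signing-key"
ATTESTATION_KEY = b"constructed-attestation-key"


def sign_module(code: bytes) -> bytes:
    return hmac.new(MODULE_SIGNING_KEY, code, hashlib.sha256).digest()


class Tima:
    def __init__(self, kernel_code: bytearray):
        # The kernel text is a bytearray so the example can simulate an in-memory change.
        self.kernel_code = kernel_code
        self.reference = self._hash_pages()  # recorded at boot, kept in the secure world
        self.rejected_modules = []
        self.pkm_violations = []

    def _hash_pages(self):
        return [hashlib.sha256(bytes(self.kernel_code[i:i + PAGE_SIZE])).hexdigest()
                for i in range(0, len(self.kernel_code), PAGE_SIZE)]

    def periodic_kernel_measurement(self):
        """Rehash the code pages; return the indexes of pages that differ from boot time."""
        current = self._hash_pages()
        changed = [i for i, (ref, now) in enumerate(zip(self.reference, current)) if ref != now]
        for i in changed:
            if i not in self.pkm_violations:
                self.pkm_violations.append(i)
        return changed

    def load_module(self, name: str, code: bytes, signature: bytes) -> bool:
        """LKM authentication: only modules carrying a valid signature are loaded."""
        ok = hmac.compare_digest(sign_module(code), signature)
        if not ok:
            self.rejected_modules.append(name)
        return ok

    def attestation_report(self, nonce: bytes) -> dict:
        """Summarise the integrity state for a remote verifier; the nonce prevents replay."""
        self.periodic_kernel_measurement()
        body = {
            "nonce": nonce.hex(),
            "kernel_intact": not self.pkm_violations,
            "modified_pages": list(self.pkm_violations),
            "rejected_modules": list(self.rejected_modules),
        }
        body["verdict"] = body["kernel_intact"] and not body["rejected_modules"]
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body,
                "signature": hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()}


def verify_report(report: dict, expected_nonce: bytes) -> bool:
    """Server side: check the signature and the nonce before trusting the verdict."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, report["signature"])
            and report["body"]["nonce"] == expected_nonce.hex()
            and report["body"]["verdict"])


def demo() -> dict:
    nonce = b"constructed-server-nonce"
    # A clean device: constructed kernel text of four 64-byte pages.
    clean = Tima(bytearray(b"K" * (4 * PAGE_SIZE)))
    results = {"clean_pkm": clean.periodic_kernel_measurement(),          # []
               "clean_attested": verify_report(clean.attestation_report(nonce), nonce)}  # True
    # A second device on which things go wrong.
    kernel = bytearray(b"K" * (4 * PAGE_SIZE))
    tima = Tima(kernel)
    good = b"constructed signed module"
    results["signed_module"] = tima.load_module("good.ko", good, sign_module(good))      # True
    results["unsigned_module"] = tima.load_module("unknown.ko", b"x", b"\x00" * 32)     # False
    kernel[2 * PAGE_SIZE + 5] = 0x90  # simulate an in-memory modification of page 2
    results["patched_pkm"] = tima.periodic_kernel_measurement()           # [2]
    report = tima.attestation_report(nonce)
    results["report_verdict"] = report["body"]["verdict"]                 # False
    results["attested"] = verify_report(report, nonce)                    # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter for a real deployment and are reflected here: the reference hashes are taken once at boot and held where normal-world code cannot rewrite them, and the report binds a fresh nonce so a captured "clean" report cannot be replayed later.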


Secure Android Platform Summary

The Samsung KNOX platform fully addresses the shortcomings of the open source Android platform for broad enterprise adoption. It meets or exceeds the most stringent requirements of the United States government and is approved for use by the US Department of Defense (DoD).

Enhanced security at the OS level, provided by Secure Boot/Trusted Boot, TIMA and SE for Android, protects against malware attacks and hacking.


Application Security


Application Security

KNOX provides a multi-faceted application security approach by providing:
- Protection of applications from malware attacks and data leakage
- Security for data in-transit (DIT)
- Encryption for data at-rest (DAR)
- Support for Smart Card authentication


What is Data Leakage?

Data leakage issues occur when mixing personal and business use on the same mobile device. For example, when an email attachment or a received file is downloaded and stored in memory or on the SD card, the unsecured file is vulnerable to theft by malicious apps:
- The SD card can be stolen and the file exploited.
- The attachment can be uploaded to a public cloud such as Facebook or Dropbox.
- The file can be transferred to a PC via USB.


Application Container Solution

The KNOX Container is a virtual Android environment within the device, complete with its own home screen, launcher, applications, and widgets. It eliminates the data leakage problem associated with Bring Your Own Device (BYOD) and Corporate-Owned Personally Enabled (COPE) deployments, i.e. Samsung KNOX for employees using personal mobiles for work. The KNOX Container also gives users the reassurance that their personal applications and data are safe, separate and private from their work environment. IT access is limited to the container only.

[Diagram: KNOX Container Environment alongside the Personal Environment on one device]


Pseudo-Sandbox

Applications running inside a container cannot interact with applications outside the container. Similarly, applications running outside a container cannot interact with applications inside a container.


Containers for BYOD

Employee concerns solved by KNOX:
- IT policies not enforced on personal usage.
- No wipe of personal data.
- No app restrictions.
- No passcode.
- No encryption.

IT concerns solved by KNOX:
- Robust security.
- Feature-rich management.
- Protection against malicious apps.
- Liability concerns mitigated by Containerization.

In BYOD mobility models, the Container feature confines enterprise management functions to the business environment.

Containers for COPE

Some enterprises are now enabling corporate-owned devices for personal use (COPE). They face pressure from younger generations of employees (e.g., Gen Y) to enable the device for personal use: employees seek the ability to use personal apps (i.e., social networking, games, email, and browsers) and to use open networks without VPN.

Using the KNOX Container allows IT to enforce strong controls on business use and relax controls for personal use.


The Need for Protecting Data-at-Rest

Enterprises must ensure that data stored on mobile devices is secure, as devices can easily be lost or stolen. Data can be extracted from a lost device using USB or rooting techniques. Hackers can even root a temporarily misplaced device and install malware that steals data.


Solution is Full Device Encryption

KNOX On-Device Encryption (ODE) allows the encryption of data on the entire device. ODE uses a 256-bit AES cipher algorithm. Encryption spans the device's internal storage as well as the external SD card.

The key used for encryption is derived from the user-supplied password or passcode. Full device encryption may be activated by the user, or remotely by the IT admin as a policy setting.


The Need for Securing Data-in-Transit


Secure mobile access to server-based enterprise applications is a fundamental mobility requirement. Compliance regulations and other factors require protection of data while in-transit. VPN is crucial for personnel that travel or do field work. Data must be secure when using both cellular and Wi-Fi connectivity.


KNOX VPN Solution

KNOX provides a comprehensive IPSec-based VPN solution for the most demanding enterprise requirements:

Connectivity Flexibility
- Full device VPN with split-tunnel mode
- Per-app VPN for BYOD/COPE deployments
- Up to 5 simultaneous VPN connections
- Multiple admin support
- Automatic tunnel re-establishment

High security applications
- FIPS-mode configurable by MDM
- CAC support for US Govt. applications
- NSA Suite B algorithms
- X.509 support with OCSP-based certificate checking

Broad industry support
- Cisco, Juniper, strongSwan, Checkpoint
- RSA token support


Per-app VPN
The Per-app VPN feature enables IT admins to selectively enforce secure VPN connectivity only for enterprise apps, including web-based (SaaS) apps.
Eliminates personal applications congesting enterprise VPN resources. Protects consumer privacy by not sending personal application data via the enterprise network.


Smart Card support

Samsung KNOX supports US Dept. of Defense issued Smart Cards, aka Common Access Cards (CACs). These are used by active-duty military, selected Reserve, DoD civilian employees, and some contractors. A compatible Bluetooth CAC reader is required, such as the baiMobile 3000MP Bluetooth Smart Card Reader.

The browser, email and VPN clients use credentials on the CAC card, if configured by the IT admin, for:
- Authentication
- Signing
- Encryption

Other applications may also utilize the CAC card via well-defined PKCS #11 APIs.

KNOX also supports two-factor authentication for the device lock screen using the CAC.


Application Security Summary

The KNOX Container technology allows enterprises to create a secure zone in the device to protect against malware and data leakage. The Per-app VPN feature provides a flexible way for enterprise IT to manage mobile application access into the corporate network. Automatic container encryption and policy-based full-device encryption allow the enterprise to secure corporate data on the device. Extensible access to Smart Cards enables KNOX devices to be used in high security environments.


Enhanced Management Policies


KNOX Enhanced Management

The Samsung KNOX platform can be managed using a Mobile Device Management (MDM) solution with additional KNOX MDM policies for security, enterprise integration, and Container management.

[Bar chart: number of policies (axis from 100 to 600) for MDM 1.0, MDM 2.0, MDM 3.0 and MDM 4.0, each bar split into SAFE Policies and KNOX Policies]


IT Policy Support

KNOX offers a rich set of policies that enable comprehensive management of the device and/or the container. KNOX introduces new policies primarily in the areas of security and enterprise integration.

Policy areas: Accounts, Browser, Email, SSO, Attestation, Applications, Firewall, Password, License Mgmt., Restrictions, Container, Integrity Mgmt., VPN, Integrity Result, Audit, SE for Android, Certificate Mgmt., Smart Card, Geofencing, Customization


KNOX Enterprise Services


Samsung KNOX Enterprise Features

Samsung offers a variety of Enterprise Features that enhance KNOX security and productivity:
- SSO
- AD-based Management
- Integrity Management
- App Store
- Theft Recovery


Enabling SSO for Mobile Apps

Almost all enterprise apps require authentication. Entering passwords repeatedly is cumbersome and negatively affects the user experience. Password sprawl can cause Helpdesk issues related to password resets. Caching passwords in apps is not safe.


SSO

SSO enables authentication with a single account to quickly access a broad range of enterprise services. Employees get a single destination and one-click access to all of their work applications. It eliminates the need for users to remember multiple passwords or to create weak, easy-to-remember passwords that don't meet corporate password policies.

The Samsung KNOX platform includes SSO support for apps within a Container.


Managing Mobile Devices without MDM

Scenario: an enterprise is not interested in an MDM solution. Enterprise IT wishes to leverage their existing Active Directory infrastructure to manage their mobile devices.


Active Directory-based Management

AD-based Management* is ideal for enterprises that don't have an MDM or don't want to use Microsoft Exchange. It allows IT Admins to have complete control over the KNOX Container: email, browser, contacts, calendars, apps and data are sanitized from the personal environment.

It allows customers to use Active Directory to manage Containers and Samsung devices, and to offer policy-based access to mobile applications.

* requires Centrify Corp.'s AD-based Management Solution



App Store

The App Store in the KNOX Container is preloaded with a variety of business apps from Independent Software Vendors (ISVs) such as Salesforce, Dropbox, etc. The apps and their associated data are secured within the business persona.


App Store

A rich set of business applications is available in the App Store.

[Partner app logos shown, including Box]


Support for Custom Enterprise Apps

Enterprises can offer private apps (e.g., an employee phone directory) that are pushed to devices using an MDM/MCM.

MDM/Reseller representatives and IT Admins can perform automated App Wrapping on behalf of enterprise customers using Samsung's cloud-based app wrapping service. The service containerizes the app and reassembles the Android Package (APK file) without changing the functional intent of the code. After an app has been wrapped, it undergoes basic QA testing. If the testing is successful, the wrapped app can be added to the enterprise app store and made available for download. If an error is detected during the QA process, the service supplies the details so the app can be modified and resubmitted for wrapping.


Theft Recovery (1/2)

An unfortunate consequence of the rapid growth of smartphones is the equally rapid rise in the theft of mobile devices.

Samsung KNOX includes a built-in anti-theft solution and an associated subscription service that provides both tracking and recovery in the event a device is stolen. The solution consists of two components: the embedded Persistence Service that resides in the device firmware, and the Mobile Agent installed in the Android OS.

The Persistence Service is dormant until the user subscribes to the theft recovery service and installs the Mobile Agent. Once the service has been activated, any attempt to remove the Mobile Agent (by accident or on purpose) automatically invokes a restoral operation: a process is initiated for the Agent to self-heal and automatically reinstall itself onto the device.


Theft Recovery (2/2)

When a device is stolen, Theft Recovery personnel can transmit commands to the Mobile Agent to activate monitoring and tracking, and coordinate with law enforcement to recover the device.

Enterprise Features Summary

Samsung KNOX offers an assortment of accompanying features that allow the device to integrate into any enterprise, from small businesses through large and regulated enterprises:
- AD-based Management allows enterprises to leverage their existing AD infrastructure to manage mobile devices.
- SSO Service enables the use of a single set of credentials to access multiple applications.
- Samsung KNOX App Store offers a rich assortment of enterprise business apps available from within the KNOX Container environment.
- App wrapping service supports integration and deployment of enterprise apps.
- Theft Recovery Service locates and recovers lost or stolen KNOX devices.


What is KNOX Summary

Samsung KNOX fully addresses the shortcomings of the Android platform and enables broad enterprise adoption with its multi-tiered security model, device management capabilities, and enterprise features:
- The enhanced security at the OS level provided by Secure Boot/Trusted Boot, SE for Android and TIMA protects against malware attacks and hacking.
- KNOX Containers allow enterprises to create a secure zone in the device for corporate applications.
- NIST FIPS 140-2 VPN and device encryption secure data in-transit and at-rest.

KNOX MDM policies enable IT administrators to better manage devices and offer improved support by being able to remotely configure various features.

Enterprise features include AD-based management, SSO, Integrity Management, App Store, and Theft Recovery.


Additional resources

For additional Samsung KNOX information:
- Samsung KNOX Web Portal
- Samsung KNOX Support (FAQs, etc.)
- Samsung KNOX Flash Simulator
- Samsung KNOX White Paper

For additional Samsung Galaxy S4 information:
- Samsung Galaxy S4 Flash Simulator
- Samsung Galaxy S4 User Manual
- Manuals and Troubleshooting Guide


Thank you for supporting Samsung KNOX.

Notice: All functionality, features, specifications, and other product information provided in this document including, but not limited to, the benefits, design, pricing, components, performance, availability, and capabilities of the product are subject to change without notice or obligation. Samsung reserves the right to make changes to this document and the product described herein, at anytime, without obligation on Samsung to provide notification of such change.
