Introduction to Samsung KNOX

Samsung KNOX Wayne Pau, Emerging Technologies SAP Mar 26, 2013


Basic overview of new Samsung KNOX and how it compares to Generic Android and iOS offerings.

Transcript of Introduction to Samsung KNOX

Page 1: Introduction to Samsung KNOX

Samsung KNOX. Wayne Pau, Emerging Technologies, SAP. Mar 26, 2013

Page 2: Introduction to Samsung KNOX

© 2012 SAP AG. All rights reserved. Internal

Samsung KNOX

• Generally more “Secure” than existing Container/Quarantines

• Much “Deeper” solution than other Android SW options:

1. Customized Secure Boot

2. ARM TrustZone-based Integrity Measure Architecture (TIMA)

3. Security Enhanced Kernel

• Allows KNOX to constantly verify/monitor for intrusions/attacks

• Creates a Samsung-only app signing process (i.e. a KNOX-only App Store)

Page 3: Introduction to Samsung KNOX


Samsung KNOX - Developers

• KNOX Offers Developers “out-of-the-box”:

1. Secure KNOX Container

2. Separate Encrypted File Systems (KNOX zone)

3. FIPS certified VPN client per app

4. Container Level SSO

• Only a “repackage”: no need to re-write the app or embed an API

• Integration with MDM vendors for 65 policies, grouped as:

  • Certificate management

  • Audit Log

  • SEAndroid Policy Enforcement

  • Enterprise Container Management Policy Group

  • Container Password Policy Group

  • Enterprise Single-Sign-On

  • Enterprise ISL Group

  • Enterprise Premium VPN Policy Group

  • SmartCard Policy Group

  • Container VPN Policy Group

  • Container Application Policy Group

  • Container Firewall Policy Group

Page 4: Introduction to Samsung KNOX


Inter-App Communication Spectrum

[Diagram: spectrum from ← More Secure to Less Secure →, ordered Apple iOS, Samsung KNOX, Google Android]


Page 6: Introduction to Samsung KNOX


iOS – Apple Sandbox

• No Inter-app Communication

• Each app is installed in its own container

• Apps have to be signed by Apple

• Keychain from Apple for password/sensitive data

• Does not support external storage (i.e. SD cards)

• Only one app in the foreground

• Most apps are terminated <10 min after a UI context switch (changing app)

• Industry “deemed” secure

Page 7: Introduction to Samsung KNOX


Generic Android – Google Sandbox

• “Privilege-Separated” operating system

• Apps request, and are granted, permissions for access outside their sandbox

• Apps are “developer” signed (not by Google)

• Supports external storage (SD cards)

• Traditional volume-level encryption

• Vulnerable to USB/MTP mounting (see above)

• Easy to root; hard to detect “rooting” with 100% reliability

• Industry “deemed” not very secure

Page 8: Introduction to Samsung KNOX


Generic Android – Google Sandbox

• Apps are “repackaged” & signed by Samsung

• Apps run in Secure KNOX quarantine

• Secure Boot Loader & SE Kernel

• Security focus is only on the boundary between inside the KNOX container and outside it

Page 9: Introduction to Samsung KNOX


What does KNOX protect against?

• Spoofed, Fake or Dangerous Apps (quarantine + app signing)

• Automatic Data at Rest encryption (no need for custom encryption or encryption detection)

• Automatic Remote Kill (no need for data fading/Time-bomb)

• Baked-in SSO authentication

• Secure Corporate Email-Only integration

• Third-party Secure Viewer integration

Page 10: Introduction to Samsung KNOX


Exchange ActiveSync & BYOD

• KNOX is ‘Optimized’ for BYOD

• KNOX Email Client: a remote wipe only clears the KNOX container [corp. data]

• Data outside the KNOX container [user personal data] is left untouched

• No additional changes needed on the Exchange Server

(Note: If the user connects to Exchange with a non-secure/non-KNOX email client, a remote wipe will still wipe the entire device, as per current generic Android and iOS behaviour. For more info on EAS Remote Wipe see http://office.microsoft.com/en-us/support/delete-all-information-from-your-lost-phone-or-tablet-HA102834573.aspx?CTT=1)

Page 11: Introduction to Samsung KNOX


Competition

Single Android Containers:

  • Enterproid “The Divide”

Android Containers & Wrappers:

  • Good Dynamics

  • Mocana

O/S & ROM level Solutions:

  • 3LM

  • Cyanogen

Hardware & Kernel:

  • Blackberry Balance (BB10)

  • Samsung KNOX

Page 12: Introduction to Samsung KNOX


More Links

http://www.bloomberg.com/news/2013-01-10/rim-leads-phones-letting-employees-use-own-devices-on-job-tech.html

http://forums.crackberry.com/news-rumors-f40/blackberry-balance-competition-ottawa-citizen-rim-aims-offer-dual-use-phones-762189/

https://www.redbend.com/images/stories/redbend_datasheets/red_bend_data_sheet_true_solution.pdf

http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown

https://threatpost.com/en_us/blogs/apple-details-ios-security-features-new-guide-053112

http://0xlab.org/~jserv/android-binder-ipc.pdf

Page 13: Introduction to Samsung KNOX

Thank you

Contact information:

Wayne Pau ([email protected]), Emerging Technologies