8. INTRODUCING Samsung KNOX
SECURITY BUILT FROM THE GROUND UP
Android Stack
Application Layer
Android Framework
Android OS
Linux Kernel
Boot Loader
Hardware TrustZone
Samsung KNOX
Samsung KNOX Container
Samsung KNOX Android Framework
SE for Android
Trusted Boot
Secure Boot
TIMA TrustZone-protectedClientCertificate Mgmt.
TrustZone-protected KeyStore
TrustZone-protectedODE
Real-time Kernel Protection
TrustZone-based remote attestation
530+ IT-policies & 1300+ APIs for MDM
GenericVPN/SSO Framework
Two Factor Authentication
SE for Android Management Service
Enhancements in Samsung KNOX
Improved Samsung KNOX Container
9. Core platform service for generating and maintaining cryptographic certificates
Enables the device to act as a SmartCard and it’s reader
Benefits: More secure certificate management for service such as WiFi, VPN,
HTTPs, SSL, Email.
SAMSUNG KNOX SECURITY
TRUSTZONE-PROTECTED CLIENT CERTIFICATE MGMT.
PKCS #11
Interface
TrustZone
Encryption
10. Core platform service for generating and maintaining cryptographic key
Benefits: Key storage (not necessarily managed) insideTrustZone
SAMSUNG KNOX SECURITY
TRUSTZONE-PROTECTED KEYSTORE
Standard
Android
KeyStore API
TrustZone
Encryption
DRM
Services
Payments
Commerce
Enterprise
11. SE for android for 3rd party container (i.e GoodTechnology, Mobileiron, Fixmo)
Domains are only activated on demand and verified by certificate
Benefits:
3rd party applications secured by SELinux
The APIs to use SEAMS1) are available to partners
SAMSUNG KNOX SECURITY
SE FOR ANDROID MGMT. SERVICE
1) SE for Android Management Service
SEAMS API
SELinux Domain SELinux Domain
KNOX SE for Android
Samsung Container 3rd Party Container
Samsung Agent 3rd Party Agent
Thank you very much.
We have heard from Rory about how the employees coming into organisations are more tech savvy than ever, they are also very demanding as we would
expect from a consumer.
We at Samsung need to address this Consumerisation of the Enterprise workplace , ensuring that customers using our devices for business get the
same level of efficiency or responsiveness whether they use them for work or personal.
We also recognise that organisations are driving costs down wherever possible but at the same time, get closer to their customers.
According to IDC the number of Android devices deployed within the enterprise is set to reach 66% by 2017, we at Samsung need to make sure that our devices
continue to empower employees at your organisations, enabling a greater level of service to your customers.
There are a number of challenges that arise when considering this new consumer driven environment.
IT need to ensure the corporate data and assets are completely secure, the end-user needs to feel confident that their privacy is respected and that their personal information is not viewed by the enterprise.
It’s difficult to implement any kind of technology if the end users find it complicated to use. If they need training and support or they feel there are unnecessary barriers they will find another way of getting the task done. e.g. IT dictates password need to be x characters long, alphanumeric, upper and lower characters, different for every device/application, changed every x number of days. Research shows end users see all of these restrictions and rebel against them.
At the same time, IT needs a solution that is manageable, compatible with systems and covered by any regulations.
Finally, end-users need choice – they do not respond well to having technology forced upon them. However IT need to be vigilant over the costs of their mobile programs. Some organisations have seen that a BYOD program works, more and more organisations are opting for a Choose your own device program.
Samsung KNOX is the secure enterprise mobile platform to address these concerns.
We are evolving Samsung KNOX to respond to the challenges our customers face.
As of April this year, more than 63 million KNOX enabled devices have been shipped, over a million and a half have deployed a KNOX container on those devices. With just over 120 reseller contracts in place there is a huge opportunity for resellers to work with us to cover the demand we are seeing the 230 countries that over 18 device models are sold.
Why do you need to know this?
With Samsung KNOX we have looked at ways to ensure security is improved and adapts to our customer needs; to increase the services and functionality available and we are very pleased to say that today our pursuit of compliance many different countries has reached another milestone, CESG issued positive guidance which means UK govt entities are free to use it.
Please enjoy the next few hours and we lookforward to what is set to be an afternoon of discovery, insight and transformation – in our thinking and ability to get closer to our customers.
To get things underway let me welcome Rory to the stage...
1.1 WHAT’S NEXT?
Congratulations on the world cup so far, coming from England I’M VERY ENVIOUS.
Sorry can’t speak more german.
Thanks Jae. CLICK. Here you can see a typical Android stack, this is what most devices look like, you have….moving onto the Samsung KNOX architecture we start by burning device unique keypairs into the hardware during manufacture and this forms our root of trust.
We start with secure boot and trusted boot which are Samsung signed ROM images each of which authenticates the next ROM to be loaded, forming a chain of trust.
Trusted boot takes known good measurements of the ROM images and stores them securely in Trustzone. When the device boots Trusted Boot takes real-time hashes and compares them with known good values from TrustZone.
If during the boot process any differences are found (say someone has installed a 3rd party ROM), a hardware fuse will be physically blown, the encryption keys for the KNOX container will not be released and no enterprise services will be allowed to run.
So as you can see in Samsung KNOX we extensively leverage the secure world of ARM Trustzone. But it all starts in the factory, during manufacturing process, we burn keypairs into the hardware, and this forms the basis for our root-of-trust. Starting with secure boot and trusted boot, we sign all our ROM images with a samsung key. This allows each ROM in the boot sequence to authenticate the next, including aboot. Trusted boot takes hashes of each ROM and stores those values in trust zone.
TrustZone-based Client Certificate Management (CCM)
TrustZone-based CCM enables storage and retrieval of digital certificates, as well as other operations using certificates such as encryption, decryption, signing, verification, and so on, in a manner similar to the functions of a SmartCard.
The certificates and associated keys are encrypted with a device-unique hardware key that can only be decrypted from code running within TrustZone. TrustZone-based CCM also provides the ability to generate a Certificate Signing Request (CSR) and the associated public/private key pairs in order to obtain a digital certificate. A default certificate is provided for applications
that do not require their own certificate.
Programming interfaces for certificate storage and management are provided in the KNOX Premium SDK. Application developers are provided with industry standard PKCS #11 APIs for signing and encryption, and therefore interact with the CCM as if it were a virtual SmartCard. Both types of operations are permitted only if Trusted Boot can guarantee system integrity.
TrustZone-based KeyStore
The TrustZone-based KeyStore provides applications with services for generating and maintaining cryptographic keys. The keys are further encrypted with a device-unique hardware key that can only be decrypted by the hardware from within TrustZone. All cryptographic operations are performed only within TrustZone, and are disabled if the system is compromised, as determined by Trusted Boot.
SEAMS
A new KNOX platform feature recently introduced includes a new feature called SE for Android Management Service (SEAMS) that provides controlled access to the SELinux policy engine. SEAMS is used internally by the KNOX container, and is also available to third-party vendors to secure their own container solutions. For security considerations, the domains for third-party containers are defined a priority by Samsung and activated on-demand when the container application is first invoked. SEAMS also provides enterprises the ability to replace individual SELinux policy files. We should note however this feature is governed by a special KNOX license and intended only for very specialized environments.
This feature was introduced due to customer feedback and we believe this is the first time software developers and hardware manufacturers have come together to form a complete solution.
Thank you Neil. Let me introduce you to our latest innovation, KNOX EMM is cloud based mobile device management with identity access management.
Simple to enroll and use; just with a few clicks your employees are using enterprise applications and service on their Samsung devices, and you can manage them. This is the service we provide to all our customers. Also, you can be rest assured. This is not only manages not only Samsung devices, but also devices from other manufacturers. It is integrated with this entire active directory and cloud based active directory and also you can have your own cloud directory integrated with single-sign-on capability.
EMM also provides Single Sign On for its apps and a directory service for users.
We believe that Samsung KNOX is a key enabler for the new kind of consumer-employee.
Built on these three pillars, Security, manageability and usability, Samsung KNOX is at the heart of Samsung devices for business.
Thank you.