Security Matters : The Evolution of Samsung KNOX™
•Download as PPTX, PDF•
3 likes•1,853 views
Jae Shin and Neil Barclay present the evolution of Samsung KNOX™ at our Business Discovery Day in London.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Security Matters : The Evolution of Samsung KNOX™
Similar to Security Matters : The Evolution of Samsung KNOX™ (20)
More from Samsung at Work
More from Samsung at Work (12)
Recently uploaded
Recently uploaded (20)
Security Matters : The Evolution of Samsung KNOX™
- 1. Security Matters The Evolution of Samsung KNOX JAE SHIN VICE PRESIDENT, KNOX BUSINESS GROUP SAMSUNG ELECTRONICS
- 4. The Secure Enterprise Mobile Platform THE BIRTH OF SAMSUNG KNOX
- 5. THE EVOLUTION OF SAMSUNG KNOX Samsung KNOX- enabled devices users have activated Resellers now sell Device models in 230 countries Create Security Platform Evolve Capabilities Adapt toThreats Pursue Compliance Engage Ecosystem +63M +1.9m +120 +24
- 6. The Power of Customer Discovery
- 7. Security Matters The Evolution of Samsung KNOX NEIL BARCLAY SENIOR B2B PRODUCT MANAGER, SAMSUNG MOBILE EUROPE
- 8. INTRODUCING Samsung KNOX SECURITY BUILT FROM THE GROUND UP Android Stack Application Layer Android Framework Android OS Linux Kernel Boot Loader Hardware TrustZone Samsung KNOX Samsung KNOX Container Samsung KNOX Android Framework SE for Android Trusted Boot Secure Boot TIMA TrustZone-protectedClientCertificate Mgmt. TrustZone-protected KeyStore TrustZone-protectedODE Real-time Kernel Protection TrustZone-based remote attestation 530+ IT-policies & 1300+ APIs for MDM GenericVPN/SSO Framework Two Factor Authentication SE for Android Management Service Enhancements in Samsung KNOX Improved Samsung KNOX Container
- 9. Core platform service for generating and maintaining cryptographic certificates Enables the device to act as a SmartCard and it’s reader Benefits: More secure certificate management for service such as WiFi, VPN, HTTPs, SSL, Email. SAMSUNG KNOX SECURITY TRUSTZONE-PROTECTED CLIENT CERTIFICATE MGMT. PKCS #11 Interface TrustZone Encryption
- 10. Core platform service for generating and maintaining cryptographic key Benefits: Key storage (not necessarily managed) insideTrustZone SAMSUNG KNOX SECURITY TRUSTZONE-PROTECTED KEYSTORE Standard Android KeyStore API TrustZone Encryption DRM Services Payments Commerce Enterprise
- 11. SE for android for 3rd party container (i.e GoodTechnology, Mobileiron, Fixmo) Domains are only activated on demand and verified by certificate Benefits: 3rd party applications secured by SELinux The APIs to use SEAMS1) are available to partners SAMSUNG KNOX SECURITY SE FOR ANDROID MGMT. SERVICE 1) SE for Android Management Service SEAMS API SELinux Domain SELinux Domain KNOX SE for Android Samsung Container 3rd Party Container Samsung Agent 3rd Party Agent
- 12. The Power of Customer Discovery
- 13. Single Sign-On SAMSUNG KNOX EMM CLOUD BASED MDM & IAM
- 19. Security & Privacy Manageability & Usability Cost & Choice
Editor's Notes
- Thank you very much. We have heard from Rory about how the employees coming into organisations are more tech savvy than ever, they are also very demanding as we would expect from a consumer. We at Samsung need to address this Consumerisation of the Enterprise workplace , ensuring that customers using our devices for business get the same level of efficiency or responsiveness whether they use them for work or personal. We also recognise that organisations are driving costs down wherever possible but at the same time, get closer to their customers. According to IDC the number of Android devices deployed within the enterprise is set to reach 66% by 2017, we at Samsung need to make sure that our devices continue to empower employees at your organisations, enabling a greater level of service to your customers.
- There are a number of challenges that arise when considering this new consumer driven environment. IT need to ensure the corporate data and assets are completely secure, the end-user needs to feel confident that their privacy is respected and that their personal information is not viewed by the enterprise. It’s difficult to implement any kind of technology if the end users find it complicated to use. If they need training and support or they feel there are unnecessary barriers they will find another way of getting the task done. e.g. IT dictates password need to be x characters long, alphanumeric, upper and lower characters, different for every device/application, changed every x number of days. Research shows end users see all of these restrictions and rebel against them. At the same time, IT needs a solution that is manageable, compatible with systems and covered by any regulations. Finally, end-users need choice – they do not respond well to having technology forced upon them. However IT need to be vigilant over the costs of their mobile programs. Some organisations have seen that a BYOD program works, more and more organisations are opting for a Choose your own device program.
- Samsung KNOX is the secure enterprise mobile platform to address these concerns.
- We are evolving Samsung KNOX to respond to the challenges our customers face. As of April this year, more than 63 million KNOX enabled devices have been shipped, over a million and a half have deployed a KNOX container on those devices. With just over 120 reseller contracts in place there is a huge opportunity for resellers to work with us to cover the demand we are seeing the 230 countries that over 18 device models are sold. Why do you need to know this? With Samsung KNOX we have looked at ways to ensure security is improved and adapts to our customer needs; to increase the services and functionality available and we are very pleased to say that today our pursuit of compliance many different countries has reached another milestone, CESG issued positive guidance which means UK govt entities are free to use it.
- Please enjoy the next few hours and we look forward to what is set to be an afternoon of discovery, insight and transformation – in our thinking and ability to get closer to our customers. To get things underway let me welcome Rory to the stage...
- 1.1 WHAT’S NEXT? Congratulations on the world cup so far, coming from England I’M VERY ENVIOUS. Sorry can’t speak more german.
- Thanks Jae. CLICK. Here you can see a typical Android stack, this is what most devices look like, you have….moving onto the Samsung KNOX architecture we start by burning device unique keypairs into the hardware during manufacture and this forms our root of trust. We start with secure boot and trusted boot which are Samsung signed ROM images each of which authenticates the next ROM to be loaded, forming a chain of trust. Trusted boot takes known good measurements of the ROM images and stores them securely in Trustzone. When the device boots Trusted Boot takes real-time hashes and compares them with known good values from TrustZone. If during the boot process any differences are found (say someone has installed a 3rd party ROM), a hardware fuse will be physically blown, the encryption keys for the KNOX container will not be released and no enterprise services will be allowed to run. So as you can see in Samsung KNOX we extensively leverage the secure world of ARM Trustzone. But it all starts in the factory, during manufacturing process, we burn keypairs into the hardware, and this forms the basis for our root-of-trust. Starting with secure boot and trusted boot, we sign all our ROM images with a samsung key. This allows each ROM in the boot sequence to authenticate the next, including aboot. Trusted boot takes hashes of each ROM and stores those values in trust zone.
- TrustZone-based Client Certificate Management (CCM) TrustZone-based CCM enables storage and retrieval of digital certificates, as well as other operations using certificates such as encryption, decryption, signing, verification, and so on, in a manner similar to the functions of a SmartCard. The certificates and associated keys are encrypted with a device-unique hardware key that can only be decrypted from code running within TrustZone. TrustZone-based CCM also provides the ability to generate a Certificate Signing Request (CSR) and the associated public/private key pairs in order to obtain a digital certificate. A default certificate is provided for applications that do not require their own certificate. Programming interfaces for certificate storage and management are provided in the KNOX Premium SDK. Application developers are provided with industry standard PKCS #11 APIs for signing and encryption, and therefore interact with the CCM as if it were a virtual SmartCard. Both types of operations are permitted only if Trusted Boot can guarantee system integrity.
- TrustZone-based KeyStore The TrustZone-based KeyStore provides applications with services for generating and maintaining cryptographic keys. The keys are further encrypted with a device-unique hardware key that can only be decrypted by the hardware from within TrustZone. All cryptographic operations are performed only within TrustZone, and are disabled if the system is compromised, as determined by Trusted Boot.
- SEAMS A new KNOX platform feature recently introduced includes a new feature called SE for Android Management Service (SEAMS) that provides controlled access to the SELinux policy engine. SEAMS is used internally by the KNOX container, and is also available to third-party vendors to secure their own container solutions. For security considerations, the domains for third-party containers are defined a priority by Samsung and activated on-demand when the container application is first invoked. SEAMS also provides enterprises the ability to replace individual SELinux policy files. We should note however this feature is governed by a special KNOX license and intended only for very specialized environments. This feature was introduced due to customer feedback and we believe this is the first time software developers and hardware manufacturers have come together to form a complete solution.
- Thank you Neil. Let me introduce you to our latest innovation, KNOX EMM is cloud based mobile device management with identity access management. Simple to enroll and use; just with a few clicks your employees are using enterprise applications and service on their Samsung devices, and you can manage them. This is the service we provide to all our customers. Also, you can be rest assured. This is not only manages not only Samsung devices, but also devices from other manufacturers. It is integrated with this entire active directory and cloud based active directory and also you can have your own cloud directory integrated with single-sign-on capability.
- EMM also provides Single Sign On for its apps and a directory service for users.
- We believe that Samsung KNOX is a key enabler for the new kind of consumer-employee. Built on these three pillars, Security, manageability and usability, Samsung KNOX is at the heart of Samsung devices for business. Thank you.