This document discusses enterprise mobility security and Samsung's Knox platform. It provides 3 key points: 1. Mobile security is important for enterprises to securely manage corporate data on devices. Samsung Knox addresses challenges like secure data storage, authentication, and device management. 2. Samsung Knox includes various security features aligned with the National Cyber Security Centre's 12 security principles, such as encrypted storage, authentication, and updating policies. It also offers a separate, encrypted workspace container. 3. Samsung Knox provides device management capabilities for IT departments to remotely configure policies, monitor device usage, and enroll devices securely in a corporate environment. The document emphasizes that containerization is important to separate corporate and personal data on devices.

1. Paweł Śniecikowski
Samsung R&D Institute Poland
Secure enterprise mobility

2. DIGITAL IN 2018: GLOBAL OVERVIEW
More than half of the world’s web traffic now comes from mobile phones
Unique mobile users grew by 4% in: Jan 2017 – Jan 2018
5.14 billion global mobile users in Jan 2018, equaling 68% penetration
People spend 7 times longer using mobile apps compared to mobile web browsers
Source: https://wearesocial.com/blog/2018/01/global-digital-report-2018

3. Mobile security is important but…

4. Enterprise mobility
challenges
Secure corporate data
Efficient mobile device
management
Mobile productivity
Privacy of a user

5. Źródło: Open Web Application Security Project, https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Top 10 of most critical security risks
in mobile devices
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Poor Code Quality
M8: Code Tampering
M9: Reverse engineering
M10: Extraneous Functionality

6. 6
12 Security Principles
National Cyber Security Centre UK Security Guidance:
Security Principle
1. Data-in-transit
protection
2. Data-at-rest
protection
3. Authentication
4. Secure boot
5. Platform integrity and
application sandboxing
6. Application
whitelisting
Security Principle
7. Malicious code
detection and
prevention
8. Security policy
enforcement
9. External interface
protection
10. Device update policy
11. Event collection for
enterprise analysis
12. Incident response
* NCSC: National Cyber Security Centre, https://www.ncsc.gov.uk/guidance/eud-security-guidance-samsung-devices-knox-workspace
Samsung Knox
Foundation grade
built-in VPN
H/W backed encryption for
Knox Workspace,
Sensitive Data Protection
Strong password backed by
TrustZone-based components
Secure boot & Trusted Boot by
default
Remote Attestation,
Mobile Enrollment
Full control of app installation
via whitelisting
Samsung Knox
Google Play/Samsung App
store vetting system
Enforcing Knox policies via
MDM for both device and W/S
Wi-Fi, NFC, USB, Bluetooth
disabled by Knox policies
FOTA update version control
Advanced audit and logging
features by Knox platform
Device/Container Wipe,
Remote Attestation,
Certificate revocation

7. 7
There is no such thing as ‘enough’ security
Corporate data security and management are the most critical factors to
consider when an enterprise adopts and maintains enterprise mobility
One security hole could be all they need to take full control over the device
‘Enough security’ is never enough

8. So what we can do…

9. 9
Hardware Root of Trust – Trust Zone
Trusted Boot & Secure Boot
TIMA*
SE for Android
Knox Container
* TrustZone-based Integrity Measurement Architecture (TIMA)
TrustZone - completely isolated space on the chipset
as the hardware-rooted trusted environment to
ensure the security and integrity
Knox Platform for Enterprise

10. Meets stringent government security standards worldwide including MDFPP of NIAP
Build Trust…
Most “Strong” Ratings
of Any Mobile Security Platform by Gartner
Mobile Device Security : A Comparison of Platforms
2015, 2016 and 2017
10

11. CORPORATE
INFORMATION
SECURITY
PERSONAL
PRIVACY
Corporate data protection
There are conflicting needs between
IT departments and employees

12. Corporate
Area
Use irises or draw pattern
EMERGENCY CALL
Private
Area

13. If the device is ever compromised,
KNOX Workspace will permanently lock down
COMPROMISED
ENCRYPTED

14. Common Criteria compliant mode
Pre-Conditions:
• Screen lock password
• The maximum password failure retry policy should be less than or equal to 50
• A screen lock password required to decrypt data on boot
• Revocation checking must be enabled
• External storage must be encrypted.
• Password (non-container) recovery policy and password history must not be
enabled.
Requirements:
• Prevents loading of custom firmware/kernels and requires all updates occur
through FOTA
• Utilizes CAVP approved cryptographic ciphers for TLS
• ensures FOTA updates utilize 2048-bit PKCS #1 RSA-PSS formatted signatures
(with SHA-512 hashing)
• ......
Single
Policy Compatible
with

15. 15
User authentication under full control
Security or usability? Enforce container unlock methods the way you prefer. Knox Platform for Enterprise
provides both secure and user-friendly ways for end users to access corporate data in Workspace container.

16. pass
Biometric authentication

17. 17
Knox Platform for Enterprise adds advanced features for granular VPN control and enforced
configuration.
Robust VPN connectivity – data at transit protection

18. 18
Hardware-based storages for user credentials and its management.
The most reliable way of user authentication for corporate data and network access.
* TIMA CCM: TrustZone-based Integrity Measurement Architecture Client Certificate Management
Most reliable certificate storage and management

19. 19
Device monitoring
Knox Platform for Enterprise provides powerful tools to monitor
end-user activities as well as data traffic usage.

20. Audit Logs
End-User AdminEvents :
- Creating containers, password setting policies
for devices and containers, app installations
and removal
- Certificate failure and key generation
- Adding and removing accounts
- Attempts to exchange files over Wi-Fi
ALERT

21. DEVICE UNIQUE HARDWARE KEY
ROLLBACK PREVENTION
SIGNED BOOTLOADERS
WARRANTY BIT
X.509
TIMA : PERIODIC KERNEL MEASUREMENT
TIMA: REALTIME KERNEL PROTECTION
ON-DEVICE ENCRYPTION
KEY STORE in TRUST ZONE
CLIENT CERTIFICATES MANAGEMENT
BIOMETRY
DEVICE ROOT KEY
AES256
…AND MORE

22. Custom solution needed?? Knox SDK

23. Firmware
Firmware Over-The-Air (FOTA) for Maintenance Release requires end user interaction
Android Update Security Patch Bug Fix App Update
End User
Approval
Monthly / Quarterly
depending on model
48 times for last
8 years

24. Samsung E-FOTA (Firmware Over The Air)

25. Remote device configuration

26. What is Knox
Configure?

27. Mobile device management
Security &
IT policies
Accountability
>> Reports
Actions

28. Knox Mobile Enrollment
Automatic provisioning
Traditional
IT registers device
(phone numbers, email…)
IT sends EMM
installation link
User downloads &
installs EMM
User logs in Device is enrolled
IT registers device
(IMEI, S/N…)
Device is enrolled
Turn on & Connect to network (Wi-Fi/4G/LTE)
EMM is automatically installed & logged in with user credentials
Automatic Bulk Enrollment
VS
Knox Mobile Enrollment
28

29. Event-Based Policy Enforcement
An IT admin can apply pre-defined policies to improve operating efficiency and enforce security
at certain times
when a specific app starts
running on the device
when an unauthorized
SIM is inserted
when the user is roaming
when the device connects
to a specific Wi-Fi SSID
when the user enters a
predefined Boundary*
* * Globally available ‘18 2H

30. Three mobile security recommendations for organizations:
1. Use platform security features & tools…
2. Keep firmware up to date
3. Separate company and private worlds by containerization
(user authentication, data encryption, strict policies…)

31. Thank you…