Samsung KNOX Workspace offers a multi-faceted security solution rooted in the tamper-resistant device hardware, through the Linux kernel and the Android operating system. The first line of defense against malicious attacks, Samsung KNOX Workspace is designed for high-security government and military deployments.
Jump to details about:
Secure Android Platform
On most Android devices, the Android Boot Loader does not verify the authenticity of the kernel on the device. Those who want more control over their device can install a hacked Android kernel that roots a device. A hacked kernel provides superuser access to all data files, apps and resources. If the hacked kernel is corrupted the result can be a denial of service. If the kernel contains malware it can compromise the security of your enterprise's data.
Secure Boot is a security mechanism that prevents unauthorized boot loaders and kernels from being loaded during the startup process. Firmware images, such as operating systems and system components, cryptographically signed by known, trusted authorities, are considered authorized firmware. Secure Boot is a component that forms the first line of defense against malicious attacks on devices with KNOX Workspace.
Samsung KNOX Workspace uses systematic security checks to ensure that only valid kernels are used by the device. On the hardware level, the Primary Boot Loader confirms a PKI certificate to verify the integrity of the Secondary Boot Loader 1. Similarly, the Secondary Boot Loader 1 verifies the integrity of the Secondary Boot Loader 2, and the Secondary Boot Loader 2 verifies the integrity of the Android Boot Loader. The Android Boot Loader will only load a Samsung-authorized kernel with a Samsung certificate as its Root-of-Trust.
Secure Boot does not continue to check for authorized firmware after the system boot. For example, authorized firmware can be updated to remove vulnerabilities. However, both the updated and not updated firmware will be allowed to boot on the devices since both have proper signatures.
Also, the process to verify a boot loader's certificate has vulnerabilities that, if exploited, can cause the device to avoid Secure Boot altogether. The capability of custom Android OS on devices means Secure Boot cannot always be extended onto the OS kernel. As a result, devices cannot guarantee that their Android system will enforce OS level security (for example, SE for Android), which creates problems for the security of enterprise apps.
Trusted Boot on KNOX Workspace extends Secure Boot to further ensure kernel integrity. Trusted Boot uses the ARM TrustZone technology, a tamper-resistant sector of an ARM processor. During the boot process, the ARM TrustZone saves cryptographic fingerprints (called measurements) from all boot loader and OS kernels. At system run time, ARM TrustZone apps on KNOX Workspace constantly compares all measurements. Critical security decisions are made based on the compared results.
For example, cryptographic keys used by the KNOX container are stored by the TIMA keystore (ARM TrustZone-based Integrity Measurement Architecture ) keystore, which is built on the ARM TrustZone framework. When KNOX-approved firmware runs on a device, it enforces SE for Android and protects the KNOX container keys. However, when custom Android OS runs on a device, there is no guarantee that the keys are protected. To guarantee the keys are protected, TIMA keystore stores the keys and will only release them when the ARM TrustZone indicates that compared boot loader and kernel measurements match. If an unauthorized kernel is put on the device, the TIMA keystore detects that the measurements do not match and will refuse to release the keys.
TIMA KeyStore provides apps with services for generating and maintaining cryptographic keys. The keys are further encrypted with a device-unique hardware key that can only be decrypted by the hardware from within ARM TrustZone. All cryptographic operations are performed only within ARM TrustZone, and are disabled if the system is compromised, as determined by Trusted Boot.
App developers should continue to use the familiar Android KeyStore APIs and specify that the TIMA KeyStore is used to provide the service.
BYOD has potential for employees to use rooted Android devices with customized firmware. An enterprise must validate the device's integrity before it installs a Samsung KNOX container on the device.
Attestation compares the original kernel measurements to the current kernel on the device to verify that a kernel is authorized before KNOX Workspace is installed. Attestation is based in the device's unique public/private key pair. In the factory, each device is given a unique pair of public/private keys along with a certificate for the public key, signed by a Samsung root private key. Attestation servers send random challenges to the device to test its integrity. An app in the ARM TrustZone compares the measurements of the boot loaders and the kernel against the attestation challenge and sends the result back to the attestation server for final verification.
Attestation has many similarities to Trusted Boot and essentially uses the same fundamental data sources and procedures. The primary difference is that Attestation can be requested on-demand by the enterprise's Mobile Device Management (MDM) system.
When requested, Attestation reads the previously-stored measurement information and the fuse value (see Trusted Boot above), then combines the data in a proprietary way to produce an Attestation verdict. This verdict, essentially a coarse indication that tampering is suspected, is returned to the requesting MDM. The cryptographic signature is based on the device's unique Attestation Certificate, and embedded in the device during the manufacturing process. This process ensures that the Attestation verdict cannot be altered during transfer.
Any further action is determined by the enterprise's MDM security policy. The security policy might choose to detach from the device, erase the contents of the secure app container, ask for the location of the device, or any of many other possible security recovery procedures.
Security Enhancements (SE) for Android
UNIX and Linux allow users to grant themselves access to read, write, and execute files, an example of Discretionary Access Control (DAC). If malicious users obtain DAC, they could potentially obtain unauthorized access to data files, apps and resources. On rooted devices, malicious users can install apps that read passwords, email clients to send spam, upload sensitive documents to the Internet, or secretly turn on resources like the camera or microphone.
Samsung KNOX Workspace protects the OS through SE for Android, which is built on the SELinux technology.
SELinux defines which users or apps can access particular files and resources at the Linux level. It enforces Mandatory Access Control (MAC) with policy files. A corporate security administrator centrally controls policy for enterprise devices. Users cannot override this policy. To minimize the effects of device rooting, the system's superuser is also subject to MAC.
SE for Android secures the OS by separating it into distinct security domains. Within each domain, apps are given the minimal permission needed to operate. This process will contain the damage in one area and leave other areas uncompromised.
The KNOX 2.0 Workspace introduces a new feature called SE for Android Management Service (SEAMS), which provides controlled access to the SELinux policy engine. SEAMS is used internally by the KNOX 2.0 Workspace, and is also available to third-party vendors to secure their own container solutions. SEAMS also provides enterprises the ability to replace individual SELinux policy files.
ARM TrustZone-based Integrity Measurement Architecture (TIMA)
Devices are secured only at boot time, which leaves the device vulnerable to be compromised while it is in use. Secure Boot only verifies the Android kernel at boot time and SE for Android uses MAC, but relies on the kernel itself not being compromised. Platforms that permit external software to be loaded make the device more exposed to new or modified kernel modules.
Samsung KNOX Workspace introduces the ARM TrustZone-based Integrity Measurement Architecture (TIMA). TIMA uses the ARM TrustZone a tamper-resistant sector of an ARM processor. TIMA uses two techniques to ensure that the Linux kernel has not been compromised:
- Periodically verifies that the kernel has not changed, through measurements retrieved from the kernel and comparisons against the original factory kernel
- Authenticates kernel modules as they are dynamically loaded
With KNOX 2.0 Workspace, TIMA Real-time Kernel Protection (RKP) performs ongoing, strategically-placed real-time monitoring of the operating system from within ARM TrustZone to prevent tampering of the kernel. RKP intercepts critical events happening inside the kernel, which are inspected in ARM TrustZone. If an event is determined to have impact on the integrity of the OS kernel, RKP either stops the event, or logs an attestation verdict that tampering is suspected, which is sent to the MDM. This protects against malicious modifications and injections to kernel code, including those that coerce the kernel into corrupting its own data.
Also, TIMA Client Certificate Management (CCM) enables storage and retrieval of digital certificates, as well as other operations using those certificates such as encryption, decryption, signing, verification, and so on, in a manner similar to the functions of a SmartCard. The certificates and associated keys are encrypted with a device-unique hardware key that can only be decrypted from code running within ARM TrustZone. TIMA CCM also provides the ability to generate a Certificate Signing Request (CSR) and the associated public/private key pairs in order to obtain a digital certificate. A default certificate is provided for apps that do not require their own certificate.
Many industries that handle sensitive information need to comply with strict security requirements, and use only certified products and services.
Samsung KNOX Workspace has the following certifications:
Common Criteria Certification: The Common Criteria for Information Technology Security Evaluation, commonly referred to as Common Criteria, is an internally-recognized standard for defining security objectives of information technology products and for evaluating vendor compliance with these objectives. A number of governments use Common Criteria as the basis for their own certification schemes. Select Galaxy devices with KNOX Workspace embedded received Common Criteria (CC) certification on Feb 27, 2014. The current CC certification targets the new Mobile Device Fundamentals Protection Profile (MDFPP) of the National Information Assurance Partnership (NIAP), published in October 2013, which addresses the security requirements of mobile devices for use in enterprise.
FIPS 140-2 Certification: Issued by the National Institute of Standards and Technology (NIST), the Federal Information Processing Standard (FIPS) is a US security standard that helps ensure companies that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information and controlled unclassified information (CUI) can make informed purchasing decisions when choosing devices to use in their workplace. Samsung KNOX 2.0 Workspace meets the requirements for FIPS 140-2 Level 1 certification for both data-at-rest (DAR) and data-in-transit (DIT).
DISA MOS SRG Compliance: The Defense Information Systems Agency (DISA) is an agency within the US DoD that publishes Security Requirements Guides (SRGs) as processes to improve the security of DoD information systems. SRGs guide the development of Security Technical Implementation Guides (STIGs) which document specific product policies and requirements as well as best practices for configuration. In 2012, DISA published the Mobile Operating System SRG to specify the security requirements that commercially available mobile devices should meet in order to be deployed within the DoD. On May 2, 2013 DISA approved the STIG for Samsung KNOX Workspace drafted for the Mobile Operating System SRG.
Protected Apps and Information
Data leakage can occur when one device is used to store both personal and business data. Employees could copy company-sensitive data onto apps, like notepad or email, or save confidential documents to an unprotected file system. Rogue apps, downloaded for personal use, can secretly collect and re-distribute this confidential data. Some apps can also secretly take screenshots when sensitive data is viewed.
The Samsung KNOX container is an Android environment within the device, complete with its own home screen, launcher, apps and widgets. Apps and data inside the container cannot interact with apps and data outside the container. The container enables enterprise IT to isolate and keep enterprise apps and data in a secure environment. Certain activities that can compromise security, such as screenshots, are restricted within the container.
With KNOX Workspace, apps inside the container had to be wrapped with an extra layer of security. Samsung KNOX provides an app wrapping service to protect enterprise apps and data from being compromised by third-party apps. This web-based service unpacks the app's APK file, extracts the developer certificate and repacks the binary with additional files to secure operation within the KNOX container. The new package is digitally signed with a certificate based on the original developer certificate. After an app has been wrapped, it is sent to Samsung's Quality Assurance (QA) process to be tested for device compatibility, basic functions, malware and risky behaviors. The QA process is done before an app is allowed to be installed in KNOX containers.
KNOX 2.0 Workspace introduces these container enhancements:
- Multiple containers: This meets the needs of professionals that use their own devices and have multiple employers. Examples include a doctor who works for several clinics or a consultant with multiple clients.
- Controlled data sharing: IT admins can control the flow of data between a container and the rest of the device. This data includes contacts, calendar events, clipboard data, call logs, and browser bookmarks. This feature enables enterprises to strike the right balance between security and user productivity. Users can also control the device's data sharing capability based on their personal preferences, according to the limits specified by the enterprise IT admin.
- Elimination of app wrapping: This is achieved by leveraging technology introduced by Google in Android 4.2 to support multiple users on tablet devices. This enhancement enables enterprises to easily deploy custom apps without having to wrap them. It also further reduces the barrier to entry for independent software developers wishing to develop and deploy apps for the KNOX 2.0 Workspace container.
Samsung KNOX Apps
Google Play distributes almost a million apps worldwide to Android customers. Apps in the marketplace undergo only automated scans for malware or malicious activities. Apps can then be published and downloaded by customers instantly. Although apps can easily be published and downloaded, the apps' security is not guaranteed.
Samsung KNOX Apps in the KNOX container offers apps from reputable vendors with established Samsung partnerships. Samsung provides a QA process to ensure that apps are compatible, functional and secure.
With KNOX Workspace, all apps in the container were wrapped to safely operate within the KNOX container. With KNOX 2.0 Workspace, this wrapping is no longer required, and apps in the Samsung KNOX Apps store are unwrapped. An IT Admin can now push unwrapped apps Over-The-Air (OTA) from the enterprise's MDM console to the KNOX container on devices.
On-Device Encryption (ODE)
Data that is stored unencrypted on a device can easily be read. Data recovery tools can also be used to restore deleted files, on both internal memory and external SD Cards.
Samsung KNOX Workspace enables ODE by default. ODE uses a 256-bit AES cipher algorithm to encrypt data on the entire device, including both the device’s internal storage and external SD Card. The enterprise IT admin can set a policy to encrypt data outside and inside the KNOX container. The key used for encryption is derived from the user-supplied password. Samsung KNOX Workspace meets the requirements for FIPS 140-2 Level 1 certification for both DAR and DIT.
Virtual Private Networking (VPN)
Unencrypted data sent wirelessly from a device can be monitored by sniffer devices situated throughout a network's infrastructure.
The KNOX 2.0 Workspace platform offers additional comprehensive support for enterprise Virtual Private Networks (VPN). This support enables businesses to offer their employees an optimized, secure path to corporate resources from their BYOD or corporate-issued devices.
The original KNOX Workspace platform offered broad support for the IPSec protocol suite including features such as:
- Internet Key Exchange (IKE and IKEv2)
- Triple DES (56/168-bit), AES (128/256-bit) encryption
- Split tunneling mode
- Suite B Cryptography
However, a large number of enterprises have deployed Secure Socket Link (SSL) VPNs to enable remote access to their workforce as they do not require the full connectivity to the enterprise network, but rather a small set of resources such as web-based apps and file shares.
The KNOX 2.0 Workspace platform adds support for leading SSL VPN vendors. As SSL implementations are proprietary, KNOX 2.0 Workspace features a new generic VPN framework which enables third-party SSL vendors to provide their clients as plugins into the VPN framework. Enterprise IT managers use KNOX Workspace MCM policies to download and configure a specific SSL client.
The per-app VPN feature in the original KNOX Workspace platform has been extended to support SSL VPNs. This feature enables the enterprise to automatically enforce the use of VPN only on a specific set of apps. For example, the enterprise IT administrator can configure an employee’s device to enforce VPN for only business apps. This feature ensures that the data from the user’s personal apps do not use the VPN and overload the company’s intranet. At the same time, user privacy is preserved because personal data does not use the enterprise network.
Powerful Control of Devices
Mobile Device Management
Enterprises face new challenges from mobile devices at work and the popularity of Bring Your Own Device (BYOD) programs:
- Manage and support employees who are local, remote or traveling
- Enforce corporate security policies consistently and reliably
- Handle security threats
- Manage lost or stolen devices that contain sensitive enterprise data
- Comply with new regulatory requirements
The Samsung KNOX Workspace can be managed with a Mobile Device Management (MDM) system. Samsung has partnered with MDM vendors to integrate KNOX Workspace capabilities into current MDM consoles used by enterprises.
Prior to KNOX Workspace, Samsung for Enterprise (KNOX Standard) enabled enterprise IT Admins to manage Samsung mobile devices through MDM consoles with a comprehensive suite of IT policies. Samsung KNOX Workspace adds even more security and management policies.
A MDM agent on a device implements an IT admin's policies by calling KNOX Standard and KNOX Premium Application Programming Interfaces (APIs) on the device. For example, your IT admin could invoke a policy to wipe a device if the kernel is compromised; the agent will call the APIs to carry out this order on the device.
Combined, the KNOX Standard and KNOX Premium SDKs provide over 600 policies that IT admins can configure at their MDM consoles. Of these, a third are KNOX Premium policies. All policies are supported by over 1400 APIs that MDM partners can use in their device-based apps.
KNOX Workspace empowers enterprises to manage
security in these areas:
- SE for Android
- Integrity Management
- Multiple apps with different password require Sign-On (SSO)
- Common Access Card (CAC) or SmartCard
KNOX Standard empowers enterprises to manage security in these areas:
- Restrict Access
- Geo Fencing
- Enterprise License Management (ELM)
KNOX Workspace technical details
- Install the KNOX container with a launcher icon, home screen and preloaded apps
- Lock the container, which requires the user to enter their KNOX Workspace password to unlock
- Uninstall the container
- Install or uninstall an app in the container through Samsung KNOX Apps
- Add or remove an app launcher icon on the KNOX Workspace home screen
- Define a whitelist or blacklist of apps that can be installed in the KNOX container
- Start or stop an app in the container
- Write data to an app's home directory
- Create a firewall around the container (for example, block the FTP port on the device from receiving connections, or block the device from connecting to the HTTP port on a web server)
- Define the password policy (same capabilities as the KNOX Standard password)
- Enable or disable camera, non-secure keypad and share via list
SE for Android
- Set the enforce status of SE Linux
- Set the enforce status of the Android Activity Manager Service (AMS)
- Write SE Linux policy file to SE for Android
- Write policies for SE for Android security contexts
- Map apps to SE for Android security contexts
- Add apps to the baseline scan
- Perform a pre-baseline scan
- Establish the kernel measurement baseline
- Scan the kernel or installed apps in real time
- Start or stop the continuous runtime integrity monitoring
- Define a subscriber to receive integrity violations and results
- Update the existing baseline with the new scan result
- Add or remove a VPN profile
- Add or remove an app to or from a VPN profile so that when the app is launched, it uses a specific VPN
- Add all apps in the container to a VPN profile
- Enable a default forwarding route through defined network nodes
- Set the CA certificate or user certificate for a VPN profile
- Enable FIPS mode
Single Sign-On (SSO)
- Define a whitelist or blacklist of apps allowed to use the SSO service
- Set user information
- Force user to re-authenticate
Common Access Card (CAC) or SmartCard
- Enable or disable CAC or SmartCard authentication for the browser or email
KNOX Standard technical details
- Start encryption and decryption on a device's internal memory or external SD card
- Wipe internal memory or the external SD card
- Lock out the device with a specific password
- Install or remove the certificates used to authenticate users for email, Wi- Fi or VPN
- Set the device enrollment status with the MDM server
- Power off a device
- Set the policy for user password patterns
- Set a blacklist of strings that are not allowed in passwords
- Set the number of failed password attempts before a device is disabled
- Set the time a password is valid, before it must be changed
- Set the number of previous passwords that cannot be used for a new password
- Show the user the password as it is entered
- Install, update or uninstall an app on a device
- Disable the uninstallation of an app
- Force all apps to be installed on an external SD card
- Get a list of the apps installed on a device
- Start or stop an app used on a device
- Check if an app is currently in use
- Get info about an app: package name, version, how much RAM/CPU/network traffic it is using, the size of code/data/cache required, last time it was launched and how long it was used
- Back up or restore a device’s app data and preferences
- Wipe data associated with an app
- Define a whitelist or blacklist of apps or widgets that can be installed
- Disable or re-enable the native browser, Play store, voice dialer, or YouTube
- Add an app launcher icon to the home screen and change an app's launcher icon
Enterprise License Management (ELM)
- Activate an enterprise license, which enables enterprise apps to access the MDM APIs
- Add or delete an MS Exchange ActiveSync account
- Set the account host, domain, username, email address, password
- Enable or disable Secure Sockets Layer (SSL) security
- Indicate if all certificates accepted for SSL
- Set the certificate to be used for SSL authentication
- Enable S/MIME certificates
- Synch the account with the device contacts, calendar, tasks and notes
- Enable device vibration for a new email
- Allow only IPsec or SSL/TLS connections
- Create, update or delete a VPN profile
- Configure the profile: ID, pre-shared key, CA certificate, user certificate, secret, encryption, DNS search domains/addresses and network node forwarding route
- Enable or disable Android Beam, apps not from Google Play, audio recording, background process limits, backups to Google cloud, Bluetooth, camera, cellular data, clipboard, factory reset, Home key, microphone, mock GPS locations, NFC, OTA O/S upgrades, power button, S Beam, SD card writing, S Voice, screen captures, settings changes by user, Share Via list, status bar, tethering, USB debugging, USB storage, video recording, VPN, wallpaper and Wi-Fi
- Enable or disable Kiosk mode, which provides a restricted version of the default Samsung home screen
- Enable or disable hardware keys, multi window mode or recently used apps display
- Hide the navigation bar, status bar or system bar
- Create or destroy a geofence area, which can be linear, circular or polygonal
- Determine if a device is within the geofence area
- Set the minimum distance and time interval to monitor a geofence
- Start or stop geofence monitoring
Robust Enterprise Ecosystem
Single Sign On (SSO)Add On
Multiple apps with different password requirements result in users who are overwhelmed with passwords. To simplify the process, some users create weak, easy-to-remember passwords.
Single Sign-On enables enterprise users to log in to multiple business apps with only their corporate login. Through Samsung KNOX's SSO apps in the KNOX container can leverage an enterprise's Active Directory to authenticate employees. SSO ensures that employee passwords meet policies for enterprise apps.
CAC or SmartCard SupportAdd On
Regulated industries require a more robust employee authentication method than a simple login password. The method must prevent identity fraud, tampering, counterfeiting and exploitation.
Samsung KNOX Workspace supports US Department of Defense issued SmartCards, also known as Common Access Cards (CACs). The browser, email and VPN clients can use credentials on the CAC to log in, if the enterprise IT admin has configured this policy. Other third-party apps can also use the CAC through well- defined PKCS 11 APIs. CAC can be used for two-factor authentication on the device lock screen.
Theft RecoveryAdd On
A consequence of rapid growth in smartphone usage is the equally rapid rise in mobile device theft. Over 40% of robberies in major metropolitan cities are smartphone related. Reasons for the increase include: high resale value of the device, inability to disable a stolen device when stolen, and the ability to sell the personal information on the device.
Working in partnership with Absolute Software, Samsung KNOX Workspace offers a fully managed theft recovery solution for devices, enabling enterprises to:
- Monitor and manage devices within the Absolute Customer Center
- Remotely lock and delete data on lost devices and produce an audit log for proof of compliance with this process
- Report a device as stolen and engage the Absolute Theft Recovery Team, which comprises 42 recovery investigators and six forensic experts. Absolute will work with local law enforcement to recover the device, even after it has been factory reset
Absolute Software has recovered over 26,000 devices in 101 countries, leveraging relationships with over 6,700 law enforcement agencies worldwide.