Enero 27, 2019

Knox Deep Dive: Sensitive Data Protection

Josh Fernandez

Protecting Data-At-Rest (DAR) on mobile devices is a major concern. While the industry standard is to encrypt all data on a device, that data is decrypted and accessible after the device boots successfully. If a device is lost or stolen, a sophisticated attack can extract data from it as long as the device is still running, even if the device is locked.

Samsung created Sensitive Data Protection (SDP) to address this specific issue, and includes SDP in Samsung devices built on the Knox Platform for Enterprise (KPE).


What is Knox SDP?

With Knox SDP, selected files remain encrypted at runtime and are decrypted only after device users authenticate themselves at the device lockscreen or Knox Workspace login. Knox ejects decryption keys each time the device or Knox Workspace locks.


Why should I consider Knox SDP?

  • MDFPP-Compliant:

    SDP is certified as meeting the Mobile Device Fundamentals Protection Profile (MDFPP) requirements defined by the National Information Assurance Partnership (NIAP) for DAR, meaning that SDP is approved for use by the US government and military. Without Knox SDP, the base Android system is not certified as satisfying MDFPP requirements, which mandates a form of SDP. MDFPP compliance is a requirement for many government agencies and the companies they work with. Samsung has more MDFPP-certified products than any other mobility solution provider.
  • Granular Control:

    App developers and enterprise IT admins can use Knox SDP to protect individual files, databases, and any other sensitive enterprise data.
  • Per-App Password:

    For an added layer of security, app developers and enterprise IT admins can customize Knox SDP so that sensitive data is decrypted only by a per-app password entered by the app user. In this case, the device unlock or Knox Workspace authentication alone does not decrypt app data. An app password is also needed.


How does Knox SDP work?

Knox’s two levels of protection and how they perform when a device is off, locked, or authenticated

The Knox Platform provides two levels of protection for Data-At-Rest:

  • Protected Data

    By default, all data is encrypted when the device is powered off. When the device is powered on, the data is decrypted. The decryption key for Protected Data is tied to the device hardware, making Protected Data recoverable only on the same device.
  • Sensitive Data

    SDP provides an extra layer of security. Unlike Protected Data, Sensitive Data remains encrypted, even after the device boots. Data is decrypted only after the device is unlocked through user authentication. SDP data can't be decrypted in the locked state, only in the unlocked state. The SDP data decryption key is also tied to device hardware, meaning Sensitive Data is recoverable only on the same device and only after successful user authentication.

SDP enables both app developers and enterprise IT admins to label data as “sensitive” to guarantee the data is encrypted and not accessible on locked devices.


Where is Knox SDP used?

Knox SDP is enabled by default to secure the Samsung Email app's email body and attachments.

SDP even handles incoming sensitive data, such as emails and notifications, ensuring it is immediately encrypted and not accessible until the user is authenticated. This encryption uses a public key algorithm. The private key is maintained in an encrypted partition while the public part encrypts the sensitive, newly received data.


Next steps

To learn more about:

  • Other data protection options for Samsung Knox devices, see the KPE Admin Guide.
[Ícono] cerrar

Comenzar con Samsung Knox

[Ícono] maletín
¿Es un distribuidor, un proveedor de soluciones o un proveedor de servicios?

Conviértase en socio de Knox y haga crecer su empresa hoy mismo.

[Ícono] información

Seleccione un producto Knox para comenzar:

Paquete todo en uno
Knox Suite
Cambios de marca y personalización
Knox Configure
Protección contra el fraude y el robo
Knox Guard
Plan de protección de dispositivos
Samsung Care+ for Business
Otros productos y servicios

Comience con

[Imagen] Knox Suite

Paquete de soluciones todo en uno para ofrecer movilidad empresarial.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Un conjunto completo de herramientas para proteger, implementar, administrar y analizar los dispositivos corporativos.
  • Pruebe funciones potentes incluidas en el paquete de Knox Suite.

Knox Suite incluye lo siguiente:

Knox Mobile Enrollment Gratuita
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Gratuita
Soporte remoto de Knox
Knox Capture
Knox Authentication Manager

Comience con

[Imagen] Logotipo de Knox Configure

Personalice sus dispositivos Samsung y cámbieles la marca.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Configure de forma remota los dispositivos Samsung en masa y personalícelos según las necesidades específicas, desde el primer momento.
  • Configure sus dispositivos para una implementación de una sola vez o actualícelos cuantas veces quiera.

Comience con

[Ícono] Logotipo de Knox Guard

Protección contra el fraude y el robo para dispositivos Samsung.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Reduzca los riesgos financieros y proteja los activos mediante el control remoto de dispositivos Samsung.
  • Pruebe todas las funciones de Knox Guard, incluidos el control de SIM y el bloqueo de dispositivos.

Comience con

[Imagen] Logotipo de Samsung Care Plus For Business

Planes de protección de dispositivos para dispositivos Samsung.

  • Limite las interrupciones empresariales con reparaciones y reemplazos de dispositivos rápidos. Comuníquese con el equipo de ventas de Samsung para comenzar.
  • Vea toda la cobertura para dispositivos e información de reclamaciones en un solo lugar.
  • ¿Ya compró Samsung Care+ for Business? Cree una cuenta y active su plan en la consola Samsung Care+ for Business.

Otros productos y servicios

[Imagen] Otros logotipos

Soluciones modernas para abordar sus necesidades únicas.

  • Obtenga soporte técnico eficiente de un administrador de cuentas dedicado con el Soporte técnico empresarial.
  • Cree dispositivos a medida para su empresa mediante Samsung Software Customization Service.