Security in Samsung Knox is not an after-the-fact bolt-on: its security features are layered, from the hardware up through the software, and the platform was designed with security in mind from the start.
Security at Manufacture
Security begins at the point of manufacture. Samsung's Galaxy mobile devices are built and configured in Samsung's own factories, giving Samsung control over both the hardware and the software. Before a device leaves the factory it is provisioned with cryptographic keys in hardware, including a Device Unique Hardware Key (DUHK). Every other security control built into Knox rests on this key being programmed into the device.
Hardware-Level Security Controls
Built into the hardware are mechanisms that record whenever the device's default controls have been altered, for example by rooting. They include the Secure Boot Key and the Device Root Key, which perform the authentication and encryption operations associated with the device. Samsung calls these hardware controls the “Hardware Root of Trust.”
When a device boots, Samsung's Trusted Boot verifies the authenticity and integrity of the bootloader modules, checking each stage's signature before handing control to it and recording a measurement of what was loaded. Trusted Boot also protects the boot process by blowing a tamper-evident, one-time-programmable fuse if it detects an unauthorized modification; once blown, the fuse cannot be reset, so later software cannot hide the fact that the device was tampered with.
One layer up the stack is TrustZone, the processor's isolated secure world. Here checks confirm that neither the system software nor the kernel has been modified, for example by malicious code. If a mobile device management (MDM) system is deployed, the device attests to it that only authorized images were loaded during boot. An attestation result is only as good as its verification: the MDM should bind the report to a fresh challenge and check it server-side rather than trust a flag reported by the device's own operating system. This layer also hosts the TrustZone-based Integrity Measurement Architecture (TIMA), which among other things provides a keystore for application cryptographic keys; those keys are themselves encrypted under the device-unique hardware key provisioned at manufacture.
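As an added example (not Samsung's code, and not a description of the real Knox key formats, TrustZone interfaces or attestation protocol), the following Python models the chain described in the last three sections: keys fused at manufacture, a boot chain that verifies and measures each stage, a one-time fuse that records tampering, an attestation report bound to a verifier nonce, and a container key that is refused once the fuse is blown. Names such as `DEVICE_UNIQUE_HARDWARE_KEY`, `Device.trusted_boot` and `mdm_verify` are this example's own. The image check uses HMAC-SHA256 under a device-held key in place of the public-key signatures real Secure Boot uses, and the verifier is modeled as holding the device's attestation key directly, where in practice a vendor attestation server does; the boot images are constructed byte strings, not firmware.

```python
"""Toy model of a hardware-rooted boot chain, tamper fuse and MDM attestation.

Added illustrative example, not Samsung's Knox code: the key names, report
layout and boot images are constructed for the demo. Real Secure Boot checks
public-key signatures over the images; this model substitutes HMAC-SHA256
under a device-held key so that it runs with the standard library alone.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SHA = hashlib.sha256
# Constructed stand-ins for keys fused into the device at manufacture.
DEVICE_UNIQUE_HARDWARE_KEY = bytes.fromhex("1f" * 32)
SECURE_BOOT_KEY = bytes.fromhex("a5" * 32)
# Constructed boot images (not real firmware), in boot order.
GOOD_IMAGES = [("bootloader", b"BL demo image v1"), ("kernel", b"kernel demo image v1")]


def derive_key(root: bytes, label: bytes) -> bytes:
    """One-step HMAC derivation of a purpose-bound key from a root key."""
    return hmac.new(root, label, SHA).digest()


def sign_image(key: bytes, image: bytes) -> bytes:
    """Stand-in for the vendor's image signature (an HMAC, not a real signature)."""
    return hmac.new(key, image, SHA).digest()


def signed_stages(images):
    """Attach a valid signature to each (name, image) pair."""
    return [(name, img, sign_image(SECURE_BOOT_KEY, img)) for name, img in images]


def encode_report(nonce: bytes, fuse_blown: bool, log) -> bytes:
    """Deterministic serialization that the attestation MAC covers."""
    lines = [nonce.hex(), "fuse=%d" % fuse_blown]
    lines += ["%s:%s:%d" % (name, digest, ok) for name, digest, ok in log]
    return "\n".join(lines).encode()


@dataclass
class Device:
    secure_boot_key: bytes
    duhk: bytes
    warranty_fuse_blown: bool = False             # one-time programmable, never cleared
    boot_log: list = field(default_factory=list)  # (stage, sha256 hex, verified)

    def trusted_boot(self, stages) -> bool:
        """Verify and measure each stage; a bad stage blows the fuse but the chain
        continues, so the device stays tamper-evident. True only if all verified."""
        for name, image, signature in stages:
            verified = hmac.compare_digest(signature, sign_image(self.secure_boot_key, image))
            self.boot_log.append((name, SHA(image).hexdigest(), verified))
            if not verified:
                self.warranty_fuse_blown = True
        return not self.warranty_fuse_blown

    def attest(self, nonce: bytes) -> dict:
        """Report measurements and fuse state, MAC'd under a DUHK-derived key."""
        payload = encode_report(nonce, self.warranty_fuse_blown, self.boot_log)
        mac = hmac.new(derive_key(self.duhk, b"attestation"), payload, SHA).hexdigest()
        return {"nonce": nonce.hex(), "fuse_blown": self.warranty_fuse_blown,
                "log": list(self.boot_log), "mac": mac}

    def container_key(self) -> bytes:
        """Work-container key: derived from the hardware key, withheld once tampered."""
        if self.warranty_fuse_blown:
            raise PermissionError("integrity compromised; container key withheld")
        return derive_key(self.duhk, b"work-container")


def mdm_verify(report: dict, nonce: bytes, attestation_key: bytes, expected: dict):
    """Verifier side (in practice a vendor attestation server holding per-device keys).
    Checks freshness, then the MAC, then the fuse, then the image allow-list."""
    if bytes.fromhex(report["nonce"]) != nonce:
        return False, "stale or replayed report"
    payload = encode_report(nonce, report["fuse_blown"], [tuple(e) for e in report["log"]])
    if not hmac.compare_digest(hmac.new(attestation_key, payload, SHA).hexdigest(), report["mac"]):
        return False, "bad MAC"
    if report["fuse_blown"]:
        return False, "warranty fuse blown"
    booted = {name: digest for name, digest, ok in report["log"] if ok}
    if booted != expected:
        return False, "unexpected boot images"
    return True, "ok"


def demo(tamper: bool):
    """Boot a fresh device, optionally with a swapped kernel, and run the MDM check."""
    stages = signed_stages(GOOD_IMAGES)
    if tamper:  # attacker swaps the kernel but cannot produce a valid signature
        name, _, sig = stages[1]
        stages[1] = (name, b"rooted kernel image", sig)
    dev = Device(SECURE_BOOT_KEY, DEVICE_UNIQUE_HARDWARE_KEY)
    booted = dev.trusted_boot(stages)
    nonce = bytes.fromhex("0123456789abcdef0123456789abcdef")  # verifier-chosen; fixed here
    expected = {name: SHA(img).hexdigest() for name, img in GOOD_IMAGES}
    verifier_key = derive_key(DEVICE_UNIQUE_HARDWARE_KEY, b"attestation")
    return (booted,) + mdm_verify(dev.attest(nonce), nonce, verifier_key, expected)


if __name__ == "__main__":
    print(demo(tamper=False))  # (True, True, 'ok')
    print(demo(tamper=True))   # (False, False, 'warranty fuse blown')
```

Two points the model makes explicit: the verifier rejects a report whose nonce it did not issue, so a captured “clean” report cannot be replayed, and because the fuse state sits inside the MAC'd payload, software on the device cannot hide a blown fuse by editing the report before sending it.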
Application-Level Controls
Samsung Knox also includes controls at the application layer. Containerization separates corporate data from personal data: the work container is under the enterprise's full control, while personal data remains private. All data held in the container is encrypted, with the cryptographic keys kept in hardware. At this layer Knox adds a number of security enhancements to the Android operating system, building on its native capabilities so that organizations can meet stringent security and compliance requirements in industries such as healthcare, financial services and government, keeping employees productive while corporate assets stay protected.
Samsung Knox also has many features that let it integrate easily with the other controls an enterprise already uses. More than 1,500 APIs are provided for integration with MDM systems, along with solutions that let IT admins configure VPN controls and smart card frameworks, and provide single sign-on integration with Active Directory.
Knox has been recognized as the industry’s leading mobile security platform. In a Gartner mobile security report, “Mobile Device Security: A Comparison of Platforms,” published in April 2016, Samsung Knox received the most “Strong” ratings of any mobile platform. Samsung Knox was also the only platform in the report to receive “Strong” ratings in all security controls listed in the Corporate-Managed Security category.
The security features built into Knox provide what Samsung describes as “defense-grade security.” They ensure that Samsung mobile devices can serve as an essential part of any enterprise mobility infrastructure. Mobility is key for both individuals and organizations today and its importance is only set to grow — security can’t be an afterthought. Thanks to the multi-layered security features included in Samsung Knox, security is at the forefront of its design.
Find out more about how Samsung Knox can provide your business with cutting-edge mobile security.