Can Samsung Knox security make devices safe enough for Fort Knox?

Knox security tools help keep data safe and make Samsung devices viable even in high-security settings, but admins should enable all the features.

Samsung's Knox security tools help IT administrators preserve the integrity of corporate data, but it's important to use all the available features in Knox to reach the highest level of data security.

Knox isolates business apps and data on Samsung devices to a secure container, separating personal apps and data without compromising users' privacy. It also helps protect data communications and facilitate improved Android mobile device management (MDM). But to get the most out of Knox security, admins should use the full range of features. Otherwise data could be compromised if a device is lost or stolen, or if communications are intercepted.

In December 2013, researchers at Israel's Ben-Gurion University discovered a vulnerability on Knox-enabled devices: A malicious app loaded into the personal side of the device can intercept communications to and from the secure business apps. Samsung was quick to point out that such "man-in-the-middle" exploits can occur only when data transfers are unencrypted, so admins should require all business apps to encrypt data communications, and workers can use Android's built-in virtual private network (VPN) functionality. Admins should also enable Knox security features such as on-device data encryption (ODE), the Knox-specific VPN and enhanced MDM policy settings.

On-device data encryption

Workers should never store sensitive data unencrypted on a mobile device. If the device is lost or stolen, hackers can easily access the data, including deleted files. That's where Knox's ODE feature comes in. It uses 256-bit Advanced Encryption Standard to encrypt the entire device, and it conforms to the Federal Information Processing Standards (FIPS).

Admins can use an MDM policy or an Exchange ActiveSync policy to enable ODE on managed devices. Users can also activate ODE directly. Once enabled, ODE encrypts all storage on the device, including SD cards. Knox uses hardware accelerators to speed the encryption and decryption processes and minimize the effect on users.

VPN functionality

Android phones usually include a VPN client, but Knox has a FIPS-certified VPN client that provides broad support for IPsec functionality such as split tunneling, National Security Agency Suite B Cryptography and Internet Key Exchange (IKE). The VPN features in Knox make it possible to establish highly secure connections between a mobile device and the corporate intranet, even in regulated environments. Knox also supports up to five simultaneous connections, as well as Cisco VPN gateways.

The Knox VPN technology has per-app functionality, which lets IT specify individual apps that should automatically communicate data via a secure VPN connection. Users' personal apps don't connect over the VPN, which protects privacy and prevents personal data from overloading corporate connections.

Mobile device management

Devices in Samsung's SAFE (Samsung for Enterprise) program meet specific security criteria and can integrate with an MDM tool, making it possible for IT to secure, monitor and manage devices from a central location. Knox builds on SAFE's MDM capabilities and provides additional policies to help secure and manage Samsung devices.

Knox has a wide range of policies that apply to passwords, VPN connections, data encryption, screen locking, app and container management, email forwarding and a variety of other components. Many of the policies also comply with the U.S. Department of Defense Mobile OS Security Requirements Guide, so workers in highly secure environments can use Knox-enabled devices. In addition, the MDM agent on devices with Knox can block attacks that try to change any of its settings.

More ways Knox tightens security

At the platform level, Knox implements security-enhanced Android (SE Android), TrustZone-based Integrity Measurement Architecture (TIMA) and Trusted Boot.

SE Android is built on SELinux, a technology that defines which users and apps can access particular resources at the OS level. SE Android isolates apps and data into different domains and separates device data based on confidentiality and integrity requirements, but data can still be vulnerable if the Linux kernel is compromised. TIMA closes this gap with Advanced RISC Machine TrustZone hardware that partitions memory and CPU resources to segregate secure data from other data. TIMA also continuously monitors the Linux kernel and works with SE Android and Trusted Boot to defend against malicious attacks on the kernel and core bootstrap processes.

Trusted Boot addresses limitations in Secure Boot, a mechanism on Android systems designed to stop unauthorized boot loaders and operating systems from loading during startup. Secure Boot does not preserve evidence of authorization beyond startup, however, which means it does not continue to check for unauthorized firmware after the system boot. Trusted Boot maintains this evidence as measurements stored in TrustZone, thus helping to eliminate these vulnerabilities.
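The difference between the two boot models described above, as an added illustration that is not Samsung's code: a Secure Boot check returns only a pass/fail decision at startup, whereas a Trusted Boot check records a measurement of every stage into a hash chain so that an agent can verify the boot evidence later. The boot images, the allow-list of digests and the extend register are constructed stand-ins for what Knox would keep in TrustZone.

```python
import hashlib

# Constructed boot stages (name, image bytes); stand-ins for the boot loader,
# kernel and core services a real device measures. Not Samsung's data.
AUTHORIZED_IMAGES = {
    "bootloader": b"bootloader-v1",
    "kernel": b"kernel-v1",
    "init": b"init-v1",
}

def digest(data):
    return hashlib.sha256(data).hexdigest()

# Allow-list an OEM would sign; here derived from the constructed images.
AUTHORIZED_DIGESTS = {name: digest(img) for name, img in AUTHORIZED_IMAGES.items()}

def extend(register_hex, digest_hex):
    """PCR-style extend: new_register = H(old_register || measurement)."""
    return hashlib.sha256(bytes.fromhex(register_hex) + bytes.fromhex(digest_hex)).hexdigest()

def secure_boot(chain):
    """Secure Boot model: verify each stage before running it, retain nothing."""
    for name, image in chain:
        if AUTHORIZED_DIGESTS.get(name) != digest(image):
            return False          # boot halts; no evidence survives either way
    return True

def trusted_boot(chain):
    """Trusted Boot model: measure each stage into a hash chain and keep the
    per-stage log, the way Knox retains measurements in TrustZone."""
    register = "0" * 64           # extend register starts at all zeros
    log = []
    for name, image in chain:
        d = digest(image)
        log.append((name, d))
        register = extend(register, d)
    return {"register": register, "log": log}

def expected_register():
    return trusted_boot(list(AUTHORIZED_IMAGES.items()))["register"]

def attest(evidence):
    """Post-boot check (e.g. by an MDM agent): replay the log against the
    sealed register, then name any stage whose measurement is not authorized."""
    replay = "0" * 64
    for _, d in evidence["log"]:
        replay = extend(replay, d)
    if replay != evidence["register"]:
        return False, ["log tampered"]
    bad = [n for n, d in evidence["log"] if AUTHORIZED_DIGESTS.get(n) != d]
    return (not bad) and evidence["register"] == expected_register(), bad
```

With a modified kernel image, secure_boot() simply fails at startup, while attest() on the Trusted Boot evidence still identifies which stage was unauthorized after the fact.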

Knox also has features to support government and high-security use. Customizable Secure Boot, for example, ensures that only verified and authorized apps can run on a Knox-enabled device. Other Knox security features include support for Common Access Cards, which allows government agencies and regulated industries that require more authentication than a password to use Samsung devices. Knox also meets the FIPS 140-2 Level 1 certification requirements for all data at rest and in transit, supports Active Directory integration, and provides more than 840 MDM application programming interfaces and 390-plus IT policies.

All these features have improved on the standard features in Android devices, but even Knox-enabled devices can only be trusted if administrators implement all the available security features.