The U.S. Department of Defense recently approved Android devices that utilize Samsung's KNOX platform. My organization has been wary of allowing Androids on the corporate network, pushing users to iPhones and BlackBerrys instead. Could you explain what KNOX does to secure Android devices and whether it may be a viable enterprise device platform as well?
Ask the Expert
SearchSecurity expert Michael Cobb answers questions about enterprise application security and platform security.
Although the security of the open source Android OS is considered as robust as that of iOS and BlackBerry OS, devices running Android have generally been shunned by enterprises because of concerns over the number of malicious Android apps and the ease with which attackers have been able to distribute them, helped by lax submission policies on Google Play.
Samsung is hoping to change this mindset with its new Android-based KNOX platform, a locked-down version of Android that enables work and personal data to safely coexist on the same device while retaining full compatibility with the Android ecosystem. The KNOX platform has been approved for use within the U.S. Department of Defense by the Defense Information Systems Agency (DISA), and it could prove a popular solution for network administrators trying to control employee-owned devices in the enterprise.
One of today's top bring your own device (BYOD) concerns is data leakage caused by the mixing of professional and personal data and apps. Administrators have been reluctant to use remote wipe tools on lost devices because they typically erase the user's personal data, photos, music and other files as well as the corporate information. Enterprise data stored on Android devices has also been under threat from malicious apps that users download from third-party app marketplaces. The KNOX platform tackles these problems by using partitions -- called containers -- to isolate enterprise apps and to encrypt enterprise data both at rest and in motion. Administrators therefore have no access to personal apps and data, which remain outside the isolated business environment, and a remote wipe erases only the business partition.
KNOX includes other security features:
- Customizable Secure Boot, which ensures that only verified and authorized software can run on the device;
- ARM's TrustZone-based Integrity Measurement Architecture, which continuously monitors the integrity of the Linux kernel and, if it detects a kernel or boot loader violation, disables the kernel and powers down the device; and
- Security Enhancements for Android, which enforces the separation of information according to confidentiality and integrity requirements by isolating applications and data into different domains. This reduces the risk of tampering with or bypassing application security mechanisms and limits the damage a malicious application can do.
Also, an on-demand Federal Information Processing Standards (FIPS)-certified VPN client can be configured and provisioned on a per-application basis.
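The two boot-time and run-time controls in the list above, secure boot and continuous kernel integrity measurement, share one principle: measure a component before (or while) trusting it, and fail closed on a mismatch. The following is an added illustration written for this page, not Samsung's code and not a description of how KNOX or TrustZone implement these checks internally. It uses SHA-256 digests as a stand-in for the signature verification a real secure boot performs, constructed byte strings in place of firmware images and kernel memory, and an assumed "authorized kernels" set standing in for whatever the customizable part of the boot policy actually holds.

```python
"""Toy model of secure boot plus continuous integrity measurement.

Added illustration only: digests stand in for signatures, and the firmware
images and kernel regions below are constructed samples, not device data.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed firmware stages. In a real chain each image is signed; here the
# previous stage simply holds the digest it expects of the next one.
BOOTLOADER = b"constructed bootloader image v1"
KERNEL = b"constructed kernel image 3.4"

# Root of trust: digest of the first stage, assumed to live in read-only storage.
ROOT_OF_TRUST = digest(BOOTLOADER)

# The "customizable" part of the policy (an assumption for this example): the set
# of kernel images the device owner has authorized to boot.
AUTHORIZED_KERNELS = {digest(KERNEL)}


def secure_boot(bootloader: bytes, kernel: bytes, authorized=AUTHORIZED_KERNELS):
    """Verify each stage before it is 'executed'.

    Returns (booted, stages_run). Fails closed: an unverified stage halts the
    boot rather than running, so only verified software ever gets control.
    """
    stages_run = []
    if digest(bootloader) != ROOT_OF_TRUST:
        return False, stages_run
    stages_run.append("bootloader")
    if digest(kernel) not in authorized:
        return False, stages_run
    stages_run.append("kernel")
    return True, stages_run


class IntegrityMonitor:
    """Continuous measurement of named read-only regions of a running kernel.

    Baselines are taken once after a verified boot. Each later measurement
    re-hashes the regions and records any that changed; on a violation the
    caller is told to stop the kernel and power down, mirroring the fail-closed
    behaviour described in the text.
    """

    def __init__(self, regions: dict):
        self.baseline = {name: digest(data) for name, data in regions.items()}
        self.violations = []  # (tick, region) pairs kept for audit

    def measure(self, regions: dict, tick: int) -> str:
        changed = [name for name, data in regions.items()
                   if digest(data) != self.baseline.get(name)]
        if changed:
            self.violations.extend((tick, name) for name in changed)
            return "POWER_DOWN"
        return "OK"


def demo():
    """Clean boot, tampered boot, then a run-time modification; returns outcomes."""
    results = {}
    results["clean_boot"] = secure_boot(BOOTLOADER, KERNEL)
    results["tampered_boot"] = secure_boot(BOOTLOADER, KERNEL + b" + unauthorized patch")

    # Constructed kernel memory regions as the monitor would see them.
    regions = {
        "text": b"kernel code (constructed)",
        "syscall_table": b"sys_read,sys_write,sys_open",
    }
    mon = IntegrityMonitor(regions)
    results["tick1"] = mon.measure(regions, tick=1)
    # Simulate an in-memory change to a region that should never change.
    regions["syscall_table"] = b"sys_read,sys_write,replaced_open"
    results["tick2"] = mon.measure(regions, tick=2)
    results["violations"] = list(mon.violations)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The boot check and the run-time check answer different questions: `secure_boot` decides whether an image may run at all, while `IntegrityMonitor` catches a kernel that was clean at boot but changed afterwards. Both refuse to continue on a mismatch; a monitor that only logged the change would leave the tampered kernel running.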
As a platform, Android already owns the largest share of the smart device market, and the introduction of Samsung KNOX means there is now a reasonably secure Android device for enterprises to leverage. KNOX's primary competitor is BlackBerry Balance, which also separates personal and business use of its phones into two personalities, but BlackBerry's service does not include management of the work space through containers in Active Directory.
Samsung KNOX is compatible with multiple enterprise mobile device management (MDM) products, and any Android app that is to run in the secure work partition must come from an app store curated by Samsung. While such enterprise apps will need to be checked and signed by Samsung, developers will not need to write their own enterprise features, such as a FIPS-compliant VPN, on-device encryption or enterprise single sign-on, because KNOX provides all of these.
The dual-persona design should make KNOX popular with employees, as personal applications and data are kept private from network administrators. The platform should also be easy for users to handle: it does not rely on virtualization, and users can switch between personal and work use with no reboot or wait time, simply by pressing an icon.
This was first published in October 2013