Industry talking to customers

Opportunity Knox: Layered depth defence

Published: December 18th, 2017 By: Glenn Weir


Whether it’s a border wall or a frontline trench in wartime, security has always involved a demarcation. This concept has informed computer security from its beginnings, and many security solution providers today hold to the idea that good security is down to the height and solidity of your wall.

However, strong security involves not merely a deep defence but multiple, overlapping layers. In his book Principles of Programming Languages*, University of Tennessee professor Bruce MacLennan discusses depth defence as a method of managing risk with diverse defensive strategies, “so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach.”

There are many reasons why a government IT department would want to secure the enterprise with Samsung KNOX, including:

  • Defence-grade security – KNOX meets the security requirements set by government and major enterprises worldwide, including the Canadian Federal Government, the US Department of Defense, l’Agence nationale de la sécurité des systèmes d’information (ANSSI), and the UK National Cyber Security Centre (NCSC). (Full list of KNOX certifications)
  • Best in market – In April 2016, Samsung KNOX received the most “Strong” ratings of any mobile security platform in the Gartner Inc. report “Mobile Device Security: A Comparison of Platforms.” This report compares the core OS security features built into 12 mobile device platforms as well as enterprise management capabilities.
  • Anchored and multilayered – Multilevel hardware-to-application security via Trusted Boot and Arm TrustZone-based Integrity Measurement Architecture. Installed to Samsung devices at the manufacturing stage, KNOX offers true multilayered defence, providing overlapping security at the application, middleware, kernel, and hardware levels.
  • Two devices in one – KNOX Workspace allows IT to offer employees two separate spaces: a work space and a personal space. This separation is necessary when government employees are using their smartphones both to perform key functions of their job and access the Internet and use apps after work hours for personal enjoyment.
  • Encryption – All data in KNOX Workspace is encrypted. Encryption keys are stored in the device’s chipset at the hardware level rather than in software-level file systems, which can be and regularly are breached on other devices. Keys stored in the chipset are very difficult to access.

    All files, apps, and email stored in the Workspace container are encrypted when the container is locked. The only way to access the data is for the device owner to authenticate with their password, PIN, pattern, or biometrics.

    KNOX offers an added measure of security with its Warranty Bit, which can detect whether a non-KNOX kernel has been loaded onto the device. The Warranty Bit is a one-time programmable e-fuse that can only be changed from 0x0 to 0x1 (burned); once burned, it indicates that the device can no longer use the Knox container service.

  • TrustZone – The TrustZone area of the Samsung device chipset holds the most critical data of the Knox security architecture. The moment the device is compromised, KNOX Workspace is locked down. That means no leakage of critical data, and encryption keys are irretrievable.
  • Simple management – KNOX integrates with your existing MDM, VPN, and MS Exchange ActiveSync, allowing you to offer just the right security solution for your enterprise.

The design of Samsung’s KNOX security platform was informed by:

  • First, a desire to build a trusted environment rooted in proven hardware security mechanisms. With advances by attackers, KNOX designers recognize the best defence against full-system compromises is to tie system self-checks to a secret password maintained by secure hardware and out of the reach of any software-based or physically present adversary.
  • Second, to make the trusted platform ready for enterprise use. KNOX includes a collection of useful applications and utilities that enable enterprise-ready deployment. KNOX Workspace security is based on the hardware root of trust and on isolating the work space on a device from the personal space.

Government employees are no different from non-government employees: they use their mobile devices for both work and personal purposes. KNOX gives users the ability to switch between their protected workspace and a space with their personal apps — all with the simple tap of a button. This gives IT the assurance that, no matter what employees do on their device, or where they go with it, critical professional data is more secure.

To learn more about KNOX, and the ways it can protect your organization, visit the Samsung KNOX website.

*MacLennan, Bruce. Principles of Programming Languages: Design, Evaluation, and Implementation. Oxford University Press, 1986.