UK Government EUD Guidance Whitepaper


Samsung KNOX 2
UK Government EUD Guidance Whitepaper
December 2014

Copyright Notice

Copyright 2014 Samsung Electronics Co. Ltd. All rights reserved. Samsung is a registered trademark of Samsung Electronics Co. Ltd. Specifications and designs are subject to change without notice. Non-metric weights and measurements are approximate. All data were deemed correct at time of creation. Samsung is not liable for errors or omissions. All brand, product, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.

Document Information

This document was last modified on December 24th, 2014.

Document History

Date                 Changes
November 4th 2014    First Draft
November 5th 2014    Updated Acronyms and references
November 7th 2014    Updated following review comments from HQ
December 24th 2014   Updated following final release of EUD Guidance for KNOX v2.x

Contact Information

Samsung Electronics Co., Ltd
416, Maetan-3dong, Yeongtong-gu
Suwon-City, Gyeonggi-do, 443-742
Korea

Samsung Enterprise Mobility Solutions – Santa Clara
Samsung Telecommunications America, Ltd
3920 Freedom Circle; Suite 101
Santa Clara, CA 95054
United States of America

Contents

Acronyms
1 Introduction
2 End User Devices Security Framework
3 Samsung KNOX UK Public Sector Usage Scenario
4 How Samsung KNOX can meet the EUD Security Framework Requirements
    Assured Data-In-Transit Protection
    Assured Data-At-Rest Protection
    Authentication
        User to Device
        User to Service
        Device to Service
    Secure Boot
    Platform Integrity and Application Sandboxing
        SE for Android
        TrustZone-based Integrity Measurement Architecture
        KNOX Container
    Application Whitelisting
    Malicious Code Detection and Prevention
    Security Policy Enforcement
    External Interface Protection
    Device Update Policy
    Event Collection for Enterprise Analysis
    Incident Response
5 Samsung KNOX Configuration Guidance
    Configuration
    Policies for Samsung KNOX Enabled Device
    Policies for Samsung KNOX Container
    VPN Configuration
6 Samsung KNOX Deployment Guidance
    MDM Support
    KNOX License Management
    Recommended Provisioning Steps
About Samsung Electronics Co., Ltd.

List of Tables

Table 1 - Mapping of Samsung KNOX functionality to EUD Security Framework Requirements
Table 2 - MDM policy configuration for Samsung KNOX enabled device
Table 3 - MDM policy configuration for the Samsung KNOX container

Acronyms

API        Application Programming Interface
APN        Access Point Name
CESG       Communication & Electronics Security Group
COPE       Corporately Owned Personally Enabled
CPA        Commercial Product Assurance
DEK        Data Encryption Key
DH         Diffie-Hellman
EUD        End User Devices
FIPS       Federal Information Processing Standards
GCM        Galois Counter Mode
IKE        Internet Key Exchange
IPSec      Internet Protocol Security
KNOX       The Samsung enterprise security solution
LDAP       Lightweight Directory Access Protocol
MAC        Mandatory Access Control
MDM        Mobile Device Management
NAT        Network Address Translation
NFC        Near Field Communication
ODE        On Device Encryption
OFFICIAL   UK Government Security Classification
OTA        Over The Air
PKM        Periodic Kernel Measurement
RAM        Random Access Memory
RKP        Real-time Kernel Protection
ROM        Read Only Memory
SD Card    Secure Digital Card
SEAMS      SE for Android Management Service
SSL        Secure Sockets Layer
SSO        Single Sign On
TIMA       TrustZone based Integrity Measurement Architecture
URL        Uniform Resource Locator
USB        Universal Serial Bus
VPN        Virtual Private Network

1 Introduction

Samsung KNOX 2 is the next generation of the secured Android platform introduced by Samsung in 2013 as Samsung KNOX. Targeted primarily at mid and high-tier devices, it leverages hardware security capabilities to offer multiple levels of protection for the operating system and applications.

Key features of KNOX Workspace include Trusted Boot, ARM TrustZone-based Integrity and Security services, SE for Android enhancements (KNOX platform), and the KNOX 2 container. In addition, KNOX 2 features a new enterprise enrolment process that vastly improves both the employee and IT administrator experience for enrolling devices into the company's MDM system.

Figure 1 - Samsung KNOX overview

The Samsung KNOX mobile security solution is highly suited to Government and Public Sector deployments of mobile platforms for remote working, and is designed to meet the stringent requirements demanded by Government organisations.

Samsung works closely with Government Information Assurance and Security organisations on a continuous basis to ensure our products and solutions meet and exceed these requirements.

In the UK, the Cabinet Office has introduced the End User Devices Strategy [1], which aims to enable public sector workers to work from any location using any suitable device. Adoption of the strategy enables central government and public sector organisations to access the latest technology meeting certain standards, and to deploy cost effective commercial devices.

As part of this strategy, CESG, the National Technical Authority for Information Assurance, has produced a security framework for End User Devices working with OFFICIAL information, which defines controls for devices used for both OFFICIAL and OFFICIAL-SENSITIVE [2].

CESG assesses suitable End User Devices against the security framework requirements, producing guidance for UK Public Sector organisations describing how best to configure the device to meet the requirements, highlighting any areas where the platform does not meet the security framework requirements and identifying risks that should be considered when deploying the platform in their systems [3].

Samsung, as a world-leading Smartphone and Tablet manufacturer with a broad range of consumer devices, coupled with the Samsung KNOX mobile security solution, is a natural fit for the UK Government End User Devices Strategy, meeting the needs of the public sector in both security and functionality. As such, CESG has assessed the Samsung KNOX platform, producing platform security guidance for public sector deployments [4].

This whitepaper explains how the features of Samsung KNOX allow public sector organisations to deliver market leading devices to their users, as part of a cost effective solution meeting the standards for the End User Devices Strategy, with minimal deployment risk, as shown in the CESG platform guidance for Samsung KNOX enabled devices.

2 End User Devices Security Framework

The End User Devices Strategy: Security Framework and Controls document [5] defines a set of security requirements and controls for End User Devices working with OFFICIAL information. The framework defines 12 areas that require security controls, with requirements and controls for each area detailed in the document.

Figure 2 - EUD Security Framework Requirements

CESG assesses platforms such as Samsung KNOX against the 12 areas, identifies any risks, and defines configuration guidance for the platform which outlines how best to deploy the platform to meet the standards expected when handling OFFICIAL classification data. Specific per-platform guidance, along with general security recommendations and enterprise considerations, is published on the UK Government web portal.

The CESG assessment is independent. This whitepaper takes the EUD guidance for KNOX and aims to highlight the exact features of the platform and how they can be used to meet the standards required by the public sector.

3 Samsung KNOX UK Public Sector Usage Scenario

The EUD Guidance presents a usage scenario for Samsung KNOX enabled devices, where devices will be used remotely over 3G, 4G and non-captive Wi-Fi networks to enable remote working in the form of accessing OFFICIAL classification email, reviewing and commenting on OFFICIAL documentation, and accessing the intranet and other corporate resources.

It is advised that, due to the enhanced security features of the Samsung KNOX Container, sensitive enterprise data should be stored in the container, and corporate resources accessed via the container. Non-sensitive work can be carried out outside the container, with the user entering the container to access sensitive data.

All data-in-transit from the device should be routed over a VPN for confidentiality and integrity of device traffic, and to allow devices to be protected by enterprise monitoring solutions.

Arbitrary installation of third-party applications by the user should not be permitted. Application whitelisting should be employed and approved enterprise applications distributed to devices. Unnecessary applications should be removed or managed using whitelisting.

This usage scenario defines how best to make use of Samsung's differentiating security features and is used as a basis for the recommended configuration presented in the guidance.

4 How Samsung KNOX can meet the EUD Security Framework Requirements

The EUD platform guidance for Samsung KNOX includes a section describing how the platform can best satisfy the security recommendations. Below we take this further and describe the specific features of Samsung KNOX enabled devices that align with the EUD security framework, and clearly differentiate Samsung KNOX from other available platforms.

Table 1 provides a summary of the technical features and controls which Samsung KNOX enabled devices provide to meet the EUD Security Framework requirements.

    Requirement                                      Mitigation
 1  Assured Data-in-transit protection               KNOX Enterprise IPSec VPN
 2  Assured Data-at-rest protection                  On Device Encryption; SD Card Encryption; KNOX Container Encryption
 3  Authentication
      User to Device                                 Android device lock screen; KNOX Container lock screen
      User to Service                                SSO Support
      Device to Service                              Mutual authentication established by IPSec VPN client; TIMA attestation
 4  Secure Boot                                      Secure Boot mechanism; Trusted Boot mechanism
 5  Platform Integrity and Application Sandboxing    SE for Android; TIMA; KNOX Application Container
 6  Application Whitelisting                         Application whitelisting for device; Application whitelisting for KNOX Container
 7  Malicious code detection and prevention          3rd party anti-malware products; Integrity Monitoring services
 8  Security policy enforcement                      KNOX Standard and Premium MDM APIs
 9  External interface protection                    MDM Restriction Policies; MDM Firewall Policies
10  Device update policy                             OTA device firmware updates; SE for Android policy updates
11  Event collection for enterprise analysis         KNOX Audit Logging capability
12  Incident response                                MDM capabilities for remote lock, remote wipe of device, and certificate management

Table 1 - Mapping of Samsung KNOX functionality to EUD Security Framework Requirements

Assured Data-In-Transit Protection

Samsung KNOX offers comprehensive support for VPN, both IPSec and SSL. The KNOX platform provides a VPN framework which allows third-party vendors to provide their clients as plug-ins to the framework. The framework enables these clients to be configured and managed via KNOX MDM policies.

The EUD Security Framework mandates the use of an IPSec based VPN, using certificate based authentication.

The KNOX platform currently supports IPSec VPN functionality via the Mocana KeyVPN IPSec client plug-in integrated into the KNOX VPN framework. The client supports the following features:

- Includes FIPS 140-2 Level 1 certified cryptography module
- Internet Key Exchange IKE v1 (Aggressive and Main Mode)
- IKE v2 / IPv4 / IPv6 / XAUTH / NAT Traversal
- IPsec (ESP) using Data Encryption Standard (DES)/Triple DES (3DES) (56/168-bit) or AES (128/256-bit) with MD5 or SHA
- RSA, Diffie-Hellman, Elliptic Curve and full support for NSA Suite B Cryptography
- X.509 v3 certificate support

Support for additional IPSec based clients is planned for the near future, including integration of the Strongswan based device client into the KNOX framework (a number of different third-party SSL clients are already supported).

The KNOX VPN framework and management APIs allow VPN configurations to be defined for the full device, per container, and also in per-app mode. The per-app mode allows an MDM to select applications (inside or outside the container) to connect to the network via a specified VPN profile. All applications inside the container and outside the container can be added. Up to 5 simultaneous VPN connections are allowed, allowing an administrator to define groups of applications to connect to different VPNs.

Once the VPN is configured in per-app or per-container mode, tunnel establishment is automatic. If the VPN is not connected, all outbound traffic from the application is blocked from leaving the device. When connected, traffic is routed via the VPN, depending on how the devices have been configured (full device VPN, Container, per-app etc.). VPN profiles are provisioned by the MDM; they cannot be disabled or modified by the user.

These features are highly suited to the EUD deployment use case, allowing all device traffic to be tunnelled automatically, without user interaction, in an 'always-on' type configuration, preventing data leakage, and allowing traffic monitoring and filtering inside the customer network if desired.

The EUD guidance for KNOX recommends the use of the per-app VPN configuration, with all applications inside the KNOX container and all applications outside the KNOX container added to a VPN profile, to ensure all traffic is routed through the enterprise VPN. The flexibility of the Samsung solution allows administrators to configure separate VPN tunnels for applications inside and outside the container, so separating enterprise and less-trusted non-enterprise traffic, but still being able to monitor and control all traffic from the device as required.

Assured Data-At-Rest Protection

Data at Rest protection is a core part of the Samsung KNOX layered security solution. The KNOX container (an isolated environment for enterprise applications and data, described later in this whitepaper) has its own AES256 encrypted file system, which automatically protects all data within the container.

A comprehensive key management solution has been implemented to meet the needs of Government customers, which includes the use of TrustZone based mechanisms with device unique hardware keys to protect encryption keys, as well as user passcodes. The KNOX platform stores cryptographic values within TrustZone, protected by hardware, which the platform only releases if the integrity of the platform has been verified during boot. If the integrity of the device has been compromised, the values required to derive the container encryption keys are not released, meaning sensitive data cannot be decrypted, protecting it from potential compromise.

In addition, full On Device Encryption (ODE) can optionally be enabled or enforced by the administrator to encrypt the entire device data partition, thus protecting data outside the container as well. Further, if the use of external SD Cards is permitted, encryption can also be enabled and enforced for files stored on this media.

T
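The data-in-transit section above lists what the IPSec client can negotiate (including DES, 3DES and MD5) alongside what the EUD framework actually requires (IPSec, certificate based authentication, traffic blocked when the tunnel is down, profiles the user cannot modify, and every application inside and outside the container assigned to one of at most 5 profiles). The following is an added example, not Samsung's code and not the KNOX MDM API: a pre-deployment check that an administrator could run over the profiles and per-app assignments they intend to push. The profile field names, the cipher labels and the sample packages are all assumptions constructed for the example.

```python
# Added example (not Samsung's code or the KNOX MDM API): checks VPN profiles and
# per-app assignments against the data-in-transit requirements described above.
# Field names, cipher labels and sample package names are assumptions.

MAX_TUNNELS = 5                          # stated above: up to 5 simultaneous VPNs
WEAK_CIPHERS = {"DES", "3DES"}           # negotiable by the client, not acceptable here
STRONG_CIPHERS = {"AES-128", "AES-256"}  # assumed labels for the AES options
WEAK_INTEGRITY = {"MD5"}


def check_profile(profile: dict) -> list:
    """Return findings for one VPN profile; an empty list means it is acceptable."""
    findings = []
    if profile.get("type") != "ipsec":
        findings.append("type: framework mandates an IPSec based VPN")
    if profile.get("auth") != "certificate":
        findings.append("auth: framework mandates certificate based authentication")
    cipher = profile.get("cipher")
    if cipher in WEAK_CIPHERS or cipher not in STRONG_CIPHERS:
        findings.append(f"cipher: {cipher!r} is not an AES mode")
    if profile.get("integrity") in WEAK_INTEGRITY:
        findings.append("integrity: MD5 is not acceptable, use SHA")
    if not profile.get("block_when_down", False):
        findings.append("block_when_down: traffic must be blocked while the tunnel is down")
    if profile.get("user_modifiable", False):
        findings.append("user_modifiable: profiles must not be modifiable by the user")
    return findings


def check_deployment(profiles: dict, assignments: dict, apps: dict) -> list:
    """
    profiles:    profile name -> profile dict
    assignments: profile name -> set of package names routed through that profile
    apps:        package name -> "inside" or "outside" (container placement)
    Returns findings for the whole device configuration.
    """
    findings = []
    if len(profiles) > MAX_TUNNELS:
        findings.append(f"{len(profiles)} profiles exceed the {MAX_TUNNELS} tunnel limit")
    for name, profile in profiles.items():
        findings += [f"{name}: {f}" for f in check_profile(profile)]
    # Every application, inside or outside the container, must sit in some profile.
    covered = set().union(*assignments.values()) if assignments else set()
    for pkg, placement in sorted(apps.items()):
        if pkg not in covered:
            findings.append(f"{pkg} ({placement} container) is not routed through any VPN profile")
    return findings


# Constructed sample configuration: the recommended split of one tunnel for
# container applications and a second one for applications outside it.
SAMPLE_APPS = {
    "com.example.mail": "inside",
    "com.example.docs": "inside",
    "com.example.browser": "outside",
}
SAMPLE_PROFILES = {
    "enterprise": {"type": "ipsec", "auth": "certificate", "cipher": "AES-256",
                   "integrity": "SHA", "block_when_down": True, "user_modifiable": False},
    # Deliberately weak second profile so the check has something to report.
    "general":    {"type": "ipsec", "auth": "certificate", "cipher": "3DES",
                   "integrity": "MD5", "block_when_down": True, "user_modifiable": False},
}
SAMPLE_ASSIGNMENTS = {
    "enterprise": {"com.example.mail", "com.example.docs"},
    "general": set(),                    # browser forgotten: reported as uncovered
}

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE_PROFILES, SAMPLE_ASSIGNMENTS, SAMPLE_APPS):
        print(finding)
```

Run as-is, the sample reports the 3DES cipher and MD5 integrity of the "general" profile and the browser package that no profile covers; once the browser is assigned and the profile moved to AES with SHA, the check returns nothing.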
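The data-at-rest section above describes a design rather than an algorithm: container key material is protected by a device-unique hardware key and the user passcode, and is only released when boot-time integrity verification passes. The block below is an added example, not Samsung's code and not the KNOX key hierarchy, that models those three properties so they can be exercised: the derivation is bound to the hardware key, the passcode and the container identity, and returns nothing at all when the recorded boot measurement differs from the reference. The hardware key, the reference measurement, the PBKDF2 iteration count and the derivation layout are illustrative assumptions.

```python
# Added example (not Samsung's code): a model of the key-release design described
# above. Container key material is derived from a device-unique hardware key plus
# the user passcode, and only produced when the boot measurement matches the
# reference. Constants and the derivation layout are illustrative assumptions.
import hashlib
import hmac

# Constructed values standing in for what TrustZone would hold on a real device.
HW_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)        # device-unique, 32 bytes
EXPECTED_MEASUREMENT = hashlib.sha256(b"known-good boot chain").digest()
PBKDF2_ITERATIONS = 50_000


def boot_integrity_ok(measurement: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the recorded boot measurement with the reference."""
    return hmac.compare_digest(measurement, expected)


def derive_container_dek(hw_key: bytes, passcode: str, container_id: bytes,
                         measurement: bytes, expected: bytes):
    """
    Return the 32-byte container data encryption key, or None when the platform
    integrity check fails. The key depends on the hardware key, the passcode and
    the container identity, so no single one of them is enough to recover it.
    """
    if not boot_integrity_ok(measurement, expected):
        return None                      # modified boot chain: nothing is released
    # Salt binds the passcode stretching to this device and this container.
    salt = hashlib.sha256(hw_key + container_id).digest()
    kek = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    # Final step is keyed with the hardware key, so passcode guessing without the
    # TrustZone-held secret yields nothing usable off the device.
    return hmac.new(hw_key, b"container-dek|" + container_id + kek,
                    hashlib.sha256).digest()


def demo():
    """Derive once with a verified boot and once with a tampered measurement."""
    good = derive_container_dek(HW_KEY, "1234", b"knox-1",
                                EXPECTED_MEASUREMENT, EXPECTED_MEASUREMENT)
    tampered = derive_container_dek(HW_KEY, "1234", b"knox-1",
                                    hashlib.sha256(b"modified kernel").digest(),
                                    EXPECTED_MEASUREMENT)
    return good, tampered


if __name__ == "__main__":
    good, tampered = demo()
    print("verified boot :", good.hex())
    print("tampered boot :", tampered)
```

The point the model makes is the one the section relies on: with the measurement mismatched, the caller never sees key material, and even with a verified boot a correct passcode on a different device (different hardware key) or for a different container derives a different key.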
