Samsung Knox Raises Android Security Game - InformationWeek
Government // Mobile & Wireless
07:26 PM
Larry Seltzer
Larry Seltzer
Connect Directly
How Upwork Cut Zero-Day File Attacks by 70%
Oct 05, 2017
Upwork has millions of clients and freelancers that have to upload and download many files to and ...Read More>>

Samsung Knox Raises Android Security Game

Following the BlackBerry announcement of BES 10 as a general-purpose mobile management solution, Samsung has expanded their SAFE program to include EMM features like MAM and business/personal partitioning. These companies are advancing the technology for customers. Where are Microsoft and Apple in this? Microsoft is doing a little, but Apple seems to think that management of their devices is not their problem.

The handset makers are making a play to standardize management and security of their devices in enterprises and especially in BYOD scenarios. Well, some of them are making more of a play than others.

The first big example we got of this was BlackBerry and BES 10. As I explained last week, BES 10 includes some of the new techniques of EMM (Enterprise Mobility Management) such as MAM (Mobile Application Management) and a separation of user and business personalities. These are emerging as the two key technologies in the next generation of mobile device management.

Join us at Interop Las Vegas where the mobility track will explore best practices for management of mobile computing today and what's coming in the future. Register today!

Now Samsung has announced similar capabilities for its phones called Samsung Knox —. It's not an acronym, I guess it's an allusion to Fort Knox (where, since 1937, the Treasury Department has stored the highly-secure United States Bullion Depository). There's more to Knox than MAM and personal/user "partitioning," as they call it, but I think these are the most appealing.

With MAM the company either compiles management hooks into the program or, in the case of third party programs, installs a "wrapper" program around it that provides management. This allows administrators to set policy for the use of program: for instance, they may say that it can only read from or write to certain locations, that it only communicate over SSL, or that it not put unencrypted data on the clipboard. One common MAM feature is the ability to create a custom VPN session just for that instance of the program.

The user/personal separation addresses the core problem created by BYOD: Neither users nor administrators want administrators to have control over personal user data. BlackBerry refers to the separate personal and business uses of its phones as personalities and Samsung calls them partitions. The division is baked into the operating system, so administrators not only can ignore personal data and programs, they actually have no access to it. The remote wipe becomes a wipe not of the whole phone, but of the business personality/partition.

One big difference between the BlackBerry and Samsung approaches is that BlackBerry is pushing BES 10 as a cross-platform management tool: You can use it to manage iOS and Android devices as well as its own BlackBerry phones. Superficially, SAFE is an open standard that other Android handset makers, perhaps even Google itself, could incorporate into its products, but fat chance of that. The truth is that Samsung is ascendant and BlackBerry needs to accommodate users of its competitors' products.

Samsung Knox creates partitions between personal and business use and protects one from the other.(Click for larger image)

It's more complicated than that. Like the MDM APIs of old, Knox and Samsung's earlier SAFE (Samsung For Enterprise) APIs, the interfaces are open for third-party management platforms to access. Indeed, my briefing on Knox came not from Samsung but from AirWatch, which announced its support for Knox as Samsung announced it at the recent Mobile World Congress. Other independent mobile security vendors have support for SAFE and will likely support Knox, whereas companies need a BES to support BlackBerry devices. Of course, it's more complicated than that too, as BES also provides a secure communications channel for BlackBerry and, eventually, third party devices. Knox is in beta. AirWatch, incidentally, says that it implements the most SAFE APIs of any mobile security vendor.

There may be some limitations in the partitioning that are a bit disappointing. For instance, ideally I would want the two personalities to have different phone numbers and accounts. This requires that the phone have two NAMs (Number Assignment Modules) and probably two SIM cards. There are phones like this and I have seen a business/personal virtualization scheme using the two numbers demonstrated by Cellrox. Click here to read about that and see a video of it. So it can be done, but it's not clear if either BlackBerry or Samsung are supporting it. Neither demoed it. I asked an Airwatch spokesperson to try, on their Knox phone, to make a phone call in one personality and then switch to the other personality. The phone call persisted. Whether this is correct behavior is unclear to me. There are probably arguments on both sides.

It's pretty obvious that Knox will be supported in the Galaxy S IV, which will be announced this week in New York. Will it add support into older phones, such as the very popular Galaxy S III? No word on that yet.

So both BlackBerry and Samsung are advancing security for their customers. What about Microsoft and Apple, the other big mobile OS companies? Microsoft's APIs and products (basically Intune and System Center) are quite conventional, but Apple doesn't even try. Many years ago it released an MDM API that it cloned from BlackBerry. Apple's locked-down app-deployment process means that many security products are not possible — for instance, the business/personal division is basically impossible on iOS — although it has also prevented the development of any malware of note. I suggest that in the long term, companies like BlackBerry and Samsung that help the customer to better manage their devices, will be more appealing to enterprises.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll