Samsung Knox Smartphone Guidance Published by CESG

A recent press announcement highlighted that CESG has published guidance on Samsung Knox for HM Government departments that may wish to consider issuing these smartphones for business use.

What is Samsung Knox and what guidance has been issued?
Samsung Knox is a software addition to an Android smartphone that allows corporate or professional data to be separated from unclassified user or personal data. Samsung Knox version 1.0 has gone through extensive CESG testing and can be delivered to HMG departments on the following handsets: Samsung Galaxy Note 3, Galaxy S3, S4 and S5. The advice published by CESG allows the protection built into Samsung Knox to be deployed against a consistent standard and implemented as long as the residual risks are accepted.

How can I get a copy of Knox 1.0?
You can obtain a copy of Knox 1.0 either with a new handset or through the Google Play Store.

What information can be processed on this version of Knox?
CESG provides configuration advice only for using Samsung Knox to protect information classified up to and including OFFICIAL, following a risk assessment and acceptance of the residual risks by the organisation. The use of Samsung Knox to access and protect OFFICIAL-SENSITIVE information is a risk-based decision for each organisation to make, depending on its appetite for information risk and the nature of the classified information.

Are voice communications covered under this guidance?
No. Voice is not currently covered under this guidance on this particular platform. Only the BlackBerry family of phones with the relevant chip installed are currently accredited to process voice communications up to and including the new OFFICIAL-SENSITIVE classification.

How is Knox 1.0 controlled?
Your company or organisational administrator can control which applications you can download to the handset from the Google Play Store by enforcing policy through a Mobile Device Manager (MDM). The MDM can be configured to allow or block specific Google Play Store applications, and to enforce the device security policies that the department has adopted in line with the CESG device guidance.

What other smartphones have guidance published?
Guidance has been published by CESG for both BlackBerry and iOS-based devices (iPhones and iPads from Apple) as well as Windows Phone 8, Google Chrome OS 26 and Ubuntu 12.04. All of these devices can be configured in such a way as to allow the processing and storage of OFFICIAL and OFFICIAL-SENSITIVE data, on the assumption that the residual risks highlighted by CESG, and any highlighted by the organisation’s own risk assessment, are acceptable. If you need to protect phone calls to the same standard, CESG CAPS-approved products are available on all of these devices to encrypt those conversations.

What’s the difference between a standard Android phone and a Samsung phone running Knox 1.0?
Samsung employs 256-bit encryption on the virtualised partition on the phone rather than the standard Android 128-bit encryption, giving greater protection to the data held on the phone.

What are the risks?
CESG identified the following risks surrounding the use of Samsung Knox:

  1. No Foundation Grade (CESG approved) VPN has been successfully tested for use with Knox, so data in transit is at risk of compromise.
  2. Neither the Knox container encryption nor the Android device encryption has been assured by CESG to Foundation Grade, so the data resident on the phone can be compromised if the device is stolen.
  3. The encryption keys that reside on the phone can be retrieved if the device is attacked whilst still powered on.

What can I do to mitigate these risks?

Data-in-transit risks

  • Consider the deployment of a reputable IPsec VPN client with a view to replacing this product when one that is assured to Foundation Grade becomes available.
  • Configure the device to ensure that both types of data (personal & professional) are routed within the VPN.

Data-at-rest risks

  • Ensure that the Android encryption is enabled for data outside the Knox container.
  • Disable all enterprise applications that sit outside the Knox container.

Authentication

  • Organisations considering use of Samsung Knox should employ a combination of strong passwords and PINs for both the device and the Knox container.

Application whitelisting

  • Organisations should ensure that their MDM is employed to control which applications are deployed on the phone. The Android application ecosystem has a history of allowing spyware and other malware to be deployed on the device, so it’s really important to ensure that only reputable, authorised applications are installed.

Malicious code detection and prevention

  • Only allow “vetted” applications on to your whitelist.
  • Employ an effective anti-malware product.

Incident Response

  • Ensure that your MDM supports the “remote wipe” facility in the event that a device is lost or stolen.
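The mitigations above can be turned into a repeatable compliance check run over what the MDM reports for each handset. The following is an added example, not code from CESG, Samsung or the original article: it encodes the VPN, data-at-rest, credential, application allowlisting and remote-wipe mitigations as checks over a device record. The record layout, the package names, the allowlists and the minimum credential lengths are all constructed for illustration; real MDM inventory schemas differ.

```python
"""Policy-as-code check for a Knox-enabled Android handset.

Added example (not CESG, Samsung or MDM vendor code). The device record
format below is a constructed stand-in for an MDM inventory export.
"""

# Constructed allowlists: what may run in the personal space and which
# packages count as enterprise applications (container only).
PERSONAL_ALLOWLIST = {"com.android.chrome", "com.example.maps"}
ENTERPRISE_APPS = {"com.example.mail", "com.example.crm"}

# Minimum credential policy enforced here (assumed values, not CESG figures).
DEVICE_PIN_MIN_LENGTH = 6
CONTAINER_PASSWORD_MIN_LENGTH = 8


def check_vpn(device):
    """Data in transit: an IPsec VPN must carry both personal and Knox traffic."""
    vpn = device.get("vpn", {})
    if not vpn.get("configured"):
        return ["VPN: no VPN client configured; data in transit is unprotected"]
    findings = []
    if vpn.get("protocol") != "ipsec":
        findings.append(f"VPN: protocol {vpn.get('protocol')!r} is not IPsec")
    for persona in ("personal", "knox"):
        if persona not in vpn.get("routed_personas", []):
            findings.append(f"VPN: {persona} persona traffic is not routed through the VPN")
    return findings


def check_data_at_rest(device):
    """Data at rest: Android encryption must be on outside the container."""
    findings = []
    if not device.get("device_encryption_enabled"):
        findings.append("Encryption: Android device encryption is disabled outside the Knox container")
    if not device.get("knox_container_present"):
        findings.append("Encryption: no Knox container present on the device")
    return findings


def check_credentials(device):
    """Authentication: strong credentials on both the device and the container."""
    findings = []
    dev = device.get("device_lock_policy", {})
    if dev.get("min_length", 0) < DEVICE_PIN_MIN_LENGTH:
        findings.append(f"Credentials: device PIN policy allows fewer than {DEVICE_PIN_MIN_LENGTH} digits")
    cont = device.get("container_lock_policy", {})
    if cont.get("type") != "password" or cont.get("min_length", 0) < CONTAINER_PASSWORD_MIN_LENGTH:
        findings.append(f"Credentials: container requires no password of at least {CONTAINER_PASSWORD_MIN_LENGTH} characters")
    if not cont.get("require_alphanumeric"):
        findings.append("Credentials: container password policy does not require letters and digits")
    return findings


def check_applications(device):
    """Allowlisting: only vetted apps anywhere; enterprise apps only inside Knox."""
    findings = []
    personal = set(device.get("personal_apps", []))
    container = set(device.get("container_apps", []))
    for pkg in sorted(personal - PERSONAL_ALLOWLIST - ENTERPRISE_APPS):
        findings.append(f"Apps: {pkg} in the personal space is not on the allowlist")
    for pkg in sorted(personal & ENTERPRISE_APPS):
        findings.append(f"Apps: enterprise application {pkg} is installed outside the Knox container")
    for pkg in sorted(container - ENTERPRISE_APPS):
        findings.append(f"Apps: {pkg} inside the container is not an approved enterprise application")
    return findings


def check_incident_response(device):
    """Incident response: the MDM must be able to wipe a lost or stolen device."""
    if not device.get("mdm_capabilities", {}).get("remote_wipe"):
        return ["Incident response: MDM cannot remote-wipe this device"]
    return []


def evaluate(device):
    """Run every check; an empty list means the record meets all the mitigations."""
    findings = []
    for check in (check_vpn, check_data_at_rest, check_credentials,
                  check_applications, check_incident_response):
        findings.extend(check(device))
    return findings


# Constructed sample record; values are illustrative, not from a real MDM.
SAMPLE_DEVICE = {
    "serial": "SAMPLE-0001",
    "vpn": {"configured": True, "protocol": "ipsec", "routed_personas": ["knox"]},
    "device_encryption_enabled": False,
    "knox_container_present": True,
    "device_lock_policy": {"type": "pin", "min_length": 4},
    "container_lock_policy": {"type": "password", "min_length": 8, "require_alphanumeric": True},
    "personal_apps": ["com.android.chrome", "com.example.flashlight", "com.example.mail"],
    "container_apps": ["com.example.mail", "com.example.crm"],
    "mdm_capabilities": {"remote_wipe": True},
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_DEVICE):
        print(finding)
```

Run against the sample record, the evaluator reports five findings: personal traffic bypassing the VPN, device encryption off, a four-digit device PIN policy, an unapproved app in the personal space, and an enterprise mail client installed outside the container. Each finding maps back to one of the mitigation headings above, which is what makes the output useful as an accreditation evidence trail rather than a bare pass/fail.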

The Regency View

Guidance on the deployment of the Samsung Knox container is good news for UK Government departments and opens the way for a greater selection of devices to be used within a BYOD (Bring Your Own Device) strategy in some departments. Samsung Knox users would have to agree to configuration changes made by their organisational administrator or by the MDM through which they connect. Arguably this may take away some of the sparkle of using the device, as installation of many of the more interesting applications may be constrained by the security policies enforced by the MDM. Equally, the restrictions required to comply with the advice may be unacceptable to some users on their own device. Some UK Government departments have already started to issue other mobile platforms which can only connect to a Wi-Fi network after the user enters the appropriate key; this prohibits access to captive portals in order to protect the user from inadvertently making an unsafe connection.

Organisations considering the use of Samsung Knox-enabled handsets will no doubt find business tariffs from their phone providers broadly similar to those for iPhones, but which type of handset is best remains a matter of much debate; “beauty is in the eye of the beholder”, as they say.

If you’d like more information on protecting your ICT assets feel free to contact us through this website or by calling us on 01242 225699 for an informal chat with one of our consultants.

For more information on the UK Government guidance on the use of Samsung Knox visit the following site:
https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox