cis13: samsung’s perspective on mobile identity

MOBILE ENTERPRISE IDENTITY

7/11/13 © Samsung 2013. All rights reserved. 1

State of Identity

2

Industry Trends

§  Cloud, Mobile and Compliance requirements are the three top business and technology waves impacting enterprise IT –  BYO Servers & BYO Applications –  BYO Laptops & BYO Devices

§  Identity is at the center of all three waves

Samsung Confidential 3

Current State of Enterprise Identity

D A T A   C E N T E R  

DATA  C

EN

TER  

SERVERS  

DATA  C

EN

TER  

APPS  Smartphones  and  Tablets  

End  Users  

Laptops  

C L O U D  ID  

ID  

ID  

ID  

ID  ID  

ID  

ID  ID  

ID  

ID  

ID  

ID  

ID  

Samsung Confidential 4

Multiple Login for Users. Multiple Identity Infrastructure for IT.

State of Identity

5

But  Can  You  Con(n)  

SAMSUNG KNOX

7/11/13 © Samsung 2013. All rights reserved. 6

Introducing Samsung KNOX

7/11/13 © Samsung 2013. All rights reserved. 7

Multi-layered approach to OS Security

7/11/13 © Samsung 2013. All rights reserved. 8

•  Isolated virtual Android environment

•  Activated by Enterprise Identity •  Integrated with Enterprise Active

Directory

•  Managed by Group Policy Manager*

Enterprise Application Container

7/11/13 © Samsung 2013. All rights reserved. 9

Enterprise Application Container

Personal Applications

*supports  other  consoles  such  as  MDMs    

Secure Android Platform

•  Virtual Android Environment -  home screen, launcher, apps,

widgets, notifications

-  Additional apps from enterprise app store

•  Activated on signing with enterprise identity

•  Encrypted file system with AES 256-bit encryption.

•  Data sharing, apps, files, network completely isolated

•  Policies to allow remote IT configuration and management.

Isolated Virtual Android Environment

7/11/13 © Samsung 2013. All rights reserved. 10

Activate Knox Container with Enterprise Identity

Samsung Confidential 11

§  Enroll to create container

§  Use AD/GPM to manage container

§  Use same to sign into other cloud services

Centrify  SSO  (SaaS)

Container

SSO

…

KNOX Android Framework

Intranet

Centrify Cloud Proxy

1

Enroll  with  Enterprise  IdenBty  

3

Leverage  same  for  SSO  

2

Manage  with  AD/GPM  

AD/GPM Knox Container Management

7/11/13 © Samsung 2013. All rights reserved. 12

§  Samsung KNOX allows AD/GPM-based Container Management for enterprises that do not desire a traditional MDM system

§  Multi-application SSO is built into the Knox Container

§  The container identifies the user to the apps

§  The container can get AD attributes for the apps

§  Apps can request security tokens for their web app/service

SSO built in the Knox Container

Samsung Confidential 13

§  Container policies follow the user’s account lifecycle automatically –  Ex. upon termination,

employees must not be able to access company information from any device

§  AD changes automatically apply to container on user devices: –  Role changes may require

updated access policies –  Termination requires auto-

removal of access credentials and company data

Integrated Admin Follows User Lifecycle

User  enrolls  their  own  devices  

Update  device  security  seIngs  or  new  group  

de-­‐provision  device  

Lock  account  and  full  device  wipe  

Delete  or  disable  account  and  de-­‐provision  device  

Ac*ve  Directory  

Samsung Confidential 14

Knox Smart Card support

7/11/13 © Samsung 2013. All rights reserved. 15

§  Samsung Knox supports Smart Cards –  Requires a compatible bluetooth

CAC reader such as the baiMobile™ 3000MP Bluetooth ® Smart Card Reader.

§  Currently allows –  Browser, email and VPN can

use credentials on the smart card –  KNOX also support two-factor authentication for the device lock

screen using the CAC –  Other applications may also utilize the CAC card via PKCS 11 APIs