Samsung's knock on enterprise: Knox team talks BYOD
The Samsung Knox team boss tells how it all got started and how the Korean tech giant wants to evolve its touted mobile security solution for the global mobile workforces of today, reports ZDNet Korea's Cho Mu-hyun.
"When we told our colleagues and friends that we were working on something called Knox, their reactions were all the same: 'What in the world is that?'" said Injong Rhee, senior vice president of Knox Business, IT & Mobile Communications Division at Samsung Electronics, with a chuckle, when asked how Samsung Knox started.
ZDNet Korea met Rhee and two senior engineers of Samsung's B2B R&D Group under his wing, Younkyu Heo and Gyejoong Shin, at the company's Seo-cho office in Seoul, to get the goods on Knox, Samsung's mobile security solution aimed at the enterprise market.
Knox is an odd child of sorts for Samsung, which is known more for its hardware and manufacturing prowess in the consumer sector. The words "enterprise" and "solution" are still something of a novelty for the public at large, at least in Korea, as well as within the company to some degree.
Rhee looks athletic and is lean. He wears his hair very long, reminiscent of rock stars of the '80s or football players. He is very laid-back and talks with ease. His suit is stylish, but it isn't gaudy. He doesn't seem like your regular Samsung man (formal, perhaps too "professional" and polite for those in the West), but then Knox is just as unusual for Samsung.
"That is why it was so exciting, I think, for me and our team when we got started," chipped in Shin. "I was immediately enamoured by this whole new concept. It sounded really fun, and most of our team felt that way. We joined because it was very, very new."
Built for success
The Knox project, which began in earnest back in November 2011 according to Rhee, started off with just 10 people.
"But from the start, when the team to work on Knox full time was just starting to gather together, there was this mutual feeling among the high-up executives, I think, to make Knox a success," said Heo. "And we got full support and acted accordingly."
Now there are about 1,000 employees dedicated to Knox, with a total of six R&D centres for the project located worldwide: in Korea, the US, Canada, India, the UK, and Poland.
"Because our R&D centres are located across the globe in all time frames, we are able to get our clients' feedback 24/7 and immediately react to them and start developing changes based on our clients' needs, anytime," said Heo.
Marketing and R&D have worked together closely since the beginning, the two Knox engineers said, and their offices were physically next to each other so that the two groups could get feedback from each other immediately.
Before the platform even materialised, Samsung decided on the name Knox, after Fort Knox in the US, the highly secure and fortified vault building that stores part of the country's official gold reserves. It was an obviously marketable and attractive name for enterprise and government clients: well known, with its message of security immediately recognisable. Samsung had big ambitions for Knox.
The year 2012 was a busy year for Samsung: The much-hyped Galaxy S3 came out, and became the first respectable Android phone that legitimately challenged the then overwhelmingly dominant iPhone.
A hitherto background issue surfaced due to that big surge of Android users: Security. Android was becoming a big ocean that dwarfed iOS and Windows in size but remained, in the eyes of the public, vulnerable.
"Samsung Knox was precisely designed to address that problem with a more resilient and secure mobile platform and by providing better controls over enterprise data to IT, such that they can adopt mobile enterprise in the Android space confidently," said Rhee.
At the same time, behind closed doors, Knox was quickly coming together for its big unveiling early the following year at Mobile World Congress 2013, which for many signalled Samsung's big move into the enterprise market.
"Samsung is formidable in the consumer market with hardware because of its strong fundamentals and technology portfolio," said Rhee. "And that core competitiveness wasn't built on a single day's work. It took long, hard efforts to build that foundation.
"With that same principle, we created Knox. And there is without a doubt that synergy that comes from doing hardware and software together in Knox that no competitor of ours can mimic," he said.
Shin, who works mainly in making software and hardware "sync", said Samsung's huge portfolio in handset hardware is the most fun to work with, and the company's biggest advantage.
"You have to remember Samsung makes literally every component that goes into a mobile device, which none of our competitors do. Processors, memory chips, each module, the displays, the circuit board, and everything else in a handset were considered when we made Knox, to fit that device perfectly," he said.
"So, in a word, Samsung's biggest strength in designing software like Knox is that it has full control over both hardware and software," said Shin. "So though it was new when we started, I think it makes perfect sense for Samsung to push Knox."
Heo stressed: "And our Knox team is truly a motley lot. We have experts in software and hardware from various sectors working closely together, from various countries. There is a huge synergy in that."
Before launching Knox 2.0 at this year's Mobile World Congress, almost all of the Knox engineers around the world gathered in Korea to make the final arrangements.
"We were very, very proud at that moment," said Heo with a smile. "It seemed such a big step forward."
BYOD fleets in a row
Samsung recently split Knox into three versions (My Knox, Knox Express, and Knox Premium), with My Knox, the personal version, available for free via Google Play for the Galaxy S5 and Galaxy Note 4.
After the official launch of the initial Knox 1.0 in February 2013, Rhee said that Samsung has been "keeping its ears open" to the market and mulling over how to make Knox better after observing the initial reactions of customers.
The first thing that Samsung wanted to address was the overall increase in BYOD policies, especially in western nations. It was the priority when Knox began back in 2011, and it still is — the only change being that it is more pressing now.
"Our top priority in making Knox has always been two things: Security and usability. Customers want a higher level of security and they want an easier user experience, simple enrolment, and a choice of devices they can deploy. It's that simple," said Rhee.
The three new versions of Knox were designed with that goal in mind: to allow more flexibility for IT managers in overseeing their BYOD fleets.
"I think Knox represents a transformation in the mobility of the workforce today, offering both employers and employees the comfort of security and ease of use while working on the go," said Rhee. "This flexibility will increase productivity, as employees will be able to streamline professional and personal content into one device for more optimal use."
Recent validation from government and financial industries, especially abroad, has boosted the confidence of the Knox team tremendously, and will allow more feedback to further improve Knox, said Rhee.
"We already have a supply deal with the Credit Finance Association of Korea, and our Galaxy devices with Knox have been approved for the US government's Defense Information Systems Agency (DISA) products list," he said.
The Knox team boss also highlighted that Knox is currently the only Android provider of defence-grade and government-certified mobile security complying with key US Government and Department of Defense initiatives and other standards for mobile device security.
"We know that mobile threats are increasing exponentially and will never stop. We've put, and will continue to put, our efforts to provide a secure mobile platform, and this external trend motivates us to innovate Knox beyond what it is now," said Rhee.
"And it's so cool: Looking at a whole fleet of Knox devices in sync with IT managers everywhere. Comprehensive, ubiquitous. We love that," he said.
How Knox works
The two engineers gave a quick breakdown of the basics of Knox.
"Knox adds and modifies security mechanisms in each layer of the Android stack from the hardware all the way to the application layer, but without compromising Android compatibility," said Heo.
"First, we put in a lot of hardware-assisted rooting prevention and detection mechanisms. By design, Android allows users to run custom ROMs. But this is a huge challenge for IT managers.
"The ability to change the kernel, run a custom ROM, or root the device means that when devices fall into the wrong hands, data can be easily accessed. To prevent and detect illegal rooting of devices, we put in hardware-assisted mechanisms which are embodied in three components: Secure Boot, Trusted Boot, and TIMA [TrustZone-based Integrity Measurement Architecture].
"Being hardware manufacturers, we were able to do this job right, as we own both hardware and the software platform."
Shin, who started off from a hardware background, went on:
"Android OS itself has received a considerable re-engineering to add a mechanism called Mandatory Access Control, or MAC. MAC greatly expands the vocabulary of the OS to describe the privilege of each process in accessing system resources. This significantly limits the ability for compromised system processes to escalate their privileges.
"In the Android framework, we add a lot of management and remote control capability, as well as VPN, data encryption, and SSO [single sign-on]. They considerably improve the ability for enterprises to protect and securely manage their data and devices.
"Finally, on the application layer, we implement a concept of dual persona where users can store and manage enterprise data and applications," said Shin, and added proudly: "We call it Knox container.
"The separate secure zone created in the employee's device or container ensures security for corporate applications and data encryption. All the information kept there is constantly managed and maintained by the IT department.
"But the employee's personal email, photos, and social messaging can be untouched and remain private. This feature enables BYOD to work right out of the box," he added.