& Secure Collaboration Platform by Paweł Mączka, Storware CTO
Table of Contents
Overview
What is KODO?
How it works?
Backup & Restore
Table of features
End-to-End Encryption for Android Devices
Enterprise file sync & sharing (EFS&S)
Migration
Knox Awareness
Summary
About the Author
About the Company
Overview

In this white paper, we present Storware KODO for Knox, a platform that enriches the existing Knox offering with a new layer of features. KODO targets Knox, the most comprehensively secure and manageable mobile device solution for enterprises of any size. Based on the IBM Spectrum Protect engine, Storware KODO is designed around the philosophy of data protection and secure data collaboration. KODO builds a trusted environment for sensitive and enterprise-critical data by setting the rhythm of the organization's data flow. With a Knox Workspace, KODO protects data by adding three major features: Backup & Restore, Sync & Sharing, and Migration.
What is KODO?

Storware KODO is an enterprise platform that provides collaboration and protection for mobile devices such as laptops, tablets and smartphones. It ensures not only continuous protection of key corporate data, but also compression, deduplication and file versioning. KODO delivers security to Android: safe and secure access to corporate data is its priority. This enterprise-ready solution provides easy and intuitive web-based management. KODO works on both the application layer and the Knox Workspace container layer. By building a trusted zone on Knox Workspace, KODO can easily transfer mission-critical data between authorised users and devices.
How it works?

KODO can work in two models: on-premise and cloud. The on-premise installation provides a private cloud approach; in this model the KODO Server can be installed as a virtual machine or on a physical server. It needs only a public IP (gateway) for connectivity to the mobile devices. The KODO client can be downloaded and installed from an MDM or from Google Play. It is important to note that the KODO client is fully separated from the private area and from the Knox Workspace (for data security reasons). Once the client is installed and configured against the KODO Server (user authentication can be integrated with Active Directory), the administrator can use the web-based management console, which allows IT departments to fully control mobile devices and their data.
Backup & Restore

Whereas organizations are aware of the need to protect servers and data centres, they still seem to ignore the importance of protecting the endpoint environment. Endpoints carry a lot of key corporate data, such as contacts, confidential documents, e-mails and more. The mobile users therefore require special attention in the area of data security, as unsecured mobile devices may be the weakest point of the system. KODO automates backup and restore for Android devices, providing advanced policy rules, management and control from a single pane of glass.
On Android OS, the KODO data workflow is as follows:
1. The KODO client compares the data stored on the server with the current state of the data on the device.
2. If the application detects changes, it uploads the files / contacts / calendar objects to the server over HTTPS using the REST API (TLS 1.2).
3. The REST API also accepts the object's metadata during the backup process.
4. The server pushes the data to the KODO Gateway/Server and sends a confirmation to the KODO client once the data has been stored successfully.
Table of features

Deduplication
- Deduplication methodology: global, client-side, block-level deduplication
- Deduplication of email and attachments: PSTs are evaluated as a single file
- Global data deduplication: global deduplication across all desktop and laptop devices
- Dedupe granularity: block level
- WAN optimization: client-side deduplication and compression

Deployment, configuration, and management
- Centralized KODO portal, magic link deployment
- IT-blessed file sharing
- Deployment options: on-premise & cloud
- Licensing structure: per device, per user

Security and data privacy
- Encryption in transit: TLS 1.2
- Encryption at rest: 256-bit AES
- Remote wipe capability
- Integrated file sync & share: file sharing with IT visibility
- Data capture frequency: CDP (seconds)

Administrator experience
- Central management console
- Mass deployment via Active Directory

Device/OS diversity
- Supported PC/laptop platforms: Windows/Mac
- Smartphone/tablet backup: iOS, Android, Windows Phone
- Mobile access: iOS, Android, Windows Phone
- Content variety: files/folders, email archives

Visibility and control over end-user data
- Data loss prevention backup
- Integrated file sharing with IT visibility: mykodo containers

Mobility and BYOD support
- Mobile apps: smartphones and tablets
- Device/OS heterogeneity: Windows, Mac, iOS, Android, Windows Phone
- Self-deploy and self-restore
- Data backup for smartphones and tablets
- Remote laptop backup and restore without VPN
- Ability to disable backups over 3G/4G
- Policies for BYOD enablement
- System and application settings backup
- Integrated file sharing
- Remote wipe & geolocation
- Mobile container for selective wipe
- Mobile security policies to control access to corporate data by other apps

Global mass deployment
- Silent deployment
- No custom scripting required
- Deployment options (KODO for Knox): on-premise, cloud
- Centralized administration

Installation and management
- Installation time (KODO for Knox): minutes
- 1-click configuration
- Centralized administration

End-user experience
- WAN optimization
- End-user experience (KODO for Knox): non-intrusive

Data protection
- Manual and automatic backups
- Continuous data protection (KODO for Knox): seconds
- Integrated enterprise file sync and share

Data governance
- Reporting and alerts
End-to-End Encryption for Android Devices

Before leaving the Knox container, data is encrypted with a 256-bit AES key to protect the integrity of the protected data. The automatically generated key is managed either by the KODO server or by the user, who provides a password. If that password is lost, the business user will no longer have access to the protected data.

The user-key-based encryption strategy ensures that all user data is secured on the device with the AES-256 encryption algorithm and transmitted over a TLS-secured connection. A new encryption key is randomly generated for each backup session and is persisted only after it has itself been encrypted with AES-256 under a key derived from the user's password with PBKDF2 (16,000 iterations). This strengthens security and prevents a situation in which a single leaked encryption key would allow decryption of all of the user's data.

Note: the user-provided encryption password is stored securely on the device (in the device's internal memory, protected with platform-specific security mechanisms) for convenience, so that it can be reused for all backup sessions and the user does not have to provide it over and over again.
Enterprise file sync & sharing (EFS&S)

Applications and data inside the Knox Workspace are isolated from applications outside the Workspace. This means that applications outside the Workspace cannot use Android inter-process communication or data-sharing methods with applications inside the Workspace. To provide secure collaboration between Knox users, we need to implement a trusted zone where users can exchange corporate data without risk of data leakage. The secure sync & data sharing feature of KODO allows enterprises that use Knox Workspace to:
- increase productivity by providing self-service sharing of files and folders with colleagues, partners and customers
- share files securely, protected by a password, via an internal URL
- enable internal data exchange with authorized users, based on the enterprise security policy

For more information about Knox protection go to: https://kp-cdn.samsungknox.com/cac39a4cdc16170950852eec88ca60cf.pdf (section "Solution: Protect enterprise apps and data in a secure Workspace", page 19)
Migration

Migration is an important part of the mobile fleet management process. It allows the IT department to unify migration between Samsung devices based on Knox Workspace. In addition, KODO can be fully user-centred: employees can perform the migration themselves with minimal involvement of the company's IT helpdesk.

Migration procedure
1. Go to Knox and open the KODO application.
2. Log in to KODO with your username and password.
3. KODO will detect that you are logged in from a new device and will ask whether you want to migrate your data.
4. Select the device whose data you want to migrate.
5. The migration process will start, and you will be notified when it is over.
Both IT staff and users will especially appreciate the migration feature in the following easy-to-imagine situations:
- the device has been stolen
- the device has been lost
- the device has been destroyed
- the device is in maintenance
- the user has acquired a new phone
- the company changes the standard of its mobile fleet

Knox Awareness

The Knox Workspace container is designed to separate, isolate, encrypt, and protect work data from attackers. This enterprise-ready solution provides management tools and utilities to meet the security needs of enterprises large and small. It is natural for KODO to be aware of Knox and to recognize which files originate from the container.

For more information about Knox go to: https://kp-cdn.samsungknox.com/6ee7dbf222f5eabeafea9d15e3986f09.pdf (section "Samsung Knox overview", page 11)

KODO runs even if Google Services are disabled. KODO can be customized by applying policies that automate the protection and lifecycle of the data. It can also be set up quickly by using the defaults for the most common settings.
KODO inside the Knox container is identified as a separate device, with no ability to see it from outside the container.

Figure: Container vs Private
Summary

Storware KODO enhances Knox by delivering safe backup of folders and files. Encryption of data and of the transfer allows you to back up and also share your data among co-workers in a very safe way. KODO is a powerful tool for Samsung products that allows important data to be restored if the device is broken or stolen. With a full understanding of organizations in the public, military, government and commercial sectors, KODO completes the Samsung Knox solution by enabling access to a copy of the data on user demand.

About the Author

Paweł Mączka is a visionary and a geek, but first of all he is a founder and the Chief Technology Officer of Storware. His work background originates from IBM, where he started his career as a Technical Sales Engineer in the data protection area, working with IBM Tivoli Storage systems. He is addicted to storage and data protection solutions in every combination: cloud, hybrid and on-premise. He is a mobility evangelist, concentrating on security aspects, MDM, backup, and secure sync & sharing features.

About the Company

Storware is a company building simplified data protection products for businesses. We help to reduce the risk of data loss and its related costs. Wherever you keep your data, in the cloud, on servers or on endpoints, we continuously care for it and bring additional value to it. Storware successfully offers its products through a worldwide distribution and partner channel.
Storware Sp. z o.o. Sp.K., ul. Leszno 8/44, 01-192 Warsaw, National Court Register No. 000551481, VAT 5213656342. Copyright 2017 Storware Sp. z o.o. Sp.K. All rights reserved. This product is protected by international copyright and intellectual property laws. The Storware logo is registered and protected by EUIPO. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: STO-WP-KD/SG-1