Dezember 14, 2020

German government security approvals for solutions with Samsung Galaxy devices

Samsung Knox Team

One of the most important things we focus on at Samsung is security. This is true for all our devices and solutions, and it’s especially true for our government, military, and other public sector customers and partners.

Public institutions have a very pressing need for top-tier security to protect sensitive information and to avoid unauthorized access to systems, so we have set up a variety of processes to ensure that we are complying with all guidelines.

Additional challenges for public institutions are the digital transformation of work processes, the necessity to increase efficiency, and to constantly innovate – but at the same time decrease cost. Mobile devices have become a personal information hub with support for messaging, voice and video calls, but also a business tool with calendar, address books, and information access and exchange in general. So, commercial off-the-shelf devices can deliver all the necessary tools at a high innovation rate and competitive prices – but can they meet stringent security requirements?

In Germany, the BSI (Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security) is the public authority that defines security requirements and leads the approval process of devices and solutions for restricted government use cases. The approval most relevant for Samsung Mobile is the one for secure mobile communication solutions for classified information of the "VS-NfD" (classified material, for official use only) restriction level. Only solutions with BSI approval are allowed to be used in the VS-NfD context. While the BSI approval is an essential step, some agencies might require their own approval in addition before a solution can be used by them.

The BSI approval is not for mobile devices alone, but comprises a whole solution including the device, applications, servers, VPN, and device management. While Samsung devices, the Knox Platform for Enterprise, and most Knox solutions are under Samsung control, everything else in scope of the approval is provided by the solution partner or third parties. Our partners build their products utilizing Samsung Knox security features, and enter the approval process with the whole solution.

The BSI approval process for a solution can only be initiated by a government customer that wants to use it. Besides the BSI, the process involves the solution partner, an accredited test lab, third parties, and Samsung as device manufacturer.

Product security properties and features must be accurately documented in a formal way, and the documentation as well as the solution itself is evaluated by the security test lab. Evaluations are conducted to determine if the device meets all the requirements needed to protect against unauthorized access to sensitive information and for the integrity of the solution overall.

The most commonly evaluated modules that we see include cryptographic modules, Data-At-Rest (DAR) protection, Data-In-Transit (DIT) protection, device firmware update mechanisms, device restriction policies, kernel and system protection mechanisms, and secure boot mechanisms.

Further details of the BSI approval process are documented on their web site.

Samsung Galaxy devices are currently approved in a solution provided by our solution partner Secusmart, the SecuSUITE for Samsung Knox – with more to follow. It is referenced on BSI's web site on mobile communication solutions, and listed in their catalogue of approved products.

This allows many government agencies in Germany to deploy solutions using Samsung smartphones and tablets with security assurances to be utilized for a wide range of day-to-day and mission critical activities, for transfer and handling of information up to the secrecy level "VS-NfD".

When German government agencies consider the deployment of highly secure ultra-mobile communication solutions, they often opt for SecuSUITE for Samsung Knox (SS4SK), as one of the most comprehensive offerings in the VS-NfD-approved space.

For SecuSUITE for Samsung Knox, Secusmart has partnered with Samsung Electronics Co., Ltd. It allows government employees to exchange classified information with their colleagues, be it via an end-to-end crystal-clear encrypted phone call, or a presentation, edited on the mobile device, and sent via email across the solutions’ SecuCONNECT vpn link through the governments’ own data center. Employees are also enabled to access authority-specific IT-systems via dedicated secure apps or the SecuFOX browser.

Optional personal apps, strictly separated from the secure space, can be downloaded from the Google Play Store by the user.

As working from home and remote work become the new normal, Samsung DeX, in combination with virtual desktop infrastructure, turns a SecuSUITE for Samsung Knox device into the flexible, pocket-sized, yet full-featured mobile workstation for classified data.

SS4SK integrates with market-leading MDM/MAM solutions. It also utilizes Samsung key services such as Knox Mobile Enrollment and Knox Configure to support large scale deployments.

When the goal of approval for a specific product version is achieved, the work is not over: the approval for new versions of the partner's application and new Samsung devices needs to be prepared so that new devices can be used for "VS-NfD" soon after their market release.

Samsung's work to achieve government security approvals underlines our efforts to maintain and enhance Knox security features. Another long-term project that Samsung has undertaken since 2016 together with BSI and partners is the initiative to bring Germany’s National electronic ID onto selected Samsung Galaxy smartphones. A key device feature to support the eID is a tamper-resistant embedded Secure Element (eSE) inside the smartphone. The eSE serves as security anchor for the eID and its cryptographic keys. Its security properties have been certified according to the international Common Criteria standard.

Existing global and national approvals, certifications, and related documents for Samsung Knox can be found on our Knox certifications and guidance page.

Get in touch with Secusmart at www.secusmart.com

Secusmart GmbH
Heinrichstraße 155
40239 Düsseldorf
sales@secusmart.de

Or contact your local Samsung team using the contact form below.