Navigate Android encryption software from OEMs, EMM vendors
IT professionals can go beyond Android OS encryption to secure their mobile endpoints. OEMs such as Samsung and EMM vendors offer additional protections for Android smartphones.
Smartphone users can compromise corporate data by simply clicking on a malicious link or connecting to an insecure network, so organizations should encrypt mobile device data whenever possible.
The major smartphone OSes, Google Android and Apple iOS, both include native file-level encryption that protects users' data. Smartphones that run iOS include Apple's device-level encryption, as well. Android device-level encryption, on the other hand, can vary based on OEM.
Android admins should learn about common OEM Android encryption software and the third-party encryption tools that can supplement it.
OEM Android encryption software
In some cases, Android OEMs implement their own encryption in addition to or instead of Android's built-in encryption options. The most notable example of this is the Samsung Knox Platform for Enterprise (KPE).
Initially, enterprise customers had to choose between KPE and Android programs, such as Android for Work or Android Enterprise, when they set up their organization's smartphones. As of Knox 3.0, however, KPE aligns with native Android encryption software and builds on features such as file-based encryption (FBE) to deliver strong mobile security.
One of KPE's main components is Sensitive Data Protection (SDP), which works in conjunction with Samsung Knox Workspace, a container that provides an extra security layer for enterprise data. SDP encrypts data during device runtime and decrypts the data after the user unlocks the workspace.
SDP adds an extra layer of protection to Android's built-in encryption to ensure that even if a device is lost or stolen while it is still running, a sophisticated attack cannot access protected data. With SDP encryption in place, Samsung devices meet strict U.S. government and military compliance standards.
KPE adds another layer of protection with Samsung DualDAR encryption, which builds on Android's FBE architecture to implement two layers of encryption that use separate authentication methods: device authentication and Samsung Workspace authentication. DualDAR encrypts all data that users save to the Samsung Knox Workspace on both layers and requires authentication at each layer to permit access. This means, however, that devices must run Android 7.0 or later and support the Android APIs that drive FBE.
Standardize Android devices
Organizations that support Android devices should limit the device OEMs and models to those that can meet their Android encryption software requirements. For example, an IT team might choose to support only Samsung devices, on which they can enable DualDAR encryption across all of the organization's mobile devices. An IT department could also opt to mandate Android 9 or later on its fleet to take advantage of the OS' native metadata encryption.
Third-party encryption options
Organizations could also use enterprise mobility management (EMM) or other mobile security tools to implement encryption. For example, an organization can use Sophos Endpoint Protection in conjunction with Sophos SafeGuard Enterprise to implement mobile threat protection for a fleet of Android devices.
Sophos Endpoint Protection software determines the device's security health status, and Sophos SafeGuard Enterprise encrypts the data and protects access to the certificate keys. The two security tools work together to provide a proactive approach to device security. For example, if the endpoint protection tool detects an active infection, IT can temporarily revoke the encryption keys.
An organization can also use EMM tools that simply enforce the native Android OS encryption without adding any new encryption of their own. Tools such as ManageEngine Desktop Central, IBM MaaS360 and VMware AirWatch all include policies that can enforce the native Android encryption software.
Whenever an organization evaluates an EMM tool, it should verify which Android versions and which types of encryption it supports. An EMM tool that doesn't include policy settings for FBE and only supports Android 9 and earlier offers little advantage for smartphones running Android 10.
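The two checks this article recommends, standardizing the fleet on an OS version that supports the required encryption type (the "Standardize Android devices" section) and verifying what an EMM policy actually enforces (this section), both come down to reading a few device properties. The script below is an added example, not code from the article or from any OEM or EMM vendor. It parses the output of `adb shell getprop` (the real system properties `ro.build.version.sdk`, `ro.crypto.state` and `ro.crypto.type`) and grades each device against a baseline: Android 9 (SDK 28) or later with file-based encryption, or the looser Android 7.0 (SDK 24) plus FBE prerequisite the article gives for DualDAR. The device serials and property dumps are constructed sample data; the SDK-to-version mapping is an assumption the reader should confirm against Android's release table.

```python
"""Audit Android devices against an encryption baseline from `getprop` output.

Added example: parses constructed `adb shell getprop` dumps and reports which
devices meet a minimum SDK level and file-based encryption (FBE) requirement.
"""
from dataclasses import dataclass

# Assumed SDK levels for the Android releases the article names.
SDK_ANDROID_7 = 24   # FBE APIs present (DualDAR prerequisite)
SDK_ANDROID_9 = 28   # native metadata encryption available


@dataclass(frozen=True)
class Verdict:
    serial: str
    compliant: bool
    reasons: tuple  # empty when compliant


def parse_getprop(text: str) -> dict:
    """Parse `getprop` lines of the form `[ro.crypto.type]: [file]` into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line:
            continue  # skip blank or malformed lines
        key, _, value = line.partition("]: [")
        props[key[1:]] = value.rstrip("]")
    return props


def evaluate(serial: str, props: dict, min_sdk: int = SDK_ANDROID_9,
             require_fbe: bool = True) -> Verdict:
    """Grade one device. Every failed requirement becomes a reason string."""
    reasons = []
    try:
        sdk = int(props.get("ro.build.version.sdk", "0"))
    except ValueError:
        sdk = 0
    if sdk < min_sdk:
        reasons.append(f"SDK {sdk} below required {min_sdk}")
    # ro.crypto.state is 'encrypted', 'unencrypted' or 'unsupported'.
    state = props.get("ro.crypto.state", "unknown")
    if state != "encrypted":
        reasons.append(f"storage not encrypted (ro.crypto.state={state})")
    # ro.crypto.type is 'file' for FBE or 'block' for legacy full-disk encryption.
    ctype = props.get("ro.crypto.type", "unknown")
    if require_fbe and ctype != "file":
        reasons.append(f"file-based encryption required, found ro.crypto.type={ctype}")
    return Verdict(serial, not reasons, tuple(reasons))


def audit_fleet(dumps: dict, **policy) -> dict:
    """Map each serial to its Verdict; `dumps` is {serial: raw getprop text}."""
    return {serial: evaluate(serial, parse_getprop(text), **policy)
            for serial, text in dumps.items()}


# Constructed sample dumps standing in for `adb -s <serial> shell getprop` output.
SAMPLE_FLEET = {
    "SAMPLE-A": "[ro.build.version.sdk]: [29]\n[ro.crypto.state]: [encrypted]\n[ro.crypto.type]: [file]\n",
    "SAMPLE-B": "[ro.build.version.sdk]: [26]\n[ro.crypto.state]: [encrypted]\n[ro.crypto.type]: [block]\n",
    "SAMPLE-C": "[ro.build.version.sdk]: [28]\n[ro.crypto.state]: [unencrypted]\n",
}

if __name__ == "__main__":
    for verdict in audit_fleet(SAMPLE_FLEET).values():
        status = "OK  " if verdict.compliant else "FAIL"
        print(f"{status} {verdict.serial}: {'; '.join(verdict.reasons) or 'meets baseline'}")
```

Running the script against real devices only requires replacing `SAMPLE_FLEET` with the captured `getprop` text per serial. The same `evaluate` call with `min_sdk=SDK_ANDROID_7` expresses the DualDAR prerequisite from the KPE section; a device on legacy block-level encryption fails either policy, which is exactly the gap an EMM policy without FBE settings would leave.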