Samsung SAFE (Samsung Approved for Enterprise) reverses the consumerization of IT trend by transforming the mobile device maker’s smartphone handsets into devices that are secure enough for enterprise use.
Today Samsung will likely have an uphill battle in organizations that are satisfied with Research In Motion’s BlackBerry Mobile Fusion, which can secure Apple’s iPhone iOS and Android devices along with BlackBerry phones and the PlayBook tablet. However, the pressure to accept a diversity of end-user devices is increasing. In this light, Samsung SAFE devices have all the hallmarks of an enterprise-ready device that IT managers should put on their strategic plan for supporting mobile users who require secure communication on a Samsung handset.
I used a Samsung Galaxy S III smartphone along with third-party mobile-device management (MDM) and VPN technology as well as Samsung’s on-device 256-bit Advanced Encryption Standard (AES) encryption capabilities to see how SAFE works.
The first thing to take note of is that Samsung SAFE is a security designation that the handset maker uses to specify that some of its handsets are ready for use with third-party security products. Today, this means that handsets are designed to work with MDM systems from AirWatch, Juniper Networks, MobileIron and SAP’s Afaria. Samsung is working with Cisco, F5 and Juniper for VPN support, and Microsoft Exchange ActiveSync for corporate email, calendar and contact information. All these third-party tools are wrapped up with on-device AES 256-bit encryption of both the phone and any removable Secure Digital (SD) card memory.
All in all, my work with Samsung SAFE shows that IT managers will benefit from starting pilots today to see how the approved-for-enterprise capabilities of Samsung devices will fit in with future mobile communication plans to support user choice.
The first thing I tested will also likely be the biggest stumbling block for Samsung SAFE: device encryption. Of course, it’s a great idea to encrypt the contents of the phone and any removable media in the phone. And nothing is more counterintuitive to the user experience of picking up a smartphone and getting right to work. Tight security based on strong passwords is a pain no matter which mobile handset maker is implementing it.
For example, I encrypted my test phone, a Samsung Galaxy S III running Android 4.0.4 (Ice Cream Sandwich). As a result, I needed to enter a strong password when I turned on the phone from an unpowered state in order to gain access to the SD card (not a very frequent action) and also every time the screen was turned on using the power button (very frequent). Entering this password was fine during testing, but I wouldn’t want to do it in the course of a workday.
Samsung SAFE Should Work With BlackBerry Mobile Fusion
However, executives and high-value employees who insist on accessing regulated or highly sensitive data must understand that protecting that data requires putting security barriers in place. And this understanding must be balanced with the IT managers being sensible about creating password complexity rules that a mere mortal will be capable of keying in using a constrained, virtual keyboard. For example, my complex password, which is fine when typing on a physical keyboard, is quite awkward to enter on a virtual keyboard where I had to flip back and forth between virtual keyboard screens in search of all the special characters I required.
Samsung has instituted AES 256-bit encryption for on-device security. My test phone was new, with almost no data or applications onboard. It took about 10 minutes to encrypt the device. Since then I’ve added several apps, including a media player with several large data files. Phone functions were uninterrupted and performance slowed but was not a major inconvenience when the files were first added to the system.
Mobile Device Management
After data encryption, one of the most important aspects of securing a device for enterprise use is ensuring that the handset can be managed. As listed above, Samsung has enlisted a small fleet of enterprise-worthy MDM application providers. In my tests, I used a hosted version of AirWatch MDM to manage my test phone. It almost goes without saying that AirWatch is an enterprise scale system. I managed only a single device because I was just looking at the Samsung SAFE technologies.
As with any MDM product, it integrates with Microsoft Active Directory or other LDAP services to marry existing user controls to the handset. I was easily able to integrate my test Samsung phone into the AirWatch system and immediately get both monitoring information and direct management control over the device.
In my tests, I was able to set security policies such as password complexity and to create device policies that could report if the security posture of the handset had been changed in a way that violated my security policy. I could also specify which applications were on the whitelist and which were on the blacklist. User accounts were fine-grained and I was able to create restricted administrative accounts. In addition to administrative roles, such as content manager and report viewer, I would like to see AirWatch add administrative limits such as executive or sales in order to limit administrative access to policies that governed devices used by these types of users.
In this sense, Samsung SAFE devices should be able to also slip into a BlackBerry Mobile Fusion environment with little extra effort. If this happens, the likelihood that more users will opt for a non-BlackBerry device is almost certain to grow, which is why it makes sense for IT managers to evaluate RIM alternatives now.