At one of our TechTarget Desktop Virtualization 2013 seminars in San Francisco last week, an attendee asked me whether it's possible to ensure that BYOD / BYOC devices haven't been rooted and/or compromised. The answer? You can't. In other words, if you want to do BYOC or BYOD, you have to assume that your users' devices have been rooted and that attackers have the ability to record videos of their screens and to capture all the keys that they type.
Then you have to be okay with that.
If you can design a security solution or application delivery environment around the assumption that everything on the end users' device has been compromised, then you're ready to go. Simple!
I know I sound pretty flip about this, but that's the reality of today. Sure, there are security solutions and products out there that claim to be able to detect rootkits and compromised devices, but the reality is that it's a cat-and-mouse game: as soon as security vendors update their detection capabilities, the attackers find ways around them.
And yeah, you could decide to use Intel vPro with trusted encrypted secure whatever, but then you're not talking about BYO—you're talking about corporate-issued devices used remotely. (Which is fine, but not what this article is about.)
Besides, none of this can prevent a camcorder pointed at the screen. (Or a small camera hidden in the ceiling, in the next cubicle, in the pencil holder, etc.) Geez, even the most secure Citrix XenApp remote application with NetScaler Gateway SSL-VPN with full endpoint analysis is susceptible to Camtasia and Snagit. Patient data, corporate emails, financial reports... it's all on YouTube now!
So the only way you can sleep at night is to flip that model on its head. Just go ahead and assume that every screen and every key press of every application is being recorded.
How do you do that? For starters, we're talking about two-factor authentication. For everything. Then you probably want to follow that up with some kind of modern enterprise-specific file sync product (like Citrix ShareFile, WatchDox, etc.) which ensures that attackers can only get pictures of your data instead of the actual raw data itself. (With two-factor authentication of course.)
But beyond that, is there anything else you can do? Not really. (Though I'm curious to hear your thoughts?) Basically you do what you can and then don't worry about rooted devices. Done.