Hi,
We are in the midst of transitioning users to a VDI environment. All access to company resources will be via the VDI environment. Once a user is fully transitioned over, laptop local admin rights will be released to the user. With this release, users will be able to install any software on the laptop.
The argument for this is that access to company data can only be done via the VDI environment, and there are no on-premise servers in the office.
Since the laptops still belong to the company, who is responsible for application patching if vulnerable software is found on the laptop? Can IT push the responsibility to users?
A company can set a policy like that. The more important consideration is whether that control will be effective or not. There are a number of issues with the 'do what you like' approach to corporate assets, amongst them:
Malware - if, through installing software, an employee downloads malware that goes undetected and can screen-scrape sessions, who is accountable? The employee may try to blame the company for ineffective anti-malware controls, the company may hold the employee accountable for the download, and regulators may hold the company vicariously liable for the actions of its employees.
Encryption - it may be possible to create data locally that, given its content, should be classified (e.g. PII), and also possible to disable storage encryption on the device itself.
Patching - a local admin may uninstall OS patches and leave the endpoint vulnerable.
Licensing - if a local admin installs software that is proprietary or is not free for commercial use, the terms of the license may make the organisation legally accountable due to its ownership of the hardware. Presumably not all staff would read the license terms or have the expertise in software licensing to understand this.
So my advice would be to carry out a risk assessment and get the senior IT staff responsible for the policy to formally accept the risks being introduced.
While I find this kind of security atrocious (being in a regulated environment), it is fairly common in the tech space with BYOD policies. Typically, patching and access to resources are controlled by an MDM solution that has the ability to restrict access based on the device risk score, e.g. whether the device has the latest patches, what software is installed, which services are running, etc. So yes, patching is now the responsibility of the device owner/user. If your risk score is too high, access is cut off until remediated.
I am unfamiliar with VDI environments and how an MDM solution could work together with them here, because we don't use VDI, but ideally this is what you would do. Your VDI provider will probably have a list of other providers that they work with regularly to help solve issues like this.
access to company data can only be done via the VDI environment and no on-premise servers in the office.
Is this a statement I would like to make regarding PCs that have local admin privileges on a corporate network?
Do keep in mind that most VDI solutions share video, keyboard, mouse, clipboard, audio and even mounted drives with the display PC. All of these can be attack/disclosure vectors.
You need to consider two separate but related concepts here:
It is very easy for a company to assign responsibility to somebody else, but it is very difficult for a company to disavow accountability (delve into RACI for greater detail).
If assigning patching responsibility to users, I recommend investing in a reporting tool to measure compliance. If allowing software installs, invest in a software inventory management system so you can verify that all software has an acceptable pedigree and is properly licensed.
If your goal is to shift "accountability", that is a discussion to be had with the lawyers and probably will involve developing a formal "Shared-Responsibility" (AWS, Azure, Google) policy.
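As an added example (not from any of the answers above, and not a product of the asker's organisation), the following PowerShell script is the kind of per-endpoint compliance snapshot the previous answer recommends collecting once patching and software installs are pushed to users. It reports the points the thread raises: who holds local admin, whether BitLocker is still protecting the disks, how old the newest installed hotfix is, and what software is installed and by which publisher. The patch-age limit, the output path and the "no publisher recorded" heuristic for flagging packages that need a licensing/pedigree review are assumptions chosen for illustration, not organisational policy. It must be run elevated on the laptop; the JSON it writes is what a central reporting tool would ingest.

```powershell
# Added example, not part of the original thread. Compliance snapshot for a
# Windows laptop whose user holds local admin. The thresholds and output path
# below are assumptions for illustration only.
param(
    [int]$MaxPatchAgeDays = 45,                                              # assumed limit
    [string]$OutFile = "$env:ProgramData\compliance-$env:COMPUTERNAME.json"  # assumed path
)

# 1. Who can switch controls off on this machine: members of local Administrators.
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name)

# 2. Storage encryption: a local admin can suspend or turn off BitLocker.
$bitlocker = @()
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bitlocker = @(Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = [string]$_.ProtectionStatus   # 'On' or 'Off'
            VolumeStatus     = [string]$_.VolumeStatus
        }
    })
}

# 3. Patch currency: age in days of the most recently installed hotfix.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$newestPatch = $hotfixes | Select-Object -First 1
$patchAgeDays = if ($newestPatch) {
    [int]((Get-Date) - $newestPatch.InstalledOn).TotalDays
} else { $null }

# 4. Software inventory from the registry Uninstall keys (64-bit, 32-bit and
#    per-user hives). Reading these is cheaper and safer than Win32_Product,
#    which triggers MSI consistency checks on every query.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique)

# Packages with no publisher recorded are where a licensing/pedigree review
# should start (assumed heuristic; it does not prove anything is unlicensed).
$unknownPublisher = @($software | Where-Object { -not $_.Publisher })

$findings = @()
if ($bitlocker | Where-Object { $_.ProtectionStatus -ne 'On' }) {
    $findings += 'One or more fixed volumes are not BitLocker-protected'
}
if ($null -eq $patchAgeDays -or $patchAgeDays -gt $MaxPatchAgeDays) {
    $findings += "Newest hotfix is $patchAgeDays days old (limit $MaxPatchAgeDays)"
}
if ($unknownPublisher.Count -gt 0) {
    $findings += "$($unknownPublisher.Count) installed packages have no publisher recorded"
}

$report = [pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    CollectedAt      = (Get-Date).ToString('o')
    LocalAdmins      = $localAdmins
    BitLocker        = $bitlocker
    NewestPatchDays  = $patchAgeDays
    InstalledCount   = $software.Count
    UnknownPublisher = $unknownPublisher
    Findings         = $findings
    Compliant        = ($findings.Count -eq 0)
}

# Persist for the central reporting tool, and show the summary locally.
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
$report | Select-Object Computer, Compliant, Findings | Format-List
```

The local admin list is recorded rather than flagged because, in the scenario described, users are meant to have it; the point of collecting it is to be able to show, per machine, who held the rights when something went wrong. An MDM or VDI access gateway that consumes the `Compliant` flag is what turns this from a report into the "access is cut off until remediated" control described in the earlier answer.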