
I recently implemented a product for a company that prided itself on having very strict security policies on their servers and workstations. My initial thought as a security consultant was to compliment the ITSEC team on their highly advanced security environment... until I had the pleasure of attempting to install a new software product into the environment. Their company policy mandates that all accounts have the least amount of privileges, aka read-only rights. Those privileges can be escalated only if there is undisputed proof that they are truly needed. This created significant issues, considering the product I was implementing required full access to the database. After spending a significant amount of time, we were eventually successful in our implementation. Further inquiry revealed that any new software deployment in this company typically takes 3 to 4 times longer than expected by the vendor.
If used correctly, strict security policies are a great weapon against malicious activities. However, as you can see from the example above, ideas that sound great on paper can sometimes have dire consequences if not implemented correctly. Our mission as security consultants is to make sure we know, understand, and train our clients to appreciate the balance between security and the impact it can have on the day-to-day operations of a business.