In every discussion that touches IT security, we hear demands for more and more security. Someone may ask what is wrong with that, but if you have experience delivering applications to technologically lay users, you already know that sometimes the books say one thing and reality is something completely different.
The best example comes from my previous assignment as Chief IT Officer for the largest dental clinic in Croatia. The application architects instructed us that users had to have passwords at least twelve characters long, including uppercase and lowercase letters, numbers and special characters. In that case we are definitely talking about a highly secure password, but only a few days after implementation more than half of the users had printed their passwords and stuck them somewhere around their monitors. That, of course, is a security disaster.
The second example was when we wanted to restrict access to only some users; in that case (if you do not set it up properly) assistants will learn the authentication information of their patrons and get all of their privileges. Especially because of HIPAA regulations, they will skip the phase of asking for privileges and just "borrow" access through their colleagues.
In the last example, we had a situation where doctors write medical histories and schedule patients for future encounters. After a few days they really enjoyed the system because it gave them quick access to patients' records, but the problem they had was authentication. We had a limited number of computers, and doctors had to wait a few seconds for their colleagues to finish. In the end, they skipped logging off and on and just used one user account for everything. How do banks resolve this? McDonald's? Social Security Administration offices? They use smart cards attached to the employee's uniform or a USB key with a client certificate. That is a good idea and can definitely bring more security.
After these few examples, I want you to think about security and not overdo it by setting it too stringent only because you think stricter is automatically better. You have to weigh both sides and select the best level of security. Long story short: the best security is to turn off all servers and unplug them from the power outlets, but then how would you use them?