by lvspiff 1740 days ago
Come work in healthcare - if you are at one of the larger insurance orgs (UHG, Anthem, Humana) or hospital networks (HCA, Dignity, etc.) you are locked into a world of this model making your life the most difficult imaginable. Need vendor support? Hope you like watching them work over WebEx, as they won't have any access to any of your servers. Need a VPN to tunnel data across? Yeah, good luck with that; it'll take at least 6 months, mostly for legal to approve. On top of rotating passwords on a yearly basis for service accounts, regular entitlement reviews, risk reviews, policy reviews, and rotating passwords for users every 90 days still, along with multifactor authentication. I feel like I'm working at Ft. Knox every day.
2 comments

This sort of speaks to what the GP was talking about -- not following guidelines and frameworks.

For example,

> On top of rotating passwords on a yearly basis

> rotating passwords for users every 90 days

NIST 800-63B, as of 2017, explicitly advised against this.

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)." [1]

[1] https://pages.nist.gov/800-63-3/sp800-63b.html
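As an added illustration of the point this comment makes (example code written for this page, not from the thread or from NIST), the following audits a password policy against the NIST SP 800-63B section 5.1.1.2 rules for memorized secrets. The `PasswordPolicy` fields, the `audit_policy` function and the two sample policies are assumptions constructed for the example; the "legacy" one mirrors the 90-day user rotation described in the parent post. It also checks the other 800-63B requirements (minimum 8 characters, allow at least 64, no composition rules, screen against compromised-password lists, force a change on evidence of compromise), so it goes beyond the single rotation rule quoted above. Note that 800-63B covers memorized secrets chosen by humans; it says nothing about rotating service-account credentials.

```python
"""Audit a password policy against NIST SP 800-63B (section 5.1.1.2).

Added example for this page; the dataclass, the function and the sample
policies are assumptions, not NIST tooling or anything from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    name: str
    max_age_days: Optional[int]     # None = no forced periodic rotation
    min_length: int                 # shortest password the verifier accepts
    max_length: int                 # longest password the verifier accepts
    composition_rules: bool         # e.g. "must contain upper, digit, symbol"
    breached_password_check: bool   # compare against known-compromised lists
    rotate_on_compromise: bool      # force a change when compromise is evident


def audit_policy(p: PasswordPolicy) -> List[str]:
    """Return one finding per deviation from 800-63B; empty list = aligned."""
    findings: List[str] = []
    if p.max_age_days is not None:
        findings.append(
            f"{p.name}: forced rotation every {p.max_age_days} days; "
            "verifiers SHOULD NOT require periodic change of memorized secrets"
        )
    if p.min_length < 8:
        findings.append(f"{p.name}: minimum length {p.min_length} < 8 (SHALL be at least 8)")
    if p.max_length < 64:
        findings.append(f"{p.name}: maximum length {p.max_length} < 64 (SHOULD permit at least 64)")
    if p.composition_rules:
        findings.append(f"{p.name}: composition rules in force (SHOULD NOT impose them)")
    if not p.breached_password_check:
        findings.append(f"{p.name}: no check against compromised-password lists (SHALL compare)")
    if not p.rotate_on_compromise:
        findings.append(f"{p.name}: no forced change on evidence of compromise (SHALL force)")
    return findings


# Constructed sample policies (assumptions for the example).
LEGACY_90_DAY = PasswordPolicy(
    name="legacy-90-day",
    max_age_days=90,
    min_length=8,
    max_length=16,
    composition_rules=True,
    breached_password_check=False,
    rotate_on_compromise=True,
)

NIST_ALIGNED = PasswordPolicy(
    name="nist-aligned",
    max_age_days=None,
    min_length=8,
    max_length=64,
    composition_rules=False,
    breached_password_check=True,
    rotate_on_compromise=True,
)


if __name__ == "__main__":
    for policy in (LEGACY_90_DAY, NIST_ALIGNED):
        findings = audit_policy(policy)
        print(f"{policy.name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as a script to see the four findings against the 90-day policy and none against the aligned one; the useful part of the exercise is that dropping forced rotation is only defensible together with the breached-password screening and compromise-driven reset that the same document requires.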

Agreed, be careful what you wish for. When I was a consultant at Red Hat I worked with a lot of customers in this boat. We had to jump through absolutely absurd hoops that made a two day job take weeks.

I'm a security pro and I rejoice in secure systems, but swinging the pendulum to the other side is bad too.

There are ways to 1. be secure, 2. be productive.

I think that's the ultimate goal of "zero trust," but maybe I'm naive