This is not as easy as he makes it sound:
And then lastly is learning from all these three elements – the user, the device, the least privilege, and adapting your policies. So it’s a constant learning and adapting, changing the policies. For instance, if Jane never executes certain commands on a Unix machine, let’s dial down the policies so she can never run them. If Bill never accesses certain reports on Salesforce.com, let’s dial them down as well. So it’s really a concept of least privilege.
The concept of least privilege is the best security measure there is, and I totally agree with that. Stolen credentials are the leading cause of breaches, and the less access anyone has, the less damage a single compromised account can do. But it's also a pain in the ass. Things change, and what people need access to changes, all the time. Users don't see this as a proper security measure; they see it as not having access to things they might need at any given time, and then having to wait for a process to complete before they can do the thing they've never had to do before.
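The "dial down what Jane and Bill never use" idea in the quote, and the catch that real needs change, as an added example that is not from the quoted speaker or this post. It compares granted entitlements against a constructed audit log over a review window and produces two lists: grants never exercised (candidates to revoke, for a human to review) and activity with no matching grant (a gap to investigate). The entitlement names, users and log lines are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from any real system: what each user is
# granted, and an audit log of which entitlements they actually exercised.
GRANTS = {
    "jane": {"unix:sudo_shutdown", "unix:run_backup", "sfdc:view_reports"},
    "bill": {"sfdc:view_reports", "sfdc:export_reports", "unix:run_backup"},
}

AUDIT_LOG = [
    # (timestamp, user, entitlement exercised)
    ("2024-03-01T08:00:00", "jane", "unix:run_backup"),
    ("2024-03-15T09:30:00", "jane", "unix:run_backup"),
    ("2024-03-20T10:00:00", "bill", "sfdc:view_reports"),
    ("2024-03-28T11:00:00", "bill", "sfdc:grant_admin"),  # never granted
]


def review(grants, log, now_iso, window_days=90):
    """Per user: entitlements granted but unused inside the window
    (revoke candidates) and entitlements used without any grant
    (either the grant model or the logging is wrong; investigate)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, user, entitlement in log:
        if datetime.fromisoformat(ts) >= cutoff:
            used[user].add(entitlement)
    report = {}
    for user, granted in grants.items():
        report[user] = {
            "revoke_candidates": granted - used[user],
            "used_without_grant": used[user] - granted,
        }
    return report


if __name__ == "__main__":
    # The output is a proposal for the access review, not an automatic
    # revocation: a grant unused for 90 days may still be needed next week.
    for user, findings in review(GRANTS, AUDIT_LOG, "2024-04-01T00:00:00").items():
        print(user, findings)
```

Bill's `sfdc:grant_admin` line is the interesting one: a privileged action with no grant behind it is exactly what a compromised credential looks like in the log, and it should be investigated before any policy is dialed down.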
In a law firm, for example, where you have a bunch of "owners" who are not exactly known for their patience, this becomes a source of great tension between those owners and the IT department. The security team becomes an obstacle to doing what the lawyers want to do, but that isn't because the security team is being difficult; it's because getting access to something new should be a bit of a chore. There should be a valid reason for a user to be granted access to something beyond what they normally have. If there isn't, then stealing a credential, logging in as that user, and escalating their rights through the process would be too easy.
That's not very good security. Good security puts up roadblocks to that sort of thing, and users need to be educated about that reality, instead of being angry that they have to jump through hoops.
The hoops are there for a reason.