Anyone who deals with network security has run into this problem:
Department/powerful-user buys an application for a lot of money. They would like it to work please. Application's requirement state, "disable all security systems so our crappy-app can work unencumbered." Crappy-app runs into network security problems and dies. Department/PU contacts IT and asks to have network security disabled so their expensive crappy-app can run correctly.
What happens next is a very good test of management's commitment to network security. Will management say:
Department/powerful-user buys an application for a lot of money. They would like it to work please. Application's requirement state, "disable all security systems so our crappy-app can work unencumbered." Crappy-app runs into network security problems and dies. Department/PU contacts IT and asks to have network security disabled so their expensive crappy-app can run correctly.
What happens next is a very good test of management's commitment to network security. Will management say:
- Hmm, that's a lot of money. IT, make an exception for this app.
- Hmm, that's a lot of money. We'll have to make it work somehow.
- That's a really insecure app, too bad you spent a lot of money. It will not be installed. Let this be an object lesson to you all.