Designing a secure system is a tough nut to crack. You need to have the ability to do your job as well as the capacity to prevent intrusion. Couple all that with what it is you are trying to secure, that is what’s the cost if what you are securing becomes public. There’s a balancing act when you’re coming up with such a system.

One of the problems you can wind up with — and in fact we have this exact thing going on at Amazon (and I’m sure plenty of other large organizations) — is a system that is so secure that it actively gets in the way of you doing your job. The job still needs to be done, so one of the first things that you need to do is come up with a workaround for the security so you can do your job.

Oops.

You had a system that was secure. Now, by forcing workarounds, you’ve actually made a system that is less secure than before. The workarounds likely aren’t auditable. They likely aren’t implemented with end-to-end safety in mind. The system that looks perfect on paper, winds up being notably less so in practice.

But, like I said, it all comes down to what you are trying to secure. If you’re securing personally identifiable data, yes, please have a super high bar. But to mix everything together into the same security level dumbs down the entire solution; you have inadvertently made those same workarounds you’ve done for the mundane tasks also work for the critical data as well.