Now this is something I often come up against, and if I'm honest, it is something I have never really understood.
I regularly go into businesses to evaluate their security controls and technical implementations for hosting platforms... whether it be Office365, Azure or AWS, and when I get into it, I can see Deny permissions left right and centre. When I interview the business and ask their thoughts, I often get 'pain in the arse to get anything done', or 'I've just setup my own environment as it takes 3 weeks to get anything approved'.
When I start to dig into the reasoning behind it with IT, it seems to boil down to them not trusting their business users. Examples such as 'they will just mess it up', or 'they don't know what they are doing'.
What IT seem to forget is the business are the reason why their roles exist. The business often brings in the money, consumes services and needs the support. So don't make it harder!
So what do I recommend? Move from a Deny model to guard rails. Set out the rules (often aligned to industry standards) and build secure guardrails that block the big and scary issues... but monitors and alerts on the not-so.
Examples might be to not allow users open up management ports to the internet, but let them provision any cloud technology into development, and automatically enable encryption using automation.
Yes it needs some thought, but it will make IT and the businesses lives a lot easier.
