One of the biggest points of friction I see between networking teams, security teams, and users is around the idea of network segregation. For instance, the network team wants to isolate everyone behind VLANs, such that, for example, users would not even be able to browse the IP address of a security tool. The reasoning is that if everything is segregated, then that limits the potential exposure of that sensitive device to attack. Conversely, users in the security team find this cumbersome, because if they need to VPN in and view events at night, they need to utilize a jump box because they cannot access the interface from the VLAN that they are a part of.
What I want to know is how people typically approach this clash between “security” and usability. To me, I would rather the application perform the authentication, rather than rely on which VLAN someone is located.