As I understand this correctly, it is not a new idea, even in the government. When I retired about 5 years ago, US DoD data centers had largely implemented a scheme of many VLANs with detailed access control lists and intermediate firewalls such that users of an application (including other applications) were permitted access only to the resources required. As far as I was concerned, as DBA for a number of specific databases, applications that did not connect to those databases might as well not have existed. The data centers also had implemented out-of-band access for their own administration and begun to impose that on customers who did their own administration.
As Gleicher and various commenter have noted, it is not easy to implement even for new work, quite a lot harder to retrofit, and more than a little painful for various categories of user. It took them for or five years In general, though, it worked well once in place, giving trouble only occasionally when changes had to be made.
Out-of-band requirement for us external administrators was especially irksome, as it brought a required VPN that shut off all other workstation networking, cutting off email and the IM that we used for internal communication. These were hard to do without for more than a short period because our agency was geographically distributed, by branch, across three widely separated locations; this problem eventually was solved, I believe, by providing those affected with secondary workstations (and additional LAN drops) for their VPN use. This requirement also led my former agency to drop out of the server operation business, as the network upgrade cost, combined with increasingly stringent and costly configuration management and security requirements came to be seen as diverting resources from their primary mission.
Biting the hand that feeds IT
