This is missing an extremely important upfront concept: you need to know what you're protecting and how valuable it is.<p>It does no good whatsoever to require every user of a grocery-list app to have a Yubikey to verify their identity. It might not even make sense to have users login at all.<p>The balance between usability and security must be consonant with the costs of implementation.
Already makes the crucial mistake:<p>Security people always want to "set policy" "educate on practices" and "enforce". You've already lost the battle.<p>PROVIDE SOLUTIONS. Why recommend all this "policy" when what you need to do is provide, at a minimum, a reference implementation. If you get called in as part of security architecture, PROVIDE A SOLUTION.<p>Because if you don't the devs will do the absolute minimum, and likely will have backdoors galore, especially as your policies impose real restrictions on their systems support quality of life, ability to respond to production issues, and iterate to produce features.<p>The other persistent issue with security is that it is anathema to automation, and therefore efficiency. So dovetailing with providing a solution, these practices for 2FA and SSO (which invariably involves horrible popup UIs and other hacky things) will block, say, automated backups, auditing, monitoring, etc that also require access. So be ready with those.
But how do I actually <i>do</i> any of this.<p>E.g., in Azure, in theory, we should PoLP the access controls. But Azure's tutorials and guides often recommend using Contributor (Azure role that entails access to almost everything, except granting more access), and which permissions an API call requires is, AFAICT, undocumented. And sometimes, the error doesn't tell you.¹<p>I want to allow SSH into systems. Copying keys about the landscape is one employee departure away from having keys on systems that don't need to be there. The last time I set up LDAP … I had to learn about object classes, and some sort of object-oriented tree database when all I <i>want</i> is a list of users & perms. (I understand LDAP's design better now, and I even like it, but it the onboarding is braindeath.)<p>There are any number of k8s dashboards that would give my coworkers better vis … and basically none that have an auth story.<p>The examples are endless.<p>¹heck, sometimes the error isn't even grammatically correct English.
If you are interested in this topic, can't recommend this book enough: <a href="https://www.cl.cam.ac.uk/~rja14/book.html" rel="nofollow">https://www.cl.cam.ac.uk/~rja14/book.html</a><p>The 3rd edition is expansive (1000 pages, plenty of references) but readable. Free PDFs of previous editions are available at that link.
This list comes up often without discussion:<p><pre><code> https://news.ycombinator.com/from?site=github.com/veeral-patel
</code></pre>
It's a nice list, but still missing core concepts such as backups and system availability.
These are about adding stuff. The overwhelmingly sost effective way to secure things is to simplify them until you have good confidence you understand the thing as a whole which enables you to reason about its security properties on a much better level with high confidence, and enable other people to do the same.