Rant engaged. As a person who feels responsible for ensuring what I build is secure, the security space feels inscrutably defeating. Is there a dummies guide, MOOC, cert, or other instructional material to better get a handle on all these things?

SSH keys make sense. But certificates? Is this OIDC, SAML, what? Is it unreasonable to request better and deeper "how to do {new security thing}" when PKI is a new acronym to someone? Where can I point my data science managers so they can understand the need and how to implement measures to have security on PII-laden dashboards? And so on.

I feel for you. Security is a complex, evolving topic, with a dizzying array of concepts.

At work, we develop Teleport (https://goteleport.com/) to provide a secure access solution that is also easy to use and hard to get wrong. (Note: you cannot truly have "hard to use" and "secure" access, because people will always develop "backdoors" that are easier to use but not secure.)

If you are interested in some accessible writing about security, check out: https://goteleport.com/blog/

On SAML: https://goteleport.com/blog/how-saml-authentication-works/

On OIDC: https://goteleport.com/blog/how-oidc-authentication-works/

I can recommend the YouTube channel too: https://www.youtube.com/channel/UCmtTJaeEKYxCjfNGiijOyJw

Teleport seems like a genuinely cool product.

With that said, the company really needs to improve its interview process--my experience was downright terrible, and Glassdoor shows that other people had a similar experience.

Their pricing is bat shit crazy. Stay far, far away.

Sasha, CTO @ Teleport here.

I agree, our enterprise product is quite expensive. Let me explain why:

* We are going through several security audits by third-party agencies several times per year. We are trying to hire the best security agencies to audit our code and it is quite expensive.

* We are recruiting globally and try to place our comp at the 90th+ percentile of the compensation as listed in opencomp.com and other sources we have access to.

* Our sales process also takes time, and the sales team employs sales engineers, sales and customer success specialists to assist with deployments of such a critical piece of the infrastructure.

* For all our employees we have wellness benefits for home office improvement, personal development, healthcare packages.

All of these factors above add up and we charge a lot for building a quality security product supported 24/7 across the globe.

However, this might not work for everyone, and we have a completely free and open source version that people can use without ever talking to our sales team:

https://github.com/gravitational/teleport