Introduce policies surrounding access controls + authentication #21

@antdking

A recent discussion has taken place about how best to address enterprise customer concerns on policies relating to holding of customer data.

While this issue isn't going to target a full solution to this problem, there are some key points that I feel most projects should adhere to.
I fully expect this to turn into a sliding scale, where basic requirements are:

  • per user access to services
  • every developer has most rights for ease of use
  • bastion service for accessing service ports on infrastructure

to super hardened, where requirements are:

  • per user access to services, with enforced MFA (maybe all of "what you know", "what you have", "what you are")
  • follow principle of least privilege
  • auditable access to sensitive material
