by mhp 2088 days ago
The part that bothers me the most about this is that our app has all of the certifications and controls that they would need - they just don't know that. SOC 2/3, ISOs, FedRAMP, etc. (trello.com/security). But as you point out, you have to get it approved and that requires navigating a lot of internal roadblocks.

I think you misunderstand the roadblock. Especially for any higher security level like FedRAMP, it is up to the FedRAMP-certified holder to vet and have a very solid understanding of the remote service or system they are using, at a moderate to deep level. Most sec people will do enough research to know if the service provider is at least an immediate no or not, but even if they are at the same-or-better FedRAMP level you still need to document them in your SSP (a system security plan for your whole org from HR to Engineering). This also doesn't prevent the situation where you then need to do a deep dive with this other organization to find out how FedRAMP their FedRAMP program really is, because more often than not organizations hide a lot of skeletons on what features/services are actually FedRAMP and what are features they intend to have FedRAMP 6-10 months from now.

Then you have to keep on them forever, and stay apprised of features people would like you to use but that aren't FedRAMP appropriate yet or do not have appropriate controls. I think you would be surprised how many SaaS providers really don't pass muster under scrutiny, or how often your engineering teams are trying to use features that just haven't been brought into compliance yet. For example, the number of times I have had to use https://aws.amazon.com/compliance/services-in-scope/ (click the FedRAMP tab) as a hammer is extremely high. Then you get on the phone with AWS and you find out that only a certain subset of the service meets their FedRAMP scope, and that subset does not provide adequate controls for your usage of the service. There's a lot of defer-to-vendor and defer-to-user games being played by both sides, and you have to go line by line and figure out who is responsible for what. More often than not the service's people who are catering to the customer are not appropriately educated either, so there are layers of escalations by a security team just to get someone who can answer security questions accurately.

So no, from most organizations a security person can only see that you tried to attest to some of these random certifications, but that doesn't mean I have an accurate map of how I'm supposed to meet my compliance goals with your stuff.

(This is not aimed at any one provider in particular, just my personal feelings on where this 'internal roadblock' argument falls apart).

We have blocked Trello accounts in our org, mainly because SSO and enforced 2FA were locked behind Trello Enterprise. The department that wanted to use it couldn't get budget approval for that plan, which leaves no alternative but to block it.

(And as I understand it, Trello Enterprise doesn't even get you SSO without paying additionally for Atlassian Access? The website seems to be inconsistent on this point.)

We have teams that would definitely like to use Trello, but $4200/month as the minimum tier was too much.

It's the other way around. You only need to buy Atlassian Access to get SSO + enforced 2FA for your Trello (and also any other Atlassian product) users.

Trello Enterprise (optionally) would secure your content (i.e. attachment restrictions, power-up restrictions, token restrictions, audit logs, team management).

That doesn't appear to be what the website says: https://trello.com/en-GB/enterprise

"Exclusive Enterprise Features: [...] SAML SSO via Atlassian Access"

Similarly, on the pricing page: https://trello.com/pricing - it lists "SAML SSO via Atlassian Access" only on the Enterprise column.

I'm sorry it's confusing. It's trying to say that SAML SSO is provided via Atlassian Access - but you don't need to buy Enterprise to buy Atlassian Access - it's a totally separate product (and does not require Enterprise). We are in transition right now (formerly SSO was provided by Enterprise) and so our final pricing page isn't quite where it needs to be.

It's not just about having the right certifications and controls. Any approved app has to be worked into the system, included in audits, reviewed periodically, and so on.

It becomes overhead for the teams involved in maintaining security and compliance. The cost of that overhead is likely several orders of magnitude higher than Trello’s relatively simple monthly fee.

If the whole company goes in on Trello, that’s one thing, but jumping through the hoops to get and maintain approval for a small number of people just isn’t worth it. That’s why the behemoth, everything-to-everyone tools dominate at heavily regulated companies.

Trello is fantastic on the personal end; I would love to have an AWS GovCloud offering. So many projects are tired of using over-complicated Jira, and GitHub/GitLab Issues are not enough... Alas, we are stuck using Wekan as a shoddy drop-in for now.

We were significantly more productive with Trello as our project management tool (and this was way before, when checklists were a major new feature) than with anything since. We've tried all the major ones.

Unfortunately Trello did not satisfy management because it didn’t easily give them metrics that serve little to no purpose other than changing the team’s incentives from encouraging a great product to meeting metric targets.

We have some things coming out this year in this area but in the meantime, check this out: https://bluecatreports.com/