by xvolter 1614 days ago
Actually, SSO is usually a requirement for even basic security audits. So SSO is essentially required for companies operating in specific sectors, regardless of their size. Healthcare and military contracts are two obvious ones, but any company dealing with sensitive information, going through SOC compliance, or similar will likely need to require SSO in order to enforce and audit access policies.

Besides, SSO is a major convenience. Assuming that SSO = large company is a flawed perspective, although I understand the reasoning you're conveying. I believe, however, that only very small companies (fewer than four people) can easily avoid SSO, because dealing with on/off-boarding employees is complicated, and SSO helps.

And I agree with OP in most regards: for most services, advanced security controls should be available. I think it is far more likely that most companies segregating their security features are not secure by design, so the functionality they're offering is poorly implemented, and by restricting access they limit the amount of support they need to provide for those features.


I don't know which security audits you're referring to. PCI doesn't require SSO for all SAAS apps. There's no standardized HIPAA/HITECH audit at all. SOC2 is probably the primary driver for SSO adoption, and even SOC2 doesn't actually require SSO (SSO is just the easiest way to meet a bunch of SOC2 security scope requirements). SOC2 is also the price-insensitivity threshold product managers are relying on for segmenting: most sane companies don't SOC2 until they're past product-market fit and are reliably closing sales (anybody who tells you to speculatively SOC2 before then is selling you something).

Again: it's obviously an inconvenience, or the sso.tax wouldn't be super annoying. I would of course prefer it if SSO were free everywhere.

This is another comment that makes insinuations about the competence of companies that tax SSO. But you can just look at the sso.tax site and see several companies with world-class security teams, so that argument doesn't work so well.

> There's no standardized HIPAA/HITECH audit at all.

HITRUST is the standardized audit for companies that care about HIPAA/HITECH, but your argument certainly holds there as well (everything you can say about SOC2 is just multiplied by an order of magnitude or two for HITRUST).

Do you really believe that these world-class security teams have the authority to influence this detail of the pricing models of their organizations, or the political naivete to fight this fight?

In some of these places, yes. It's a seller's market for this kind of talent, for whatever that's worth to you to know.

Ok, this is a _fascinating_ comment. (Thanks for the discussion as always, by the way!)

Is there a link between the market for security engineering talent and the leverage that the security engineers have within their organizations? Are you seeing anecdotes play out in the industry that inspire hope that the balance of power in business decisions is shifting toward the engineers?

I don't think engineers automatically agree with you that organizations should pay less money for the services they're working on, is the issue here. It feels like a lot of people on this thread are convinced that Very Annoying Things are, per se, moral catastrophes. But they aren't. Services cost what they cost.

A literally equivalent way to look at the SSO tax is "the no SSO rebate". As a security engineer, I'm not prepared to launch a moral crusade over SMBs who don't adopt SSO on all their random SAAS apps; meanwhile, we're SSO on everything, and it costs us extra money, and that's life in the National Foosball League.

I’m the commenter that’s not on a moral crusade, or even annoyed, I just question the business justification for gating SSO in this day and age :)