Be enterprise-ready: reasons not to build enterprise features (boxyhq.com)
43 points by deepakprab 1424 days ago
7 comments

> There is no need to wait months to build Single Sign-On (SSO), Directory Sync, Audit Logs, Privacy Vault, and other boring stuff that enterprises ask for anymore, now you could plug them within hours

Having had to rip out Auth0 and similar products and replace them with in-house OAuth/SSO solutions that actually work and can be fully customized at several B2B SaaS companies, I find this claim very dubious.

Also, many enterprise clients will want SOC-2, in which case you can't really duct-tape things together. Everything has to be designed from the ground up with enterprise and security in mind.

That's a good point; at @BoxyHQ we experienced the same in the past and we are open source for this specific reason.

I was reading an article the other day about a person who had a disability that caused them to be highly disturbed by meaningless animations on the web.

I might have voted it up but those stupid memes drag this article down to a low level.

Fair point, thanks for bringing this up. Never thought of it as a distraction, but I will consider it for my next blog posts. But please bear with me; I used to be a professional clown (no joke), so I'm usually fooling around :)

Not disturbed, but god damn, a looping gif makes it hard to read the text around said gif (adhd if relevant, idk)

I've got this theory. If an animated GIF is available on Slack, it isn't worth using.

I saw an article on some Cosmo-esque sex talk site which did the same thing. It was a listicle with stupid GIFs throughout. The paragraphs were about 8 words wide on my screen, and each GIF was as if they just typed the list item title into a Giphy search.

It is a bad trend. Memes are one thing... Animated ones are a way of saying "Look at me, not the content".

EDIT for extra observation: I blocked them in uBlock, which was nice. However, Reader mode in Firefox has them! And you can't block element in reader mode. Perhaps "disable animated GIFs" needs to be a checkbox for that feature in Firefox.

I don’t think people are thinking about how they come across or what they are trying to communicate, they just do it because other people do it.

Even as someone who doesn't struggle with them, there are way too many for too little text here. It puts me off reading it and is also highly distracting when I'm trying to. I ended up just deleting them from the DOM; they add nothing.

I don't know why this is becoming a thing.

Maybe they're mimicking messaging apps like Telegram.

It's just another way people say "me too" online.

Can you share the article? I'm trying to be more literate in disability and this type of article tends to be useful.

Seems like these enterprise-in-a-box services are taking off and I like the role that they play in the ecosystem. That said there's a lot more to it than what Boxy offers – a lot of what enterprises need is about configurability and flexibility for wildly varying use-cases, as well as general compliance. It looks like Boxy (authors of this post) are building more logging and governance features soon which I think will be useful for them.

We wrote about some of the broader flexibility features on our blog as well – https://staysaasy.com/product/2022/02/19/enterprise-selling-...

I just read your blog post and found it interesting; thanks for sharing it. I'm one of the co-founders at BoxyHQ. I agree that there is more to it: enterprise requirements are always different, and some certifications could be standard, but if you double-click, each enterprise has its own complexities.

From our side, we have started with these features since we have seen they are common pain for early-stage startups, but in terms of our vision, we are focusing on developer-first security tools. And we believe that there are many opportunities to help close the gap between compliance and security.

Cool, glad you enjoyed it (I enjoyed yours as well).

The developer-first security angle is interesting – not sure if you include this in your categorization of security, but what I most frequently see SaaS companies / developers struggling with is data governance. For example, ensuring that they can comply with GDPR or CCPA deletion requests, store data in local geos, etc. A lot of this gets built by SaaS companies in-house.

The flexibility piece is different but comes up in sales more IME. Essentially every CRUD action in an enterprise SaaS app ought to be logged and accessible by API (which creates the same root problem of requiring a lot of developer time). But it manifests very differently in sales cycles from complying w/ GDPR:

* Regulatory compliance is often more of a box checking exercise for buyers (like SOC2)

* Having flexibility to log and manipulate everything via API is often a line-by-line evaluation of "can you meet X use case that we have for data integration" or "can you handle Y risk that we're worried about"

Good luck building Boxy!

Cool insights, thank you for taking the time to go deeper. I'll share it with the team to explore further. Good vibes!

Sure; see also https://WorkOS.com in this space.

IMO this is a pretty narrow definition of enterprise-ready, which is often actually more of a focus on being able to map a large organisation's process into your application, and also how it scales with the number of users (i.e. your app is made for 1000 people to use rather than 10, and scales from a process/organisational perspective, not just a technical perspective).

Small organisations are more willing to change processes to match your application than large companies, particularly if your process hasn’t been battle tested in other large organisations.

I understand why it's perceived as a narrow definition, and your point makes total sense. Usually we as startups think of our own product as a painkiller, but there is a bigger end-to-end problem for the enterprise, and our solution is just a piece of it.

We are initially focused on common undifferentiated enterprise features, but this is just the first step, we have broader plans for developer-first security tools.

This has been my experience, enterprises are routinely one-upping their security requirements.

It used to be Shared Controls Audits, now it's SOC2 Type 2, tomorrow it will be HiTrust or combinations of SOC2 and ISO controls.

This has been getting more arduous every year for the last 10 years, I don't see it reversing anytime soon.

As a startup, you will be out of business by the time you meet their requirements, or could have landed other deals.

Isn't this sort of necessary, given the miniature wave of ransomware/cybercrime that we've been going through? We've been saying that companies need to improve their security - isn't this it?

------------------------------------

This is somewhat tangential, but a really good "emotional transfer moment":

This is exactly how some people feel about government regulation - this emotion, right here - that it's arduous, stifles innovation, hurts startups trying to get off the ground with a shoestring budget, and just gets worse every year.

(now, of course, the thing that those people need to understand is that some amount of regulation is necessary. but, the thing that other people need to understand is that just because some amount of regulation is necessary, doesn't mean that you can be loose with it and allow it to metastasize - law needs to be written with the same care and eye toward the future as code, and then also like code, needs to be refactored to reduce "tech debt" and keep it sane. this, currently, does not happen, and virtually nobody advocates for it)

(ironically, we have way more leverage over what kinds of regulations the government puts in place than over the effective regulations like SOC2/HiTrust that are "enacted" on clients of larger companies. not sure what to do about that one...)

I'm not saying it's a bad thing actually.

I think it's similar to running a bank: if you cannot protect the value (money) then you are not really a good bank. The problem is people have been pretending they are not a bank and trying to skirt protecting their customers for the better part of 20 years, especially in SaaS.

Reading about SOC2 compliance, as a solo founder it would be impossible for me to get SOC2 compliance because there is just one of me right? Every time I read the requirements it's always: this person for X, this person for Y, this person for Z, which makes it seem like if you don't have a full team working on a project, it's impossible to get SOC2 compliance because there aren't enough people.

Yes, it's not practical, and by design. In effect, this is simply acknowledging the reality that if they want to ensure a certain process, then someone has to bear the overhead of monitoring and control; so if a company wants to buy some sensitive service from a solo founder or a smallish company then they have to take responsibility themselves, and they can delegate this duty to vendors only if the vendor actually has certified capability to do this high-overhead process.

It has some parallels to earlier initiatives like PCI DSS for payment cards, which effectively said "If you can't do this list of requirements, then you'll have to delegate the sensitive stuff to someone who can", ensuring that every mom&pop pizza shop doesn't have a full list of their customers' credit card numbers unencrypted on a publicly exposed database. It doesn't prevent all breaches, of course, but it did make them fewer.

It depends on the risk tolerance of your customer, but you would likely fail.

The reason being: What happens if you get struck by a bus? Your business dies overnight (or until the hosting bill doesn't get paid) and now your customers are screwed.

Many of the controls are about what happens when staff depart, both planned and unplanned. What is the power structure in the org? How do you prevent employees from damaging your business operations?

Resilience is important to any enterprise, and many audits now evaluate how hardened your business is.

Maybe a morbid startup idea of "I'll ensure business continuity if you die so you can pass SOC2" lol

This is, unfortunately, a legitimate reason not to make solo suppliers a part of your supply chain. Inability to implement things like mandatory vacations and separation of duties does mean only you need to be compromised to become a threat vector, and that is easier than compromising multiple people. It doesn't mean you can't run a solo business, but you should focus on selling to organizations that are not likely to become the target of a supply chain attack.

I wonder if you can hire a law firm or a consultancy to help with this. They would have people on staff who can be legally designated as your point-of-contact for a given role?

I was a bit disappointed to see yet another authentication service advertised. I'm still looking for a reasonable open source (or SaaS) framework for managing workflow / action assignment & tracking. It seems like everyone who builds one immediately tries to sell it with a front end rather than a component.

Would love to hear more about the "framework for managing workflow / action assignment & tracking" that you are looking for. Could you please elaborate a bit more?

Once you hit a certain scale it is probably inevitable that users will want to assign, receive, and manage actions (or events, or triggers) inside the product. "Workflow" or "work management" orchestrates all of the backend activity that ensures actions can be recorded, zip around to assignees, have statuses updated, comments entered, and so on.

There are a few tools out there like Elsa and Microsoft Rules Engine that stay in the backend, but are still fairly rudimentary in nature. So far as I know there's no "plotly" or similar A-tier framework that solves this problem for workflow. Most groups that have done it instantly monetize it with their own front end (Asana, Monday.com, etc.) which makes it difficult to justify the effort to integrate if you are going for a lighter weight application. Hope that helps clarify!

This sounds super interesting to me, particularly as an API-first or API-focused product to be used inside other products. I’ve been chewing on a related idea for managing aspects of data compliance. My email is my username at gmail if you’d be up for a conversation about this.

I'd love to join the conversation. My email is deepak at boxyhq.com

Indeed, thanks for sharing! We will take a look at it, sounds interesting.

A good resource for things to consider when building for Enterprise Ready is this:

https://www.enterpriseready.io/

It's not a product, just a list of things to consider. (not affiliated, saw it recently, and thought it was cool).

Absolutely, we mention this excellent resource in the blog. Also https://www.enterprisegrade.io/ to take a self-assessment of your enterprise readiness.