by pphysch 964 days ago
If a SaaS is approximately as unreliable and insecure as self-managed software, the only reason to still choose it would be for liability reasons. You get to legally blame someone else if things go wrong.

I'm curious whether companies have faced this hard reality and decided that buying liability insurance + doing things inhouse is more economical & better for business.

4 comments

I'm not a lawyer, but I don't think that hiring a SaaS provider shields you from any liability that you would otherwise be subject to. If 1Password were to suffer a massive data breach as a result of this, historical precedent says that there'd be no liability anyway, but if there were liability I can't see them getting out of it by blaming Okta.
Yah, this is why third party risk management is a thing. When I ran sec training, I always hammered home the point that a third party security issue is your issue.

Now, sure, technically there may be circumstances when you can technically/legally shift liability. But your customers don't care - they have the relationship with you. So the third parties' problems are your problems.

> If a SaaS is approximately as unreliable and insecure as self-managed software

IF that were true. No way would it be cost effective at my company to try to internally reimplement 1Password's functionality though. I also would not trust it to be more reliable or more secure than 1Password.

A base level of competency is expected as well. An SMB with a small staff that sells something non-tech still needs POS, payroll, and other systems and the ability to give employees access to those systems. “Outsourcing security” makes sense for businesses with zero IT staff.

For large companies, however, it seems like a liability, but I would hope an IdP would still be more competent, on average, than internal IT staff (obviously there are tech companies that have needed to deal with this for a long time with success). If a large business’s competency is not tech, there is some likelihood they can’t evaluate the robustness of their IT infrastructure.

> only reason to still choose it would be for liability reasons

That’s not a reason. Haven’t you read any terms of service and user agreements? The vendor never accepts responsibility.

I'm more referring to SLAs and the like.