undefined | Better HN

0 pointsjcims4y ago0 comments

I work for an enterprise-y and this is good advice. Feature-wise a decent audit log and single sign-on are table stakes. If you don't have those we keep looking, but those shouldn't impact your SME customer focus at all and are things that can be upcharged for (particularly the latter). Core value features available via API is also super important because we absolutely aren't going to be logging into your UI. Again something that can trigger differentiated pricing.

SOC2 is one of those non-functional requirements that can open up markets for you but you're going to pay for in time and energy. If enterprise-y is on your horizon I suggest at least understanding it so you don't make decisions that are counterproductive. But wait until you start to hear the music before you get up to dance with that one...it can be a pain.

0 comments

wizwit9994y ago

Yeah, I've seen this approach work a lot. I've found https://www.enterpriseready.io is a good resource to learn more about the features that enterprises care about.

I'm also working on a solution to make part of this easier, specifically audit logs (https://apptrail.com).

biztos4y ago

Sort of O/T but why the free tier for your service?

I would think everyone with a legitimate need for an audit trail is a paying customer, in fact would prefer to pay so there is a contract around the audit trail, and “free tier” would just be a drain on your support resources.

wizwit9994y ago

We offer a free trial to encourage developers to easily try out and integrate the product.

Our free tier can cover low TPS usecases. We offer a free tier because we believe audit logs are too hard to build & consume and would love to see even smaller companies adding audit logs to their products.

1 more reply

jcimsOP4y ago

This looks excellent! Nice work!

winrid4y ago

What questions do you ask around the audit log?

We audit a lot of things but it'd be a good idea to improve that if we can.

Thanks enterprise-y person. :)

jcimsOP4y ago

Basically? who, what, when, were, why and how.

AWS CloudTrail is far from perfect but it has been battle tested as much as any SaaS audit log out there.

Who: userIdentity.arn

What: requestParameters.*, responseElements.*

When: eventTime

Where: sourceIPAddress, sourceVpce, userAgent

Why: userIdentity.issuer/rolesession

How: eventName, eventSource

Baller move is to include internal ops actions in your log.

Main thing is to think of it as a product rather than an a feature. People don't want 10 different audit logs...everything should flow through it. With CloudTrail this extensibility comes through the requestParameters/responseElements sections. Most of the schema is fixed but in these sections its service-specific.

In terms of integration, push audit via webhook or various cloud event/message brokers is ideal, but at bare minimum the customer needs to be able to ingest that data wholesale to integrate with their security stack.

wizwit9994y ago

I would agree, CloudTrail is a pretty good example. The who what where when why is a good starting point. We're building audit logs as a service and our event format looks similar: https://apptrail.com/docs/applications/guide/event-format

j / k navigate · click thread line to collapse

0 pointsjcims4y ago0 comments

0 comments

wizwit9994y ago

Yeah, I've seen this approach work a lot. I've found https://www.enterpriseready.io is a good resource to learn more about the features that enterprises care about.

I'm also working on a solution to make part of this easier, specifically audit logs (https://apptrail.com).

biztos4y ago

Sort of O/T but why the free tier for your service?

wizwit9994y ago

We offer a free trial to encourage developers to easily try out and integrate the product.

1 more reply

jcimsOP4y ago

This looks excellent! Nice work!

winrid4y ago

What questions do you ask around the audit log?

We audit a lot of things but it'd be a good idea to improve that if we can.

Thanks enterprise-y person. :)