undefined | Better HN

0 pointsmbesto4y ago0 comments

If you're small then the benefits of SSO aren't really there anyway. When you're a team of 10, what benefit is SSO really giving?

0 comments

5 comments · 2 top-level

sebmellen4y ago· 2 in thread

Unfortunately this is not true when you're trying to undergo a SOC 2 audit.

mbestoOP4y ago

First, there is no requirement by SOC2 that says you "must use SSO for all applications". SOC2 talks about "logical access controls". For a team of 10, you would simply have a policy that states "any time a new developer comes on, they have to use MFA to access GitHub and this is enforced because we check the box in GH, blah blah" and "any time a developer leaves the company, we revoke all access, blah blah".

Also, if you're going to spend $20k+ on SOC2 because your clients require it, then spending the $20k on GitHub shouldn't be a problem because your clients should be paying for it (i.e. your ACV should be high enough to cover these things).

sebmellen4y ago

Yes, but SSO makes writing those policies (across all apps) much simpler. I think it's too bad that SSO is so heavily taxed, because it's quite an elegant way to solve account provisioning.

Interesting site: https://sso.tax/

1 more reply

orphean4y ago· 1 in thread

I work in a small company and we have to have SSO for compliance reasons (SOC II, HIPAA, NIST, etc)

It’s dumb but without it trying to tick all the compliance boxes is much more annoying.

AtNightWeCode4y ago

You go through a review, and somebody asks who this guy xxx123 is that made this change, and somebody vaguely recalls it is some consultant that for some reason still have access to everything but quit two years ago. Love those meetings.

j / k navigate · click thread line to collapse