No one should have to pay you to use your product securely

Ross Hosman
May 10, 2023

This is a topic near and dear to my heart as I’m big on access control and believe it is foundational to an amazing security program. Part of that is having a centralized identity provider (IdP) and putting all of your apps behind that provider so it becomes the chokepoint for access security. There you can enforce two-factor authentication across the stack (go FIDO/WebAuthn only!), location-based access, device assurance / endpoint requirements, behavioral detection and other controls to make sure that both the individual and their device meet your requirements.

This has been increasingly difficult to do as many executives, product managers and sales leaders have decided security is a feature and not table stakes in the usage of their product. Look at the pricing plans for most of your favorite SaaS tools and you’ll notice SAML/SSO/SCIM locked behind an enterprise tier with a “contact us” button. These plans add tens (sometimes hundreds) of thousands of dollars of cost just because a company wants to use a product in a secure manner while meeting its business obligations. This forces many companies to make a business decision between using a product securely and saving the money to meet another business need. This is well known by the business leaders who set these plans/tiers: they know security, compliance and privacy are forcing functions that will often require companies to upgrade to an enterprise plan even though they may not use any of the other features in that plan. What these leaders are telling us is “pay us to use our product in a manner that meets industry standard security, compliance and privacy obligations,” which should be unacceptable. Security, compliance and privacy are not features; they are foundational.

What is more frustrating is that we are seeing even more things that should be foundational to any SaaS product being put behind these higher-tiered plans. Core capabilities such as basic RBAC, activity logging, data residency (especially for European entities) and API access are being put behind more expensive enterprise plans precisely because they are forcing functions. Not only are these companies making their customers less secure, they are making them less efficient by requiring manual processes around access, account reviews and activity monitoring. No one should have to pay you extra to use your product in a secure manner.

With many lawmakers, agencies and bodies focused on new regulations/laws in this space, I wonder if we should ask them to include language mandating that SaaS vendors of a certain size build industry standard security, compliance and privacy requirements into the core of their platform, or face accountability for breaches that occur while customers use their products. I wouldn’t think we need to force companies to make it so their customers can be safe and secure while using their products, but then I remember it took new laws and regulations for all automakers to include seatbelts as standard in their products. Maybe we need a digital seatbelt law so we can all be a bit safer while using the products we need to run our businesses.
