Comment by jordanb
6 hours ago
Funny I used to work in an org with Okta.
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
Liability is the answer! If you build an auth system and it fails, it's your backside. If Okta fails, it's theirs. Enterprises buy products as much as they buy protection from problems.
They don't offer any meaningful reimbursement if they lose your data so what does that matter ?
Some of its about sharing the pain.
e.g. when Crowdstrike takes down Windows across the worlds or AWS east coast falls over everybody hurts. At that point the story is easy, you point at the broken thing, mumble something about improving resilience, and everyone just moves on.
Roll your own system and have it taken down / breached specifically? There's noone to point at. It's hard to make the narrative anything except it being your fault.
You have (the perception of having) someone to forward the claim to once you're hit by one where the damages are quantified in money like a life insurance or disability payout caused by the data loss?
It's about shifting the blame, not compensation. You're paying for "not my problem," not "it always works and I get reimbursed when it doesn't."