It's Tax Day. Have you paid the SSO tax?
If you're a startup, you probably haven't. And that's okay — it's costly.
But it can also turn into a huge security risk, which can cost a lot more. And that's not what anyone wants.
In the early days, practically everyone's a super admin on everything. Engineers need to ship quickly to build the product and fix bugs for customers, so they end up with persistent access to production. Support needs access to customer accounts and data to help troubleshoot issues.
Teams grow, people leave, and accidents happen. And when people leave, they sometimes take their access with them. It's not until a periodic access review that you find a bunch of former teammates who still have access… a year later.
Working with larger companies and closing bigger deals brings a longer list of requirements and abbreviations to comply with. Whether it's SOC2, HIPAA, or PCI, they all require access reviews and a record of access requests with their history.
Some high-risk, in-scope vendors like AWS/GCP or Microsoft/Google Workspace need single sign-on (SSO) to enable multifactor authentication (MFA) and other important security features.
There are some systems and apps that might not need SSO initially, so reducing costs by rotating floating licenses might not be a priority at first. But as you grow, the SSO tax accumulates. For example, Salesforce licenses can cost up to $1000 per user per year. At 50 users you'll be spending $50k+ per year. At that point you'll start thinking about how to spend less on SaaS.
In the meantime, who has direct access to the production environment is a much bigger risk. And thankfully, there's a way to solve both problems at once.
Everyone having access to everything is the best for productivity but worst for security. Nobody having access is the most secure, but worst for productivity. The middle ground? Temporary access.
With temporary access, you can grant access to any system or app on-demand, and auto-revoke it after the granted duration. This way, you can get work done without compromising security.
Persistent access is forgotten in a matter of days or weeks. If requesting, granting, and revoking access is as easy as reauthenticating or using 2FA, then teams are able to eliminate the friction of elevating access. No more forgotten, forever access.
We believe so strongly in this approach that we've made it free for all startups and small teams. Our new free tier gives you access to the essential access control features like:
That's why we're making being secure-by-default free for all startups.