Look, you're talking about the exceptions. I'm talking about the rule. We are in violent agreement! A friendly kind of violent. :)
> flipping "min pw complexity"
I couldn't disagree more about this, but that's a particular sore point of mine. Otherwise, yeah, cloud services in general give you abilities like this. I mean, so does on-prem -- AD DS has the same (actually, far far far better) switch, but cloud is where the action is.
> selling to dev and IT teams about finally rotating a pw to something complex [...] just that easy of a fix.
Yes, and that isn't selling failure so much as security incompetence from the top. If you have a solid core, it's easy to throw switches when you see a blemish on the surface. If the core is rotten, that surface defect is not going away, even if you do catch it and even if you do fix it! The security team is only as good as the leadership.
Late, but I actually think more accurately we're talking about doing sec at >200 headcount companies, vs <200 or more likely <100 headcount companies.
I firmly agree with what you're saying, violently agree perhaps! But I think the scope of a smaller SaaS company means the sec team has an amount of technical and people agency that's sort of unheard of at the bulk of companies.
That's true, that's perhaps "exceptions," but a not unimportant amount of SaaS vendors are at that headcount/company profile.