"Needs SSO integration" is one of the cleanest market seg signals available to a SAAS startup. Customers that really want SSO integration are overwhelmingly large enough to stop obsessing about SAAS seat costs. What's better, this extremely desirable cohort of customer prospects is increasingly mandated, as a cohort, to seek SSO integration.
A frequent cynical (and justified) question asked about new services appearing on Hacker News is "where do they make their money?". You know, "if you're not the customer, you're the product"? Well: this is one very straightforward way companies manage to have generous free or cheap tiers.
We're not going to charge extra for SSO integration; we're SAAS customers ourselves, and the sso.tax is, obviously, super annoying. And you can take this idea way too far --- as you would be if you charged extra for 2FA. But "dark pattern" doesn't mean "everything we find super annoying in business". I absolutely understand why SAAS companies tax SSO.
There are other ways to do segmentation, but they require actually understanding your customer and what they need in order to develop a value proposition.
People will complain about how hard it is to implement. And that's a thing. We as an industry are to blame for that. Tools like Rails, Django, etc. should be set up to support SSO/SAML/OIDC/RBAC/Audit Logs/MFA by default--rather than the default always being 'start with a user table and shit password management'--so that the cost of those implementations goes down, and so that the "best practices", such as they are, are implemented from the very beginning.
Not at least supporting MFA and audit logs, at this point, should be considered an ethical lapse.
Here's a list of things you could charge extra for:
- White-glove support.
- Higher quotas and usage.
- Dedicated capacity.
- Value-added services.
- Dedicated/isolated instances.
- Multi-instance configurations (likely only a feature requested by actual enterprises or resellers).
- On-prem installs.
- Access to greater customizability.
- Access to escrowed source code.
- White-labeling or branding.
There are so many other things you can charge an enterprise extra for. Safety, security, and peace-of-mind in using your service shouldn't ever be a question.
At some point in the future you will be faced with a dilemma. You will have a customer who can't get these free features to work with their existing systems. On one hand you won't want to give away the time of a senior engineer necessary to fix what is their problem. On the other hand, you won't want a potential large customer to walk away and tell people they don't use your product because "it doesn't work."
Charging customers for features is really charging them to support getting those features to work for them. It means you can afford to support customers and make them happy rather than having to say "The feature is there. Good luck!"
MFA should be the default. Because one day, Bob in sales is gonna click that link and enter his password that 850 other sites use.
2. I HAVE seen a dark pattern, particularly in “Freemium” software, where security primitives like encryption and access controls are upsells. If you expect me to store my data in your SaaS platform then I believe you owe it to me to provide baseline security controls. Put another way, it’s not freemium, it’s “not-fit-for-purpose trialware” if basic security controls aren’t provided.
#1 - From a builder's perspective, you've got to figure out what features (security or otherwise) cost you extra and charge accordingly. In the old days SAML was one of those features that was legitimately expensive to implement. Now keep in mind that not everything that costs you extra is something people will necessarily want to pay for.
#2 - From the sales perspective, what are the features that people are willing to pay more for? SSO is something that is more and more frequently a business requirement. You want Slack? Require SSO? Well, you're paying for Business+ at $12.50/mo/user rather than Pro at $6.67/mo/user... even if you care about nothing else that comes in the Business+ plan.
As a Security/IT person, I absolutely hate that features I consider to be "required" (like SSO and APIs) are extra costs when we're the customers. The best I (and others like us) can do is convince our businesses those items should be part of the default feature set and not charged extra for.
I also don't agree it's a dark pattern. Implementing and storing audit logs takes up time and space, so it makes sense to charge more for them. Having your engineers spend time on meta-features like SSO rather than the next product roadmap feature has an opportunity cost so you should get some cash out of it to balance things.
I'm just thinking of a standard B2B SaaS context. If you're in the security field selling to security professionals then maybe these features are table stakes?
Not everyone is using AWS Cognito or Auth0, and thus has to add SSO on to an existing authentication method.
Even if you are using Cognito or Auth0, it's still annoying to implement in their systems, and THEY charge you additionally for it as well.
Add on to that that it's a clear segment of customers, and it really makes sense to charge more for it.
Respected infosec podcaster Patrick Gray had a show recently about exactly this topic:
In your model, the enterprise version is a marginal cost. Customers get 3/4 of the product for free, and decide whether they want to pay for the other quarter. A lot of people won't, or they'll write a batch script to replicate the single feature they want, or etc.
In the "restricted security features" model, customers either get 0 features because security won't let them deploy it, or they get all the features.
It also encourages startups to use the product since it's free... for now. A 3 person startup doesn't really need SSO or RBAC. They eventually will, as they grow, and they'll already be locked in.
Admittedly, it's easier to segment plans based on such top-level features as you listed (not required by everyone but required mostly by Enterprise customers) than having matrices of features that make usability of the software a nightmare just because you're not on a specific plan. Developing and deploying software with feature flags that change the workflow can be a nightmare. Not to mention segmented documentation that's impossible for your customers to follow / use.
That said, I know you're coming from an idealistic point of view, BUT be careful providing some features that require high touch to freeloaders - assuming you'll have a free tier. The question to ask yourself is: can a multimillion- or even billion-dollar company use our free tier comfortably? If the answer is yes, then you'll struggle making money.
Many companies take an open core approach but license some features (maybe security related, management, scalability, etc.) with proprietary licenses and charge for them.
Part of this is because traditional open source licenses tend to assume all time and resources are donated freely. It’s hard to sustain one or more people in terms of money, and some run the risk of another company reusing your source in their product.
I think some viable alternate approaches to earn money through open source would go a long way towards avoiding open core approaches. But until that happens companies will do what they need to in order to keep revenue flowing.
For example, your healthcare software incorrectly exposes Patient Health Information (PHI) due to a bug in your RBAC. You don't just ship a patch that fixes this, you are liable for the PHI exposure up to $150k per PHI exposure...
How do you prevent this? You charge more for these features and use that money to purchase liability insurance.
SSO is the one feature a SaaS company can use to force people that can afford it up to higher tiers when their usage remains low but the value to the customer is high enough to justify the tier increase because of a mandated SSO requirement, etc.
I agree it's silly binding features to tiers, for example having to buy an Enterprise license to get MFA is ridiculous (looking at you _every_ Oracle competitor). You _should_ be able to pay a per-seat, per-resource or flat fee to get each additional feature. Security isn't for Enterprise only.
I'll give you some fair examples:
Audit logs: Every action every user makes on the platform, usually for a fixed period - often between 2 and 7 years. For thousands of users, or in publicly shared websites or end-user-customer-facing websites, this can be hundreds or millions of extra users all generating hundreds and thousands of logs each per year. And if we add any more features to the platform? The problem compounds, and it gets more expensive to support the additional resources. We also have to integrate with every SIEM or partner with a third party to expose the functionality, none of which use the cheap "bulk data export" option but incrementally export logs continuously using shitty CRUD APIs we developed for the front-end. God help us all if I chose AWS and I don't get to meet with someone who reports to Bezos to negotiate a deal. I'm gonna get screwed.
SSO/SAML integration: For a subset of our customers, say 5%, we have to allow and cater for the design of major IdPs. Even billion-dollar companies like Slack can't cater for the design of Google Groups and integrate with them properly, so how the fuck am I with my mere 100-person engineering team supposed to cater for each and every IdP and the weird implementation they require? Great, now I've got to retrofit my architecture to support design choices made by companies who only care about authentication and RBAC of a very generic company structure. They don't need to cater for everyone, but now I do?
MFA/2FA: Now I have to add support for either email or SMS because "hardware tokens are too hard" or "we need a backup option for if I lose my phone", and a whole 24/7 operational process to support it because every now and then that shitty cell tower in Turkey or New Zealand goes down and that one, critical SVP at their holiday home can't login. Great, my support staffing costs have gone up exponentially, and it's only to cater the 2% of dinosaur executives that can't figure out how a fucking Yubikey works without calling me for support like I'm their fucking grandkid.
None of this is easy. It's all hard because tech's expensive, process is expensive and most importantly people are expensive.
Anyone who questions Enterprise SaaS software costs in 2022 doesn't understand the end-to-end cost of running and supporting Enterprise software. There's no such thing as a free meal. Just because you're used to paying $2/mo for your shitty personal blog which integrates with all the modern security features you've come to expect at an Enterprise doesn't mean it'll translate to your custom Enterprise CRM or your wacko Enterprise integration.
security should be the default, no matter if you are wealthy or not
otherwise you create the recipe for a shitty civilization, which you already have, too bad