
But you said you want a company with expertise. Who has more expertise at building and running an SSO service than a company that's selling that service?

How do you have an SSO system without a centralized service? Whether you buy it as an outsourced SaaS service or run it yourself, it's still SaaS, but now you're on the hook for managing it and keeping it secure.




The parallel to conventional software infrastructure would be: Hire staff, or contract local expertise from reputable businesses, to build and maintain your software (probably using existing technologies rather than writing everything from scratch) on bare-metal or colo, rather than reaching for fully managed PaaS for your entire stack.

Or for comms, run a team- or company-wide chat server rather than relying on Slack/Teams/Discord.

Either you're missing my point (and maybe I didn't express myself super clearly), or you're pitching a false dichotomy.

> who has more expertise at building and running an SSO service than a company that's selling that service

OP illustrates well the consequence of that line of reasoning. I'm certain this is just the beginning as more too-big-to-fail vendors get compromised.

The cloud is just somebody else's computer, "Move fast and break things" means things get broken, etc.

Whenever we get subscription services for "smart security" involving cloud-connected cameras, AI-controlled locks and drones, would you also consider that as the one-size-fits-all over having security guards or contracting companies like Securitas or your local equivalent?

> now you're on the hook for managing it and keeping it secure

You always were. There is no free lunch.


> who has more expertise at building and running an SSO service than a company that's selling that service?

If Okta gets away with this (and the Equifax breach and subsequent outcome suggests they will) it proves that the market doesn't actually care about security, thus a company selling that service has little incentive to actually invest in security.



