Yes, you can achieve that specific part with Keycloak, and you may end up owned in a different, but equally awful way: https://www.keycloak.org/2021/12/cve There's nothing wrong with Keycloak, and me pointing at this CVE isn't meant as a gotcha. The point is that just because you're doing it yourself doesn't mean you're going to have better protection. Doing this well is difficult.
Okta is a security company, and due to a well-organized, well-funded attacker, they were able to be breached. If a similar attacker is trying to breach you, you're likely going to get breached.
> If a similar attacker is trying to breach you, you're likely going to get breached.
I think the logic here is accepting that if an attacker is trying to breach you, you’re likely going to get breached. But, if an attacker is trying to breach someone else, you’re still safe(-ish). With a centralized service, you don’t have to be the target to feel the effect.
But are $YOU, as one of the tens of thousands of $YOU companies, going to be spearheaded in a dedicated, not automated way? Maybe, but I would say there is at least one or even two orders of magnitude difference with Okta or other well-known companies.
There's a cost efficiency point where this argument becomes valid.
At small company sizes, where a dedicated security team or an admin with sufficient expertise to do a proper setup is unaffordable, the risk of an Okta breach is lower than the risk of a breach of an automated custom setup. When you are big enough to deploy a self-hosted solution and maintain it for a reasonable cost, then yes, I would agree with you, a self-hosted setup may reduce risks. When does that happen? When your company has over 1000 people (to break even with your Okta spending) or when your revenue per employee is high enough to spend 200-300k€ every year just on security.
I would think that 200-300k€/yr is low for this. At that budget for security you've maybe got two or three people, a bunch of software, and you're still building out monitoring and alerting systems. You haven't even begun to shift left and you're nowhere near being able to influence the product development lifecycle. You almost certainly don't have a security operations group capable of running a critical service 24/7.
That said, I would think Keycloak would fall under IT in many orgs. So you need a security org mature enough to have trained IT to the point where they can successfully run something this sensitive and security can have confidence in everything around it.
At a guess, that's not before you have 15-20 people in the security org. Probably something like: alerting and incident response (i.e., ops) is 3-5, vendor management 2-3, governance/audit 2-3, security engineering 3-5, security architecture 2-3, management 2-3, privacy 1-2. Run something like this for a year or two and see how the business as a whole shapes up.
As you say, it's a cost question. At what point does running your own IdP become the most valuable thing your company could do with a given chunk of money? One of the perks of a vendor is that the contract comes with liability. How much is that worth to the company?
Makes sense. Basically you are talking about 1.5-3M in annual spending just on salaries. With average IT spending around 3% in retail and manufacturing companies, this will mean that they must have several billions of annual revenue, and security will still be a significant part of their IT budget.
For software companies this calculation will be completely different and the threshold can be lower.
If you use anything off the shelf like Keycloak, you're 1 CVE away from being automatically breached too, which is very similar to the situation you'd be in from Okta etc. being breached.
I agree, but it depends on the type of attack. Apparently this LAPSUS$ group uses corruptible employees/contractors to get in. As a small employer with a personal relationship to my employees I have an advantage that I might not want to throw away by delegating security to a company that doesn't have this advantage.
Okta delegated its operations, not its security; it just happens that their operations is your security.
Your company isn't delegating any operations away? Not even support? If they are, what level of access do those people have? Are the internal services they have access to as secure as your perimeter?
Even if they aren't, the attack can come through any internal employee, and your least security conscious person is your weakest link. Again, what do they have access to? Will they be able to use them to move laterally? Spear phishing from an internal employee to another employee is really, really effective.
Your Keycloak instance will be found and indexed via automated scans. It will then be attacked minutes after the next CVE in Keycloak, Java, Tomcat, or JBoss is disclosed. If you don’t have the 24x7 security team to handle that reality, a managed service is likely a better option.
It doesn’t matter if you’re a “needle” if Shodan has a list of all “needles” readily available to attack. Even script kiddies can write for loops.
Proxyshell and similar recent issues have shown “near-instant compromise” to be the current state of affairs. Most instances are attacked within hours or even days before a vulnerability is disclosed publicly and hits the news.