I am consistently surprised at how often AAA is left as something to be implemented after perceived "core functionality". Organizational rules should stipulate that MVP's must contain AAA, because I would argue anything that doesn't is not a "viable product".<p>I think it's partially that it usually involves bringing another team into the loop, which can expose your design before you're really ready to share it. I've caused that problem myself; Okta was the accepted SSO solution, but getting creds to auth with it involved talking to Security and going through a review which would take at least 2 weeks, and then a week of actually waiting for it to come through.<p>I really wish more companies using Okta allowed some kind of a mode that is analogous to LDAP allowing anonymous queries for username/password checks. I don't need something that pulls down all the user info, just something that says "given this username and password, is it valid for someone". Rate limit me to 1QPS to prevent brute forcing passwords, that's fine, at least I can PoC with actual auth.
<i>If</i> your architecture is well designed, no data goes over the wire unencrypted, and therefore these pcaps posed no security risk.<p><i>If</i> the system was well designed, it would have had <i>tests</i> that no data was sent unencrypted. For example, port scanners, entropy analysis of packet captures, etc.<p>Not allowing packet captures by any random Joe is just defense in depth at that point.