On a scale of One to Ten

“Mission critical” and “irreplaceable” are two different things.

OKTA, CRWD, DDOG, etc. are all to some extent mission critical in that if they go down or otherwise fail, the entire company could be crippled. One of our hospitals is part of the UHC network. They’re a big old corporation trying to run health care, and from my experience, those companies are terribly slow to adapt to new technologies and extremely cheap, so their IT departments are not exactly run by people at the top of their class. A few weeks ago they were hit by a ransomware attack that reached corporate servers and forced them to shut down the entire network. The hospitals were running with paper charting; even some phone lines were down, and imaging was very limited (unable to move images from the machines that acquire them). They’re still working to get things back up and running, and of course, their priority is to get billing up and running (including the process of charging people for food in the cafeteria) rather than fixing the patient care issues. (Kind of sarcastic here, but unfortunately not entirely.)

Their response was to blame the attackers and say there was no way to prevent this. But they run outdated antivirus software, probably without any monitoring of servers. I don’t know for sure but I bet they would have had a much better chance of surviving the attack if they were using some of the companies the board follows.

So these companies are certainly mission critical. But that doesn’t mean they can’t be replaced. Any identity management company could displace OKTA by just selling themselves to the corporation and saying they’ll handle the migration. In medical terms, a ventilator is mission critical but you can still migrate from one mission critical device to another. The process of that migration (data, user education, APIs, etc.) may be a hindrance, and the difficulty of such a process probably contributes to the perceived “stickiness”, but there aren’t many (or any?) services that are truly irreplaceable. It’s really one of the risks of SaaS versus companies selling goods; Nvidia sells a card and gets all that money upfront, while SaaS companies hopefully earn that money over the life of a customer, but are at risk of being displaced.

MongoDB is probably one of the hardest to displace once integrated, but it’s not impossible. Zoom might be one of the easiest from a technological standpoint. CrowdStrike and Datadog could actually be completely removed and the company will still run, albeit in a vulnerable state. Fastly going down would shut down the web site, although presumably, those enterprise customers would have a fallback plan for any extended outages.

As for Okta, I’ll admit I don’t know all of the technological capabilities. Its core business as a single sign-on and identity management service is really just a layer of abstraction. Is there some technical reason why Ping couldn’t just come and migrate all that information to their systems? Or companies could just enable users to log in to each system individually?
