SaaS hypergrowth is appropriately termed as SaaS explosion, because now, SaaS solutions exist for every niche and company, from SMBs to large groups. And, SaaS cannot and never will be enough. They are present and used in excess, and for good reason.
But everything that is in excess needs management.
The need to manage these software-as-a-service applications is indispensable and luckily achievable.
What is SaaS Management?
SaaS Management is essentially a process of discovering, managing and governing all the SaaS applications present within an organisation’s technology portfolio and monitoring its apparent (purchases, licenses, renewals, etc.) and unapparent assets or attributes (usage, expenses, compliance, duplications and more.)
It would also have been called SaaS Management even if these SaaS records were maintained through a spreadsheet, but that management procedure would hardly be scalable. Hence the requirement for automation (discussed later in this guide).
When automated, SaaS Management exceeds its functionality because it is interrelated to or facilitates other important company objectives like business organisation, budget optimisation, innovation, technology democratisation and overall digital transformation.
SaaS apps - all that glitters ain’t always gold.
86% of the organisations said that they expect at least 80% of their software needs to be entirely met by SaaS after 2022. And most certainly, there's hardly a need to think twice, if it only takes 7 hours for an employee to implement new software.
Software-as-a-service(SaaS) applications have countless benefits:
Smooth deployment, integration and kick-off with the least possible men and their hours.
Ease of platform or feature upgrades, unlimited scalability, and affordable pricing.
Contractual flexibility, anytime-anywhere accessibility.
Innovative vertical and horizontal SaaS solutions.
But every path has its puddle and even SaaS is not flawless.
It is now impossible to go back on the ease, that the SaaS cloud-hosted subscription model has brought to organisations. The only way out is to identify and address the errors; or simply put - manage the SaaS apps.
SaaS Management: a pressing need?
But when all the companies end up putting a lot of focus on a transition to “cloud-first”, SaaS becomes a cloud silo. The bigger picture is that the cloud-first approach is incomplete without the ‘SaaS Management’ approach.
Why should organisations invest in SaaS Management?
The cost of managing SaaS is far less than the cost of implications that follow if left unmanaged. Research finds that an average of 30-40% of the purchases in the enterprise involve shadow IT spending.
Unmanaged SaaS presents these 4 massive challenges:
1. Conflicting autonomy
Read reviews, compare, place an order and voilà; “your SaaS order is out for delivery”.
SaaS is made to be easy to obtain, and as a result, SaaS apps have changed the way companies, especially employees, engage with IT resources. End-user spending in this area might exceed 480 billion USD in 2022.
According to Accenture, 87% of executives believe technology democratisation is critical in their ability to ignite innovation in their organisation.
SaaS is correctly encouraging freedom for technology choice from the end-user, taking away the burden off the shoulders of IT but this is also where things start going sideways.
In hindsight, the democratisation of technology is decentralising IT. And what is empowering the departments is also taking away control from the IT department. A decentralised IT is one where 400 SaaS applications would have 800 collaborators in sync.
Each SaaS application is found to have scattered collaborators in the following areas:
SaaS vendors or publishers.
Governance teams that organise or control the stack: IT, legal, procurement, and risk management departments.
Consulting firms that optimise and manage the stack.
Business departments or teams that buy and implement the SaaS apps.
It is one of the biggest challenges to organise and bring uniformity to a decentralised IT when it is a result of attractive and unavoidable SaaS solutions whose volume will increase nine-fold by 2030 as predicted by KPMG.
2. Poor visibility
The business departments take charge of their own needs while the IT can sit back. But, freedom is risky when its consequences have no owners.
Poor visibility of the tech stack is due to the following:
Long-lost SaaS apps: Companies keep acquiring tools as and when the need arises. With every problem solved is a SaaS app added to the basket. With this practice, organisations often end up with many apps, with little to no problems to solve. These unused apps exist in the background and the expenses keep piling up for their unrevoked licenses.
Duplicate and Overlapping SaaS apps: In the context of medium to large-sized enterprises, it is not uncommon to find functionally redundant SaaS apps - different apps serving the same purpose, being used by several (or same) departments. These overlaps often tend to go unnoticed. Also, the same apps with separate contracts used across different teams can be found as a result of poor visibility. Had these redundancies been visible from the get-go, there would’ve been a possibility to obtain discounts for larger consolidated contracts.
Excess and automatic renewals: Unlike the one-off procurement step for SaaS tools, the renewals of their packages are recurrent. While there are two options to renew licenses, manually and automatically, both create an equal degree of chaos without proper visibility of the deadlines. A missed deadline often culminates in another stretch of payment.
The anonymity of ownership and users: More often than not, data leaks and security breaches are traced back to these SaaS tools. In such scenarios, the situation goes haywire if there’s no one responsible for it. It is imperative to assign an owner to every SaaS procured, and there is a possibility that one app has many owners across different departments. But an owner is different from the users, who are always more than a handful and are not appropriately listed.
Offboarding: 20% of companies have had data breaches from ex-employees. There’s little to no process in place in most companies for offboarding employees from all the SaaS apps they previously had accessibility to. If ex-employees’ licences remain unrevoked, the company pays their bills until they offboard them completely. As previously discussed - user anonymity can unknowingly culminate into offboarding ambiguity. If you don’t know who used the app, you’ll never be able to guess that they were supposed to be offboarded before it’s too late.
Usage: Even if companies find out a way to manage unused, duplicate, overlapping and excess SaaS apps by mapping every detail manually through an excel sheet, the tangible ROI of these SaaS apps can only be proved through its utilisation or the level of adoption by the respective teams. Tracking usage also improves future purchase decisions.
3. Increased security risks
SaaS apps are not inherently dangerous but in most organisations, their presence is in hundreds and each of them acts as an exposure point for risks increased by a factor of 10.
“Many risks can be traced to these SaaS apps: they store personal and corporate data and constitute an ideal entry point for potential hackers, since IT departments are yet to find a way of detecting vulnerabilities in these apps.”
Managing the SaaS apps has been given little to no priority compared to the on-prem giants. IT Governance has mature practices and policies to administer the on-prem software because of the large financial risks that could result from their non-compliance, while the SaaS applications are largely ignored as their costs are insignificant comparatively. But the same cannot be said about the risks posed by these SaaS tools.
3 key security risks and concerns arising from unmanaged SaaS are:
3.1. Shadow IT - it all begins here
The infamous Shadow IT, more recently known as underground digitalisation, refers to the systems, software or applications that individuals in an organisation procure and use without the knowledge of the IT department.
It applies to the context of ‘SaaS’ even more so because they are the quickest known way to digitalise.
The size and scope of this problem are widely underestimated. Beamy has consistently discovered 3 times more shadow IT apps than the already-known SaaS apps in client organisations.
80% of employees have admitted to using SaaS apps at work without getting approval from IT. Autonomous end-users (or employees) find no reason to involve the IT department in the SaaS procurement procedure. Additionally, most product-led SaaS are self-service models or are increasingly becoming so.
Thus, ‘SaaS’ can rightly be interpreted as a double-edged sword - as it inspires freedom and autonomy but creates havoc when let loose. Consequently, this digital transformation sprouting inside the business departments inevitably leads to unmanageable SaaS sprawl and spending behind the scenes.
3.2. Data Exposure
A lot of enterprises’ data makes its way into the SaaS tools, and it can be compromised because of any of the following reasons:
Data storage: Where is the data stored, and who controls it?
Companies trust third-party SaaS providers to host their business information data, at times sensitive like client records. But the vendor’s data storage policy is hardly ever discussed while signing a service level agreement (SLA) with the provider.
Lack of information on the location of the company’s data and whether the company has control over it or not - is too big a risk to take when the consequences can cost $4.24 M (Global average cost of a data breach)
Misconfigurations: Who has access to SaaS security settings?
SaaS increasingly being owned by business departments for specific job-related tasks would also mean that they have access to the SaaS’ security settings without being trained to set up the configurations.
Access management: Who has access to your data?
Accessibility levels remain undefined on both, the customer and vendors’ sides and hence lack control over any sensitive data.
Data flow: The data flows and is shared with employees or even a third party, with access rights also changing. Changes, some of which will never be restored to the original, summon risks.
It’s extremely easy to get caught in any of the risk factors mentioned above because no two SaaS applications are the same and, so are their security environments.
In fact, they are complex with attractive integrations, and extensions. And most importantly, are super ambitious, with new updates and new features always popping up on their roadmaps.
And with more SaaS apps will come more gaps & loopholes in the security.
3.3. Regulatory compliance:
With this comes the need to protect it. Lawmakers around the world are increasingly demanding data protection abidance from the IT departments and are trying to regulate it through GDPR, SOC 2, external audits, security certifications and more.
The gap in the company’s understanding of its SaaS environment and the reality of the data being stored in a non-compliant way, point to the need for data protection laws. The General Data Protection Regulation (GDPR) is European personal information (name, IP, email, etc.) law regulating data stored both online and offline (in hindsight it applies to all the companies in the world with a global footprint.)
Fines of up to 50 million euros (roughly $21,338,800), or up to 4% of the company’s worldwide annual revenue from the preceding financial year, whichever is higher are imposed for GDPR violation.
4. Exponential effect
Over 30% of new SaaS tools are added to the technology portfolio, year over year, in Beamy's client organisations.
Even enterprise-level software companies are moving toward the SaaS model.
And accordingly, each SaaS problem identified today will have an exponential equivalent in the coming years if the SaaS environment remains unmanaged with time.
Additionally, by 2024, some 70% of IT departments will lack the relevant roles, skills, and tools to support SaaS-enabled digital transformation (Source: Gartner), hence adding to the disarray.
These forecasts, when compounded over the years of growth of digitalisation in companies, increasing headcount and complexity among different business departments and business units, will only result in an exponential increase in the risk factor compared to today.
Therefore, digital transformation is accelerating but not without speed bumps and potholes.
How do these challenges pose a threat to your organisation?
Without investing in SaaS Management today, digitalisation will only be rapid but vulnerable in the long term. Thereby making your organisation exposed to the following categories of risks:
Cybersecurity risks from incidents like data exposure (data loss and breaches) and cyber attacks.
Operational risks, as incidents, often lead to major business interruptions.
Regulatory risks arise from non-compliance with laws and lead to unexpected fines.
Reputational risks from losing years of earned reputation to a changed public opinion.
Financial risks from the unplanned spending and waste and the disturbing current and future finances (often losses)
Organisational risks from failing to scale the business objectives and implementing strategies correctly.
Role of SaaS Management
The challenges of the SaaS sprawl: autonomy, lack of visibility and security concerns cannot all be fixed with one stitch. It is a process that begins with understanding the aforementioned challenges and then setting forth a framework with clearly defined goals related to each challenge.
End goals can be decided by asking the following questions:
What are the must-have SaaS apps? Which apps can be done without?
How do we know the exact location of all the sensitive information in the SaaS stacks?
How do we know if our company’s SaaS stack is compliant with all concerning regulations?
How do we respond to security incidents? What is the procedure that should be followed?
There’s no one-stop solution or possibility to answer these and several other questions at once, as there’s a big gap between what IT think they know about the company’s SaaS environment and what the reality is.
The SaaS Management approach is what bridges this gap. It is about scanning the SaaS environment in real-time, automating this step and other required actions, and fitting like a glove when the IT is ready to set out a framework of regulations to back and industrialize the SaaS Management across the company.
SaaS Management Strategy
The holistic view of a SaaS Management strategy is a step-by-step process that encompasses identifying the problem and solving it, based on accurate data-driven insights of the tech ecosystem of the company.
Manage your SaaS in 5 steps:
Step 1: Discover
Comprehensive recognition of the problem should be the first step of any strategy. But in the case of SaaS Management, there exist problems one does not, and cannot know of.
While not all SaaS applications are risky, double the risk lies in not knowing which ones are.
SaaS applications are purchased and used across the organisation by different business units, departments or employees without proper sanctioning.
The recognition or discovery step is when the IT department initiates a review, or more formally, an audit across all the levels of the organisation for discovering and cataloguing sanctioned and unsanctioned (Shadow IT) SaaS applications.
The audit should ideally include the financial footprint from the SaaS purchases, employee navigation logs, SSO data and can also be extended to a screening of the personal devices, increasingly in use in hybrid working environments.
Step 2: Categorise
Categorisation should be the immediate step after gaining visibility of all the SaaS apps. The categorisation is maintaining an updatable system of record of who uses what.
Each SaaS app discovered, can be labelled under an application stakeholder(s) which can be a department or even an end-user.
It should also be possible to obtain specific and latest SaaS-related data and insights through categorising, like;
Total number of SaaS, number of overlapping or unused SaaS.
Assets like contracts, and renewal periods.
Usage and spending per application.
Degree of compliance and more related subjects.
Step 3: Systematise
Rationalising and standardising is the first step towards scalability.
After having enough visibility of all the SaaS apps and a record of other associated data, the IT managers should be able to set up processes to be able to standardise and industrialise all the activities related to a SaaS application lifecycle from its purchase to expiry within an enterprise.
Step 4: Automate
Sadly, a spreadsheet doesn’t fill itself and the strategies drawn remain unapplied without automation.
Automating the management of SaaS - is unifying all the different, but interdependent steps of the SaaS Management Strategy using a SaaS Management Platform (SMP).
Mammoth tasks, from the detection of all SaaS in an organisation to offboarding a user can be automated. Automation is coupled with real-time reporting with alerts and notifications.
For example, an application found to be non-compliant is pushed to the IT managers for efficient decision-making. Automation using an SMP tool saves time and helps the IT department develop and update policies to regulate the SaaS environment by continually monitoring the automated processes and data.
Step 5: Govern
The need for governance to secure the SaaS ecosystem of a company remains unrecognised unless a serious vulnerability shows up or has already turned into a major risk factor.
Discovering the SaaS does not minimise the risk they pose, hence the need for governance.
A governing framework should be set forth with defined guardrails and security protocols for compliance directives (mandates such as GDPR, SOC 2), risk assessments and risk response measures and disaster recovery (DR) strategies.
SaaS Management strategy is incomplete without a governance framework to formulate actions when a risk or vulnerability is detected, reduce the downtime and draw prevention measures for the future.
What is a SaaS Management Platform (SMP)?
What are the features of an ideal SaaS Management Platform?
SaaS discovery: The procurement of SaaS apps is an ongoing process and an SMP tool, once fully operational, allows ongoing discovery or detection of sanctioned or unsanctioned SaaS apps in the organisation and even across hybrid working environments.
Procurement process management: A well-defined pre-procurement and procurement method can guide the end-users to follow the same steps whenever they make a purchase. Reviewing the desired SaaS, cross-checking with the ones present in the SMP’s SaaS database to avoid redundancies, getting approval from the related managers using this SMP solution and being transparent about the purchase should be the steps that are followed for any purchase made across the organisation. This helps in creating benchmarks for best practices, thus allowing informed decision-making.
Onboarding and offboarding of SaaS application: The decision to deploy a certain SaaS should be followed by a regulated onboarding process of the app in the company’s tech stack. This decision will depend on a comparison with existing applications and more such attributes made available in the SMP dashboard. Dashboard filters can help compare relevant features to make a quick decision. When any such apps are no longer required, an offboarding plan should be in place and followed for complete and secure offboarding of the application.
SaaS renewal and vendor management: An overview of application renewal dates can help establish a process of reviewing, accepting or challenging a renewal using the tool to notify or start a discussion with all the concerned stakeholders. SMPs also help in vendor management, when the renewals are initiated by one stakeholder and the client-vendor relationship is managed by another stakeholder (e.g. the finance department.)
SaaS license management: SMP or SAM (SaaS Asset Management) tools also allow the management of licenses and their optimisation by avoiding overused or underused licenses compared to the application’s utilisation. Over-utilisation of licenses can lead to violation of license agreements and underuse leads to unoptimised spending.
SaaS spend management: While every step of SaaS Management is aimed at optimising SaaS spending, a standard procedure is needed to regulate the budget. SMP allows tracking the spending per application which can be optimised by having a clear picture of all the unused, overlapping, unimportant SaaS and their renewals, cancellations and possible consolidations.
SaaS access control: Development of internal policies is possible through SMPs by allowing access to the SaaS apps and their resources, only to the concerned department, teams or employees and keeping it so. Thereby ensuring control over who gets access to what.
User lifecycle management (ULM): A guide for new employees to have a view of all the applications they should be onboarded to and the amount of control they can have over them when they join the company. Similarly, a guide for offboarding an ex-employee as soon as possible to avoid risking any data leaks or breaches is an important feature of an SMP.
Real-time reporting: Important notifications, forms, alerts and insightful reports can be pushed back and forth internally to involve other stakeholders in the decision-making and externally to the vendors as and when needed.