Unmanaged SaaS Creates Uncontrolled Costs and Increased Risk
Software-as-a-service (SaaS) is overtaking business software environments. Spend is projected to exceed $4.5 trillion in 2022, a 5.1% increase year over year, and SaaS tools are used by more businesses than ever before.
In its annual State of the Cloud report, Bessemer Venture Partners states that “the cloud is eating software” and projects that by 2025, more than half of all enterprise software environments will be cloud-based. The majority of these applications will be SaaS.
Over a two-year period, we saw the market cap of SaaS and cloud-based companies more than double. (Image courtesy of Bessemer Venture Partners)
But for many organizations, the growing use of SaaS-based business tools presents enormous challenges. Even though SaaS technology has existed for more than two decades, many organizations and teams struggle to manage this category of software effectively.
Specifically, businesses frequently struggle to define the total cost of their organization’s investment in SaaS and to mitigate SaaS-borne risks.
Based on the experience built from implementing SaaS management practices, Zylo has developed a SaaS Management Lifecycle that establishes an open framework and continuous process for identifying, optimizing, planning, and governing SaaS within a large organization. The Lifecycle creates the ability to immediately address controlling SaaS costs and risks while also providing a plan for future SaaS growth.
Why SaaS Management Matters Now
It’s impossible to account for what you cannot see, and rogue SaaS spending has grown to become a massive blind spot for many businesses due to several factors:
Shifts in technology spending to business units and employees
Software purchases on behalf of the business used to be managed exclusively by the IT team. Enterprise software was built to enable entire organizations and required technical expertise to deploy, as well as hardware-based assets such as servers to host the software.
In the early 2000s, software spending began to shift towards individual business units as software publishers began creating business-unit specific products. Examples include Salesforce creating software exclusively for sales teams, Adobe marketing tools to creative teams, and so on.
Based on an analysis of more than $21 billion of managed cloud spending, Zylo data shows that business units and employees now lead IT in SaaS spending and ownership. Business units control 66% of spend and own 40% of SaaS application inventory.
About one-fifth of employees now purchase SaaS using credit cards or expense reimbursement, accounting for 7% of spend but 37% of SaaS applications by count, creating an enormous challenge for any team tasked with managing SaaS security, compliance, and risk.
In the early 2010s, software spending underwent another shift – this time towards individual teams and employees. With the rise of product-led growth strategies leveraged by software makers such as Slack, Zoom, and Box, SaaS applications have increasingly become acquired not by IT or specific business units, but teams and employees.
The products then spread organically across the organization, often creating enterprise-wide deployments. This trend has also been called the end-user era of software because the end-user, aka the employee, now selects and acquires software, not IT and not specifically business units.
An unfortunate outcome of the end-user era is the corresponding growth of shadow IT: tools and applications that enter an organization’s IT environment without IT’s knowledge.
Shadow IT increases risk and weakens security: applications unknown to IT or IT security teams are never vetted for risks or vulnerabilities, which can lead to data breaches and other incidents that carry significant consequences and costs. According to an IBM-Ponemon Institute cybersecurity study, the average data breach in the United States costs more than $8 million.
A company’s compliance with regulations that protect personally identifiable information (PII), such as the European Union’s GDPR or the United States’ HIPAA, can also be put at risk due to shadow IT.
Finally, shadow IT creates unmanaged costs beyond its initial purchase price: free tools that convert to paid subscriptions, redundant purchases of the same application, organizational dysfunction caused by overlapping functionality or non-standard tools, and unexpected renewals all have real and often significant impacts on the organization’s bottom line.
How to Get Started Managing SaaS
As organizations increasingly recognize the urgency to control costs and manage risks associated with SaaS applications, a logical next step is to ask, how?
Every organization’s technology profile carries unique challenges; this is especially true with the use of SaaS. However, many organizations face the same problems:
- Poor management of SaaS licenses, leading to underutilization and unnecessary costs
- Lack of organization-wide visibility into how SaaS applications are being purchased and deployed, by whom, and what compliance and security exposures those applications carry
- Lack of spend or utilization data about SaaS across the organization
- Little to no planning for SaaS renewals, leading to reactive renewals and continuing with applications that may no longer be necessary
- Lack of monitoring or other processes to alert technology teams to new incoming applications that require vetting
- No framework for managing SaaS across an organization, including scenarios where teams or employees can practice self-management of owned applications
- No central system of record or inventory system to organize and display essential information about SaaS applications, licenses, costs, users, and other data
Based on these common themes and its experience helping hundreds of businesses incorporate SaaS management into their existing technology management processes, Zylo has developed a SaaS Management Lifecycle to enable SaaS management.
The Zylo SaaS Management Lifecycle
The SaaS Management Lifecycle represents an open, flexible framework that any company can immediately use to meet today’s needs and start managing SaaS applications more effectively.
Organizations can enter the Lifecycle at any phase, then work towards a more mature SaaS management process as short-term needs are met.
The objective of the SaaS Management Lifecycle is to create both immediate and long-term actions to control spending and reduce risk.
Identify every SaaS application within the organization
For many organizations, discovering the entire inventory is the first step in developing SaaS management processes. Companies consistently underestimate the number of applications operating within their environment; Zylo data shows that a large organization maintains about 600 applications on average.
Multiple methods exist for discovering and inventorying SaaS applications and their attributes:
Manual spreadsheet inventory
Technology-owning teams may survey their organization, requesting teams and employees to self-report their SaaS application uses. This approach can be problematic for larger organizations due to the length of time it takes to collect the information, the high likelihood of inaccuracies in reporting, and the lack of continuous monitoring needed to keep an up-to-date inventory.
Cloud access security broker (CASB)
CASBs are primarily security tools, intended to be installed on hardware, that monitor data flowing between the company and cloud-based data centers. However, if end-users access applications from a personal device, that traffic is never reported, which limits a CASB’s ability to discover all SaaS.
Web browser plugins
Browser plugins can help sniff out SaaS tools. These plugins are installed on company-managed devices and capture details about application usage based on browser activity. This approach is relatively affordable and straightforward to implement. However, it can be relatively easy to circumvent: if an end-user bypasses normal browsing by enabling private or incognito mode, usage data regarding SaaS applications goes uncollected, which can increase costs and risk.
Single sign-on (SSO)
SSO tools can significantly improve SaaS application management. With one set of login credentials, users can access a wide variety of applications. However, as a discovery tool, SSO is a partial solution at best, as only IT-managed applications are typically added to an SSO platform. The use of personal devices to access SaaS applications, or circumventing SSO with a manual sign-on, can prevent full discovery.
Finance-based discovery
Finance-based SaaS discovery involves analyzing financial records to uncover any SaaS purchases. By analyzing Accounts Payable and expense reimbursement records, SaaS spend by IT, lines of business (LOB), and individual end-users can be tracked and inventoried.
By following the money, an organization can identify all SaaS tools in use, regardless of how they were procured. This approach is also workable from a compliance perspective, as no PII is needed to uncover the applications. For some organizations, however, restrictions on access to financial data rule out finance-based discovery.
Build a system of record for SaaS
When completing a discovery process, it’s of crucial importance to record multiple characteristics for each application. This ensures that SaaS applications and their metrics can be compared apples to apples.
These data fields form a system of record that allows technology managers to make informed decisions about the ongoing use of each application, as well as to spot opportunities to reduce costs and optimize future spending.
A system of record can take the form of an actively managed spreadsheet or an automatically updated inventory provided by a SaaS management platform like Zylo.
Ideal SaaS application attributes to capture in a system of record:
- Total spend on each application
- AP vs. Expensed purchases
- Ownership (business unit, team, employee)
- Categorization, function
- Number of licenses and users
- Compliance status (if applicable)
- Security profile
- Contract terms
- Renewal date, notification period
Monitor for new SaaS applications
Once the discovery process has established the current state of SaaS inventory, it’s essential to monitor the environment for new incoming applications continually and update the system of record. Zylo data shows that an average large company may see as many as eight new SaaS applications enter their environments every 30 days. Without an ongoing process that discovers and monitors these new applications, the inventory becomes out of date quickly, and shadow IT may once again grow.
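The finance-based discovery, system-of-record, and new-application monitoring steps described above, as an added example that is not Zylo's code: constructed Accounts Payable and expense records are mapped to applications with a hypothetical vendor-pattern table, aggregated into rows carrying the spend, AP-vs-expensed, and ownership attributes, and then compared against a previously known inventory to flag applications that still need vetting.

```python
import re
from dataclasses import dataclass, field

# Constructed sample payment records: (channel, vendor memo, amount, owning team).
# "ap" = Accounts Payable invoice; "expense" = card purchase reimbursed to an employee.
PAYMENT_RECORDS = [
    ("ap", "Salesforce Inc - annual subscription", 120000.00, "Sales"),
    ("ap", "Zoom Video Communications", 18000.00, "IT"),
    ("expense", "Slack Technologies", 96.00, "Engineering"),
    ("expense", "SLACK TECHNOLOGIES", 96.00, "Marketing"),  # same app, second team
    ("expense", "Box.com monthly", 15.00, "Legal"),
    ("expense", "Uber trip to client", 42.00, "Sales"),  # not SaaS, must be ignored
]
# Hypothetical vendor-name patterns mapped to canonical application names.
KNOWN_SAAS_VENDORS = {"salesforce": "Salesforce", "zoom": "Zoom", "slack": "Slack", "box": "Box"}

@dataclass
class AppRecord:
    """One system-of-record row: spend split by purchase channel plus ownership."""
    name: str
    total_spend: float = 0.0
    ap_spend: float = 0.0        # IT/procurement channel
    expensed_spend: float = 0.0  # employee card purchases, the shadow-IT channel
    owners: set = field(default_factory=set)

def classify(memo):
    """Map a payment memo to a canonical SaaS app, or None if no vendor pattern matches."""
    lowered = memo.lower()
    for pattern, name in KNOWN_SAAS_VENDORS.items():
        if re.search(r"\b" + re.escape(pattern) + r"\b", lowered):
            return name
    return None

def build_system_of_record(records):
    """Aggregate AP and expense records into per-application inventory rows."""
    inventory = {}
    for channel, memo, amount, owner in records:
        app = classify(memo)
        if app is None:
            continue  # unrecognised vendor: leave for manual review, do not guess
        row = inventory.setdefault(app, AppRecord(app))
        row.total_spend += amount
        if channel == "ap":
            row.ap_spend += amount
        else:
            row.expensed_spend += amount
        row.owners.add(owner)
    return inventory

def find_new_apps(inventory, known_apps):
    """Monitoring step: apps seen in finance data but absent from the existing inventory."""
    return sorted(set(inventory) - set(known_apps))
```

Running `find_new_apps` on each new batch of finance records against the current system of record gives the recurring alert the text calls for, with the expensed-spend column pointing at the purchases that bypassed IT.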
Other factors also signal the need to monitor and update the SaaS application inventory continually. Employee attrition is a prime example of why managing SaaS on an active basis is a vital safeguard against risk.
When an employee leaves the organization, all of their access to SaaS-based applications should be terminated as well, to prevent potential data leaks or breaches. More than half of all data breaches are due to malicious or criminal attacks, according to IBM and the Ponemon Institute’s annual cybersecurity study, and such attacks have been known to be instigated by disgruntled former employees. Unsecured and unmonitored SaaS applications represent an open vulnerability to these types of attacks.
Read more about the SaaS Management Lifecycle, including how to Optimize, Plan, and Govern SaaS applications