Getting Started Guide: 6 Best Practices for SaaS Management
With a large share of the SaaS applications used in organizations adopted outside IT's purview (Shadow IT), a crucial question arises: How can I secure my organization's sensitive data while keeping up with the ever-changing SaaS landscape?
This question may feel overwhelming or even insurmountable, but that's why we've got you covered with a list of six best practices for SaaS Management to get you started:
- Have a System of Record for all your SaaS
- Classify application lifecycle
- Map users and usage
- Record contracts, licenses, and renewal dates
- Govern security and compliance
- Control SaaS costs and optimize spending
1. Have a System of Record for all your SaaS
Keeping a single record of all your SaaS applications is the foundation of SaaS management. You can't manage what you don't understand (not to mention what you don't even know about), so continuously updating and validating your record is crucial for reaching your SaaS management goals.
But just logging the names of your SaaS applications isn't enough. Include the important attributes of each application in your system of record, such as (but not limited to):
- SaaS application name
- Link to website
- System owner
- Legal and compliance info
Your system of record can live in a spreadsheet, a database, or a dedicated SaaS management tool. Keep in mind that a SaaS management tool will automate most of this work and provide more visibility into your tech stack, users, and app usage.
2. Classify Application Lifecycle
The SaaS application lifecycle is a concept you need to be aware of. The idea is that SaaS applications go through five stages of "life" while implemented in your organization. Understanding these stages gives you a strong foundation for managing your SaaS applications by enabling you to better classify and organize them.
Below is a commonly used SaaS application lifecycle:
- Mapped - a tool you know about, but that has not yet been classified to any of the below stages
- In review - in process of assessing and reviewing the tool, including price, functionality, and security compliance
- Managed - a sanctioned tool that has been reviewed and approved for internal use
- Optimized - a paid tool that has been reviewed for cost and utilization waste and updated accordingly
- Retired - a tool that must be removed from an organization's tech stack, and only after all user accounts have been revoked, any SSO integration disconnected, and company data exported or deleted as the contract requires
3. Map Users and Usage
Once you've completed your list of SaaS applications and their respective lifecycle stages, you should map the actual users of each application and the frequency of their usage.
Mapping application usage serves multiple goals:
- Access management
- Cost management
- Employee offboarding
Access management ensures that only relevant people have access to their respective systems. Not only does access management keep your data secure, but it also helps your organization meet privacy policies and compliance regulations.
For most SaaS tools, additional seats cost money. Keeping track of the registered users for each application and their usage rates empowers IT to deactivate costly, underutilized licenses, and even get rid of abandoned or duplicate applications altogether.
By minimizing waste, your company can reallocate funds to new, revenue-generating initiatives and tools.
Removing offboarded users promptly is not only good hygiene: the security and privacy frameworks most organizations are measured against (ISO 27001's access-control requirements, the logical-access criteria in SOC 2, and GDPR's Article 32 duty to apply appropriate technical measures) all expect access rights to be revoked when an employee leaves.
Since GDPR came into force in May 2018, an ex-employee who can still log in to a tool holding customer data is a reportable risk, not just an administrative loose end.
Mapping the users and usage of your organization's SaaS applications will help streamline the employee offboarding process, providing your IT department with a single source of truth as to which applications the offboarded user must be removed from.
But, here's the catch… without an automated SaaS management tool, your map of users and usage will inevitably become outdated and prone to human error. And, even the most diligent record keeper will experience difficulty manually tracking SaaS users (and their usage) for several reasons:
- SaaS applications don't always expose an API for user or usage data at all.
- There is no standard API for retrieving user data across SaaS applications; every vendor's export looks different.
- SaaS usage can be very dynamic and changes daily. The ease of signing up and logging off of SaaS tools creates a high application adoption and turnover rate. Meaning, the records you've logged today might already be out-of-date tomorrow.
If you're a small organization of up to 50 employees, you can probably overcome some of these hurdles by communicating with each user. But, as your company grows, not only will this task become harder, more time-consuming, and prone to costly human errors, it will eventually become impossible (imagine communicating with 100 or even 1,000 users!). That's why it's important to implement an automated SaaS Management tool to keep track of your organization's users, their usage, and access for you.
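Mapping users and usage comes down to one recurring job: pulling each application's user list into a common shape and comparing it with the people who should still have access. The following is an added example, not Torii's code: the HR directory and the per-app exports are constructed inline (real vendors each give you a different format, which is what the normalisation step absorbs), and the 90-day threshold for a stale seat is an assumption. It flags orphaned accounts (nobody in the directory owns them, so they belong to offboarded employees or unknown externals), stale paid seats, and applies the lifecycle rule above that an app is only safe to retire once no accounts remain.

```python
"""Reconcile SaaS user exports against the HR directory.

Added example (not Torii's code). The HR directory and the per-app
CSV exports are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime

STALE_AFTER_DAYS = 90  # assumption: a paid seat unused this long is reclaimable

# Constructed HR directory: employees who are still active today.
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com", "dana@example.com"}

# Constructed per-app exports. Real vendors differ in columns and naming;
# parse_export() is where each vendor's format gets normalised.
EXPORTS = {
    "Slack": """email,last_login,role
alice@example.com,2024-05-30,member
carol@example.com,2024-01-12,admin
dana@example.com,2024-06-01,member
""",
    "Figma": """email,last_login,role
bob@example.com,2023-11-02,editor
carol@example.com,2024-05-20,viewer
""",
}


@dataclass
class Finding:
    app: str
    email: str
    issue: str  # "orphaned" or "stale"
    detail: str


@dataclass
class AppReport:
    app: str
    seats: int
    findings: list[Finding] = field(default_factory=list)

    @property
    def safe_to_retire(self) -> bool:
        """Lifecycle rule: retire only once no accounts remain."""
        return self.seats == 0


def parse_export(raw: str) -> list[dict[str, str]]:
    """Normalise one vendor's CSV into rows keyed email/last_login/role."""
    return [{k.strip().lower(): v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(raw))]


def review_app(app: str, rows, active: set[str], today: date) -> AppReport:
    report = AppReport(app=app, seats=len(rows))
    for row in rows:
        email = row["email"].lower()
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        if email not in active:
            # Nobody in the directory owns this account: an offboarded
            # employee or an unknown external. Admin roles make it urgent.
            report.findings.append(Finding(
                app, email, "orphaned", f"not in HR directory; role={row['role']}"))
        elif (today - last_login).days > STALE_AFTER_DAYS:
            report.findings.append(Finding(
                app, email, "stale", f"last login {last_login}, seat reclaimable"))
    return report


def review_all(exports=EXPORTS, active=ACTIVE_EMPLOYEES, today=date(2024, 6, 3)):
    """Return {app name: AppReport} for every export."""
    return {app: review_app(app, parse_export(raw), active, today)
            for app, raw in exports.items()}


if __name__ == "__main__":
    for report in review_all().values():
        print(f"{report.app}: {report.seats} seats, retire-safe={report.safe_to_retire}")
        for f in report.findings:
            print(f"  [{f.issue}] {f.email}: {f.detail}")
```

The orphaned-admin case (carol still holds a Slack admin role) is exactly the offboarding gap the text describes; in practice the directory lookup would be fed from your HR system or identity provider rather than a hard-coded set, and the exports from each vendor's admin console or API where one exists.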
4. Record Contracts, Licenses, and Renewal Dates
One of the key factors of SaaS management is keeping all relevant documents of a SaaS application.
Looking for your NDA with a vendor? Searching your inbox for the contract renewal date? With all this data spread around in your ERP, inbox, and internal communication tools, it's very hard to find what you need, when you need it.
Storing all relevant documents for each of your SaaS vendors in one accessible place eliminates the frantic, time-consuming struggle to find them under pressure, as well as the real threat of losing them altogether.
Finally, make sure you have readily available access to your apps' renewal dates. And, if you haven't done so already, strongly consider implementing a system that notifies you of upcoming renewal dates to avoid costly mistakes.
5. Govern Security and Compliance
Using SaaS services creates a big challenge around security and compliance. How can you be sure if you are still compliant (and secure) when dozens of your organization's SaaS tools are handling sensitive data?
Compliance is no longer just a business best practice, but law. GDPR, in force since May 2018, makes security governance and compliance mandatory for any organization that processes the personal data of people in the EU, wherever that organization is based.
Here are three steps to take to keep your organization's security and compliance under control:
- Deploy a Single Sign On solution (SSO)
- Map your SaaS subprocessors and their compliance statements
- View the granted permission levels to the various SaaS tools
Deploy a Single Sign On solution (SSO)
Single Sign-On (SSO) is an authentication arrangement in which users sign in once to a central identity provider, which then vouches for them to connected applications through protocols such as SAML or OpenID Connect. Within the lifetime of that identity-provider session the user is not prompted again; the session does expire, and the identity provider can demand re-authentication or an additional factor for sensitive applications.
Many SaaS tools can be connected to an SSO solution. Connecting as many of them as possible to your SSO provider gives you one place to enforce MFA and session policy, one audit trail of logins, and one switch that revokes access everywhere when an account is disabled. Bear in mind that an app which still accepts a local username and password alongside SSO is only half covered: disable local login wherever the vendor allows it.
Map your SaaS subprocessors
Having an accurate, up-to-date list of all your SaaS vendors is necessary in order to understand which customer data you share with them, such as PII (personally identifiable information) or other sensitive data. In GDPR terms these vendors are your processors, and the third parties they rely on in turn (hosting, support, analytics) are their subprocessors, which most vendors publish as a list; both belong in your inventory. By verifying that each vendor's compliance statements (a signed DPA, a SOC 2 report, an ISO 27001 certificate) align with your company standards, you can be confident that you are compliant and your customers' data is handled as you expect.
View the granted permission levels
When your employees sign up for SaaS tools with a corporate identity, the provider often asks them to grant the tool access to that account. This is the OAuth 2.0 consent flow used when logging in with Google Workspace (formerly G Suite), Microsoft 365 (formerly Office 365), Slack and many others: the tool requests a set of scopes, and whatever the employee approves, the tool can do on their behalf.
Although common, giving SaaS tools access to employee accounts may expose your organization, and its sensitive data, to more security threats. While some SaaS tools only require a company email address, others might request sensitive information, like access to contacts, calendars, and even the ability to read and/or send emails on your behalf.
Only by keeping an up-to-date list of all granted permissions, and reviewing and revoking the ones you do not accept, can you ensure that your organization is secure (while also educating your employees about SaaS security best practices). Both Google Workspace and Microsoft Entra ID let administrators restrict which third-party apps users may grant access to, so unreviewed apps can be blocked up front rather than merely inventoried afterwards.
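The list of grants is only useful if it can be ranked, and the ranking follows from the scopes. Below is an added example, not Torii's code, that triages third-party OAuth grants by the permissions they carry. The grant records are constructed; the scope strings are real Google and Microsoft Graph scope names, but the risk tiers are this example's own judgement rather than any vendor's classification. It treats identity-only scopes (the "company email address" case) as low risk, mail, contacts, calendar and file scopes as the ones the text warns about, flags offline_access because it means the app holds a refresh token and can act while the user is away, and refuses to silently accept a scope it has not classified.

```python
"""Rank third-party OAuth grants by the scopes they were given.

Added example, not Torii's code. Grant records are constructed; scope
names are real Google / Microsoft Graph scopes, risk tiers are ours.
"""
from __future__ import annotations

from dataclasses import dataclass

# Scopes that only prove who the user is.
IDENTITY_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "User.Read",
}
# Scopes that read or act on mail and files on the user's behalf.
HIGH = {
    "https://mail.google.com/",                        # full Gmail access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/drive",           # every Drive file
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
}
MEDIUM = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.file",      # only files the app opened/created
    "Contacts.Read", "Calendars.Read",
}
# Not a data scope, but the app keeps a refresh token and works without the user present.
PERSISTENT = {"offline_access"}

# "unknown" outranks medium: an unclassified scope must be looked at, not assumed benign.
RANK = {"low": 0, "medium": 1, "unknown": 2, "high": 3}


@dataclass(frozen=True)
class Grant:
    app: str
    user: str
    scopes: frozenset[str]


def scope_tier(scope: str) -> str:
    if scope in HIGH:
        return "high"
    if scope in MEDIUM:
        return "medium"
    if scope in IDENTITY_ONLY or scope in PERSISTENT:
        return "low"
    return "unknown"


def assess(grant: Grant) -> dict:
    """Worst tier across the grant's scopes, plus what made it that bad."""
    tiers = {s: scope_tier(s) for s in grant.scopes}
    worst = max(tiers.values(), key=RANK.__getitem__)
    return {
        "app": grant.app,
        "user": grant.user,
        "risk": worst,
        "persistent": bool(grant.scopes & PERSISTENT),
        "flagged_scopes": sorted(s for s, t in tiers.items() if t in ("high", "unknown")),
    }


def review_queue(grants) -> list[dict]:
    """Grants an admin should look at, riskiest and most persistent first."""
    results = [assess(g) for g in grants]
    return sorted((r for r in results if r["risk"] != "low"),
                  key=lambda r: (-RANK[r["risk"]], not r["persistent"], r["app"]))


# Constructed grants, shaped like what a Workspace / Entra ID admin console lists.
SAMPLE_GRANTS = [
    Grant("Design Tool", "alice@example.com", frozenset({"openid", "email", "profile"})),
    Grant("Email Tracker", "bob@example.com", frozenset({
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/gmail.send"})),
    Grant("Scheduler", "dana@example.com",
          frozenset({"User.Read", "Calendars.Read", "offline_access"})),
    Grant("Mystery Plugin", "dana@example.com",
          frozenset({"openid", "https://www.googleapis.com/auth/spreadsheets"})),
]

if __name__ == "__main__":
    for r in review_queue(SAMPLE_GRANTS):
        print(f"{r['risk']:>7}  {r['app']:<15} {r['user']:<18} "
              f"persistent={r['persistent']} {r['flagged_scopes']}")
```

Design Tool never reaches the queue because it asked for nothing beyond identity; Email Tracker tops it because it can read and send the user's mail; Mystery Plugin sits above Scheduler despite Scheduler's persistent access, because a scope nobody has classified is a gap in the review itself.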
6. Control SaaS Costs and Optimize Spending
Keeping SaaS costs under control is challenging, especially when SaaS spend is spread across several business units. Plus, the various payment methods, such as credit cards, invoices, and wire transfers, further reduce SaaS spend visibility for IT. When visibility is low, the spend control is low, which quickly leads to wasted money.
That's why it's important for IT and other necessary departments to have access to an easily readable and up-to-date SaaS spend dashboard. Once the various business units have good visibility on cost, they can control it, save money, and reduce waste.
As SaaS usage continuously grows, effectively managing your organization's tech stack will become increasingly difficult, ultimately leading to waste, security exposures, compliance violations, and many manual processes.
Implementing SaaS management best practices will help eliminate these serious and costly oversights.
Torii is a SaaS management tool that covers all the critical aspects listed above, and many more.
Note: this article was originally posted August 2018 and has been updated to reflect the most recent data.
Uri Nativ has over 19 years of software engineering experience as both an engineer and a hands-on manager. He founded the Klarna Engineering center in Tel-Aviv, holding the position of VP Engineering & Site Manager. Uri has broad experience building B2B enterprise products from his days at VMware, EMC, nLayers, and Sanctum.