Quick Guide: SaaS Management 101
It is no longer uncommon for employees in an organization to use several dozen SaaS applications; many organizations easily reach three to four hundred. IT is not always aware of all of them, but their use is widespread throughout the company.
These SaaS applications are used across all departments. Sales, Marketing, R&D, HR, Project, and Product teams all rely on them, for everything from daily operations (Salesforce, Marketo, GitHub) to productivity tools such as Trello, Box, and Lucidchart.
This explosion in SaaS tool offerings, as well as in their adoption by employees and companies, imposes new challenges for IT. How will you manage all those tools? What steps need to be taken? What available tools can help you gain visibility into (and exercise control over) all the SaaS applications in use?
To manage your SaaS, follow these six best practices:
- Have a system of record for all your SaaS
- Classify application lifecycle
- Map users and usage
- Record contracts, licenses, and renewal dates
- Govern security and compliance
- Control SaaS cost and optimize spending
1. Have a System of Record for All Your SaaS
A single system of record for all your SaaS is the foundation of SaaS management. You can't manage what you don't know about, so your SaaS system of record must be complete and up to date.
Your SaaS system of record can hold a lot of information about each application, but at a minimum it should contain these attributes, per application:
- SaaS application name
- Link to website
- System owner
- Legal and compliance info
The system of record can live in a spreadsheet, a database, or a dedicated SaaS management tool.
2. Classify Application Lifecycle
Every SaaS application goes through several lifecycle states while in use in your organization. Understanding these states gives you a strong foundation for managing your SaaS applications and helps you classify and organize them.
Organizations may each define their SaaS application lifecycle differently according to their needs. Here, we propose a simple lifecycle classification that is widely used in many organizations:
- Mapped - a tool you know about, but that has not yet been classified to any of the states
- In review - in process of assessing and reviewing the tool, including price, functionality, and security compliance
- Managed - a sanctioned tool that has been reviewed and approved for internal use
- Optimization - a paid tool subjected to the optimization process to find opportunities to reduce costs
- Retire - a tool that must be closed and all user accounts revoked
For more detailed information about the SaaS application lifecycle concept, refer to this article.
3. Map Users and Usage
Once the list of applications and their lifecycle state has been established, you should map the actual users of each SaaS application and the frequency of their usage.
Mapping application usage serves multiple goals:
- Access management
- Cost management
- Employee offboarding
Access management ensures that only the relevant people have access to the systems they need, which keeps your data secure and helps you meet privacy policies and compliance regulations.
For most SaaS tools, additional seats cost money. Keeping track of the registered users who actually use the application enables good cost control over SaaS applications. When you don’t understand the real SaaS usage, money is wasted on underutilized licenses or duplicate tools.
Only with an accurate mapping of each application's users can you remove access once it is no longer needed, most commonly when employees leave the company. Security and compliance regulations mandate assurance that offboarded users no longer have access to SaaS applications after they leave. This is even more significant now that the GDPR is in force.
This is where the situation becomes hard to manage without a SaaS management tool. Keeping track of the actual users of each application is difficult for several reasons:
- SaaS applications do not always expose a usage API.
- There is no API standard for retrieving user data across SaaS applications; each vendor's export has its own shape.
- SaaS usage is dynamic and changes daily. Signing up for (and abandoning) SaaS tools is so easy that even an accurate snapshot of today's state may be out of date tomorrow.
A small company of up to 50 employees can probably keep this under control: you know every employee and can resolve the above issues by simply asking. As the company grows, the task becomes harder, even impossible, without a system that keeps track of all users and their access to SaaS tools.
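The reconciliation this section describes can be automated once every vendor export is normalised into one shape. The following Python script is an added example, not Torii's code: it assumes three constructed exports (a CRM, a chat tool and a wiki, each with its own field names, the wiki with no usage data at all) and a constructed HR roster, and flags accounts that belong to nobody on the roster, accounts unused for 90 days, and accounts for which the vendor gives no usage signal. The app names, field names, addresses and dates are all invented.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample input: the HR roster of currently active employees.
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed sample input: one user export per SaaS app. Field names differ
# per vendor, and the "wiki" export carries no usage data at all.
EXPORTS = {
    "crm": [
        {"email": "Alice@Example.com", "last_login": "2024-05-01"},
        {"email": "dave@example.com", "last_login": "2024-01-15"},
    ],
    "chat": [
        {"user": "bob@example.com", "lastActive": "2024-04-28"},
        {"user": "eve@example.com", "lastActive": None},
    ],
    "wiki": [
        {"address": "carol@example.com"},
        {"address": "alice@example.com"},
    ],
}

# Date on which the review is run (constructed, so the dormancy check is reproducible).
REPORT_DATE = date(2024, 5, 15)


@dataclass(frozen=True)
class Account:
    app: str
    email: str
    last_used: Optional[date]  # None when the vendor exposes no usage data


# One adapter per app: there is no API standard, so each export needs its own
# mapping from vendor field names to (email, last-used ISO date or None).
ADAPTERS: Dict[str, Callable[[dict], Tuple[str, Optional[str]]]] = {
    "crm": lambda row: (row["email"], row.get("last_login")),
    "chat": lambda row: (row["user"], row.get("lastActive")),
    "wiki": lambda row: (row["address"], None),
}


def normalise(exports: Dict[str, List[dict]]) -> List[Account]:
    """Turn every vendor export into a flat list of Account records."""
    accounts = []
    for app, rows in exports.items():
        adapt = ADAPTERS[app]
        for row in rows:
            email, last = adapt(row)
            # Lower-case and strip so the same person matches across apps.
            email = email.strip().lower()
            last_used = date.fromisoformat(last) if last else None
            accounts.append(Account(app, email, last_used))
    return accounts


def find_orphans(accounts: List[Account], roster: set) -> List[Account]:
    """Accounts owned by nobody on the active roster: revoke them at offboarding."""
    return [a for a in accounts if a.email not in roster]


def find_dormant(accounts: List[Account], today: date, days: int = 90) -> List[Account]:
    """Accounts with a known last use older than `days`: candidates for reclaiming the seat."""
    cutoff = today - timedelta(days=days)
    return [a for a in accounts if a.last_used is not None and a.last_used < cutoff]


def find_unknown_usage(accounts: List[Account]) -> List[Account]:
    """Accounts whose app gives no usage signal: need a manual check with the system owner."""
    return [a for a in accounts if a.last_used is None]


def review(exports, roster, today):
    """Run the three checks and return sorted (app, email) pairs for each finding."""
    accounts = normalise(exports)

    def pairs(found):
        return sorted((a.app, a.email) for a in found)

    return {
        "orphaned": pairs(find_orphans(accounts, roster)),
        "dormant": pairs(find_dormant(accounts, today)),
        "unknown_usage": pairs(find_unknown_usage(accounts)),
    }


if __name__ == "__main__":
    for finding, hits in review(EXPORTS, ACTIVE_EMPLOYEES, REPORT_DATE).items():
        print(f"{finding}: {hits}")
```

Orphaned accounts go straight to the Retire action from the lifecycle list, dormant accounts feed the Optimization step, and "unknown usage" is the honest answer for vendors that expose no usage API: those accounts need the system owner to confirm by hand, which is exactly the manual work a SaaS management tool tries to take away.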
4. Record Contracts, Licenses, and Renewal Dates
Keeping all relevant documents of a SaaS application is a good practice as it will help you save both time and money.
Looking for your NDA with a vendor? Searching your inbox for the contract renewal date? With all this data spread around in your ERP, inbox, and internal communication tools, it is very hard to find what you need, when you need it.
Storing a SaaS vendor's documents alongside its entry in your SaaS system of record is the logical thing to do, and ensures that all relevant documents and information are kept where you expect to find them.
Recording renewal dates, together with a system that notifies you ahead of time when a renewal is coming, completes your system of record.
5. Govern Security and Compliance
Using SaaS services creates a big challenge around security and compliance. How can you be sure if you are still compliant when using dozens of SaaS tools, all handling sensitive data?
How can you guarantee your data security when the data is spread among all those tools?
The GDPR makes the above not only good business practice but a legal requirement if you process personal data of people in the EU, for example because you have European customers.
These three actions must be taken to keep security and compliance under control:
- Deploy a Single Sign-On (SSO) solution
- Map your SaaS subprocessors and their compliance statements
- Review the permissions granted to the various SaaS tools
Deploy a Single Sign-On (SSO) solution
SAML 2.0 is the common standard today for authenticating to multiple web applications with one set of login credentials.
Many SaaS tools let you set up account access through SSO. Connecting as many SaaS applications as possible to your SSO provider gives you better security and granular control over application access. For each connected application, also disable its own username/password login where the vendor allows it; otherwise removing a user from the identity provider still leaves a local account they can sign in with.
For more information and tips about implementing an SSO solution, check out this guide.
SaaS subprocessors mapping
An accurate and up-to-date list of all the SaaS suppliers that process data on your behalf (your subprocessors) is necessary in order to understand which customer data you share with each of them, including whether it contains PII (personally identifiable information) or other sensitive data. By verifying that each vendor's compliance statements align with your company's standards, you can show that your processing chain meets your obligations and that your customers' data is handled safely.
Review the granted permission levels
When employees sign up for SaaS tools, the provider may ask them to grant the tool access to their existing account. This is very common when employees sign up or log in with the OAuth 2.0 protocol, which is widely used by G Suite, Office 365, Slack, and others.
Those permissions can expose your organization to more risk than you may be aware of. While some SaaS tools request only the employee's email address, others request sensitive access such as contacts, calendar, or even the ability to read or send email on the employee's behalf. Only with an up-to-date list of all granted permissions can you keep your organization secure (and use that knowledge to educate employees about SaaS security best practices).
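To make the permission review concrete, here is an added Python example (not Torii's code) that classifies OAuth grants by the access they confer. The scope strings are real Google OAuth 2.0 scopes; the risk tier assigned to each scope is an assumption of this example and should follow your own policy; the grant records, user addresses and app names are constructed sample data, and the scope under example.com is a deliberately fake one used to show how an unrecognised scope is handled.

```python
from typing import Dict, List, Tuple

# Risk tier per OAuth scope. The scope strings are real Google OAuth 2.0 scopes;
# the tiers are an assumption of this example and should follow your own policy.
SCOPE_RISK: Dict[str, str] = {
    "openid": "low",
    "email": "low",
    "profile": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/contacts.readonly": "medium",
    "https://www.googleapis.com/auth/calendar.readonly": "medium",
    "https://www.googleapis.com/auth/calendar": "high",
    "https://www.googleapis.com/auth/drive.readonly": "high",
    "https://www.googleapis.com/auth/gmail.readonly": "high",
    "https://www.googleapis.com/auth/gmail.send": "high",
    "https://www.googleapis.com/auth/gmail.modify": "high",
    "https://www.googleapis.com/auth/drive": "critical",
    "https://mail.google.com/": "critical",  # full read/send/delete access to the mailbox
}
RANK = ["low", "medium", "high", "critical"]  # ascending severity

# Constructed sample grants, in the shape you would build from an identity
# provider's third-party app access export. Apps and users are invented.
GRANTS: List[dict] = [
    {"user": "alice@example.com", "app": "diagram-tool",
     "scopes": ["openid", "email", "profile"]},
    {"user": "bob@example.com", "app": "mail-merge-addon",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"user": "carol@example.com", "app": "mail-merge-addon",
     "scopes": ["openid", "email", "https://mail.google.com/"]},
    {"user": "dave@example.com", "app": "scheduler-bot",
     "scopes": ["email",
                "https://www.googleapis.com/auth/calendar",
                "https://example.com/auth/fake-scope"]},  # invented, unknown to the table
]


def grant_risk(scopes: List[str]) -> Tuple[str, List[str]]:
    """Worst tier among the known scopes, plus the scopes the table does not know."""
    known = [SCOPE_RISK[s] for s in scopes if s in SCOPE_RISK]
    unknown = [s for s in scopes if s not in SCOPE_RISK]
    worst = max(known, key=RANK.index) if known else "low"
    return worst, unknown


def summarize(grants: List[dict]) -> Dict[str, dict]:
    """Per app: worst risk seen, distinct users, high-or-worse scopes, unknown scopes."""
    summary: Dict[str, dict] = {}
    for grant in grants:
        info = summary.setdefault(grant["app"], {
            "risk": "low", "users": set(), "sensitive_scopes": set(), "unknown_scopes": set(),
        })
        worst, unknown = grant_risk(grant["scopes"])
        if RANK.index(worst) > RANK.index(info["risk"]):
            info["risk"] = worst
        info["users"].add(grant["user"])
        info["sensitive_scopes"].update(
            s for s in grant["scopes"]
            if s in SCOPE_RISK and RANK.index(SCOPE_RISK[s]) >= RANK.index("high"))
        info["unknown_scopes"].update(unknown)
    return summary


def needs_review(summary: Dict[str, dict], threshold: str = "high") -> List[str]:
    """Apps to take to security review: at or above the threshold, or carrying a scope we cannot classify."""
    return sorted(app for app, info in summary.items()
                  if RANK.index(info["risk"]) >= RANK.index(threshold) or info["unknown_scopes"])


if __name__ == "__main__":
    report = summarize(GRANTS)
    for app in needs_review(report):
        info = report[app]
        print(f"{app}: risk={info['risk']} users={len(info['users'])} "
              f"sensitive={sorted(info['sensitive_scopes'])} unknown={sorted(info['unknown_scopes'])}")
```

An unknown scope is surfaced rather than silently scored low, because a scope the table has never seen is exactly the grant you want a human to look at. The user count per app tells you how much of the workforce a single compromised integration would expose, which is the number that decides whether the app goes to In review or straight to Retire.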
6. Control SaaS Cost
Keeping SaaS cost under control is a challenging task when SaaS spend is spread among different business units. The various payment methods, such as credit cards, invoices, and wire transfers, reduce IT's visibility into SaaS spend. Low visibility means low control, which quickly leads to wasted money.
It is important to create a SaaS spend dashboard that presents spend to IT and the business units in a human-readable way. Once the business units have good visibility into cost, they can control it, save money, and reduce waste.
The landscape of software usage is changing, and as SaaS usage grows, effectively managing SaaS is now mandatory. If IT doesn’t manage their SaaS tools, the situation quickly spins out of control, resulting in money waste, security exposures, compliance violations, and many, many manual processes.
Following SaaS management best practices is more important now than ever, and the sooner organizations realize this, the easier the process will be for IT (and the quicker the gains).
Torii is a SaaS management tool that covers all the critical aspects listed above, and many more.
Uri Nativ has over 19 years of software engineering experience as both an engineer and a hands-on manager. He founded the Klarna Engineering center in Tel Aviv, holding the position of VP Engineering & Site Manager. Uri has broad experience building B2B enterprise products from his days at VMware, EMC, nLayers, and Sanctum.