
Stop Acting Recklessly. Why You Need a Policy-Driven Approach to Multi-SaaS Automation.


June 15, 2017


For IT and end users, SaaS is a gateway drug. One app only leads to another.

Over the past few years, companies have rapidly adopted SaaS applications because they significantly improve productivity, collaboration, and communication. Every year, technology budgets shift to favor purchasing these types of applications. In 2017, the largest public cloud market will be SaaS, reaching an expected $76 billion by 2020.

Yet for IT, there is often little budget set aside for administrative solutions to actually manage and secure these applications.

This has left many admins and CIOs reeling. And to deal with the influx of new responsibilities and the mounting multi-SaaS maelstrom, veteran IT professionals turn to what they know best: automation.

Most IT professionals know that automation has been the backbone of IT operations for decades. So, if it’s not broken, why fix it?

Except there’s a problem. Not all automation is created equal.

The Different Shades of Automation

Today, automation is a requirement for any modern IT organization. Without it, there’s no way to get anything meaningful done. Scripting is often the automation method of choice. It’s powerful and lets IT perform tasks in bulk that aren’t possible in native admin consoles. Others have even started using consumer-focused productivity tools like IFTTT, which are built for end users and not intended for IT use.

Regardless, there are aspects of automation that elevate some methods above others. Automation in its best form must be policy-driven, which means it is:

  • Auditable. Can you easily understand which automations are taking which actions, and quickly pinpoint errors as they arise? There needs to be a central IT authority where automations are built and tracked. This authority needs to contain all relevant information such as who built the automation, when it was created, when it’s been run, and which actions it’s actually performed.
  • Contextual. Are your automations aware of what’s happening in related systems and to related objects? Blanket automations that affect every entity, object, or application the same way can cause headaches and force IT to duct tape together ill-conceived workarounds. Instead, automations that incorporate context and run differently depending on the severity of the policy violation or other factors, such as who violated the policy, make a major difference.
  • Granular. Can you prescribe and enforce true least privilege access to your automation environment? Without granularity and the ability to effectively delegate capabilities, security suffers. To write and run certain scripts or use many consumer productivity tools, IT must extend excessive administrative access.
  • Independent. Is it simple to pass ownership and knowledge of automated processes to new employees, or are they tied to the tribal knowledge of certain individuals? If your organization does not “own” its automations, then turnover is cause for a major concern. The knowledge of how to run, update, and maintain automations shouldn’t be locked away in the brain of the creator.

If your IT automations lack any of the above, then you’re operating from a vulnerable position. It’s reckless. With compliance and government regulations becoming a bigger issue each day, ad hoc scripts and end-user automation tools will no longer cut it. Relying on these types of automation tools now will result in some serious SaaS management debt down the road.

You’ll need to address it someday (and probably sooner than you’d like to think).

A Policy-Driven Answer for SaaS

Automation solutions that check all the “best practice” boxes exist. ServiceNow became the fastest-growing enterprise software company to $1 billion in annual revenue by delivering a modern IT Service Management platform. Before them, companies like BMC and CA Technologies became behemoths by helping IT monitor, manage, and automate distributed and mainframe systems.

Every great shift in IT creates a market for sophisticated, policy-driven automation within that space. With the rise of infrastructure-as-a-service over the past few years, we now have DevOps, with entire departments built to solve these problems and new companies and products bringing innovative solutions to market.

But with $46 billion predicted to be spent on SaaS applications in 2017 – why isn’t there policy-driven automation built specifically for SaaS?

Enter BetterCloud.

Introducing Multi-SaaS Automated Policies

We’re excited to announce the first automated policy engine purpose-built for multi-SaaS environments. Companies adopting SaaS applications as their systems of record now have a solution for securing and managing their SaaS applications in a scalable, effective way.

In BetterCloud, near real-time alerts (delivered through Operational Intelligence) can now trigger fully automated, dynamic, contextual policies (created through Action Orchestration), all governed as necessary through a granular set of privileged access roles (made possible by Privilege Delegation).

This will accelerate the shift away from patchwork SaaS administration and enable IT to create a central authority for policy enforcement and all multi-SaaS automations.

Let’s run through a few example policies.

Policy #1: Group Permissions Out of Compliance

Google Groups management is notoriously difficult, and group permissions are surprisingly powerful. Many times, Google Groups are created with the membership setting “Anyone can join” without the knowledge of the creator, especially in organizations that allow their end users to create Google Groups.

If these groups contain sensitive or confidential emails (imagine an HR group, or your executive team), then anyone in your organization can join the group and view those emails. And you may have no idea.

Here’s how you might enforce this policy in BetterCloud:

  • BetterCloud scans your environment to detect this Group setting change.
  • Within seconds of a new Group being created or an existing Group being updated, BetterCloud detects this change and can trigger an alert.
  • But, you may have some groups where this setting is allowed (like
  • Based on this alert and the contextual rules you’ve set, BetterCloud can kick off a Workflow to change the Group membership settings, add an IT team member to the group, make that IT team member a Group owner, and send a notification through email and/or Slack.

Here’s what the Workflow would actually look like. Once this is created, it runs automatically.

BetterCloud Policy - Group Permissions

Groups are incredibly powerful in G Suite, controlling visibility of emails like in the example above, as well as sharing settings in Google Drive in some cases. Policies around Group membership settings keep this in check.

Policy #2: Super Admin Access Granted Unexpectedly

Admin access should always be protected and monitored. Knowing this, let’s say your organization has a policy that there is only one super admin account for Salesforce, and you have created a series of role-based privileges to delegate granular access to other members of your organization.

If a second super admin account is ever created, you know something must have gone wrong.

Here’s how you might enforce this policy in BetterCloud:

  • BetterCloud constantly scans your environment to detect new user accounts.
  • Within seconds of that new super admin account being created, BetterCloud detects this account and their permission level, which can trigger an alert.
  • Based on this Alert, BetterCloud can automatically trigger actions through a Workflow. For example, the policy could automatically suspend the new account, and send a notification to IT and security via email and/or Slack.

Here’s what the Workflow would actually look like. Again, once this is created, it runs automatically.

BetterCloud Policy - Super Admin

You can replicate this in BetterCloud for G Suite, Slack, Dropbox, Zendesk, JIRA Software, and JIRA Service Desk. If you’re already a BetterCloud customer, you can connect those applications here.
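
The policy-driven properties listed earlier (auditable, contextual, granular) applied to Policy #1 and Policy #2, as an added Python example that is not BetterCloud's code or API. The event fields, action names, roles and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Policy:
    name: str
    owner: str                            # who built it (auditable)
    applies: Callable[[dict], bool]       # does this event violate the policy?
    actions: tuple                        # remediation steps, in order
    exempt: frozenset = frozenset()       # contextual exceptions
    runs: list = field(default_factory=list)  # per-policy audit trail

# Constructed delegation model: actions each role may trigger (least privilege).
ROLE_ACTIONS = {
    "groups-admin": {"restrict_group_join", "add_it_owner", "notify"},
    "security": {"suspend_account", "notify"},
}

def build_policies():
    """Policies modelled on Policy #1 and #2 above; exemptions are placeholders."""
    return [
        Policy("group-open-join", "it-ops",
               lambda e: e["type"] == "group_changed" and e["join"] == "anyone",
               ("restrict_group_join", "add_it_owner", "notify"),
               frozenset({"social@example.com"})),
        Policy("unexpected-super-admin", "security-team",
               lambda e: e["type"] == "user_created" and e["role"] == "super_admin",
               ("suspend_account", "notify"),
               frozenset({"approved-admin@example.com"})),
    ]

def enforce(policies, event, role):
    """Evaluate one event; all-or-nothing per policy, every decision logged."""
    records = []
    for p in policies:
        if not p.applies(event):
            continue
        if event["subject"] in p.exempt:
            outcome, done = "exempt", ()
        elif not set(p.actions) <= ROLE_ACTIONS.get(role, set()):
            # Role lacks a required action: refuse rather than half-remediate.
            outcome, done = "denied", ()
        else:
            outcome, done = "remediated", p.actions
        record = {"policy": p.name, "owner": p.owner, "subject": event["subject"],
                  "run_as": role, "outcome": outcome, "actions": done}
        p.runs.append(record)
        records.append(record)
    return records
```

Exempt and denied decisions are logged alongside remediations, so the audit trail shows why nothing was changed as well as what was.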

Policy #3: Illicit Email Forwarding

Email forwarding is a common and easy way for data to escape IT’s grasp. All it takes is an employee forwarding a work email to a personal account or a friend to constitute a data breach or fall out of compliance. This actually happened to Boeing this year and will likely cost the company millions.

With that in mind, IT teams should want to know when employees are forwarding email to personal email addresses, and have a policy in place to meet the needs and requirements of their business and industry. An automated email forwarding policy can stomp out behavior that’s potentially suspicious, or simply ignorant.

Here’s how you might enforce this policy in BetterCloud:

  • BetterCloud constantly scans your environment to detect changes to users’ email settings.
  • If email is being forwarded to a personal account (e.g. Gmail, Yahoo, or Outlook accounts), a BetterCloud Workflow will immediately disable email forwarding for the user.
  • BetterCloud will then send a customizable email to the user with IT and/or Security CC’ed.

In seconds, email forwarding is disabled, an email alert is sent to the user regarding his or her violation, and the relevant admin is notified. You could even send a message to the admin via Slack if you’d like.

BetterCloud Policy - Email Forwarding
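
The forwarding check in Policy #3, as an added Python example that is not BetterCloud's code: it classifies the forwarding target by domain and returns the ordered actions plus an audit record. The domain list, event fields and action names are assumptions.

```python
from datetime import datetime, timezone

# Assumed list of consumer mail domains; extend it for your organization.
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com",
                    "outlook.com", "hotmail.com"}

def forwarding_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return None
    return domain

def is_personal(domain):
    """Match a listed provider or any of its subdomains, never a lookalike suffix."""
    return any(domain == d or domain.endswith("." + d) for d in PERSONAL_DOMAINS)

def evaluate_forwarding(event):
    """Turn one forwarding-change event into ordered actions and an audit record."""
    user, target = event["user"], event["forward_to"]
    domain = forwarding_domain(target)
    if domain is None:
        # Unparseable target: do not guess, route it to a human.
        verdict, actions = "needs_review", [("notify", "it-security")]
    elif is_personal(domain):
        verdict = "violation"
        actions = [("disable_forwarding", user),
                   ("email_user", user, {"cc": ["it", "security"]}),
                   ("notify", "it-security")]
    else:
        verdict, actions = "allowed", []
    audit = {"policy": "illicit-email-forwarding", "user": user,
             "target": target, "verdict": verdict,
             "actions": [a[0] for a in actions],
             "evaluated_at": datetime.now(timezone.utc).isoformat()}
    return actions, audit

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "forward_to": "Alice.Home@GMAIL.com"},
    {"user": "bob@example.com", "forward_to": "bob@partner.example.org"},
    {"user": "carol@example.com", "forward_to": "not-an-address"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate_forwarding(ev)[1])
```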

About BetterCloud

BetterCloud is the first Multi-SaaS Management Platform, enabling IT to centralize, orchestrate, and operationalize day-to-day administration and control across SaaS applications. Every day, thousands of customers rely on BetterCloud to centralize data and controls, surface operational intelligence, orchestrate complex actions, and delegate custom administrator privileges across SaaS applications.