In recent years, SaaS adoption has been like the Wild West: a somewhat chaotic “free-for-all” frontier with lots of unknowns.
In fact, 78% of IT professionals are either teaching themselves how to manage SaaS apps or just getting started. That makes sense. There’s no official certification; industry best practices don’t exist yet. You don’t know what you don’t know, and that’s not your fault. Effective SaaS management requires a willingness to learn, a proactive attitude, and resourcefulness (some might even say gumption).
After interviewing, surveying, and talking to thousands of modern IT professionals over the last few years, we’ve identified six elements that are integral to a successful SaaS management strategy. Our founder and CEO David Politis recently wrote a book called Controlling Your SaaS Environment that discusses these elements at length in the context of a six-part framework.
Here are the six essential elements of a successful SaaS management strategy:
1) Centralization — seeing all your data in one place
The very first element of a successful SaaS management strategy is Centralization. This is the foundation.
SaaS applications create a huge, complex, interconnected sprawl. Think of all the data objects that reference, interact, control, and/or rely on each other: users, groups, mailboxes, files, folders, records (like tasks, opportunities, contacts, calendars), third-party apps (that have been installed from app marketplaces and authorized by users), logs, metadata, permissions, devices, etc. Yikes. Data begets data; the sheer amount of data is unmanageable. It’s also “living”—it’s always being changed, deleted, and added to—which makes it harder to manage.
This SaaS sprawl spreads like kudzu and leads to a loss of administrative control. How do you get visibility into all that data across multiple apps? If you can’t see it all in one place, you can’t really manage it effectively.
IT and security teams no longer natively have root access to users, data, files, or settings. That access is available purely via APIs (or not at all). This inhibits IT’s ability to even see what’s in their SaaS environment, let alone troubleshoot or secure it.
IT teams cannot control an environment they do not have visibility into. Therefore, Centralization is the first step to effectively managing your SaaS environment.
2) Discoverability — finding critical information easily
The next element of a successful SaaS management strategy is Discoverability.
By Discoverability, we mean: Can you actually find critical information? For example, can you find out which users are automatically forwarding corporate email to personal email accounts? Or how many super admins you have across your SaaS apps? Or how many files are publicly shared and contain PII? Or if any of your organization’s groups or calendars are public on the internet? Or if any risky third-party apps are connected? Or if any ex-employees or external users still have access to your data?
If you can’t find this information easily (or at all), then you’re not set up for success.
The stakes are extraordinarily high. Third-party apps can potentially access corporate data and privileged users. Competitors can view public data files and conduct corporate espionage. External users can abuse their access rights and steal or damage data. Therefore, IT needs to be able to discover, filter, and find relevant data objects so that it can secure its SaaS environment.
3) Insights — receiving relevant, actionable alerts
Alerts are great in theory, but in reality, they’re often false alarms: irrelevant, dismissible, and impossible to keep up with. This makes it all too easy to develop alert fatigue, which is a very real threat. Remember the Target breach in 2013? Target’s security team had actually reviewed—and ignored—urgent warnings from a threat-detection tool on its network because the alerts were so common.
Therefore, the third element of a successful SaaS management strategy is Insights. By Insights, we mean alerts that are actually important, relevant, and actionable. Insights are an effective way to solve the “You don’t know what you don’t know” problem. They help fill gaps in IT’s knowledge, essentially providing the information IT didn’t even know it was missing.
Effective insights can:
- Ensure compliance with policies and/or regulations. Example: IT receives an alert when a user forwards emails containing PHI to a personal email account.
- Correlate high-risk activities. Example: IT receives an alert when an employee mass downloads Salesforce records in the span of seven days, logs in repeatedly from home on the weekends, and forwards email to a personal email account (these events may predict employee resignation).
- Prevent unauthorized data access. Example: IT receives an alert when a user modifies group settings and changes them to Public on the Internet or Anyone Can Join.
4) Action — taking action on data in bulk
The fourth element of a successful SaaS management strategy is Action.
By Action, we mean the ability to take action on data and remediate issues in bulk. Native admin consoles often do not allow IT to take action in bulk (either within a single SaaS app or across multiple apps) because they were not purpose-built for IT. This means IT must complete actions one at a time, which results in highly manual, tedious work.
Ideally, IT should use element #3 (Insights) to surface issues, and then use element #4 (Action) to remediate them. For example:
- IT receives an alert that 30 users are automatically forwarding company email to personal email accounts → IT disables email forwarding in bulk and sends a message to the security team via Slack.
- IT receives an alert when any file containing the word “Confidential” is shared publicly → IT unshares all files containing the word “Confidential” in bulk across all SaaS apps.
5) Automation — automating workflows
The fifth element of a successful SaaS management strategy is Automation.
As companies adopt more SaaS applications, on- and offboarding processes and user lifecycle management become exponentially more repetitive, complex, and time-consuming.
Not only does the volume of work increase, but so does the pace. If it hasn’t already, IT will hit a wall where it can no longer keep up with the manual, repetitive work that SaaS applications create. Automation is necessary to save time, reduce human error, and automatically remediate issues. The key to any valuable IT automation is the ability to be highly granular and customizable. This way, when certain triggers take place, the problem will automatically be remediated, thereby creating a self-healing environment. For example:
- IT receives an alert that 30 users are automatically forwarding company email to personal email accounts → IT automatically disables email forwarding in bulk and sends a message to the security team via Slack.
- IT receives an alert when any file containing the word “Confidential” is shared publicly → IT automatically unshares all files containing the word “Confidential” in bulk across all SaaS apps.
6) Delegation and auditability — delegating access roles and auditing user activity
The sixth and final element of a successful SaaS management strategy is Delegation and Auditability.
First, let’s tackle Delegation: IT must implement the principle of least privilege. Having too many super admins is an inherent security risk. Every additional administrator causes a linear-to-exponential growth in risk.
However, implementing the principle of least privilege in SaaS environments is impossible for two reasons: 1) There’s no unified view of admin privileges across apps, and 2) Many SaaS apps offer only binary options: super admin or end user, with nothing in between. IT teams may not necessarily want to grant an employee carte blanche, but they are left with no other option.
Thus, they need Delegation: the ability to create custom CRUD roles in SaaS apps with specific, granular privileges, so that IT can delegate access roles to different business units and keep their environment secure.
And finally, Auditability refers to the ability to, well, audit user activity. There’s no easy way to thoroughly track an admin’s actions in SaaS apps. An IT admin would have to download logs from each individual SaaS app and parse through them one by one, manually correlating events across all of them.
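The correlated alert from the Insights list (mass record downloads, weekend logins from home, and forwarding to a personal account within seven days) depends on the cross-app log correlation that the Auditability paragraph describes doing by hand. The sketch below is an added example, not code from the article or from any product: it normalizes three app logs into one schema and flags only users who show all three signals in one window. The field names, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
CORP_DOMAIN = "example.com"    # assumption: the organisation's mail domain
WINDOW = timedelta(days=7)     # "in the span of seven days"
MIN_ROWS, MIN_LOGINS = 500, 2  # assumed thresholds for "mass" and "repeatedly"
# Constructed sample exports; each app has its own (hypothetical) field names.
CRM_LOG = [
    {"actor": "ana@example.com", "op": "export", "rows": 400, "at": "2024-03-04T10:00:00"},
    {"actor": "ana@example.com", "op": "export", "rows": 300, "at": "2024-03-07T16:30:00"},
    {"actor": "ben@example.com", "op": "export", "rows": 900, "at": "2024-03-05T09:00:00"},
    {"actor": "cara@example.com", "op": "export", "rows": 600, "at": "2024-02-05T11:00:00"},
]
IDP_LOG = [{"user": u, "event": "login", "network": "home", "time": t}
           for u in ("ana@example.com", "ben@example.com", "cara@example.com")
           for t in ("2024-03-09T21:00:00", "2024-03-10T08:15:00")]  # a Saturday, a Sunday
MAIL_LOG = [
    {"mailbox": "ana@example.com", "forward_to": "ana.home@mail.test", "ts": "2024-03-08T12:00:00"},
    {"mailbox": "ben@example.com", "forward_to": "ben.alias@example.com", "ts": "2024-03-08T12:05:00"},
    {"mailbox": "cara@example.com", "forward_to": "cara.home@mail.test", "ts": "2024-03-09T22:00:00"},
]

def normalize(crm, idp, mail):
    """Map three app-specific logs onto one (user, signal, when, weight) schema."""
    out = [(e["actor"], "download", datetime.fromisoformat(e["at"]), e["rows"])
           for e in crm if e["op"] == "export"]
    for e in idp:
        when = datetime.fromisoformat(e["time"])
        if e["event"] == "login" and e["network"] == "home" and when.weekday() >= 5:
            out.append((e["user"], "weekend_login", when, 1))
    out += [(e["mailbox"], "ext_forward", datetime.fromisoformat(e["ts"]), 1)
            for e in mail if not e["forward_to"].lower().endswith("@" + CORP_DOMAIN)]
    return out

def correlated_users(events):
    """Return users whose three signals all fall inside a single 7-day window."""
    by_user = defaultdict(list)
    for user, signal, when, weight in events:
        by_user[user].append((when, signal, weight))
    flagged = set()
    for user, rows in by_user.items():
        for start, _, _ in rows:  # try a window opening at each of the user's events
            seen = defaultdict(int)
            for when, signal, weight in rows:
                if start <= when < start + WINDOW:
                    seen[signal] += weight
            if (seen["download"] >= MIN_ROWS and seen["weekend_login"] >= MIN_LOGINS
                    and seen["ext_forward"] >= 1):
                flagged.add(user)
    return sorted(flagged)
```

In the sample data only one user is flagged: the second forwards to an internal alias, and the third's export happened a month before the other two signals, so neither produces an alert.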
Together, all six of these elements form a holistic SaaS management strategy—one that enables IT teams to manage, secure, and support their mission-critical apps effectively.