The vast SaaS offerings of today are changing how IT operates. It is not a surprise anymore, that the number of software is growing more than ever, and that software is being consumed more as a service.
Moving your organization to consume more cloud services, whether that’s IaaS or SaaS is a paradigm shift for the organization as well as for the IT.
The ease of setup and signup of SaaS creates an illusion that SaaS doesn’t need to be managed. With a click of a button, employees can sign up and start using a new SaaS. If your employees are tech savvy, they can administrate their own line of business SaaS they are using. You no longer need to care about security patches, compute-power-allocation or upgrades. So why does SaaS need to be managed and why should IT care about its lifecycle?
We need to acknowledge the fact that while many of the traditional software management tasks are now no longer relevant when software is consumed as a service, there are still many tasks that are left at the doorstep of IT, and some of them are more challenging than before.
For example, just the simple task of tracking your SaaS inventory is no longer trivial. The information is scattered around various tools and keeping an Excel file is always outdated. Another problem, for example, is knowing who is using which SaaS? Even when using SSO tools like Okta and Onelogin, it is still almost impossible for the IT to know the real usage, as many SaaS still remain outside the SSO scope.
Who are your local admins? Which SaaS should be retired? Are your employees utilizing the SaaS offering properly? Which data is being shared?
In order for IT to fully grasp SaaS management, they must first acknowledge the fact that SaaS, like traditional software, has its lifecycle. Every SaaS that is introduced to your organization, lives there, and one day might leave it. If you don’t own the SaaS lifecycle, then you don’t manage it. If you don’t manage it, then it will quickly get to the point where you feel you are out of control. The broad offering of SaaS, as well as the rapid adaption of them in the organization, can quickly outrun your IT if not handled properly.
We can clearly divide the SaaS into these 5-lifecycle periods:
Let’s go over each and every one:
When a SaaS is introduced to your organization either explicitly by a proper purchase order request or implicitly by an employee who signed up, then this SaaS needs to be mapped in your system. Proper discovery is overwhelming, we know, as this is the point where people are most surprised by the number of mapped SaaS. The number of mapped SaaS is usually in order of magnitude higher than people originally estimated, and the long tail of SaaS being used by only one or two employees is very long.
Each SaaS (both the vendor and the product) should be reviewed according to your company’s policies and regulations. IT must be aware of its security risks, cost, reason for using it, integration with existing tools, overlapping with other tools, compliance fit and more. Some tools are quick to review as their usage or reputation is high, while others might have deeper impact on your organization and may need more stakeholders involved to understand the full picture.
A sanctioned SaaS is one that is approved by IT, legal, security, and other stakeholders. Cost estimate is known and approved. A clear business owner is assigned to the SaaS. Employees are educated that this SaaS has been sanctioned. All SaaS detailed is documented, and the contract and terms of use can easily be retrieved. All renewal dates are set on a forecast plan and renewal notifications are set.
Two aspects to SaaS must be constantly monitored. Cost and Utilization. SaaS costs can easily slip away. Many SaaS are offered in a pay-per-usage or pay-per-seat licensing model, the cost of which when not monitored can quickly get out of control. Utilization is usually not transparent by most vendors. Only in the rare case will a vendor proactively notify you about employees who occupy a seat but are not really using the SaaS or are barely making any benefit out of it. For these reason, it is important to review your SaaS tools once in a while, and obtain all relevant info about the cost and usage in advance.
It is not a rare scenario to find quite a few orphan, duplicate, and unused SaaS. While many people are eager to introduce new tools into your organization, just a handful are actively cleaning the garbage after them.Retiring a SaaS is an important task that should not be ignored. It is important from a security, cost, and time POV. Do not underestimate the value cleaning up the SaaS table can bring to your organization. It is also useful to add the note or the reason for the retire, since some tools find their way back into the company when the reason for their original retirement is unknown.
As your organization grows, the use of cloud-based services is likely to increase. Using a SaaS management tool has become a mandatory tool in the IT toolbox. Trying to map your SaaS and manage its lifecycle just by using Excel and other ad-hoc tools is not the most effective way to manage the job properly.By using a SaaS management tool that can provide automatic mapping and discovery, real SaaS usage, associated costs and all the info you need, constantly updated and easily retrieved, puts IT in control of the organization.
Give Torii a try! It’s a simple and quick setup and it gives you the instant visibility and SaaS lifecycle management you need.
Originally published at blog.toriihq.com on January 22, 2018 by Uri Nativ.