Software as a Service (SaaS) adoption is continuing to increase in most businesses. If your experience is like mine, your daily work and personal life illustrate this trend. About a decade ago, Office 365 was my first significant work-related and personal foray into this space. But SaaS offerings have multiplied over the last several years to include almost every kind of application or service.
How does an organization develop its SaaS management capabilities in this environment? You will need a team of roles to manage the inventory; evaluate, approve, and procure; implement, operate, and support; and manage users and usage.
Inventory
If you do not already have a SaaS inventory, the first step is to take stock of your existing SaaS usage across the organization. If you don’t know the SaaS applications in use, then you cannot manage them. Surveys or interviews with stakeholders from your lines of business or departments in the organization may yield some information, but you are likely to miss many SaaS applications with that method. It is probably best to start with a technical approach to getting the usage information. Technology options for detection include:
- Microsoft Cloud App Security can detect the SaaS applications in use.
- Other Cloud Access Security Broker (CASB) or dedicated web application detection/inventory products.
Once you know the SaaS applications in use (or at least most of them), follow up with surveys or interviews to understand and document the usage scenarios more deeply.
Additionally, you will need a set of processes and systems for managing their life-cycle. Many SaaS life-cycle and inventory management tools are available (see resources below), or you may choose to roll your own solution. Make sure you design the workflows and processes for how the SaaS life-cycle should work in your organization.
Here are some of the things that your SaaS inventory management should include for each SaaS offering in use:
- Inventory records
- Spending and cost center(s) tracking and reporting
- Contract Life-cycle (Renewals, Adjustments, Cancellations)
- Request process for onboarding a SaaS offering
- Evaluation and Approval Process for onboarding a SaaS offering
- Internal Owner(s)
- License/Seat Counts
- Categorization/Tagging
- Capability/Feature documentation
- User Roles (for the Inventory/SaaS life-cycle)
Once you have an inventory of SaaS offerings in use, your organization will want to evaluate them for approval and continued usage. You will need a team for that.
The SaaS Team and Process
The SaaS life-cycle requires participation from multiple roles in your organization. Some of these roles may be part of your formal SaaS management team and others may contribute to the process in various ways. For example, you are likely to need the following roles:
- Legal
  - Contract negotiations and renewals
  - Data retention policy
  - Litigation hold policy
- Security & Compliance
  - Authentication and access policy
  - Data classification and protection
  - Required configurations and/or integrations
  - Compliance with regulations and contractual obligations
  - Monitoring
- Procurement & Asset Management
- Change Control/Change Board
- Organizational Change Management
- Learning & Training
- Technical Integration and Configuration Management
- Testing
- Support Desk
Planning to set up your core team, your processes, and alignment with other roles and resources is a significant part of the SaaS management effort. An inventory of SaaS applications in use may demonstrate the need for SaaS management and define the types of roles needed for your management effort.
Evaluate and Approve
Your organization will have a set of requirements for SaaS vendor qualification based on your internal policies, regulatory environment, and organizational preferences, among other considerations. Develop a set of standards that you can use to qualify or disqualify (or possibly rank) SaaS offerings. Your standards might include:
- Regulatory compliance
- Security compliance
- Encryption standards
- API standards
- Integration capabilities
- Availability & resiliency
- Update & release frequency
- Configuration capabilities
- Support options
- User learning options
- Historical track record
Your evaluation process may include the following:
- Qualify the SaaS vendor
- Compare the vendor and solution against your standards and rank the vendor/solution
- Check for duplication of functionality with existing applications
After you have an approved or qualified inventory of SaaS applications, consider how to manage the users and usage.
Implement, Operate, and Support
Common tasks for the team implementing, operating, and supporting SaaS applications are:
- Configuration of the application or service
- Documentation of the configuration
- Testing
- Integration with identity and access solutions
- Integration with other applications
- Validation that the configuration and service meet policy as expected
- Classification of the data in the application or service
- Workforce education
- Configuration of authentication, access, and data controls
- Review audit and usage data (integrate with SIEM)
Some best practices for rolling out SaaS offerings to your users include enabling single sign-on, enabling multi-factor authentication, automating the user life-cycle, and preparing communications and support for end-users.
User and Usage Management
For each SaaS offering the organization approves and implements, the following may be required:
- Requests and approvals
- License assignments
- User roles (in the SaaS application)
- Onboarding users
- Offboarding users
- Self-service portal
- Auditing
- Access reports
Minimize the long-term workload related to managing users and usage by:
- automating usage, audit, and access reports
- automating onboarding and offboarding processes
- providing self-service options (an employee portal for self-enablement or requests)
- integrating with your identity and access management
Resources
SaaS Management Applications and Platforms