Today, SaaS is the system of record.
Organizations are trusting their mission-critical data—like employee, customer, identity, and finance data—to SaaS applications. But as the world shifts to SaaS, IT is finding that industry best practices do not exist yet. There’s no ITIL for the modern SaaS environment.
And there’s a lot that IT professionals don’t know about SaaS management. In fact, 78% of IT professionals are either teaching themselves how to manage SaaS apps or just getting started. There’s no official certification or foundational level of knowledge yet.
To help navigate this uncharted territory, here are six guiding principles that will help you avoid common pitfalls as you manage multiple SaaS applications. We’ve developed them based on surveys of, and conversations with, thousands of modern IT professionals over the past few years. When these principles come together, they result in a secure, efficient SaaS environment and ensure IT success.
#1: Centralization – Seeing All Your Disparate Data in One Place
The foundational challenge found in all SaaS environments is data sprawl. Organizations used to be homogeneous; in the past, they were purely Microsoft or IBM or Google shops. But today, organizations are using dozens of best-in-class SaaS apps. As a result, data is massively sprawled across multiple SaaS applications.
This brings us to our first guiding principle: centralization. IT must bring all of this data into a single place and normalize it in order to get their hands around it. There are so many different types of data objects (like files, users, groups, and calendars) and they all live in multiple different places (like Google Drive, Box, Slack, and Salesforce).
Fundamentally, IT must be able to see everything in one place. So, the first step to effective SaaS management is to centralize all your data in one view.
#2: Discoverability – Finding the Need-to-Know Information Amidst All Your Data
Centralization is only the first step. Your data might be in one place now, but here’s the next challenge: How do you find the most critical data and make sense of it? If you have several hundred employees, then you have millions of data objects in your environment: users, groups, files, folders, third-party apps, etc.
Our second guiding principle is discoverability. IT needs the ability to take a massive data set and sort and filter it quickly. For example, can you easily discover which users are automatically forwarding corporate email to their personal email addresses? Or how many publicly shared files you have? Or which users don’t have two-factor authentication enabled? Or which groups are publicly visible? If you can’t find this information quickly (or at all), then you’re not set up for success.
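The two principles above, centralization and discoverability, are easier to see in code than in prose. The following is an added example, not code from the original post or from any product it describes. It takes constructed exports from two hypothetical apps (field names loosely modelled on a Google Workspace and a Box admin API, but invented here), normalizes them into one schema, and then runs the three discovery questions the text asks: which files are public, which users lack two-factor authentication, and which users forward mail outside the corporate domain. The corporate domain list and every record are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample exports. The two apps name the same facts differently,
# which is exactly why normalization has to happen before discovery.
GOOGLE_USERS = [
    {"primaryEmail": "ana@example.com", "isEnrolledIn2Sv": True},
    {"primaryEmail": "ben@example.com", "isEnrolledIn2Sv": False},
]
GOOGLE_FORWARDING = [
    {"user": "ben@example.com", "forwardTo": "ben.personal@gmail.example", "enabled": True},
    {"user": "ana@example.com", "forwardTo": "helpdesk@example.com", "enabled": True},
]
GOOGLE_FILES = [
    {"id": "g1", "owner": "ana@example.com", "name": "roadmap.docx", "anyoneWithLink": True},
    {"id": "g2", "owner": "ben@example.com", "name": "notes.txt", "anyoneWithLink": False},
]
BOX_USERS = [
    {"login": "cara@example.com", "mfa": "off"},
]
BOX_FILES = [
    {"file_id": "b7", "owned_by": "cara@example.com", "file_name": "q3.xlsx", "shared_link_access": "open"},
    {"file_id": "b8", "owned_by": "cara@example.com", "file_name": "internal.pdf", "shared_link_access": "company"},
]

CORPORATE_DOMAINS = {"example.com"}   # assumption: the org's own mail domains


@dataclass(frozen=True)
class User:
    source: str
    email: str
    two_factor: bool


@dataclass(frozen=True)
class File:
    source: str
    file_id: str
    owner: str
    name: str
    public: bool


@dataclass(frozen=True)
class ForwardingRule:
    source: str
    user: str
    target: str


def normalize() -> tuple[list[User], list[File], list[ForwardingRule]]:
    """Centralization: map every app's objects onto one common schema."""
    users = [User("google", u["primaryEmail"], u["isEnrolledIn2Sv"]) for u in GOOGLE_USERS]
    users += [User("box", u["login"], u["mfa"] == "on") for u in BOX_USERS]
    files = [File("google", f["id"], f["owner"], f["name"], f["anyoneWithLink"]) for f in GOOGLE_FILES]
    files += [File("box", f["file_id"], f["owned_by"], f["file_name"],
                   f["shared_link_access"] == "open") for f in BOX_FILES]
    rules = [ForwardingRule("google", r["user"], r["forwardTo"]) for r in GOOGLE_FORWARDING if r["enabled"]]
    return users, files, rules


# Discoverability: once the data is normalized, each question is a one-line filter
# that works the same way regardless of which app the object came from.
def public_files(files: Iterable[File]) -> list[str]:
    return sorted(f"{f.source}:{f.file_id}" for f in files if f.public)


def users_without_2fa(users: Iterable[User]) -> list[str]:
    return sorted({u.email for u in users if not u.two_factor})


def external_forwarders(rules: Iterable[ForwardingRule]) -> list[str]:
    """Users whose forwarding target is outside every corporate domain."""
    return sorted({r.user for r in rules
                   if r.target.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS})


if __name__ == "__main__":
    users, files, rules = normalize()
    print("public files:", public_files(files))
    print("no 2FA:", users_without_2fa(users))
    print("external forwarding:", external_forwarders(rules))
```

The design point is that every discovery query is written against the normalized types, never against a vendor's raw field names; adding a third app means adding one mapping in `normalize()` and nothing else.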
#3: Insights – Surfacing Only the Most Important, Relevant Alerts at the Right Time
Think of all your users in front of their computers all day. They’re sending hundreds of Slack messages, adding Chrome extensions, sending emails, and sharing files with others. The amount of activity is massive. But imagine if IT was alerted every time an email was sent or a file was shared—they’d be overwhelmed by the sheer volume of noisy alerts.
As a result, our third guiding principle is insights. IT needs a way to boil down all that information and only surface the most important, relevant alerts at the right time. For example, IT might want to be alerted only if a finance employee publicly shares a spreadsheet that contains credit card information, not when anybody shares any file publicly.
A good mantra for alerts is quality over quantity. This can make all the difference between a secure environment and one that’s breached. Alert fatigue is a real threat and can easily give rise to data breaches. (Remember, the 2013 Target data breach occurred because of alert fatigue—IT admins ignored multiple alerts.)
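As an added example of the "finance employee publicly shares a spreadsheet containing credit card data" rule described above (not code from the original post), the block below evaluates a stream of constructed share events and raises an alert only when all four conditions hold: public visibility, finance department, spreadsheet file type, and content containing a Luhn-valid card number. The Luhn checksum is an assumed stand-in for whatever content classification a real deployment would use; the event shape, department names, and file contents are all constructed here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ShareEvent:
    actor: str
    department: str
    file_name: str
    visibility: str   # "private", "domain" (anyone in the org), or "public" (anyone with the link)
    content: str      # text extracted from the shared file (constructed for this example)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a cheap filter that rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def contains_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            return True
    return False


SPREADSHEET_EXT = (".xlsx", ".xls", ".csv", ".gsheet")


def matches_rule(ev: ShareEvent) -> bool:
    """Every condition must hold; a miss on any one of them is noise, not an alert."""
    return (ev.visibility == "public"
            and ev.department == "finance"
            and ev.file_name.lower().endswith(SPREADSHEET_EXT)
            and contains_card_number(ev.content))


def triage(events: list[ShareEvent]) -> tuple[list[str], int]:
    """Return the alerts worth a human's attention and the count of events suppressed."""
    alerts = [f"{ev.actor}:{ev.file_name}" for ev in events if matches_rule(ev)]
    return alerts, len(events) - len(alerts)


# Constructed events: one true positive and four near-misses, each failing a different condition.
SAMPLE_EVENTS = [
    ShareEvent("ana@example.com", "finance", "vendors.xlsx", "public", "card 4111-1111-1111-1111 exp 12/29"),
    ShareEvent("ana@example.com", "finance", "vendors.xlsx", "domain", "card 4111-1111-1111-1111 exp 12/29"),
    ShareEvent("dan@example.com", "engineering", "latencies.csv", "public", "4111 1111 1111 1111"),
    ShareEvent("ana@example.com", "finance", "budget.xlsx", "public", "order 4111111111111112 shipped"),
    ShareEvent("ben@example.com", "finance", "memo.docx", "public", "4111 1111 1111 1111"),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print("alerts:", alerts, "| suppressed:", suppressed)
```

The fourth event contains a 16-digit number that fails the Luhn check, which is what keeps order numbers and similar digit runs from paging anyone; the remaining near-misses fail on visibility, department, or file type respectively.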
#4: Action – Taking Action on Data in Bulk
Having all of this SaaS data is good, but that’s only half the battle.
Our next guiding principle is action. Once you have centralized data and effective insights, what do you do, exactly, with those insights? You need to be able to take action (i.e., make changes and remediate the issue) based on those insights. This can be a single change, multiple changes done in bulk, or changes across SaaS apps.
The ability to take action in bulk is an important one because managing SaaS apps involves a tremendous amount of repetitive, manual tasks. This is especially true for onboarding, offboarding, and user lifecycle management (examples: updating sharing permissions for multiple files, moving multiple users into groups or channels, or disabling email forwarding for multiple users). Many native SaaS admin consoles do not provide the ability to take bulk action, whether it’s across a set of users, groups, files, third-party apps, or devices.
These repetitive tasks are paralyzing, frustrating, and they also prevent IT from focusing on strategic value-add work. The ability to take action en masse can make a huge difference in terms of time savings and productivity.
#5: Automation – Automatically Running Workflows
The fifth guiding principle, and arguably the pinnacle of all of the guiding principles, is automation. This refers to the ability to automate workflows and policy enforcement. It’s not easy to do—it takes time to get approval, build and test automations, and iterate on them. It doesn’t just happen overnight. But IT can start automating repetitive tasks that are prone to human error, like onboarding and offboarding. Automation is particularly critical because it gives IT the ability to respond quickly if there’s a breach. If you don’t have automation set up to automatically remediate violations, then it could take days, weeks, or even months to respond.
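Principles #4 and #5 together describe the same thing: a repetitive task (here, offboarding) executed in bulk and automated. The block below is an added example, not code from the original post or from any product. It models two hypothetical SaaS tenants with an in-memory stand-in for their admin APIs (constructed, not a real client), then offboards a list of users across both: suspend the account, disable mail forwarding, remove group memberships, and unshare public files. It supports a dry run that mutates nothing and isolates per-tenant API failures so one error does not halt the rest of the batch. Every tenant, user, and file here is invented for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tenant:
    """Constructed in-memory stand-in for one SaaS app's admin API (not a real client)."""
    name: str
    users: dict     # email -> {"suspended": bool, "forwarding": Optional[str]}
    groups: dict    # group name -> set of member emails
    files: dict     # file id -> {"owner": email, "public": bool}
    fail_for: set = field(default_factory=set)   # emails whose write calls raise, simulating an API error

    def _check(self, email: str) -> None:
        if email in self.fail_for:
            raise RuntimeError(f"{self.name}: API error for {email}")

    def plan(self, email: str) -> tuple[list[str], list[str]]:
        """Read-only: which groups and public files an offboarding would touch."""
        groups = sorted(g for g, members in self.groups.items() if email in members)
        files = sorted(f for f, meta in self.files.items() if meta["owner"] == email and meta["public"])
        return groups, files

    def suspend(self, email: str) -> None:
        self._check(email)
        self.users[email]["suspended"] = True

    def disable_forwarding(self, email: str) -> None:
        self._check(email)
        self.users[email]["forwarding"] = None

    def remove_from_groups(self, email: str) -> list[str]:
        self._check(email)
        groups, _ = self.plan(email)
        for g in groups:
            self.groups[g].discard(email)
        return groups

    def unshare_public_files(self, email: str) -> list[str]:
        self._check(email)
        _, files = self.plan(email)
        for f in files:
            self.files[f]["public"] = False
        return files


def build_tenants() -> list[Tenant]:
    """Constructed starting state; the Box tenant fails for cara to show error isolation."""
    return [
        Tenant("google",
               users={"ben@example.com": {"suspended": False, "forwarding": "ben.personal@gmail.example"},
                      "cara@example.com": {"suspended": False, "forwarding": None}},
               groups={"finance@example.com": {"ben@example.com", "cara@example.com"}},
               files={"g1": {"owner": "ben@example.com", "public": True}}),
        Tenant("box",
               users={"cara@example.com": {"suspended": False, "forwarding": None}},
               groups={"Vendors": {"cara@example.com"}},
               files={"b7": {"owner": "cara@example.com", "public": True}},
               fail_for={"cara@example.com"}),
    ]


@dataclass
class Outcome:
    email: str
    actions: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def offboard_user(tenants: list[Tenant], email: str, dry_run: bool = False) -> Outcome:
    out = Outcome(email)
    for t in tenants:
        if email not in t.users:
            continue
        groups, files = t.plan(email)
        if dry_run:
            out.actions.append(f"{t.name}: would suspend, stop forwarding, leave {len(groups)} groups, unshare {len(files)} files")
            continue
        try:
            # Every step is idempotent, so a failed batch can simply be re-run.
            t.suspend(email)
            t.disable_forwarding(email)
            t.remove_from_groups(email)
            t.unshare_public_files(email)
            out.actions.append(f"{t.name}: suspended, forwarding off, left {len(groups)} groups, unshared {len(files)} files")
        except RuntimeError as e:
            out.errors.append(str(e))   # record and move on; other tenants and users still get processed
    return out


def offboard_bulk(tenants: list[Tenant], emails: list[str], dry_run: bool = False) -> list[Outcome]:
    return [offboard_user(tenants, e, dry_run) for e in emails]


if __name__ == "__main__":
    tenants = build_tenants()
    for o in offboard_bulk(tenants, ["ben@example.com", "cara@example.com"]):
        print(o)
```

Two choices matter here: the dry run is computed from the same read-only `plan()` the real run uses, so what it reports is what would actually change, and each step is idempotent, so the correct response to the recorded Box error is to re-run the batch rather than to hand-repair partial state.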
#6: Delegation & Auditability – Creating Granular Access Roles and Auditing User Activity
Our sixth and final guiding principle is delegation and auditability.
Delegation means the ability to create granular access roles and delegate admin permissions to others in your org. What’s key is delegating the least amount of access people need to do their jobs—aka implementing the least privilege model, which is a security best practice.
Very often, users will request temporary elevated access for a task or project. You shouldn’t give them super admin (essentially, root) access, but IT often has no choice. Why? Because SaaS app roles are often binary—it’s either super admin or end user, nothing in between. Users end up keeping super admin access for weeks, months, even years, and this over-assignment of super admin access becomes dangerous.
Auditability, on the other hand, refers to the ability to audit what all your users are doing. This kind of accountability is critical across SaaS apps. When multiple admins are working in multiple admin consoles, it’s very difficult to ascertain who accessed what and when, which actions were taken, which issues were remediated, and how they were remediated. An IT administrator would have to download logs from each SaaS application and parse through them one by one, manually correlating events across all of them. Automation engines and scripts are often not recorded in audit logs, which gives an incomplete picture of user activity. Additionally, auditability is important from a compliance perspective. Some audits (like SOX) require documentation of when specific privileges were granted or revoked, so you need to have thorough logs.
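The following is an added example, not code from the original post, showing how granular roles, time-bounded elevated access, and a unified audit trail fit together. The role catalogue, principals, and clock are constructed; the permission names are invented for the example. It records every authorization decision, every grant and its expiry, and actions taken by an automation identity, so the log answers the "who did what, when" and "when was this privilege granted or revoked" questions the text raises.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role catalogue: fine-grained permissions instead of a binary super-admin / end-user split.
ROLES = {
    "super_admin": {"*"},
    "helpdesk": {"user.read", "user.reset_password"},
    "file_steward": {"file.read", "file.share.update"},
    "offboarding_bot": {"user.suspend", "user.forwarding.disable", "group.member.remove", "file.share.update"},
}


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    expires_at: Optional[datetime] = None   # None means a standing grant


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    actor: str        # a human admin or an "automation:<workflow>" identity
    action: str
    target: str
    allowed: bool
    detail: str = ""


class Authorizer:
    """Evaluates requests against currently active grants and records every decision."""

    def __init__(self, grants: list[Grant], now: datetime):
        self.grants = list(grants)
        self.now = now            # injected clock so expiry can be demonstrated deterministically
        self.audit: list[AuditEntry] = []

    def _log(self, actor: str, action: str, target: str, allowed: bool, detail: str = "") -> None:
        self.audit.append(AuditEntry(self.now, actor, action, target, allowed, detail))

    def active_roles(self, principal: str) -> set[str]:
        return {g.role for g in self.grants
                if g.principal == principal and (g.expires_at is None or g.expires_at > self.now)}

    def authorize(self, actor: str, action: str, target: str) -> bool:
        perms = set().union(*(ROLES[r] for r in self.active_roles(actor)))
        allowed = "*" in perms or action in perms
        self._log(actor, action, target, allowed)   # denials are logged too
        return allowed

    def grant_temporary(self, granted_by: str, principal: str, role: str, hours: int) -> Grant:
        """Least privilege in practice: a narrow role with a built-in expiry, not super admin."""
        g = Grant(principal, role, self.now + timedelta(hours=hours))
        self.grants.append(g)
        self._log(granted_by, "role.grant", principal, True, f"{role} until {g.expires_at.isoformat()}")
        return g

    def expire_grants(self) -> list[Grant]:
        expired = [g for g in self.grants if g.expires_at is not None and g.expires_at <= self.now]
        self.grants = [g for g in self.grants if g not in expired]
        for g in expired:
            self._log("automation:grant-expiry", "role.revoke", g.principal, True, g.role)
        return expired

    def who_did(self, action: str) -> list[tuple[str, str, str]]:
        """Cross-cutting audit query: (actor, target, timestamp) for every allowed instance of an action."""
        return [(e.actor, e.target, e.at.isoformat()) for e in self.audit if e.action == action and e.allowed]


def demo() -> Authorizer:
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed clock
    az = Authorizer([Grant("ana@example.com", "super_admin"),
                     Grant("ben@example.com", "helpdesk"),
                     Grant("automation:offboarding", "offboarding_bot")], t0)
    az.authorize("ben@example.com", "file.share.update", "g1")                  # denied: helpdesk lacks it
    az.grant_temporary("ana@example.com", "ben@example.com", "file_steward", hours=4)
    az.authorize("ben@example.com", "file.share.update", "g1")                  # allowed inside the window
    az.authorize("automation:offboarding", "user.suspend", "cara@example.com")  # bot actions are audited too
    az.now = t0 + timedelta(hours=5)
    az.expire_grants()                                                          # revocation is logged
    az.authorize("ben@example.com", "file.share.update", "g2")                  # denied again
    return az


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Because the automation identity goes through the same `authorize()` path as a human admin, its actions land in the same log with the same fields, closing the gap the text describes where scripts and automation engines are missing from audit records.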
Best practices for modern SaaS environments have yet to be defined. But as organizations continue to adopt SaaS, these six guiding principles will serve as a solid framework to guide their SaaS management practice and ensure IT success.
To learn how you can apply these guiding principles in your IT organization, check out our book, Controlling Your SaaS Environment.