Today, SaaS is the system of record.

Organizations are trusting their mission-critical data—like employee, customer, identity, and finance data—to SaaS applications. But as the world shifts to SaaS, IT is finding that industry best practices do not exist yet. There’s no ITIL for the modern SaaS environment.

And there’s a lot that IT professionals don’t know about SaaS management. In fact, 78% of IT professionals are either teaching themselves how to manage SaaS apps or just getting started. There’s no official certification or foundational level of knowledge yet.

To help navigate this uncharted territory, here are six guiding principles that will help you avoid common pitfalls as you manage multiple SaaS applications. We’ve developed them based on surveys of and conversations with thousands of modern IT professionals over the past few years. When these principles come together, they result in a secure, efficient SaaS environment and ensure IT success.

#1: Centralization – Seeing All Your Disparate Data in One Place

The foundational challenge found in all SaaS environments is data sprawl. Organizations used to be homogeneous; in the past, they were purely Microsoft or IBM or Google shops. But today, organizations are using dozens of best-in-class SaaS apps. As a result, data is massively sprawled across multiple SaaS applications.

This brings us to our first guiding principle: centralization. IT must bring all of this data into a single place and normalize it in order to get their hands around it. There are so many different types of data objects (like files, users, groups, and calendars) and they all live in multiple different places (like Google Drive, Box, Slack, and Salesforce).

Fundamentally, IT must be able to see everything in one place.
So, the first step to effective SaaS management is to centralize all your data in one view.

#2: Discoverability – Finding the Need-to-Know Information Amidst All Your Data

Centralization is only the first step. Your data might be in one place now, but here’s the next challenge: How do you find the most critical data and make sense of it? If you have several hundred employees, then you have millions of data objects in your environment: users, groups, files, folders, third-party apps, etc.

Our second guiding principle is discoverability. IT needs the ability to take a massive data set and sort and filter it quickly. For example, can you easily discover which users are automatically forwarding corporate email to their personal email addresses? Or how many publicly shared files you have? Or which users don’t have two-factor authentication enabled? Or which groups are publicly visible? If you can’t find this information quickly (or at all), then you’re not set up for success.

#3: Insights – Surfacing Only the Most Important, Relevant Alerts at the Right Time

Think of all your users in front of their computers all day. They’re sending hundreds of Slack messages, adding Chrome extensions, sending emails, and sharing files with others. The amount of activity is massive. But imagine if IT was alerted every time an email was sent or a file was shared—they’d be overwhelmed by the sheer volume of noisy alerts.

As a result, our third guiding principle is insights. IT needs a way to boil down all that information and only surface the most important, relevant alerts at the right time. For example, IT might want to be alerted only if a finance employee publicly shares a spreadsheet that contains credit card information, not when anybody shares any file publicly.

A good mantra for alerts is quality over quantity. This can mean all the difference between a secure environment and one that’s breached.
Alert fatigue is a real threat and can easily give rise to data breaches. (Remember, the 2013 Target data breach occurred because of alert fatigue—IT admins ignored multiple alerts.)

#4: Action – Taking Action on Data in Bulk

Having all of this SaaS data is good, but that’s only half the battle.

Our next guiding principle is action. Once you have centralized data and effective insights, what do you do, exactly, with those insights? You need to be able to take action (i.e., make changes and remediate the issue) based on those insights. This can be a single change, multiple changes done in bulk, or changes across SaaS apps.

The ability to take action in bulk is an important one because managing SaaS apps involves a tremendous amount of repetitive, manual tasks. This is especially true for onboarding, offboarding, and user lifecycle management (examples: updating sharing permissions for multiple files, moving multiple users into groups or channels, or disabling email forwarding for multiple users). Many native SaaS admin consoles do not provide the ability to take bulk action, whether it’s across a set of users, groups, files, third-party apps, or devices.

These repetitive tasks are paralyzing, frustrating, and they also prevent IT from focusing on strategic value-add work. The ability to take action en masse can make a huge difference in terms of time savings and productivity.

#5: Automation – Automatically Running Workflows

The fifth guiding principle, and arguably the pinnacle of all of the guiding principles, is automation. This refers to the ability to automate workflows and policy enforcement. It’s not easy to do—it takes time to get approval, build and test automations, and iterate on them. It doesn’t just happen overnight. But IT can start automating repetitive tasks that are prone to human error, like onboarding and offboarding.
Automation is particularly critical because it gives IT the ability to respond quickly if there’s a breach. If you don’t have automation set up to automatically remediate violations, then it could take days, weeks, or even months to respond.

#6: Delegation & Auditability – Creating Granular Access Roles and Auditing User Activity

Our sixth and final guiding principle is delegation and auditability.

Delegation means the ability to create granular access roles and delegate admin permissions to others in your org. What’s key is delegating the least amount of access people need to do their jobs—aka implementing the least privilege model, which is a security best practice.

Very often, users will request temporary elevated access for a task or project. You shouldn’t give them super admin (essentially, root) access, but IT often has no choice. Why? Because SaaS app roles are often binary—it’s either super admin or end user, nothing in between. Users end up keeping super admin access for weeks, months, even years, and this over-assignment of super admin access becomes dangerous.

Auditability, on the other hand, refers to the ability to audit what all your users are doing. This kind of accountability is critical across SaaS apps. When multiple admins are working in multiple admin consoles, it’s very difficult to ascertain who accessed what and when, which actions were taken, which issues were remediated, and how they were remediated. An IT administrator would have to download logs from each SaaS application and parse through them one by one, manually correlating events across all of them. Automation engines and scripts are often not recorded in audit logs, which gives an incomplete picture of user activity. Additionally, auditability is important from a compliance perspective.
Some audits (like SOX) require documentation of when specific privileges were granted or revoked, so you need to have thorough logs.

Best practices for modern SaaS environments have yet to be defined. But as organizations continue to adopt SaaS, these six guiding principles will serve as a solid framework to guide their SaaS management practice and ensure IT success.

To learn how you can apply these guiding principles in your IT organization, check out our book, Controlling Your SaaS Environment.
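
The alert rule from principle #3 (a finance employee publicly sharing a spreadsheet that contains credit card information), sketched as an added Python example that is not part of the original article. Share events from two hypothetical SaaS apps are first normalized into one schema (principle #1), and the alert fires only on the narrow condition rather than on every public share. The app names, field names, users and events are all constructed for illustration.

```python
import re

# Constructed sample data: two hypothetical SaaS apps report shares in different shapes.
DIRECTORY = {"ana@example.com": "finance", "raj@example.com": "engineering"}
DRIVE_EVENTS = [
    {"actor": "ana@example.com", "doc": "q3-payments.xlsx", "visibility": "anyone_with_link",
     "text": "Vendor card 4111 1111 1111 1111 exp 09/27"},
    {"actor": "raj@example.com", "doc": "roadmap.xlsx", "visibility": "anyone_with_link",
     "text": "Build 1234 5678 9012 3456 shipped"},
]
STORAGE_EVENTS = [
    {"user": "ana@example.com", "file": {"name": "team-lunch.csv", "public": True, "body": "pizza x 12"}},
    {"user": "ana@example.com", "file": {"name": "cards.csv", "public": False, "body": "4111111111111111"}},
]

def normalize():
    """Centralization: map both app-specific shapes onto one schema."""
    for e in DRIVE_EVENTS:
        yield {"app": "drive", "user": e["actor"], "name": e["doc"],
               "public": e["visibility"] == "anyone_with_link", "content": e["text"]}
    for e in STORAGE_EVENTS:
        f = e["file"]
        yield {"app": "storage", "user": e["user"], "name": f["name"],
               "public": f["public"], "content": f["body"]}

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def has_card_number(text):
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def alerts(events):
    """Insights: alert only on public + finance + spreadsheet + card data."""
    return [e for e in events
            if e["public"] and DIRECTORY.get(e["user"]) == "finance"
            and e["name"].endswith((".xlsx", ".csv")) and has_card_number(e["content"])]

def public_shares(events):
    """Discoverability: the broad query, too noisy to use as an alert."""
    return [e["name"] for e in events if e["public"]]
```

On the sample data, `public_shares` returns three files while `alerts` returns only the one finance spreadsheet with a Luhn-valid card number, which is the quality-over-quantity difference the article describes.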