A guide to SaaS discovery methods
A combination of factors, including the move to remote work and the need for organizations to respond more quickly to business objectives, has led to a rapid acceleration of SaaS spend. Because SaaS software is easy to try, buy and implement, the procurement of these applications is no longer centralized within IT but has spread throughout the organization. This combination of increased spend and decentralized procurement has led to an explosion of shadow SaaS.
Organizations are increasingly turning toward SaaS management platforms (SMPs) to help them shine a light on their SaaS environments so they can optimize, rationalize, secure and govern their SaaS portfolio. To make that possible, the SMP must first discover the SaaS applications in use within the organization. There are many methods SMPs leverage to find SaaS applications, and we’ll focus on the six most common, including:
- Single sign-on (SSO) platforms
- Financial records
- API connectors
- Agents
- Cloud access security brokers (CASB)
- Browser extensions
Single sign-on (SSO) platforms
Single sign-on (SSO) platforms
SSO allows users to securely access multiple applications with a single set of login credentials. It not only increases employee efficiency and satisfaction by eliminating the need to remember multiple passwords and enter credentials each time they want to access an app, but it also adds a layer of security by preventing the use of weak personal passwords and adding the option to use multi-factor authentication.
SMPs leverage SSO platforms, such as Okta and Microsoft Azure Active Directory, to gather information on known SaaS applications in their environment. SSO data reveals when a user last logged into an application, allowing SMP users to compare purchased and assigned licenses to logins to get an idea of usage and potential waste.
SSO connections are relatively easy to set up, and SMP users enjoy a short time-to-value for this discovery source. There are, however, disadvantages to relying on SSO discovery.
SSO data only reveals information on applications that are known to the organization — you wouldn’t have an application you’re unaware of integrated with your SSO platform, for example. While SSO data reveals when a user last logged onto an application, it does not provide any information on how long the user spent in the app. Whether a user spent two seconds or two hours in an app is beyond the reach of SSO. Finally, for this method to be useful, you need to make sure the SMP you choose integrates with your particular SSO platform.
Financial records
Financial records
Expense reports are another source of information for SMPs. Users can import subscriptions and contracts directly, manually, or an SMP will connect to a spend and procurement platform like Coupa or SAP Ariba and search for keywords that indicate the purchase of a SaaS application. The data retrieved can include information on cost of the app as well as the department and contact information of the purchaser.
Financial records discovery can also uncover shadow SaaS, as many unknown apps that were purchased directly from a business unit without the knowledge of IT will find their way onto an expense report. Once discovered, the organization can begin the process of eliminating redundancies and mitigating security and regulatory risks that could be posed by unknown applications in the environment.
Financial records as a discovery source have their limitations as well, however. First, the data pulled from spend and procurement platforms is very difficult to normalize and often requires human review to yield accurate results. Second, free applications and incorrectly expensed applications escape discovery, leaving blind spots in your SaaS environment. Finally, financial records reveal nothing about application usage, so it’s impossible to determine from the data whether an app represents money well spent or is simply a wasted purchase on an unused piece of software.
API connectors
API connectors
API connectors are probably the most common form of SaaS discovery for an SMP. These connectors allow an SMP to retrieve and aggregate information found in SaaS vendor portals. There are wide variations in what each vendor portal provides, but common data points include: assigned users of the application, user contact information and a list of applications associated with a SaaS subscription.
Some vendors provide information that you can use to determine if users are assigned the appropriate tier for the application or if they are candidates to be downgraded to a less expensive tier. And some vendors even provide usage data, although that is rare and only for online use of cloud applications.
Depending on the SMP, API connectors can be configured in a little as a few minutes and begin returning valuable information immediately thereafter. For example, an SMP user could very quickly see the number of subscriptions purchased vs. number assigned to identify potential opportunities for optimization.
Much like SSO discovery, however, API connectors are only useful for applications the organization already knows about, so they are not helpful in uncovering shadow SaaS. They’re also limited by whatever information the vendor chooses to provide, and some portals are more useful than others. Finally, SMP providers offer a finite number of connectors, so you’re only able to leverage vendor portal information from a fraction of the tens of thousands of SaaS applications available.
Agents
Agents
Agents are installed on individual devices and are most useful in managing hybrid applications that have an installed software component in addition to an online version. Microsoft® 365 is the most well-known example.
Hybrid applications often have tiered pricing, and accessing the software both on-premises and in the cloud comes at a cost. Agents can help you determine if there are opportunities to downgrade users from a more expensive tier to a less expensive tier based on their usage patterns.
As with SSO and API connectors, agents aren’t useful for discovering shadow SaaS. Additionally, their time-to-value is longer than other methods due to their implementation requirements.
Cloud Access Security Brokers (CASB)
Cloud Access Security Brokers (CASB)
A CASB is a software tool that sits in between an organization’s on-premises infrastructure and their cloud provider’s infrastructure. It allows the organization to restrict access to cloud services, limit the transmission of sensitive data and extend the reach of their security policies.
By collecting and analyzing network traffic, CASBs can be used to discover SaaS applications. In fact, they are an excellent way to identify shadow SaaS and mitigate the security and regulatory risks associated with it.
They are unable, however, to detect SaaS usage when the user is not on the corporate network. With the rise in remote work and employees spread all over the world, this is a potentially significant blind spot.
Browser extensions
Browser extensions
Browser extensions offer the most comprehensive SaaS discovery available, as they can discover any type of SaaS application – known, unknown, paid and free. They are deployed on the browser of each managed employee, and they register the login and usage of any SaaS application in the SMP’s discovery engine regardless of whether the employee is on a corporate network or in a remote location when he/she accesses the app.
They offer the most reliable insights for optimization and rationalization while uncovering the potential security and regulatory threats to an organization that come from unknown, unvetted SaaS applications. In fact, it’s not uncommon for users of an SMP leveraging a browser extension to uncover hundreds of previously unknown SaaS applications running in their environment.
This discovery method has the added advantage of detailing not only logins but duration in an application. As mentioned above, time spent in an application is a key indicator of that app’s utility to a particular user.
Browser extensions do require installation on each managed device, and there are privacy concerns associated with this discovery method that often need to be mitigated.
For example, data will likely need to be anonymized in organizations located where there are strict privacy rules. Additionally, it’s important to ensure an SMP’s browser extension is only gathering and distributing information about SaaS application usage and not tracking unrelated browser activity.
Which SaaS discovery method(s) are right for your organization?
Which SaaS discovery method(s) are right for your organization?
Most SMPs offer a combination of several of the discovery methods listed above, and when combined, they can provide powerful insights and opportunities that no single discovery method can offer. For example, comparing applications discovered via financial data or a browser extension with applications accessed via your SSO platform can highlight applications that should be going through your SSO but aren’t. Combining data from API connectors and a browser extension can help you identify users with individual licenses that should be leveraging the corporate agreement.
When choosing an SMP, it’s important to understand which discovery methods the provider employs and how those methods match your goals for managing your SaaS environment.