As Software Asset Managers we are used to managing both risk and cost. Whilst the two go hand in hand when managing perpetually licensed software, there are differences when it comes to SaaS application management. Should we focus more on the risk aspects when managing SaaS apps? This article explores that question.
Our activities in relation to managing perpetual licenses are usually focused around the following:
- License Demand – We ensure that our license investment is right-sized by tracking usage and forecasting demand. Typical activities are confirming that there is no over-deployment, that the licenses deployed are in use, and calculating the license purchases required for a new project.
- Audit Defence – By calculating regular Effective License Positions (ELPs) for our key software investments we ensure that we’re ahead of the game and fully prepared when the auditor comes knocking. If we have confidence in our deployed estate, audit defence becomes an efficient and professional task. Once word gets around that you have strong audit defence you may also find that you’re less likely to be audited.
- Inventory & Discovery – For most asset managers inventory and discovery is a constant battle – ensuring agent coverage and shining a light into the dusty corners of your network. In my experience this was a daily task and is a foundation of your SAM practice. You can’t manage what you don’t know about.
- Strategic SAM – A mature SAM practice should be able to assist architects and other key stakeholders with mid to long term strategy. By understanding what’s deployed, what’s due to go out of support, and what upgrade rights you’re entitled to you can help senior leaders plan their investments in the right area. For example, I would urge all of you to be starting conversations now regarding the end of support for Windows 7 and changes to Office support scheduled for early 2020.
All these activities are primarily focused on the cost side: weak audit defence, for example, will inevitably lead to increased costs as risks become realised. In the SaaS world, however, our tasks and focus may need to change.
SaaS Application Management
- License Demand – The beauty of SaaS is that in theory you can precisely match demand with consumption and cost. Contracts can be monthly and are rarely long term – although large vendors will be happy to sign you up to the sort of 3-year deal you had when buying perpetual software.
- Inventory & Discovery – As long as you know what you’ve got deployed – and there are tools out there to help you with that – you can accurately track costs for the most common SaaS providers. If your tool covers the product, you’ll effectively have 100% accurate inventory because you’ll be looking at the same data any auditor would use.
- Audit Defence – SaaS likely reduces the risk and frequency of vendor-led audits, simply because the vendor already has perfect knowledge of your usage and there is nowhere to hide. Having said that, we have heard reports of Salesforce initiating audits, so the risk doesn’t go away entirely.
- Strategic SAM – Forecasting demand when you’re running on monthly contracts is also less important. You can flex your deployment up and down according to, for example, seasonal business. There is still scope to contribute to architectural and strategic decision-making but the lack of fixed assets in a SaaS world potentially gives you greater flexibility.
So, you have pretty good control over cost, there’s low risk of audit, and you can flex your consumption rapidly to meet demand. What do we have left to manage? Does SaaS just end up managing itself?
SaaS Application Risk Management
What we haven’t considered is third-party, legal, regulatory, and privacy risk. These are what you need to worry about, or at the very least be reporting to your internal compliance teams. The reason is simple – the cost of a breach from the perspective of PCI-DSS, SOX, HIPAA, or GDPR is going to far outweigh any cost savings you may get from flexing which Office 365 plan your users are on. This is before you consider the reputational risk of a breach which reaches the public domain, something that is now far more likely given the impact of GDPR reporting requirements.
If customers discover that their privacy has been breached, they may be less willing to buy from you again. And if software is at fault, then you could very easily be on the hook during the inevitable post-mortem. Even if managing SaaS risk isn’t your job, you should probably start doing it unless responsibilities are clearly defined. SaaS Management is still a relatively new discipline and your internal policies and procedures may not have been updated to account for it. There is a trend in recent breaches and infrastructure failures, such as Equifax and British Airways, to find “Someone To Blame” – don’t let that person be you.
Managing a new paradigm
As Asset Managers we are still very much at the early stages when it comes to our responsibilities around compliance in the SaaS world. Security vendors such as Qualys are entering the SAM space with the aim of inventorying our software deployments. Their motivation is different – usually it is about finding vulnerable or unpatched software on-premises – but we may already have this information, and certainly we can act as a trusted source for it. Our challenge is that well-established inventory tools for scanning on-premises deployments aren’t always the best solution for discovering SaaS deployments. Certainly, market leaders such as Snow & Flexera are playing catch-up in getting the right tools into our hands. Fortunately, there is plenty of innovation going on in this market and some of the more recent entrants such as Alpin, Intello, and Torii are actively tracking GDPR compliance status for SaaS apps.
For users of G Suite, some vendors can track the permissions granted to third-party apps, for example by providing a report of which apps are able to read your email. Permissions such as these are important across the compliance and legal spectrum. Tools that provide some level of automation for onboarding and offboarding employees are also available. Studies have shown that almost 90% of former employees retain access to SaaS apps after they leave, something that is completely unacceptable from a compliance perspective. If such access is discovered during, for example, a SOX User Access Review or Privileged Access Review, it is likely to result in an audit finding requiring immediate resolution.
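The two checks described above (which third-party apps can read a user’s mail, and which leavers still hold an active account) are the kind of thing you can script yourself before buying a tool. The example below is added here and is not code from the article or from any of the vendors named; it runs over constructed sample data. The OAuth grant records are assumed to mirror the fields returned by the Google Admin SDK Directory API `users.tokens.list` call (`userKey`, `clientId`, `displayText`, `scopes`), and the scope URIs are Google’s documented Gmail scopes. The leaver reconciliation deliberately runs against the SaaS app’s own user export rather than your directory, because an account that still works in the app after the directory account is disabled is exactly the one an offboarding process misses.

```python
"""Two SaaS access-review checks, run over constructed sample data.

1. Which third-party OAuth apps can read a user's mail?
2. Which leavers still hold an active account in a SaaS app?
"""
from datetime import date

# Gmail scopes that permit reading message content (documented Google scopes).
# Any grant containing one of these belongs in a "can read your email" report.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Constructed sample of OAuth grants. The field names are assumed to match the
# items returned by Admin SDK users.tokens.list; the values are made up.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Calendar Sync Pro",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "alice@example.com", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "clientId": "333.apps.googleusercontent.com",
     "displayText": "Inbox Cleaner",
     "scopes": ["https://mail.google.com/"]},
]


def apps_that_can_read_mail(tokens):
    """Return {app display name: sorted list of users} for every grant whose
    scopes include at least one mail-reading scope."""
    report = {}
    for tok in tokens:
        if MAIL_READ_SCOPES.intersection(tok.get("scopes", [])):
            report.setdefault(tok["displayText"], set()).add(tok["userKey"])
    return {app: sorted(users) for app, users in report.items()}


# Constructed HR leaver list: email -> last working day.
SAMPLE_LEAVERS = {
    "bob@example.com": date(2019, 3, 29),
    "carol@example.com": date(2019, 5, 10),
}

# Constructed user export from a SaaS app's admin console, already parsed.
SAMPLE_APP_USERS = [
    {"email": "alice@example.com", "status": "active", "last_login": date(2019, 6, 3)},
    {"email": "bob@example.com", "status": "active", "last_login": date(2019, 4, 15)},
    {"email": "carol@example.com", "status": "suspended", "last_login": date(2019, 5, 9)},
]

# Date the review is being run (constructed).
REVIEW_DATE = date(2019, 6, 30)


def retained_access(leavers, app_users, as_of):
    """Return leavers whose app account is still active after their last
    working day. A login after leaving is recorded separately because it is
    the stronger finding: the access was not just left open, it was used."""
    findings = []
    by_email = {u["email"].lower(): u for u in app_users}
    for email, last_day in leavers.items():
        u = by_email.get(email.lower())
        if u is None or u["status"] != "active" or last_day >= as_of:
            continue  # no account, already disabled, or not yet left
        findings.append({
            "email": email,
            "days_since_leaving": (as_of - last_day).days,
            "logged_in_after_leaving": u["last_login"] > last_day,
        })
    return findings


if __name__ == "__main__":
    for app, users in apps_that_can_read_mail(SAMPLE_TOKENS).items():
        print(f"{app} can read mail for: {', '.join(users)}")
    for f in retained_access(SAMPLE_LEAVERS, SAMPLE_APP_USERS, REVIEW_DATE):
        print(f"LEAVER STILL ACTIVE: {f['email']} "
              f"({f['days_since_leaving']} days, "
              f"used after leaving: {f['logged_in_after_leaving']})")
```

Against the sample data, Calendar Sync Pro is not reported (it holds only a calendar scope), Mail Merge Helper and Inbox Cleaner are, and Bob is flagged as a leaver who is both still active and has logged in since his last working day; Carol is not flagged because her account was suspended. In a real review the token list comes from a per-user API call and the user export from each app’s admin console, but the reconciliation logic is the same.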
For those of us embarking on a SaaS Management program it is important to focus on risk reduction, particularly if you’re building a business case. As highlighted above, the financial impact of realised regulatory risks will probably outweigh any cost savings and contract optimisations you may discover. If you know that your User Access and Identity Management processes are weak, work with those teams to build a case for automation and for tool and process improvements. You’ll end up with a tool that will also enable you to deliver on your cost reduction targets, and the business will benefit from reduced regulatory risk.