SaaS challenges: Discovery
As an old saying goes, you cannot manage what you cannot measure. So how can we discover all of the SaaS applications an organisation uses? Regardless of the tool vendors' advertising, the answer is not simple.
Good old software discovery
Discovery of all the installed software in the traditional sense is daunting. But at least we know where to look, and the methods are more or less clear. Well, in most cases. There are desktops and servers, the easy part. Then there are mobile devices that make our tasks a bit more complicated. However, the concept is still easy to grasp – discovering installed software and integrating multiple data sources.
But life would be too dull without challenges. To compensate for that, we have BYOD ("Bring-Your-Own-Disaster"), which is now exacerbated by the COVID-related surge in work-from-anywhere. If there is software on my home computer that I use to do my work, it, in most cases, should be licensed to the company I work for, and the licence should allow commercial use. So what about installing the company's discovery agent on my device? That is not going to happen, sorry. That is an example of when tools aren't enough. Software usage and BYOD policies come to play, and let's hope all the employees strictly follow them. And how do you monitor that?
Still, it's mostly about installed software. It's there as a binary image or being executed in RAM. It's there on the servers, desktops, laptops, tablets and phones.
Discovery of subscriptions?
SaaS rarely comes with its own software. And when it does, the app's presence on devices doesn't necessarily mean that there is a corresponding subscription.
In SaaS discovery, we are looking for what an ex-colleague of mine used to call "money sinks". Where does our money go? What are the subscriptions we are paying? Who are the users?
There are two ways to achieve our goal. One is through analysis of employees' online activity. The other one is by discovering all SaaS-related payments (i.e. subscriptions). If you wish to see the whole picture, both play critical roles, and neither should be overlooked.
Tracking of online activities
Our discovery tools must at least be able to track all online activities before filtering them down to only SaaS-related ones. That is performed at the next step – Recognition, and there'll be another article about it. We need a way to see all that our users visit online. The discovery scope is not limited to HTTP(S). SaaS applications may also use SSH, SFTP and other protocols.
First attempts to perform SaaS discovery used to concentrate on client devices only via browser plugins. Two well-known tool vendors offered solutions that used a Chrome browser plugin as the core. The limitations are so apparent that I'm not sure I have to explain them, but here you are. Firstly, you would have to restrict all your users to Chrome on all platforms, probably Windows and OSX, and maybe Linux(es). That would require revoking a ton of rights from users, so they aren't able to install or run other browsers, remove or disable Chrome plugins, use Incognito mode etc.
Some apps connect to SaaS services directly. Those cannot be monitored by a Chrome plugin, either.
Client-device-based monitoring should not be taken entirely off the table, though. It has its use on company-owned devices outside of the perimeter. It is a valuable piece of the whole puzzle. So what can we do? Monitoring must be performed transparently to the user regardless of the browsers or apps, preferably at the protocol level. Would it be in the form of a local proxy or some hook in IP – I'll leave it to the techies. One thing to remember, the question of revoking admin rights still stands. A user with elevated privileges can disable virtually everything on their device.
Behind the organisation's perimeter, there are other devices on which such tracking is virtually impossible: intelligent devices and thin clients. Suppose thin clients connect to a remote desktop solution inside the perimeter, or say, in Azure. In that case, activities can be monitored locally by agents installed on the remote desktop solution. Smart devices are more difficult to track, and I don't personally know any app that could spy on all online activities on an iOS or Android device. It does not mean they do not exist. It just means I need to do my homework. And if such a solution is found, it would be restricted to devices managed by the organisation. Can you mandate your users install tracking on personal devices used for work? Probably. It depends. How do you define "usage for work", and where does it stop?
We could ditch all the above inside the perimeter and instead implement a full-on Chinese-style proxy wall that spies on all traffic. But we will have to deal with encrypted connections somehow. HTTPS always hides URIs (i.e. SaaS application calls). In most cases, it even hides the server names. The latter is changing with HTTPS SNI extension being rolled out everywhere. Still, one cannot guarantee that every SaaS provider will require and enable SNI. One can employ a form of a Man-in-the-Middle injection on the proxy. However, one must consider the legal implications of that. Also, SaaS providers may detect that and alert the user or even entirely disable access to the servers.
Outside the perimeter, there is Wild Wild West (no www-related pun intended). If the company owns the device, local monitoring may help. But I cannot think of a client-device-based technical solution for users' devices, internet cafes (do they still exist?) etc.
While I was typing this, a friend interjected, "you can monitor activities through the SaaS admin consoles or APIs". And I had to remind him that you need to know what to watch before you monitor who and how uses a SaaS subscription. We're still talking about the discovery stage, remember?
With all the workforce being forced to work from home now, albeit temporarily, most SaaS connections happen outside the perimeter.
So how do we detect that? The implementation may be daunting, but the idea itself is simple.
Follow the money
If there is a SaaS subscription, someone has to pay for it, and that someone is you, i.e. your organisation. If you are thinking about SaaS discovery and management, I would assume that it is driven by the will to optimise expenses.
The problem with SaaS is that it is not an IT service, at least in the traditional way. Individuals, departments and outsourcing companies do not necessarily have to go to the IT department to procure it. SaaS, in that regard, has overtaken all of the "traditional" Shadow IT in volume; it has become The Shadow IT.
But the money is still taken from the organisation's pot.
The obstacle to overcome here is the quality of expense tracking. Think about tightening the grip on expense reports and service provider (outsourcer) bills. SaaS may be either intentionally or unintentionally hidden behind generic words like "Cloud expenses", "IT expenses", even travel expenses (I've seen it myself), embedded in the overall service bill etc.
This kind of tracking automation would be impossible without policy-based expense report standardisation. But it does not mean you cannot do it. When there's a will, there is a way. If optimisation is one of the board's objectives, use the board's power to help you sort it out.
How to select a tool
When selecting a tool, or rather, tools, I would advise against looking for a silver-bullet solution. Think about the whole SaaS discovery as a puzzle, and tools and policies being its pieces.
If your existing tool can only do Chrome plugin-based monitoring, there is no reason not to employ it. If a vendor is knocking on your door with a smart-device tracking solution, they may have just brought you another puzzle piece. Now all you need is to integrate it.
But even before that, please take a step back and think about the goal.
Think about why you're doing this in the first place. What are your goals, metrics, and targets? Who are your best allies in the organisation? Who on the board is interested the most? I bet it'll be someone responsible for optimising the overall budget.
If you haven't yet started your SaaS management journey, and if you somehow value my word of advice, I would suggest beginning with answering one question: "What is the share of SaaS in the organisation's expenses?"
Talk to a Cloud economics expert
We are an independent consulting business that sells no licenses or Cloud services. That is on purpose, so our advice is unbiased.
Please use the form below and tell us about your challenges. Our senior team member will contact you ASAP for a free-of-charge discovery call to discuss your SaaS and Cloud economics.