Good old software discovery
Discovery of all the installed software in the traditional sense is a daunting task on its own. But at least we know where to look, and the methods are more or less clear. Well, in most cases. There are desktops and servers, the easy part. Then there are mobile devices that make our task a bit more complicated but the concept is still easy to grasp – it's all about discovering installed software and integrating multiple data sources.
But life would be too boring without challenges, and to compensate for that, we have BYOD ("Bring-Your-Own-Disaster"), which is now exacerbated by the COVID-related surge in work-from-anywhere. If there is software on my home computer that I use to do my work, it, in most cases, should be licensed to the company I work for, and the licence should allow commercial use. So what about installing the company's discovery agent on my own device? That is not going to happen, sorry. That is an example of when tools aren't enough and software usage and BYOD policies come into play, and let's hope all the employees strictly follow them. And how do you monitor that?
Still, it's mostly about installed software. It's there as a binary image or being executed in RAM. It's there on the servers, desktops, laptops, tablets and phones.
Discovery of... subscriptions?
SaaS rarely comes with its own software. And when it does, the app's presence on devices doesn't necessarily mean that there is a corresponding subscription.
In SaaS discovery, we are looking for what an ex-colleague of mine used to call "money sinks". Where does our money go to? What are the subscriptions we are paying for? Who are the users?
There are two ways to achieve our goal. One is through analysis of employees' online activity. The other one is through discovery of all SaaS-related payments (i.e. subscriptions). If you wish to see the whole picture, both play their critical roles, and neither should be overlooked.
Tracking of online activities
Our discovery tools must at least be able to track all online activities before filtering them down to only SaaS-related ones, which is performed at the next step – Recognition, and there'll be another article about it. We need a way to see everything our users visit online. The discovery scope is not limited to HTTP(S). There may be SaaS applications that also use SSH, SFTP and other protocols.
First attempts at SaaS discovery used to concentrate on client devices only, via browser plugins. Two well-known tool vendors offered solutions that used a Chrome browser plugin as the core. The limitations are so obvious, I'm not sure I have to explain them, but here you are. Firstly, you would have to restrict all your users to Chrome only, on all platforms, which are probably Windows and OSX, and maybe Linux(es). That would require revoking a ton of rights from users so they aren't able to install or run other browsers, remove or disable Chrome plugins, use Incognito mode, etc.
There are also apps that connect to SaaS services directly. Those cannot be monitored by a Chrome plugin either.
Client-device-based monitoring should not be completely taken off the table though. It has its use on company-owned devices outside of the perimeter. It is a valuable piece of the whole puzzle. So what can we do? Monitoring must be performed transparently to the user and regardless of the browsers or apps in use, preferably at the protocol level. Whether it takes the form of a local proxy or some hook at the IP layer, I'll leave to the techies. One thing to remember: the question of revoking admin rights still stands. A user with elevated privileges can disable virtually everything on their device.
Going back behind the organisation's perimeter, there are other devices on which such tracking is virtually impossible: smart devices and thin clients. With thin clients, if they connect to a remote desktop solution inside the perimeter, or say, in Azure, monitoring of activities can be performed locally by agents installed on that remote desktop solution. Smart devices are more difficult to track, and I don't personally know any solution that could spy on all online activities on an iOS or Android device. It does not mean they do not exist. It just means I need to do my homework. And if such a solution is found, it would obviously be restricted to devices managed by the organisation. Can you require your users to install tracking on their personal devices used for work? Probably. It depends. How do you define "usage for work", and where does it stop?
Inside the perimeter, we could ditch all the above, and instead implement a full-on Chinese-style proxy wall that spies on all traffic. But we will have to deal with encrypted connections somehow. HTTPS always hides URIs (i.e. SaaS application calls). In most cases, it even hides the server names. The latter is changing as the TLS SNI extension, which sends the server name in the clear during the handshake, is rolled out everywhere, but one cannot guarantee that every SaaS provider will require, and therefore enable, SNI. One can employ a form of Man-in-the-Middle (TLS interception) on the proxy, although one must consider the legal implications of that, as well as the possibility that SaaS providers detect it and alert the user, or even entirely disable access to their servers.
Stepping outside the perimeter, there is the Wild Wild West (no www-related pun intended). If the company owns the device, local monitoring may help. But I cannot think of a client-device-based technical solution for users' own devices, internet cafes (do they still exist?), etc.
While I was typing this, a friend of mine interjected with "you can monitor activities through the SaaS admin consoles or APIs". And I had to remind him that before you monitor who uses a SaaS subscription and how, you need to know what to monitor. We're still talking about the discovery stage, remember?
With all the workforce being forced to work from home now, albeit temporarily, the majority of SaaS connections happen outside of the perimeter.
So how do we detect that? The implementation may be daunting but the idea itself is simple...
Follow the money
If there is a SaaS subscription, someone has to pay for it, and that someone is you, i.e. your organisation. I would assume that if you are thinking about SaaS discovery and management, it is driven by a will to optimise expenses.
The problem with SaaS is that it is not an IT service, at least in the traditional way. Individuals, departments and outsourcing companies do not necessarily have to go to the IT department to procure it. SaaS, in that regard, has overtaken all of the "traditional" Shadow IT in volume; it has become The Shadow IT itself.
But the money is still taken from the organisation's pot.
The obstacle to overcome here is the quality of expense tracking. Think about tightening the grip on expense reports and service provider (outsourcer) bills. SaaS may be either intentionally or unintentionally hidden behind generic words like "Cloud expenses", "IT expenses", even travel expenses (I've seen it myself), or embedded in an overall service bill, etc.
Without policy-based expense report standardisation, this kind of tracking would be impossible to automate. But it does not mean you cannot do it. When there's a will, there is a way. If optimisation is one of the board's objectives, use the board's power to help you sort it out.
How to select a tool
When selecting a tool, or rather, tools, I would advise against looking for a silver-bullet solution. Think about the whole SaaS discovery as a puzzle, and tools and policies being its pieces.
If your existing tool can only do Chrome-plugin-based monitoring, there is no reason not to employ it. If there's a vendor knocking on your door with a smart device tracking solution, they may have just brought you another piece of the puzzle. Now all you need is to integrate it.
But even before that, please take a step back and think about...
Think about why you're doing this in the first place. What are your goals, metrics, targets? Who are your best allies in the organisation? Who is the person on the board with the greatest interest in it? I bet it'll be someone responsible for optimising the overall budget.
And if you haven't yet started your SaaS management journey, and if you somehow value my word of advice, I would suggest beginning with the answer to just one question: "What is the share of SaaS in the organisation's expenses?"
This article is also available in Portuguese here.