SaaS discovery is really easy if you’re an end user. You can probably find a product that meets your needs with a Google search and a credit card. However, SaaS discovery from an IT management and governance perspective is a whole different beast.
In the past, there haven’t been a lot of easy ways to detect application usage in the browser or restrict user activity without creating hyper-restrictive internet usage policies.
Enter SaaS discovery platforms.
These platforms do more than just help organizations tackle their shadow IT challenges; they can significantly enhance operations. SaaS discovery platforms boost productivity, cut costs, and bolster security.
In this article, we’ll take a deep dive into SaaS discovery to explain how.
What is SaaS discovery?
SaaS discovery is the process of identifying and documenting the use of SaaS applications within an organization. The key artifact produced by the SaaS discovery process is a SaaS inventory. Organizations can then use that inventory to inform business decisions and improve overall IT governance.
Specific benefits and use cases for SaaS discovery include:
- Visibility. As we can see with many shadow IT examples, IT teams and MSPs often simply don’t know what SaaS products their end users access. This in turn creates a major gap in infrastructure visibility. SaaS discovery can directly fill these gaps and
- Data security and compliance. Lack of visibility directly impacts data governance, security, and compliance. For example, a well-intentioned employee could easily violate HIPAA data governance rules by storing data with the wrong cloud service. IT can’t prevent or correct what they can’t see.
- Cost optimization. License costs can add up fast, and basically any employee with a credit card can start racking up those costs. SaaS discovery helps teams identify what apps are in use and how often they are used, and then make informed decisions about where they can reduce duplication and wasted SaaS spend.
- Increasing efficiency and productivity. Putting dollar costs aside, SaaS feature overlap can negatively impact employee productivity and efficiency. For example, an employee could be using a shadow IT app that duplicates capabilities in an existing approved app. Getting everyone on the same tool could streamline productivity and knowledge sharing. Alternatively, sometimes a shadow IT app can benefit more employees than just the person using it, and official adoption can make an entire team more productive.
5 traditional SaaS discovery methods
One of the best things about SaaS products is just about anyone with internet access can use them. However, that creates a significant challenge if you’re responsible for creating an inventory of SaaS apps.
So, let’s take a look at five ways to answer one of the most important SaaS discovery questions: How can you discover SaaS apps in your environment?
1. Surveys and questionnaires
Spreadsheets, surveys, and questionnaires are the traditional way to build a SaaS inventory. These manual approaches have the advantage of being cheap and easy, and they get you talking to users and customers. However, snapshots in time that depend on self-reporting can be inaccurate.
As a quick example: Can you name all the SaaS apps you used this month?
- Pros: Cheap and easy
- Cons: Manual, error-prone, snapshot that is very quickly out of date
2. Accounting and payment card records
Another approach to tracking down SaaS apps is to review records from accounting such as employee expenses and credit card transactions. These records have the advantage of capturing the SaaS software that’s costing you money. But, they won’t catch freeware that could create security and compliance issues.
- Pros: Catches all/most paid subscriptions
- Cons: Time-consuming manual process, requires access to financials, no insight into usage, no freeware visibility
3. IT change management
A rigorous IT change management policy can help control SaaS usage and define standards employees must follow. It also, at least in theory, keeps IT in the know about employee software usage and encourages alignment throughout the organization.
However, a manual change management process suffers from many of the downsides of surveys and questionnaires.
- Pros: Enforces standards, encourages alignment
- Cons: Manual reporting and documentation is tedious, process is easy to subvert, error-prone
4. Traditional software asset management tools
Tools like remote monitoring and management (RMM) software can help with SaaS discovery to some extent too. These tools are fairly easy to manage and tend to have inventory capabilities built in.
However, they also have a very on-prem focus and typically lack robust support for SaaS apps. For example, an RMM might report on a browser that is installed on a PC, but won’t easily tell you what SaaS apps a user accesses.
- Pros: Built into a management tool, coupled with other administrative features
- Cons: Highly limited SaaS capabilities, device-focused rather than user-focused
5. DNS logs
Your DNS logs record the name lookup behind every outbound request from your network to a SaaS app’s FQDN. As a result, with some configuration, you can capture records of effectively all the SaaS apps that are used in your network. The downside is that DNS log monitoring can be complex to configure, and it’s easy to get a false positive (reading a blog on Slack.com and using Slack.com for a call take you to the same domain).
- Pros: Discovers “everything”
- Cons: False positives, complex configuration
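The DNS-log approach, sketched as an added example (not Auvik's code or any vendor's method). The log line format, the catalog entries, and the "seen on at least two days" confidence heuristic are all assumptions; DNS alone cannot tell a blog visit from real app use, so thin evidence is only flagged for review.

```python
from collections import defaultdict

# Hypothetical catalog: registrable domain -> app name (assumption, not a vendor list).
CATALOG = {"slack.com": "Slack", "dropbox.com": "Dropbox", "notion.so": "Notion"}

# Constructed sample lines in an assumed format: "<ISO timestamp> <client IP> <qtype> <FQDN>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A app.slack.com.
2024-05-01T09:00:02Z 10.0.0.5 A files.slack.com.
2024-05-02T10:15:00Z 10.0.0.5 AAAA app.slack.com.
2024-05-01T11:30:00Z 10.0.0.7 A slack.com.
2024-05-01T12:00:00Z 10.0.0.7 A www.dropbox.com.
2024-05-02T12:05:00Z 10.0.0.7 A www.dropbox.com.
2024-05-01T13:00:00Z 10.0.0.9 A notslack.com.
malformed line
"""

def match_app(fqdn):
    """Return the catalog app whose domain equals fqdn or is a parent of it."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        app = CATALOG.get(".".join(labels[i:]))  # match on label boundaries only
        if app:
            return app
    return None

def build_inventory(log_text, min_days=2):
    """Aggregate lookups per (client, app); flag thin evidence as low confidence."""
    stats = defaultdict(lambda: {"queries": 0, "days": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, _qtype, fqdn = parts
        app = match_app(fqdn)
        if app:
            entry = stats[(client, app)]
            entry["queries"] += 1
            entry["days"].add(timestamp[:10])  # date part of the ISO timestamp
    return {
        key: {"queries": v["queries"],
              "confidence": "high" if len(v["days"]) >= min_days else "low"}
        for key, v in stats.items()
    }

if __name__ == "__main__":
    for (client, app), info in sorted(build_inventory(SAMPLE_LOG).items()):
        print(client, app, info)
```

Matching on whole labels keeps a lookalike such as `notslack.com` out of the inventory, and the single `slack.com` lookup from 10.0.0.7 is reported as low confidence rather than as confirmed Slack use.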
Auvik SaaS Management for SaaS Discovery
Frankly, all five of those options present a square peg/round hole situation when it comes to SaaS discovery. Yes, they can help you get the job done. But no, they don’t come close to offering a seamless experience or an accurate picture of what’s going on at any given time.
What you need is a robust, purpose-built tool, like Auvik SaaS Management (ASM).
Let’s take a look at what makes ASM different and how it has saved IT departments and MSPs significant time and money while improving overall SaaS visibility.
Addressing the cloud visibility gap
Traditional tooling like RMMs does a great job of providing endpoint visibility. And network management tools like Auvik Network Management (ANM) give IT a good picture of the network. However, what goes on in the browser has traditionally been a black box.
ASM addresses this cloud visibility gap by integrating with browsers, identity providers via SSO, and using collector software to inventory and capture granular information on SaaS apps, desktop programs, and business applications.
For example, ASM can provide detailed usage metrics—not just simple logins—for cloud software that may have otherwise gone completely undetected.
Improving cloud security and compliance
One of the biggest cloud security challenges IT faces is the inability to easily detect insecure behavior such as account sharing and improper use of service accounts. Not only can ASM detect risky cloud behavior, it can alert an administrator so they can take corrective action.
Additionally, ASM directly supports multiple CIS Critical Security Controls, including these safeguards:
- 2.1 Establish and Maintain a Software Inventory: Administrators can build and maintain a detailed application inventory directly within ASM.
- 2.3 Address Unauthorized Software: By addressing shadow IT with the help of Auvik SaaS Management, IT can reduce unauthorized software risk.
- 3.14 Log Sensitive Data Access: ASM provides detailed security logs that can enable administrators to audit application usage and access.
- 5.1 Establish and Maintain an Inventory of Accounts: With ASM, organizations can create a central inventory of accounts and improve their onboarding and offboarding practices.
- 5.3 Disable Dormant Accounts: With visibility into application and user activity, IT can disable unused accounts that are chewing up license count and creating security risk.
- 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients: Browsers and email clients are high-value targets for threat actors. With an ASM application inventory, IT can help ensure that only supported and up-to-date browsers are in use.
Cost management and optimization
By aggregating data such as software contracts, SaaS app inventories, and user activity, ASM can provide teams with detailed reports and insights that can have a major impact on the bottom line. For example, a product adoption report can help IT understand if a recent software investment is being used or ignored. They can then scale their license spend accordingly.
How to run SaaS discovery using Auvik
Now that we know what SaaS discovery is, let’s jump into how to run a SaaS discovery with Auvik SaaS Management (ASM). If you don’t already have an account, you can sign up for a free trial here. Within 30 minutes, you’ll be up and running.
Step 1: Deploy connectors
With ASM, we have two ways of performing SaaS discovery:
1. A quick scan that integrates with your identity provider
2. A SaaS agent that can integrate with a variety of different tools including popular remote monitoring and management (RMM) and Apple management platforms
ASM guides us through the process. There’s even a custom script option if none of the other tools are applicable to your deployment.
We’ll run a custom install on a Windows machine for this example. You can choose whichever integration option you prefer to follow along.
Step 2: Allow time for collection
Now, let the collectors run for a bit. You’ll start getting meaningful data in minutes, but remember that ASM monitors activity and users don’t access all their apps all the time. Expect to see a fair amount of new insights over the course of the first few days.
Among the findings we have already, ASM is catching potentially insecure practices like a user leveraging personal credentials.
Step 3: Catalog the apps
Now we can start categorizing apps to help with reporting, visualization, and analysis. For example, since I know Microsoft 365 is an approved app, I’ll set the “Lifecycle Stage” to approved.
We can also assign a business owner to help track who is responsible for an app.
Step 4: Determine shadow IT
As you go through the classification process, you’ll likely find some shadow IT apps you weren’t expecting. We like to categorize the shadow IT discovered into three different lifecycle stages:
- Not Approved for apps that simply shouldn’t be in use in the environment
- Discovered for apps that haven’t had any meaningful analysis yet
- Evaluating for apps, including former shadow IT apps, we’re considering for implementation
It’s critical to make shadow IT review a regular practice. ASM’s reports, such as the top 10 unused applications report (in the Quarterly Business Review section), are a great way to do just that.
Beyond QBRs, we recommend checking in on shadow IT at least once a month.
Of course, simply quantifying shadow IT isn’t enough. Make sure you have a process in place to remediate it, either by adopting new apps or enforcing policies that restrict access to unapproved apps.
Step 5: Load application contracts
Contract data enables you to track contract and expiry dates so you can take a proactive approach to renewals and subscription management. You can add contract information on a per-app basis in ASM and use this data to directly inform SaaS spend management strategy and licensing decisions.
For example, you can compare application usage tracked in ASM to contract costs. Like with shadow IT, make sure to regularly review and assess your contract spending.
Step 6: Set up workflows and alerts
Effective alerting is a key aspect of a SaaS management platform and can drastically increase overall visibility. ASM enables automated workflows and alerts for a variety of scenarios:
- Applications with a specific risk category are detected
- Insecure behavior like account sharing is detected
- New service accounts are detected
Step 7: Implement onboarding and offboarding workflows
Ineffective employee onboarding is one of the biggest inhibitors of productivity. And, slow or incomplete employee offboarding is a significant security risk.
ASM can help streamline both processes by providing clear visibility over the apps you must include in your onboarding processes and supporting a detailed offboarding report to streamline offboarding workflows.
SaaS discovery is a key component of effective SaaS management. The right solution can help you improve productivity, optimize costs, and strengthen your security posture.
Of course, there’s nothing like trying it for yourself.
See Auvik SaaS Management’s SaaS discovery in action by signing up for a free (no credit card required) trial today!