Will we ever get past talking about IaaS vs. PaaS vs. SaaS? Perhaps not. Gartner recently published a list of the Top 10 Trends Impacting IT Infrastructure and Operations for 2019. Sitting at Number 8? Software as a Service (SaaS) denial.
Basically, most organizations have been hyper focused on Infrastructure and Platforms as a Service — migrating to cloud VMs, hiring admins for Azure and AWS ecosystems, learning Kubernetes and Docker.
Meanwhile, shadow IT and the overall enterprise trend is to initially prefer SaaS. Of course, SaaS has made inroads with IT departments even at the enterprise level, especially Office 365. But without Infrastructure and Operations teams taking SaaS seriously, your overall IT environment could be opened up to security risks on top of integration problems, fragmentation, and service delivery concerns.
Are you in SaaS denial? Do you have blinders on as you focus entirely on IaaS adoption or other more pressing matters? Now is the time to get ahead of the SaaS adoption hurdles by being proactive within your IT and operations departments.
SaaS might be purchased as a large-scale strategic investment involving several departments, notably IT and Finance. Others might be one-off solutions for a single unit or even an individual within a department. IT needs insight into, and some involvement in, any SaaS purchase. All users must be trained to use a system of record that gives IT key information about any SaaS outside IT management.
Basic records include contract costs, term length, any fine print, active users, and utilization information. Your governance should go beyond this basic information to identify who takes ownership of each SaaS tool. Attach business drivers and overall investment and/or ROI to each application. Assess each SaaS application to be certain that its functionality is not already provided by an existing tool.
Tracking and regularly auditing this information helps avoid shadow IT sprawl while also justifying the investment. It also helps keep track of who is using a given SaaS application, where they might access it from, and when the platform is likely to be used. An overall roadmap for SaaS lifecycles can then be generated.
Company and client data must be treated as confidential and governed accordingly. If you use SaaS, ensure that data residency is within official repositories, such as O365, internally managed cloud storage, internal network shares, and any C-level approved SaaS services.
Essentially, if it is not under IT purview, confidential data should not be stored there. That includes personal machines, which should only be used for draft copies of sensitive information. IT must be able to access and control any confidential information at will.
Consider implementing a data loss prevention tool, which can scan your SaaS environments and interface with APIs to look for contextual clues that information has been leaked.
In addition to data governance, you may want to consider encryption both at rest and in transit. Many SaaS applications at the enterprise level offer encryption options. Sensitive information stored in multitenant SaaS environments is well worth the added administration costs of encryption.
Practice regular, strong penetration and vulnerability testing, especially for large-scale SaaS applications that will be used by a wide swath of your organization. Train users on common social engineering attacks like phishing — user access controls are more essential than ever when traversing public networks for SaaS access.
With that in mind, role-based access controls, multi-factor authentication, and strict password requirements are all recommended.
Finally, logging and monitoring controls should be implemented to catch unauthorized access attempts, uploading or downloading of large quantities of data, or suspicious activity, such as a user login originating from a foreign country.
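As an added example (not from the original post), the detection logic those three conditions describe, run in Python over constructed SaaS audit-log lines; the log format, field names, expected-country set and thresholds are assumptions an organization would replace with its own:

```python
import json
from collections import defaultdict

# Constructed sample SaaS audit events (JSON lines); the schema is an assumption.
SAMPLE_LOG = """
{"user":"alice","event":"login","result":"success","country":"US","bytes":0}
{"user":"bob","event":"login","result":"failure","country":"US","bytes":0}
{"user":"bob","event":"login","result":"failure","country":"US","bytes":0}
{"user":"bob","event":"login","result":"failure","country":"US","bytes":0}
{"user":"bob","event":"login","result":"failure","country":"US","bytes":0}
{"user":"bob","event":"login","result":"failure","country":"US","bytes":0}
{"user":"alice","event":"download","result":"success","country":"US","bytes":400000000}
{"user":"alice","event":"download","result":"success","country":"US","bytes":900000000}
{"user":"carol","event":"login","result":"success","country":"RU","bytes":0}
"""

# Hypothetical policy values; each organization tunes these for itself.
EXPECTED_COUNTRIES = {"US", "CA"}
FAILED_LOGIN_THRESHOLD = 5           # failed logins per user before alerting
BULK_TRANSFER_BYTES = 1_000_000_000  # total bytes moved per user before alerting


def parse_events(raw):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events):
    """Return a sorted list of (rule, user) alerts for the three conditions."""
    failures = defaultdict(int)     # failed login count per user
    transferred = defaultdict(int)  # bytes uploaded or downloaded per user
    alerts = set()
    for ev in events:
        user = ev["user"]
        if ev["event"] == "login":
            if ev["result"] == "failure":
                failures[user] += 1
            elif ev["country"] not in EXPECTED_COUNTRIES:
                alerts.add(("login_from_unexpected_country", user))
        elif ev["event"] in ("download", "upload"):
            transferred[user] += ev["bytes"]
    alerts.update(("repeated_failed_logins", u) for u, n in failures.items()
                  if n >= FAILED_LOGIN_THRESHOLD)
    alerts.update(("bulk_data_transfer", u) for u, b in transferred.items()
                  if b >= BULK_TRANSFER_BYTES)
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT {rule}: {user}")
```

Per-user totals are aggregated over the whole sample here; a production version would window them by time and enrich country from the source IP rather than trusting a field in the event.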
SaaS brings with it a new set of challenges as far as working with and alongside your legacy IT investments in software and hardware. On-premises applications may end up with older versions of data or entire data silos. Access control policies may need to be implemented for each SaaS deployment rather than universally from workstation logins. Networks may need to be changed or updated to accommodate data transfer.
Many SaaS applications include APIs that can be used for stronger integration with your existing IT platforms, but they can be complicated or require significant investment in technology and staff on your part. Third-party integration service providers do exist, but to begin, establish company-wide practices around integration. Integration decisions should be made before a new app is purchased. Decide how its data will move throughout your overall IT environment. Determine how security will work within the app. Can you use Active Directory or other access control systems? Does the app offer native connectors to any of your existing SaaS platforms?
Ultimately, SaaS governance comes down to designing a repeatable set of procedures and collecting relevant documentation so you are better able to monitor and administer your standard corporate security, compliance, and product evaluations. Don’t get too bogged down by your monthly IaaS statements or PaaS troubleshooting — you have users, right now, who are buying some new app subscription. Don’t let corporate data escape your purview.
Retain some amount of flexibility; after all, the cloud is all about reacting in real time to dynamic business needs. There is a balance to be found between agility and governance. It’s up to each individual organization to figure out the right mix for them.