How to Create a SaaS Governance Policy
We can all agree that the last few months have been turbulent and unpredictable across all industries. Market volatility, supply chain issues, and record-setting inflation rates have impacted small businesses and large corporations alike.
But in the midst of this instability, it’s clear that two things have remained consistent. Companies of all sizes rely on SaaS more than ever before—and it’s high time for IT to solidify its processes for managing and securing a large (and growing) cloud-first environment.
To help define these processes, Gartner® recently published a report on establishing an effective SaaS governance policy that secures the perimeter and gives all employees ownership over the software procurement process. This report offers an extensive framework for building out a governance policy and explores why a SaaS management platform (SMP) should be at the center of it.
You can read the full report by clicking the link below. In the meantime, let’s explore a few of our key takeaways from Gartner’s latest research on managing and securing your SaaS environment.
A SaaS governance policy keeps your environment secure
Back in 2019, we reported that 62% of IT professionals believed their biggest insider security threat came from well-meaning, but negligent employees. We believe not much has changed over the last three years.
Gartner believes that there are two factors at play. First, it has never been easier for employees at all levels to add a SaaS application to your organization’s environment. Without a process or the right tool for discovering and managing your company’s use of SaaS, Gartner adds that SaaS adoption will still occur, but in ways that are “suboptimal and risky.”
“If you don’t explicitly discover and manage your use of SaaS, SaaS adoption will still occur but in ways that are suboptimal and risky.”
How to Establish Effective SaaS Governance, Gartner Inc.
Gartner also reports that SaaS buyers tend to focus on the immediate functional requirements and ignore longer-term issues, which leads to incomplete analyses of security requirements. To remedy these challenges, Gartner recommends what it calls a full lifecycle approach to SaaS governance.
These are obviously huge challenges for any IT team to solve. The key to doing so effectively? Gartner says a growing number of its clients are leveraging SaaS management platforms to centralize their IT support. The Venn diagram below illustrates just one example of how you might administer an effective SaaS management approach with an SMP.
It’s no surprise that Gartner urges both IT and the business units to adopt more agile approaches to managing and enabling continuous change. Doing all of this work manually increases the potential for human error, which can be especially costly when it comes to maintaining security compliance and protecting sensitive data. As we’ve seen with many customers, BetterCloud’s automated workflows and alerts enable IT teams at all stages to handle the long list of tasks in the diagram above, while also freeing them up to work on more strategic initiatives.
Creating a holistic SaaS governance policy
Shockingly, Gartner reports that many organizations still rely on a Microsoft Excel spreadsheet to track the applications in use across all business units. In response, Gartner shared, “no effective governance is possible without some form of written directive to set the rules and provide a basis for enforcement.”
At a minimum, the following three basic SaaS control policies must be established:
- Approve all SaaS use through a defined process. IT cannot automatically veto requests for SaaS, but must work with business stakeholders to create a flexible, practical and cooperative process to acquire appropriate new SaaS capabilities and steer inappropriate ones to better solutions.
- Assign accountability for SaaS. If the IT organization is not maintaining responsibility for a particular SaaS application, then the owner is typically a business unit (BU) manager or department head.
- Maintain a comprehensive cloud application inventory. The defined approval and responsibility acceptance processes must include the formal registration and tracking of SaaS use with IT. This is where an SMP comes in very handy, providing IT with a comprehensive view of all the SaaS in use at any time.
Gartner’s vision for a holistic SaaS governance policy also urges IT to think about control requirements during the entire app usage lifecycle. It is critically important during the purchase phase to consider the potential security risks associated with each SaaS application, and how those threats might evolve as use changes over time.
Assessing risks and analyzing controls
While there isn’t a “one-size-fits-all” approach to assessing the risk of each potential app, Gartner recommends reducing the potential threats introduced by various SaaS apps with compensating tools. These include access management (AM) tools, SMPs, vendor risk management (VRM), and more.
An SMP like BetterCloud offers the ability to create and enforce SaaS usage policies, such as limiting the number of administrative-level accounts. It also helps monitor the use of SaaS with alerts and centralized dashboard visibility.
Gartner also recommends using free SaaS with the utmost caution, and never with sensitive or business-critical data. To reduce risk, SaaS usage policies should specifically address the use of free SaaS, and steer users towards sanctioned apps. An SMP can provide IT leaders critical visibility into shadow IT usage so they can take appropriate action to enforce policies and protect their environment.
Actions to take from purchase to end of life
According to Gartner, to implement a strong SaaS governance policy, IT should plan to take a series of actions throughout the entire lifecycle of a SaaS app. The initiation phase includes recommendations for purchasing, implementation, and user provisioning. It even covers actions IT might not think of immediately, like contingency planning in the event of an app outage or failure.
Once an app is implemented, IT should plan for continuous management and monitoring as it becomes more widely used. One of the most critical tasks during this phase is keeping up with license management, to make sure that you are only paying for licenses you are actually using. IT should also look for ways to automate SaaS security actions, such as:
- ensuring sensitive data isn’t moved into an inappropriate location
- keeping tabs on shadow IT, and
- ensuring user access levels are at the minimum required.
This is where a SaaS management platform like BetterCloud can really help. Sensitive data can be automatically located, and IT alerted to exactly which file it resides in and where. Users can be instantly logged out of risky shadow IT and notified that their actions violate policy. Excessive super admin accounts can be automatically detected and removed. All of these functions enable IT to take a proactive approach to the security activities involved in SaaS governance.
Even when a SaaS app is being decommissioned, Gartner recommends that IT take steps to proactively manage its end of life. Many of these activities involve the migration, destruction, or backup of critical data that might have resided in the app.
Overall, Gartner recognizes that IT leaders have a growing burden of responsibility when it comes to SaaS. Companies seem to have an endless appetite for more and more SaaS apps, and those tools are increasingly critical to business success.
Gartner recommends IT create and follow a thorough and ongoing strategy for managing SaaS. From reducing the risks from shadow IT to optimizing usage, there are activities to be done throughout the entire lifecycle of an app.
Download the full report to get all the details on how to more effectively govern SaaS usage. You can also schedule a demo of BetterCloud to learn how to centralize and automate governance activities.
Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
[i] Gartner “How to Establish Effective SaaS Governance” by Charlie Winckless, Jay Heiser, 27 December 2021 – ID G00757704