As Software Asset Managers we are used to managing both risk and cost. Whilst the two go hand in hand when managing perpetually licensed software there are differences when it comes to SaaS application management. Should we focus more on risk aspects when managing SaaS apps? This article explores that question.
Our activities in relation to managing perpetual licenses are usually focused around the following:
All these activities are primarily focused on the cost side – weak audit defence will inevitably lead to increased costs as risks become realised, for example. In the SaaS world however, our tasks and focus may need to change.
So, you have pretty good control over cost, there’s low risk of audit, and you can flex your consumption rapidly to meet demand. What do we have left to manage? Does SaaS just end up managing itself?
What we haven’t considered is third-party, legal, regulatory, and privacy risk. These are what you need to worry about, or at the very least be reporting to your internal compliance teams. The reason is simple – the cost of a breach from the perspective of PCI-DSS, SOX, HIPAA, or GDPR is going to far outweigh any cost savings you may get from flexing which Office 365 plan your users are on. This is before you consider the reputational risk of a breach which reaches the public domain, something that is now far more likely given the impact of GDPR reporting requirements.
If customers discover that their privacy has been breached, they may be less willing to buy from you again. And if software is at fault then you could very easily be on the hook during the inevitable post-mortem. Even if managing SaaS risk isn’t your job, you should probably start doing it unless responsibilities are clearly defined elsewhere. SaaS Management is still a relatively new discipline and your internal policies and procedures may not have been updated to account for it. There is a trend in recent breaches and infrastructure failures, such as Equifax and British Airways, to find “Someone To Blame” – don’t let that person be you.
As Asset Managers we are still very much at the early stages when it comes to our responsibilities around compliance in the SaaS world. Security vendors such as Qualys are entering the SAM space with the aim of inventorying our software deployments. Their motivation is different – usually it is about finding vulnerable or unpatched software on-premises – but we may already have this information, and certainly we can act as a trusted source for it. Our challenge is that well-established inventory tools for scanning on-premises deployments aren’t always the best solution for discovering SaaS deployments. Certainly, market leaders such as Snow & Flexera are playing catch-up in getting the right tools into our hands. Fortunately, there is plenty of innovation going on in this market and some of the more recent entrants such as Alpin, Intello, and Torii are actively tracking GDPR compliance status for SaaS apps.
For users of GSuite, some vendors can track permissions granted to third-party apps – for example, providing a report of which apps are able to read your email. Permissions such as these are important across the compliance and legal spectrum. Tools that provide some level of automation for onboarding/offboarding employees are also available. Studies have shown that almost 90% of former employees retain access to SaaS apps after they leave, something that is completely unacceptable from a compliance perspective. If such access is discovered during, for example, a SOX User Access Review or Privileged Access Review, it is likely to result in an audit finding requiring immediate resolution.
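The two checks described above, orphaned accounts of former employees and third-party apps that can read mail, are the kind of thing a User Access Review reconciles. The following is an added example of that reconciliation, not code from this article or from any of the vendors it names. It assumes a constructed HR roster, constructed per-app user exports, and a constructed list of OAuth grants; in practice these would come from the HR system and each SaaS admin console or API. The set of Google Workspace scopes treated as "can read mail" is an assumption for the example and should be checked against the vendor documentation.

```python
"""Access-review helpers: orphaned SaaS accounts and mail-reading third-party apps.

All data below is constructed for the example; nothing here calls a real API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed set of Google Workspace OAuth scope URIs that grant mail read access.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}


@dataclass(frozen=True)
class Employee:
    email: str
    active: bool
    leave_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class OAuthGrant:
    user: str           # account that authorised the app
    app: str            # third-party app name as shown in the admin console
    scopes: frozenset   # scope URIs granted to the app


# Constructed HR roster (the source of truth for who should have access).
ROSTER = [
    Employee("alice@example.com", True, None),
    Employee("bob@example.com", False, date(2024, 1, 10)),
    Employee("carol@example.com", True, None),
]

# Constructed SaaS user exports: app name -> set of account e-mails.
SAAS_USERS: Dict[str, Set[str]] = {
    "crm": {"alice@example.com", "bob@example.com"},
    "chat": {"alice@example.com", "carol@example.com", "contractor@example.com"},
}

# Constructed OAuth grants as a GSuite admin export might list them.
GRANTS = [
    OAuthGrant("alice@example.com", "mail-merge-addon",
               frozenset({"https://www.googleapis.com/auth/gmail.readonly",
                          "https://www.googleapis.com/auth/userinfo.email"})),
    OAuthGrant("bob@example.com", "calendar-sync",
               frozenset({"https://www.googleapis.com/auth/calendar"})),
    OAuthGrant("carol@example.com", "mail-merge-addon",
               frozenset({"https://mail.google.com/"})),
]

# Review date used when computing how long an orphaned account has lingered.
AS_OF = date(2024, 2, 9)


def orphaned_accounts(roster: List[Employee], saas_users: Dict[str, Set[str]],
                      as_of: date) -> List[dict]:
    """Return SaaS accounts whose owner is not an active employee.

    Each finding records the app, the account, why it is orphaned (left the
    organisation, or never in the roster at all) and, for leavers, how many
    days the account has outlived their leave date.
    """
    active = {e.email for e in roster if e.active}
    by_email = {e.email: e for e in roster}
    findings = []
    for app, users in saas_users.items():
        for user in sorted(users):
            if user in active:
                continue
            emp = by_email.get(user)
            if emp is None or emp.leave_date is None:
                reason, days = "not in HR roster", None
            else:
                reason, days = "left organisation", (as_of - emp.leave_date).days
            findings.append({"app": app, "user": user,
                             "reason": reason, "days_since_leave": days})
    return findings


def mail_reading_apps(grants: List[OAuthGrant]) -> Dict[str, List[str]]:
    """Map each third-party app holding a mail-read scope to the users who granted it."""
    result: Dict[str, Set[str]] = {}
    for g in grants:
        if g.scopes & MAIL_READ_SCOPES:
            result.setdefault(g.app, set()).add(g.user)
    return {app: sorted(users) for app, users in sorted(result.items())}


if __name__ == "__main__":
    for f in orphaned_accounts(ROSTER, SAAS_USERS, AS_OF):
        print("ORPHANED", f)
    for app, users in mail_reading_apps(GRANTS).items():
        print("MAIL-READ", app, users)
```

Run against the constructed data this flags Bob's CRM account (30 days after his leave date), a contractor account in the chat tool that the HR roster knows nothing about, and one add-on that can read mail for two users. Feeding the real exports into the same two functions gives the evidence a SOX access review asks for, and the "days since leave" figure is what turns a list of stale accounts into a measurable offboarding control.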
For those of us embarking on a SaaS Management program, it is important to focus on risk reduction, particularly if you’re building a business case. As highlighted above, the financial impact of realised regulatory risks will probably outweigh any cost savings and contract optimisations you may discover. If you know that your User Access & Identity Management processes are weak, work with those teams to build a case for automation and for tool and process improvements. You’ll end up with a tool that will also enable you to deliver on your cost reduction targets, and the business will benefit from reduced regulatory risk.