Software as a Service (SaaS) chaos occurs when organizations don't have a plan in place for its adoption. It's a common problem for IT organizations, according to Bernard Golden, CEO of consulting firm HyperStratus. "It happens all the time," he said. Unfortunately, organizations often aren't fully aware of the ramifications of not having a SaaS strategy until it's too late.
"People probably realize it's chaotic well after the point that it becomes chaotic. It might be when you realize, 'Gosh, somebody that works for our company quit and we have three SaaS apps, but he has access to four more that are core apps.' There's some sort of trigger point where people go, 'Whoa, this is out of control! We need to do something about this,'" Golden said.
Shadow IT -- the adoption of IT, such as SaaS, without the approval of the IT organization -- is one culprit. Business units often find it easier and faster to acquire SaaS to meet business needs rather than go through IT. But the IT organization itself may also contribute to SaaS chaos if it doesn't have a plan for maintaining those applications and vendor relationships.
"You can convince yourself that everything's OK as you try to deal with two, and then three, and then four [SaaS providers], but to me the biggest issue with multiple SaaS providers is staff bandwidth in terms of vendor management and things like that," said Bill Corrington, cloud strategy lead at consulting firm Stony Point Enterprises.
The dangers of SaaS chaos
On the technical side, identity management is a challenge because every cloud provider handles it differently, according to Corrington. "That's where you have an opportunity for some real chaos. That is going to be a staff issue, impacting bandwidth and resources, but it can also create security issues because access control is a fundamental," Corrington said.
Because every SaaS provider handles identity management differently, the temptation is to accommodate each service differently. "If you do a one-off implementation every time you bring on a new service, you're basically going to end up with identity stovepipes," Corrington said.
"When people talk about security being a No. 1 concern, what they really mean is access control. The more ways you're doing identity management, the more you create a risk. Some ways are better than others and the lack of consistency in how that function is done can create the security risk," Corrington said.
Reining in SaaS chaos and creating a SaaS strategy
When it comes to shadow IT, "It's more important to find a carrot than to find a stick," Golden said. He advises organizations to make it beneficial to the business unit to go through IT to acquire SaaS. For example, the IT organization might make it known that it can help business units get better financial terms or help ensure that they are following compliance terms that are important to them as a business unit, according to Golden.
"Finding a way that further improves the using organization's situation is a more fruitful approach than enforcing rules and audits that the IT organization may not have the clout to enforce," Golden said.
Golden also advises organizations to work with business units to create a common process or checklist that is used to guide a consistent approach to adopting SaaS apps. "IT should take the lead because they're more familiar with the requirements, but it should be done in partnership with representatives from the business units," Golden said. "They are tired of the monopoly -- 'our way or the highway' -- dealings with IT. So anything that smacks of that is probably not going to be successful."
A SaaS strategy also includes having in place a good enterprise architecture, with identity management as a key piece. "If you have a strategy to leverage cloud services, then it's likely or almost certain that that strategy is going to result in multiple cloud services being used. You need to address upfront the reality of figuring out how to do a good architectural approach to identity management so that you can support that strategy," Corrington said.
"When it comes to identity management, one of the big things is how you are doing the authentication," Corrington said. He advises organizations to conduct an upfront analysis to determine authentication requirements based on an app's sensitivity, business criticality, etc. Then, as you look at specific services, map them to authentication requirements and use the authentication technique that has been defined. "The opportunity is to take a good architectural approach to federating identities with external providers and doing that in a consistent way," he added.
This was first published in August 2012