UPDATED 10:49 EST / JUNE 22 2022


Conquering ‘shadow IT’: How enterprises are trying to tame the cloud software beast

Like many companies, high-performance sporting equipment maker Catapult Sports Pty Ltd. used to give its employees wide latitude to choose their own software-as-a-service applications. But as its information technology department prepared a campaign to achieve compliance with a key security standard, its lack of visibility into the services employees were using became a liability.

“There was a lot of shadow IT,” said Kimberly Wood, vice president of information technology and chief information security officer, referring to technology spending that is not under the jurisdiction of the IT organization. “We didn’t have any visibility into what software was out there. We wanted to control spending, standardize the usage and limit what was used.”

After evaluating several SaaS management platforms, Catapult Sports settled on technology from Zluri Technologies Pvt. Ltd. The software connects directly to SaaS applications via application programming interfaces and pulls out information about who is using them, how much they’re spending and whether there are any potential regulatory conflicts.

It was eye-opening to see the number of active licenses attached to ex-employees or users who had never used the software at all, Wood said. “We’ve only had Zluri for a couple of months but I’d say we’ve saved $150,000 by eliminating shadow IT, pulling back on some services and not overbuying,” she said. “We have a lot of expensive software coming up for renewal and being able to quantify the real count of what we needed to purchase will probably save us hundreds of thousands of dollars.”

SaaS explosion

Catapult Sports realized six-digit savings by using SaaS management software, said IT and security chief Kimberly Wood. Photo: LinkedIn

Whether they know it or not, a lot of companies are probably in the same boat. SaaS management software firm Productiv Inc. analyzed activity collected from thousands of teams and found that the average company’s SaaS portfolio grew more than 44% between 2019 and 2021. Security teams were the biggest power users, with an average of 73 applications per group, while retail firms grew their SaaS portfolios by an average of 131% between 2019 and 2021.

Zylo Inc., which sells SaaS management software, says research shows that the average enterprise has about 600 SaaS applications in use, only one-quarter of which are managed by IT. It estimates as many as 10 new applications are brought into a typical company each month.

Tracking and optimizing SaaS usage is a relatively new challenge, and just under half of IT organizations say they’re confident that they can identify and monitor unsanctioned SaaS usage on company networks despite the fact that more than three-quarters see such apps as a security risk, according to BetterCloud Inc.

“With large companies [shadow SaaS use] is always at least two or three times what they expect and I’ve seen it as much as 10 times more,” said Andréa Jacquemin, chief executive of Beamy SAS, a Paris-based SaaS management company that recently raised $9 million in a Series A funding.

Limited visibility

The limited visibility many organizations have into SaaS usage often dates back years to the time when SaaS was first storming the enterprise. Beleaguered IT groups that were snowed under by user requests for new applications saw salvation in the ability to let people attend to their own IT needs, often with nothing more than a credit card. That changed the dynamics of software provisioning and the genie isn’t likely to go back into the bottle.

Productiv’s Chandarana: Focus is shifting from “how you manage the estate to how you enable your people.” Photo: Productiv

“If you stifle the ability of people to use the best technology for their job, it can damage the employee experience,” said Eric Christopher, co-founder and CEO of Zylo. At companies without IT asset management and procurement functions dedicated to SaaS, he added, “we typically find twice as many SaaS instances as the IT team is aware of.”

Traditional IT service management and the popular Information Technology Infrastructure Library framework for managing the lifecycle of IT services focused on reliability and availability. “Those are no longer the key tenets of what operations administration is about,” said Aashish Chandarana, chief information officer at Productiv. “It’s about making sure you have the tools your staff needs.” The focus is shifting, in other words, from “how you manage the estate to how you enable your people.”

Users typically don’t deploy SaaS applications with the deliberate intention of end-running the IT organization, experts say. Unintended proliferation is usually the result of one of several factors:

Decentralized budgeting: Subscription costs are hidden in expense reports that are approved at the department level and never subjected to IT scrutiny. The organization misses out on volume discounts because it doesn’t have a consolidated view of what it’s using and software costs may be mislabeled. “Salesforce.com gets classified as a marketing expense instead of as a software expense,” said Zylo’s Christopher.

Lax user account administration: Users sign up for a SaaS account – or it may be provisioned by the IT organization for them – and then leave the company. The account stays active and continues to generate charges.

Overprovisioning: In most companies new employees are outfitted with a standard set of applications pertinent to their jobs. No one ever checks to see if they are using them.

Insufficient user training: Although this problem isn’t limited to SaaS, it can have a significant impact on the value the company sees for the dollar. “If you leave Slack deployed on its own, it’s a pretty expensive chat app,” said Productiv’s Chandarana.

Catapult Sports’ Wood has seen multiple sources of SaaS waste. “There were people putting stuff on their own credit cards for reimbursement,” she said. Former employees sometimes continued to have access to applications that were paid for by the company. And oversight of what people were using was spotty.

“Zoom, Google Workspace and our phone system were the three biggest sources of waste,” she said. “People were provisioning everybody on these services whether they were using them or not.”

Security risk

Beamy’s Jacquemin: Actual SaaS use is between two and 10 times greater than IT is aware of. Photo: LinkedIn

The consequences extend beyond cost. Unsupervised use of SaaS applications by employees who lack sufficient training can cause sensitive data to be left out in the open or abandoned in cloud file shares that remain active long after a person has left the company. “Having so many different places where a company’s data lives opens you up to more risk,” said Zylo’s Christopher.

While market-leading cloud applications such as Salesforce and Adobe Inc.’s Creative Cloud are considered secure, not all of the 17,000 SaaS companies in the U.S. alone are transparent about the measures they take or other parties they work with.

“They may have only 20 employees and no security people,” Jason Clark, chief security and strategy officer at cloud security provider Netskope Inc., said in a May 2021 interview with SiliconANGLE. “Small SaaS providers may also have data-sharing relationships with others that aren’t disclosed or are documented only in the fine print of license agreements nobody reads.”

That’s why Clark turns off automatic transcription of conference calls. “There could be 100 providers that have access to my data,” he said. “I guarantee one of them will have bad security practices.”

Going mainstream

The situation has spawned a host of startups that propose to help rein in the SaaS beast. Verified Market Research forecasts the global market for SaaS management platforms will grow from $113 billion in 2020 to $716 billion in 2028, a compound annual rate of better than 27%. Gartner Inc. expects that half of organizations using multiple SaaS applications will centralize management and usage metrics by 2026, up from 20% last year.

Some impressive investment has rolled into the market. AvePoint Inc., which focuses on the management of office productivity applications, has raised $430 million in funding, according to Crunchbase. Torii Labs Ltd. has raised $65 million, BetterCloud nearly $187 million, Productiv Inc. $73 million and Zylo more than $35 million. In addition, traditional software asset management vendors, cloud platform management, cloud security and even some IT service management vendors are getting into the game.

Vendors come at SaaS management from a variety of angles. Some tie into the APIs exposed by applications directly and harvest as much information as they can about usage. Others comb through accounting records to identify expenses that indicate a rogue application is being used. Some can automatically suspend or cancel accounts, while others simply report. And some can match usage to a vendor’s licensing provisions to recommend bigger discounts.

The distinction is important, Gartner wrote in last year’s report. “SaaS apps integrated with the [SaaS management platform] in a one-way fashion can only identify issues, whereas bidirectional integrations will identify issues and can take action,” wrote analysts Chris Silva and Manjunath Bhat. “Not all tools will offer bidirectional integration with all relevant SaaS apps, and a mix of one-way and bidirectional integrations with the SMP across the SaaS portfolio is common.”

Zylo provides a secure, RESTful API that customers can use to customize the data they retrieve. Companies that use Zoom videoconferencing, for example, can see which employees are using the service, how many run meetings beyond the 40-minute limit of the free option and who’s using Zoom on multiple devices. That data can be compared to spending and licensing records Zluri retrieves by automatically scanning expense forms.

CoreView s.r.l., an Italian SaaS management firm that specializes in Microsoft’s Office 365 platform, has “a number of ways to discover what SaaS is being used ranging from going through financial records to browser plug-ins to sorting through emails looking for invoices,” said Chief Evangelist Doug Hazelman. “There is no systematic way of discovering what’s being used. The only way to do that is by finding those traces.”

Catapult Sports looked at a variety of options before settling on Zluri. The product’s built-in connections to more than 200 services via APIs were appealing, Wood said. “Almost every [application] we used already had an API so it was simple to connect and get a wealth of information for financial, compliance and licensing purposes.” The vendor further offered to write up to a dozen custom APIs for any applications it didn’t already support.

A fresh approach

Once businesses discover how many unsanctioned apps are used, they usually look to put a framework in place that governs usage but doesn’t restrict it. “SaaS is not an IT issue; it’s an organizational issue,” said Beamy’s Jacquemin.

Catapult Sports has overhauled its approach to SaaS provisioning and management. “We have a whole process that includes contract management, security and compliance,” Wood said. “For any new software, people have to fill out a form that I approve. We then point them to an approved software list and ask them to find something that fits the bill.”

One popular approach is to set up an in-house app store that provides at least a couple of approved options for major software categories and centralizes billing under the IT organization. That has worked at Catapult Sports. “Nine times in 10 we have a tool for them,” Wood said.

Cost-saving estimates vary, but most vendors say they can lop at least 20% off an organization’s SaaS spending. “Typically, we see a 5% to 10% savings out of the gate by removing unused or duplicative software and we can see up to 30% savings overall,” said Zylo’s Christopher. In addition, “a lot of our customers who were growing SaaS 20% year-over-year can bring it down to 10%.”

Gartner cites other, less tangible benefits, including better cost visibility, streamlined onboarding procedures and better security through integration with cloud access security brokers.

The value proposition of SaaS management tools is likely to change as more organizations get a handle on usage and formalize their spending and provisioning practices. Vendors will improve their products’ integration with cloud security suites and integrate more tightly with financial applications such as enterprise resource planning. Enterprises, which have been slow to come on board, are likely to lead the next assertive growth, Gartner reported.

Ultimately, the problem may become less common as organizations adjust their practices. So do SaaS management platforms have a long-term future? “I think so,” said Productiv’s Chandarana. “Employee experience is going to matter more and more. People want to work where they can be the best they can and everything is software these days.”
