SaaS Subscription Management tools are designed to enable organisations to manage their full stack of SaaS Applications – everything from a free browser-based calendar tool to a CRM system such as Salesforce. This document outlines four key capabilities you should consider when choosing one of these tools. Additionally, this standard also covers how to engage a SaaS Management Managed Service (SMMS) provider.
This is an open standard, The ITAM Review welcomes feedback, suggestions, and amendments. The aim is to provide a robust, objective standard for the assessment of SaaS Management Tools & Service Providers. Please follow up via the comments or via email to firstname.lastname@example.org
Essential Tool Requirements for SaaS Subscription Management
The SaaS Optimisation lifecycle is similar to that for perpetually licensed software. We need to Discover what’s in use, create an Inventory, Normalise that inventory, and Optimise our estates.
The difference is largely in the techniques used – and also, critically, the time to realise value. Good foundational discovery and inventory enables optimisation activity at a pace impossible in perpetually licensed environments.
Let’s look at the tool requirements for each stage of the SaaS Subscription Optimisation Lifecycle.
Discovery can be a challenge in SaaS environments. There’s often nothing installed, and in 70% of deployments (by value) the budget is coming from Line of Business (LOB) departments, not central IT.1 Everyone is potentially an acquirer of SaaS services and recent research finds that half the SaaS estate has been acquired via employee expense accounts.1 As such, your usual processes for capturing new entitlements and adding them to your existing ITAM toolset won’t work here. The problem is exacerbated by the frictionless nature of SaaS, with 39% of a company’s SaaS stack changing annually.2 And with SaaS spending growing so rapidly (164% since 2016)3 it is vital that you know where that spend is happening.
Scale is also a factor – the same research finds that the average company is using 597 SaaS apps. Every one of those apps has the potential to be a security risk or to generate unplanned and unbudgeted costs. How do you go about onboarding a new employee with the right tools with so many to deploy?
To cope with this scale and the multiple entry routes into your environment, a SaaS Subscription Optimisation toolset needs to approach discovery from multiple angles. For example, one that relies on integrations to your expense and accounting systems won’t discover the multitude of free apps. And one that consumes data from your corporate single-sign-on application won’t find apps that don’t use it. You may also need to consider the use of corporate SaaS apps on unmanaged personal devices.
Questions for providers of Discovery tools:
- Which Discovery capabilities does your tool make use of (e.g. API, SSO, Expenses, Agent)
- Does the tool detect free SaaS apps?
- Which accounting and expense systems does it work with?
- Which Single Sign On (SSO) providers does it consume data from?
- Which SaaS applications does it directly interface with?
- Does it require an agent or similar technology to be deployed?
- Can it differentiate between personal and corporate usage of SaaS apps?
Discovery capabilities answer questions such as “What do we own” and “What are we using”. Building on that, Inventory gets you rich data about the things you’ve discovered. If Discovery is finding the treasure chest, then Inventory is finding out what’s inside. As with the Discovery process, SaaS Inventory is likely to require a multi-vector approach. For example, you may discover that 20 employees are expensing the conferencing app Zoom via an expense system integration. The purpose of inventory is to determine which of those employees is actively using the application, for how long, and perhaps even with whom.
Most SaaS Optimisation tools blur the lines between Discovery and Inventory. For example, if a tool has a Salesforce connector, that connector may simultaneously find the subscription and provide the rich metrics around usage data you require. However, it is still worthwhile to probe the differences with a prospective tool provider.
Questions for providers of Inventory Tools
- Request a full list of inventory data fields captured by the tool (e.g. user, email address, timestamps, application version/edition, location, device used)
- Confirm options for querying inventory data – static reports, dashboards, APIs, connectors to other IT Management systems such as a traditional ITAM toolset.
- Does the tool gather rich usage data? For example, first used, last used, length of time used, features & capabilities used.
- Integration options with multiple discovery tools. For example, can the system receive data from an expense system discovery and merge that with data from your Single Sign On provider?
- Can the tool be integrated with other IT Management applications such as a CMDB or an ITAM tool designed for managing on-premises deployments?
The purpose of normalisation is to bring together discovery and inventory data from multiple sources. For example, you might gather usage data from a SaaS provider’s portal, find a contract for that SaaS provider from your expenses or accounting system, and gather a user list from an HR or User Account Management system. The output from normalisation is certainty or confidence about the usage of SaaS applications in your estate.
Questions regarding Normalisation capabilities
- Does the tool categorise applications according to metrics such as application type (e.g. web-conferencing, file-sharing)?
- Does the tool categorise applications according to who is using them (e.g. Marketing, Sales, Engineering)?
- Does the tool identify product owners automatically? Product owners will be the lead contact in your organisation for the tool.
- Does the tool provide insight into Discovery & Inventory data quality? For example, by highlighting which inventory and discovery data methods have contributed to an application catalogue entry. This is particularly important for large estates in the upcoming Optimisation lifecycle stage.
- Does the tool have the ability to provide insight into “known unknowns”? For example, if you have discovered an estate-wide commitment to Office 365 but have only inventoried usage by one department does it highlight that discrepancy?
Optimisation is the desired outcome of investing in a SaaS Subscription Management tool.
This section has key questions for tool providers split between the three primary optimisation use cases – Cost Management, Risk Management, & Automation – along with a section on common requirements.
This section covers requirements/questions common to all optimisation use cases. So far, this standard has focused on capabilities relating to identifying what’s in use in an estate. In order to begin to optimise, we need to combine our new-found knowledge of what we’re using (through discovery, inventory, and normalisation) with entitlement (what we own).
In comparison to perpetual licensing, this is an area where SaaS works slightly differently and blurs the lines. For example, many SaaS Subscription Management tools include entitlement information as part of their Discovery and Inventory capabilities. Top-tier SaaS apps such as Office 365 & Salesforce contain this information in their management portals.
However, we still need a means of adding entitlement information and other data to our tool, in order to carry out optimisations. With that in mind, here are some key questions on common optimisation requirements.
- Does the tool enable manual input of entitlement data?
- Which data fields relating to entitlement does the tool support?
- Does the tool provide automatic entitlement import for the SaaS apps you want to manage?
- Does the tool enable batch import of entitlement information – for example from other tools or your own records such as procurement or finance applications?
- Does the tool enable import of user records from systems such as HR or User Account Management?
- Does the tool retain audit records for the manipulation of imported data?
- Does the tool enable import and management of an organisational structure?
- Does the tool enable import of accounting information such as cost centres & expense codes?
Cost Management Questions & Requirements
Cost Management may be the primary driver for SaaS Subscription Management. On average, tool vendors estimate around 35% of SaaS spending is wasted, so effective capabilities in this area will enable rapid ROI on your subscription management tool.
- Does the tool enable allocation of SaaS expenditure to departments, users, and other organisational structures?
- Does the tool support multi-currency entitlement recording?
- Does the tool provide a renewals calendar, with configurable alerts?
- Does the tool identify unused subscriptions based on the appropriate metric for the subscription? For example, identify users who haven’t used the application for 90 days.
- Does the tool identify fine-grained usage of the application? For example, creation and editing of a Word document, rather than having just opened Word to read a document.
- Does the tool make recommendations for re-allocation of subscriptions in response to onboarding requests for new users?
- Are optimisation insights actionable? For example, one-click de-provisioning of unused subscriptions.
- Does the tool support user profiling? For example, identifying common app usage per role profile, and highlighting non-standard usage for investigation.
- Does the tool identify duplicate capabilities per subscriber? For example, highlight users with paid subscriptions for Zoom, GoToMeeting, and WebEx.
- Does the tool provide the ability to survey users regarding app suitability? For example, ask users whether they would recommend the application and generate a Net Promoter Score (NPS).
- Does the tool provide forecasting and budgeting capabilities? For example, monthly, annual, multi-annual forecasts.
Risk Management Questions & Requirements
Risk Management capabilities are emergent differentiators for SaaS Subscription Management tool vendors. As the regulatory landscape shifts and puts a greater compliance burden on organisations, Risk Management increases in importance. SaaS is particularly susceptible to risk in comparison to on-premises software because nothing is installed, the application runs on the service provider’s computing resources, and private customer data is similarly placed in cloud storage.
The following questions will define the risk management capabilities of your SaaS Subscription Optimisation toolset.
- Does the tool enable blacklisting/whitelisting of SaaS applications? Are those lists configurable by department, deployment location, user role, or profile?
- Does the tool report on the compliance certification status of a SaaS application? For example, SOC2 compliance4.
- Does the tool profile users, highlighting common applications by role, and identify potentially unusual application activity?
- Does the tool identify potentially harmful application permissions? For example, a travel scheduling application that has been granted full read/write access to a corporate email account.
- Does the tool track vendor data breaches and other reportable security incidents?
- Does the tool enable rapid security incident response? For example, enabling central notification to users to prevent use of a compromised application.
- Does the tool report on the overall security standing of a SaaS application? For example, reporting on whether the application supports two-factor authentication
- Does the tool produce a report of SaaS application rights retained by users who have left the organisation?
- Does the tool provide an authorisation record/audit trail for deployment/removal of SaaS applications?
Automation Questions & Requirements
For a large SaaS estate, Automation is an enabler for both Cost Control and Risk Management. For example, integration with HR systems can be used to automatically provision and de-provision SaaS accounts for new hires and leavers respectively. Failing to de-provision leavers is a significant source of risk, with research indicating 89% of ex-employees retain access to SaaS apps one month after leaving.5
- Does the tool enable creation of standard profiles for certain employee types? For example, a list of applications required by a Customer Service representative.
- Does the tool provide employee self-service for provisioning apps? For example, integrating with SaaS vendor portals to automatically allocate accounts.
- Does the tool automate the removal of SaaS subscriptions from ex-employees?
- Where direct automation isn’t possible does the tool integrate with HR and/or User Account Management systems to provide a checklist for addition/removal of SaaS applications?
- Does the tool detect unused applications and automatically remove those subscriptions?
Questions for Managed Service Providers
What if you don’t have a dedicated ITAM team, or consumption management team, or the necessary skills in house to manage your SaaS spend? This is where engaging a SaaS Management Managed Service (SMMS) can help. Some tool vendors already offer such services as part of their offering, and there are also pure managed-service offerings available too.
Questions for SMMS providers are broadly similar to those above. From a technical perspective their service needs to be able to integrate with your systems of record to Discover, Inventory, Normalise, and Optimise your SaaS spending. From a service engagement perspective these additional questions are pertinent.
- What is your pricing model?
- Do you also sell SaaS subscriptions?
- Are you a partner of X (where X is the vendor of most importance to your company). The aim of this question is to uncover any potential conflict of interest – for example, is a Salesforce Partner best-placed to optimise your Salesforce estate?
- Where is my company data stored and processed?
- Do you assign a dedicated point of contact to us?
- What is the expected time to value of an engagement?
- What experience do the consultants assigned to us have in managing our key products?
- In the event of service termination, what happens to my company’s data?
- Do you use my company’s data for purposes other than optimising my estate?
- 2019 SaaS Benchmarks. https://discover.zylo.com/saas-benchmarks-2019. Accessed August 16, 2019.
- Witt A. Frictionless SaaS – Trends for 2019. ITAM Rev. March 2019. https://www.itassetmanagement.net/2019/03/13/frictionless-saas-trends-for-2019/. Accessed August 15, 2019. From http://www.blissfully.com
- The State of Business’ SaaS Spend 2019 | Cleanshelf. Cleanshelf | The System of Record for Your Cloud Apps. https://www.cleanshelf.com/resources/2019/08/13/the-state-of-business-saas-spend-2019/. Accessed August 16, 2019.
- SSAE 16. In: Wikipedia. ; 2019. https://en.wikipedia.org/w/index.php?title=SSAE_16&oldid=898377216. Accessed August 19, 2019.
- The ex-employee menace: 89% retain access to Salesforce, QuickBooks & other sensitive corporate apps. https://www.intermedia.net/press-release/the-ex-employee-menace-89-retain-access-to-salesforce-quickbooks-other-sensitive-corporate-apps. Accessed August 20, 2019.