The relationship between apps and people is far more complicated than most organizations realize. Much like Facebook’s “Social Graph” for people-to-people relationships, the SaaS Graph illustrates people-to-app relationships and the complexity they can introduce into the organization. Each SaaS Graph relationship could represent a potential point of security vulnerability or unnecessary efficiency. A new approach to SaaS management can minimize these risks and optimize once-cumbersome workflows. Let’s dive into how.
New data from Blissfully’s 2019 SaaS Trends report shows that the typical 200-500 person company uses 123 apps, which doesn’t sound too unmanageable. But, when you consider the SaaS Graph relationships, it gets much more complicated: the same sized company has an average of 2,700 SaaS Graph relationships. The number of relationships get deeper and more complex as the organization grows: companies with 500-1,000 employees have an astounding 5,671 app-to-people relationships!
The Dimensions of the SaaS Graph
The SaaS Graph spans five key dimensions, all of which represent new challenges to stakeholders across the organization. While SaaS has made it much easier for anyone to purchase and deploy new software across teams, these dimensions introduce new, potentially hidden problems and inefficiencies.
Role
Not all SaaS users look alike. The role of each user can get complicated, especially as new team members are onboarded and offboarded throughout the course of a year. Without a clear understanding of these roles, organizations could be wasting time on inefficient processes, wasting money, or worse, granting permissions to the wrong people (which could be a big security concern).
Potential roles within any app include:
- IT Admin: Think of this person as the one who holds the “keys to the kingdom.” Admins can add or remove users, or change permissions for anyone across the organization.
- Contract Owner: Usually the contract owner is the initial buyer or decision maker who selected the SaaS app.
- Billing Recipient: This person may sometimes be the same as the contract owner, but could be different (for example, billing recipients could be on a finance team).
- User: This role includes any team member using the software, and user types are defined by each individual app.
License
Usually teams have either free or paid licenses, which on the surface seems pretty clear-cut. However, paid licenses typically have different tiers, which companies need to track when employees join or leave. Issues also arise when team leaders purchase licenses for software that has redundancy across subscriptions in other teams or departments, or if there’s a good, free alternative.
Usage
The frequency of app usage can vary drastically across individuals and teams. Often, apps can go underused or unused for months without anyone in the organization knowing about it. These inefficiencies can add up to major wasted spend.
Data
From a security and compliance perspective, data is the most important dimension of the SaaS graph. Without the proper protections in place, sensitive data could be at risk. For example, each user’s connection presents a possible security vulnerability, in the absence of strong passwords and/or multi-factor authentication.
Typically, data within apps exists in three different states:
- Created: Users create data within their apps on a daily, if not hourly or by-the-minute basis. Often this data can be sensitive intellectual property or customer information.
- Generated: Many apps themselves generate their own data after analyzing inputs from users, or other information.
- Delegated: Some apps delegate permissions to other apps, and feed data between them. For example, a Salesforce account may have access to a Gmail or G Suite account.
Vendor Status
Without knowing vendor status, teams could be at risk of wasted spend, or potential security vulnerability (if accounts are left open to unauthorized users or unattended altogether).
A selected vendor might be in any of the following phases within an organization:
- Exploratory: A freemium app or free trial are the most typical exploratory phases. Sometimes these licenses automatically convert to paid after the trial expires, or convert to paid after a certain usage limit has been met.
- Unsanctioned: Often referred to as “Shadow IT,” these off-the-radar apps exist in nearly every organization, often as a result of a Team Lead or user choosing what works best for them.
- Sanctioned: These represent approved apps by IT or other stakeholders in an organization.
- Deprecated: These are often unused apps at an organization that have already been replaced or are no longer useful, but may never have been canceled.
Rapid Rate of Change
Managing The SaaS Graph: A Team Sport
Since there’s typically no longer a “command-and-control” approach of a centralized IT manager provisioning apps across the company, each dimension in the SaaS Graph needs to be periodically examined. There’s a new set of stakeholders in town, and they each need a seat at the table.
By taking a Collaborative IT approach, organizations can bring all of the key stakeholders into the process of SaaS management. Unlike in the command-and-control days, team leaders, finance, HR, operations, security and IT must all be involved in the process to ensure that each SaaS Graph relationship is valid and up-to-date.
While this approach may sound more complex, in reality, it’s a cultural shift that feels natural to most organizations, and is much simpler to maintain in the long run. Each group has a vested interest in sharing responsibility for SaaS apps: whether it’s to gain access to the right apps, balance the budget, or ensure security and compliance. Gathering these teams around a single system of record can ensure that everyone’s getting what they need out of technology in a fast-growing organization.