The software-as-a-service model of application delivery has become so commonplace that for many organizations it’s no longer a question of whether to deploy SaaS but rather to what extent it should dominate the corporate software landscape.
The potential benefits of SaaS are well known: cost savings, greater agility, easier scalability, and so on. “The ease and speed of deployment, and the innovative features included with SaaS, help businesses accelerate their digital transformations,” says Frank Della Rosa, research director for SaaS and cloud software at IDC.
But using cloud-based applications also comes with its share of challenges, particularly with the sharp rise in remote working in response to the COVID-19 pandemic, and IT teams need to address these issues before things get out of control.
Here are three of the biggest challenges organizations face in moving to and maintaining a SaaS environment, along with expert advice on how to overcome the hurdles.
The proliferation of SaaS applications
SaaS applications continue to proliferate within organizations, which is making it more important to have strong governance and cost controls.
In its 2020 Businesses @ Work report, Okta reported that its customers deploy an average of 88 apps, a 6% increase from 2019 and a 21% increase from 2017. And 10% of its customers have 200 or more apps in operation, according to Okta, which provides identity management platforms for small, midsize and enterprise organizations.
“SaaS has democratized the application-buying decision by enabling line-of-business leads, and increasingly end users, to purchase software to get the job done,” Della Rosa says. “While this increases speed and agility, it creates governance and compliance challenges for IT.”
SaaS sprawl is expanding, and IDC’s research shows that many IT executives do not feel confident that they know how many applications are in use across the business. In some cases, there are likely hundreds of undiscovered applications, Della Rosa says.
IT teams need to explore automated tools that can help them identify applications in use and better manage security and compliance risks, Della Rosa says. The leading vendors in this area, according to IDC, include VMware, Cisco, AWS, Microsoft Azure, Google Cloud, and Micro Focus.
To address the challenge of ubiquitous SaaS, companies also “need to take a risk-based or triage mentality” to determine which applications are more crucial to the success of the business and have IT deploy those, says Kyle Davis, vice president and analyst at Gartner.
“IT will not be able to support the number of applications an organization is going to adopt in the form of SaaS,” Davis says. “Typically companies start with a handful of SaaS applications, and then that becomes a couple dozen, then a couple hundred, and then thousands for larger organizations. That’s not how organizations have adopted software historically.”
In the days of mainly on-premises IT infrastructures, organizations generally had a few big platforms to run the business and built around them, Davis says.
“When you’ve got hundreds or thousands of SaaS-based applications, IT can’t scale to have domain expertise across all of them,” Davis says. “You have to categorize these based on how much of a risk it is to the business if they were not deployed and maintained by IT.”
With that said, it’s likely there will always be some “shadow IT,” where business users adopt SaaS when they need it, without IT’s knowledge or blessing. But even in those cases, users will eventually rely on IT for support, Davis says, at which time IT can assess if the business unit or IT should maintain the SaaS application moving forward or replace it with something else.
“IT needs to manage somewhere in the middle,” Davis says, rather than being tyrannical about controlling software or giving up control entirely. SaaS applications need to be looked at in terms of the risk they can bring to the organization.
Security, privacy, and compliance
Addressing the data security, privacy, and regulatory compliance issues associated with using applications in the cloud is another big challenge. And it’s been made even more difficult by the dramatic increase in remote workers because of the coronavirus pandemic and resulting work-from-home mandates.
“The large number of SaaS applications in use leaves many companies vulnerable to data leaks and cyberattacks,” IDC’s Della Rosa says. SaaS management tools can help IT implement policies and procedures that address the need for execution speed with the mandate to enforce data privacy and compliance, he says. The major vendors in SaaS management include Blissfully, Zylo, G2 Track, and BetterCloud, he says.
The emerging area of SaaS operations management (SaaSOps), offered by most SaaS management vendors, helps businesses make SaaS activity a priority while recommending new applications, transforming the role of IT from enforcer to enabler, Della Rosa says.
“IT can monitor for suspicious activity and protect against inappropriate data sharing,” Della Rosa says. “Files can be scanned routinely for sensitive data leaks. Automated policies can be established for specific regulatory compliance laws.”
It’s imperative that organizations train their employees to fully understand their accountability and the importance of their role in the engagement and ongoing use of SaaS, says Robert Walden, CIO at Epsilon, a provider of marketing services and technology.
“Employees are — or should be — the first line of defense when it comes to ensuring SaaS solutions are being properly utilized,” Walden says. “Negligence cannot be an excuse.”
To that end, organizations must ensure they’re providing the appropriate policies, training, and ongoing communications to inform employees of their responsibilities and the repercussions for not complying, Walden says. “It is also crucial that organizations have implemented governance processes, tools, and controls” to reduce security risk and protect data, he says.
Security needs to be top of mind when evaluating SaaS offerings, Gartner’s Davis says. To that end, companies should develop a set of criteria that vendors must meet from a cybersecurity standpoint.
“A big thing to consider is ‘can you trust the SaaS provider to do as well, if not better, than what you did on-premises?’” Davis says. “You need to understand how the vendor publishes and discloses breaches, how they handle physical security, and how they protect your data in transit and at rest.”
A lot of SaaS vendors offer their services via the major cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, so they are leveraging the security capabilities of those platforms, Davis says. But companies still need to make sure the SaaS products they’re using are compliant with data protection regulations and that they are implementing the right access controls.
Integrating cloud-based software
A third major challenge is integrating the various cloud-based applications that need to work together to perform a task or support a business process.
Organizations are likely to encounter constraints when trying to integrate cloud-based applications with each other and with applications housed in on-premises servers, Davis says.
Introducing new SaaS offerings or shifting from an on-premises to a SaaS application often requires redefining or rebuilding existing business processes, Davis says. In addition, the move to SaaS often forces unanticipated integration with other SaaS and on-premises software.
The more strategic a SaaS service is for an organization, the greater the likelihood that it will require integration with other applications, Davis says. Email provides a good example. Many applications and systems might use email for notifications, so companies need to be prepared for what happens to these interdependencies when the email application is moved to a SaaS model.
A modern SaaS capability is a platform that organizations build upon, Gartner says, not an isolated tool. As such, it needs a detailed set of application programming interfaces (APIs) that enable users to integrate it into processes and workflows.
Leading SaaS providers are addressing the need for integration by making the most common integration scenarios as easy as possible to deliver, Gartner notes. But for the typical enterprise, this will still be inadequate to provide completely integrated user experiences and business processes.
Because of this, organizations need to carefully assess the integration capabilities and interfaces of SaaS offerings, and in some cases will need to create customized solutions to the problem based on their specific needs.
There has been a rapid proliferation of SaaS platforms that help ease the burden of integration and customization, Della Rosa says, with services such as a common data model, standard tools, and robust public APIs. “This is increasingly important in a new generation of SaaS that features the move away from monolithic enterprise applications to cloud-native architecture consisting of composable and containerized microservices,” he says.