Software-as-a-Service (SaaS) apps have become essential tools for fostering productivity and efficiency in the workplace. However, adopting them without the proper oversight can lead to disorganization, cost inefficiencies, compliance issues, and security vulnerabilities. This practice is known as shadow IT, and it’s a growing concern among small and medium-sized enterprises.
SaaS discovery solutions address these challenges through various identification methods including:
- Browser extension
- Agents
- Single sign-on (SSO)
- Cloud access security broker (CASB)
- API connectors
- Email scanning
In this article, you’ll learn about each approach as well as their benefits and potential downsides. But first, let’s lay the groundwork and understand the basics of SaaS discovery.
What Is SaaS Discovery?
Shadow IT concerns 84% of SME IT professionals, and 29% of SMEs list it as one of their top three security concerns.
JumpCloud’s Q3 2024 SME IT Trends Report
With the rise of cloud-based tools and services, businesses often find themselves using numerous SaaS tools without any IT oversight. This can lead to SaaS sprawl, where applications are spread out across different departments, causing inefficiencies, security risks, compliance issues, and unnecessary costs.
SaaS discovery refers to the process of identifying and cataloging all the SaaS applications used within an organization. It helps address SaaS sprawl and shadow IT by forming a definitive list of all the SaaS tools in use.
The core objectives of SaaS discovery include:
- Inventorying applications
- Assessing usage patterns
- Evaluating security and compliance
- Optimizing costs and better resource allocation
- Improving operational efficiency
What Are the Benefits of SaaS Discovery?
Cutting Down on Unnecessary Costs
When companies invest in SaaS without central oversight, many tool features end up going unused or overlapping in functionality. This translates to wasted budget and operational inefficiencies.
SaaS discovery offers a comprehensive view of all software applications in use and helps IT teams analyze usage patterns. By identifying which tools are redundant and which are underused, businesses can eliminate unnecessary SaaS subscriptions and reallocate those funds to more impactful resources. Further, these detailed insights into software usage and expenditures can empower companies to negotiate better SaaS deals with vendors and avoid over-purchasing. The result is substantial cost savings and more efficient use of resources, ensuring that your organization only pays for what it truly needs.
Fortifying Security and Compliance
The use of unauthorized and poorly managed SaaS applications can lead to serious security breaches and compliance violations.
SaaS discovery helps IT teams ensure all SaaS applications meet industry standards, security policies, and regulatory requirements. By identifying unapproved or high-risk software, organizations can address potential vulnerabilities and maintain compliance. Overall, SaaS discovery reduces the risk of data breaches and helps build trust with stakeholders.
If you’re wondering what security risks SaaS tools can cause, also read Top SaaS Security Risks.
Empowering Employees with Standardized Tools
Employees require a large number of tools to do their work: Over a quarter (28%) require 11 or more tools to manage the worker lifecycle.
JumpCloud’s Q3 2024 SME IT Trends Report
SaaS discovery provides employees with a single source of truth for sanctioned SaaS applications. Offering employees a definitive and finite list of the applications available to them empowers them to spend less time navigating multiple tools and more time on their core tasks. This improves workflow efficiency, promotes better collaboration and communication across teams, and fosters a cohesive work environment where shared resources and information are easily accessible.
More importantly, the right SaaS discovery method respects employee privacy by focusing on software usage insights without compromising personal data.
6 Most-Used SaaS Discovery Methods
1. Browser Extension
Browser extensions for SaaS discovery are lightweight extensions installed on web browsers that capture real-time user interactions with SaaS domains. SaaS discovery plugins monitor all SaaS applications accessed via the browser, providing a complete view of web-based tools. They track usage metrics such as time spent, email address/user, last time accessed, and other insights.
- Compared to other SaaS discovery methods, discovery through a browser plugin provides simpler installation on user devices without the need for complex infrastructure changes or integration with external systems.
- Browser plugins can capture user data as users interact with SaaS apps, offering immediate visibility into current usage patterns and trends.
- The immediate, real-time visibility offered by extensions can help IT teams make proactive decisions during SaaS discovery. For example, they may offer guidance to employees or warn them about unauthorized app usage.
- Browser extensions offer a broad range of SaaS discovery. For example, they can extend to apps accessed with personal email addresses, which can still pose threats to the organization.
Drawbacks:
- Privacy concerns: It’s a best practice to clearly communicate your policies regarding data collection to address user privacy concerns effectively.
- Limitations: Browser extensions won’t catch sign-ups made in incognito mode or on mobile devices.
2. Cloud Access Security Broker Solutions
Cloud access security broker (CASB) solutions act as intermediaries between users and cloud services, providing centralized visibility and control over SaaS application usage. CASBs analyze network traffic to detect and identify SaaS apps being accessed by users. They track user activities to uncover shadow IT.
Drawbacks:
- Encrypted traffic: If traffic is encrypted and your CASB lacks decryption capabilities, it might fail to identify certain applications.
- VPNs: Users accessing SaaS apps via VPNs might bypass CASB detection.
- Remote/Hybrid work: CASBs may be limited in their ability to detect SaaS usage outside the corporate network. This means that CASBs may not be able to uncover all blind spots in remote and hybrid organizations.
- Complex setup: Setting up and configuring CASB solutions can be complex. Setup usually requires IT expertise and integration with existing infrastructure.
- High costs: CASB solutions come with significant costs, including licensing fees, implementation expenses, and ongoing maintenance.
- Dependency: Effectiveness may depend on the APIs provided by SaaS vendors. Visibility may be limited if APIs do not offer comprehensive data access.
3. API Connectors
API connectors integrate with SaaS application APIs to retrieve usage data and manage access controls centrally. They provide detailed insights into application usage, user behavior, and data access patterns.
One significant advantage is the ability to identify applications interconnected with other SaaS platforms. SaaS apps excel in leveraging APIs for seamless integration. API connectors play a crucial role in uncovering these app-to-app connections, helping IT teams identify potential security vulnerabilities, monitor data flow, and prevent unauthorized access or data breaches.
Drawbacks:
- Unlisted apps: SaaS apps without available APIs, or those not integrated into the connector system, remain undiscovered.
- Limited API access: If a SaaS app does not offer comprehensive APIs or restricts access, API connectors might not capture all necessary data.
- Dependency: API connectors heavily rely on the availability, reliability, and functionality of SaaS vendors’ APIs. Changes or downtime in API availability can impact data collection and analysis.
- Resource-intensive: Requires development resources to build, maintain, and update API connectors as SaaS apps change.
- Limited visibility: Depending on the API capabilities, certain aspects of SaaS usage may not be fully captured, which can limit visibility into usage scenarios.
4. Agents
Agents are software components installed on endpoint devices to monitor and report on SaaS application usage directly from the user’s device. They collect data on application usage, user behavior, and device interactions.
Drawbacks:
- Device-specific: Agents are limited to the devices they are installed on, so they can miss SaaS usage on unmanaged or personal devices.
- Resource-intensive: Agents consume system resources such as CPU, memory, and network bandwidth, potentially affecting device performance.
- Installation and management: Deploying and maintaining agents across a diverse array of endpoint environments (like desktops, laptops, mobile devices) can be complex and resource-intensive.
- User resistance: Users may perceive agents as intrusive or as degrading device performance, which reduces their willingness to comply with monitoring efforts.
5. Single Sign-On (SSO)
SSO solutions streamline authentication and access management for multiple SaaS applications by allowing users to log in with a single set of credentials. These solutions enforce consistent authentication policies across all integrated SaaS apps. This simplifies user access and provides centralized visibility into, and control over, user access to SaaS apps.
SSO tools generate logs of all authentication events, providing a clear record of which SaaS apps are accessed by users.
Drawbacks:
- Non-SSO apps: SaaS apps that do not support SSO or are not integrated into the SSO system will not be captured, leaving blind spots.
- Inconsistent SSO adoption: Users might bypass SSO for certain applications, especially if the user experience is cumbersome.
- Limited behavior insights: SSO logs provide access data but might not offer detailed insights into how applications are being used beyond login events.
6. Email Scanning
Email scanning involves analyzing email communications and metadata to detect and identify SaaS apps being used within an organization. This method analyzes email headers, domain names, and content to discover SaaS tools that employees interact with via email.
- Domain analysis: For example, emails sent to or received from “@saasvendor.com” can indicate the use of a SaaS tool.
- Attachment and link inspection: Analyzing email attachments and embedded links can reveal interactions with SaaS apps, such as document sharing services or project management tools.
- Subscription and notification emails: Monitoring for subscription confirmations, account creation emails, and notifications can help identify new SaaS sign-ups.
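As an added illustration (not JumpCloud's code or any product's implementation), the sketch below applies the domain-analysis and sign-up-notification signals to message headers only and reports vendors missing from a sanctioned list. The corporate domain, the sanctioned list, the subject patterns, and the sample messages are all constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

CORP_DOMAIN = "example.com"             # assumption: the organization's mail domain
SANCTIONED = {"approved-crm.example"}   # assumption: vendor domains IT already manages
# Assumption: subject phrases typical of account-creation and subscription mail.
SIGNUP_RE = re.compile(
    r"\b(welcome to|verify your email|activate your account|your (free )?trial|"
    r"confirm your (account|email|subscription))\b", re.I)

# Constructed sample messages; only the headers are ever inspected.
SAMPLE_MESSAGES = [
    "From: TaskBoard <no-reply@mail.taskboard.example>\nTo: alice@example.com\n"
    "Subject: Welcome to TaskBoard - verify your email\n\n(body not read)",
    "From: billing@approved-crm.example\nTo: bob@example.com\n"
    "Subject: Confirm your subscription\n\n(body not read)",
    "From: Carol <carol@example.com>\nTo: alice@example.com\n"
    "Subject: Welcome to the team\n\n(body not read)",
    "From: news@newsletter.example\nTo: bob@example.com\n"
    "Subject: Our spring product update\n\n(body not read)",
    "From: TaskBoard <no-reply@mail.taskboard.example>\nTo: Bob <bob@example.com>\n"
    "Subject: Your free trial starts today\n\n(body not read)",
]

def vendor_domain(from_header):
    """Reduce the sender address to its last two DNS labels (naive: no public-suffix list)."""
    labels = parseaddr(from_header)[1].lower().rpartition("@")[2].split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

def discover(raw_messages):
    """Map vendor domain -> corporate recipients who received sign-up style mail."""
    found = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = vendor_domain(msg.get("From", ""))
        if not domain or domain == CORP_DOMAIN:
            continue                      # internal or unparseable sender
        if not SIGNUP_RE.search(msg.get("Subject", "")):
            continue                      # newsletters etc. are not sign-up signals
        for _, rcpt in getaddresses(msg.get_all("To", [])):
            if rcpt.lower().endswith("@" + CORP_DOMAIN):
                found[domain].add(rcpt.lower())
    return dict(found)

def unsanctioned(found):
    """Keep only vendors missing from the sanctioned list, with sorted user lists."""
    return {d: sorted(users) for d, users in found.items() if d not in SANCTIONED}

if __name__ == "__main__":
    print(unsanctioned(discover(SAMPLE_MESSAGES)))
```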
Drawbacks:
- Privacy concerns: Scanning email content raises significant privacy issues, requiring strict policies and user consent to avoid violating privacy regulations and employee trust.
- Limited visibility: This method only captures SaaS apps that generate email communication. Apps that do not send emails or whose communications are not captured in the scan will be missed.
- Limitations in scope: This method cannot track sign-ups for, or usage of, critical tools made with personal email addresses.
SaaS Discovery and Management with JumpCloud
JumpCloud leverages its browser extension JumpCloud Go™ to identify users’ SaaS logins, ensuring optimal balance between comprehensive discovery and user privacy.
How it works:
- Simple and remote setup: JumpCloud Go supports remote deployment, allowing IT admins to roll out the extension to all users, regardless of their location. This is particularly beneficial for organizations with a remote or distributed workforce.
- Privacy-first: The discovery process respects and protects employee privacy. It never saves or analyzes the user’s browser history.
- Fast and accurate insights: The extension delivers fast and accurate insights into SaaS app usage in real time, providing immediate visibility, detailed analytics, and quick identification of shadow IT.
- Super user-friendly: JumpCloud Go gives admins the option to suggest authorized alternatives to unapproved SaaS applications to keep workflows moving smoothly.
- Warn or block unauthorized access: Admins can configure the tool to either display a warning to employees or block access altogether when they visit an unauthorized SaaS domain.
- Spring-clean SaaS licenses: JumpCloud Go tracks all your SaaS subscription info in one place to identify overlapping and underutilized tools and reduce overall SaaS spending.
JumpCloud makes sure that IT teams have full visibility and control over which SaaS tools employees are signing up for as well as usage insights and trends. You can find answers to your SaaS-related questions like:
- Are employees using unauthorized AI tools like ChatGPT (which can put your sensitive data at risk)?
- Is your content team using a different project management tool than the rest of the organization?
- Is your sales team adopting an unauthorized CRM software, potentially risking data security?
Your data may be sprawled across unknown SaaS territory. Let’s uncover the full picture together.