Recent research shows that 75% of organisations are using software-as-a-service (SaaS) applications.
The use of SaaS is growing and looks set to surpass the use of on-premise licences. This raises two compliance challenges for IT managers. First, ensuring the use of services remains within the terms agreed with the SaaS provider; second, making sure the data associated with SaaS use is transmitted, used and stored in accordance to regulations.
With data security, some responsibility is outsourced with SaaS. Businesses need to know what SaaS applications are in use, what data they are using and how that data is handled. Of course, due diligence should ensure SaaS provider service levels are sufficient to meet regulatory requirements – but this can only be achieved with insight into how employees use SaaS.
For many firms, the problems SaaS brings are worth overcoming to enjoy its benefits:
- It dispenses with the need to own and manage server infrastructure;
- The platform security and software updates are managed by providers;
- The immediate access to more (or less) capacity;
- The ease of sharing applications with outside users;
- Potentially, lower cost of ownership.
Before SaaS, making sure that agreed usage of software was not exceeded meant counting the number of actual or concurrent users accessing server-based applications or keeping count of the deployment of applications on user devices. Software was paid for through buying licences which stipulated usage terms.
Read more on Saas compliance
Cloud access security brokers can help enterprises enforce security policies in the cloud
Organisations should evolve their SaaS selection criteria to focus on newer metrics.
One of the main areas of licence abuse was the intentional or accidental copying of software to more servers or user end points than were covered by the licence. This happened when new devices were procured and/or users joined or left an organisation. The answer was software asset management (SAM), enabled by products such as BMC’s Numara, Flexera, License Dashboard and Verafirm from the Business Software Alliance (BSA). Some are starting to adapt – for example the BSA says it is extending Verafirm support for the IS0 19770 SAM standard to cover SaaS.
Another approach is to work with specialist partners in licence management such as Trustmarque, which has adapted its asset management strategy to work with SaaS products such as Microsoft Office 365, helping customers plan the licence and financial transition from the on-premise to the SaaS model.
The problem of measuring SaaS usage
SaaS applications are generally paid for by subscription. Anyone with valid access credentials can gain access anywhere. Unauthorised use does not require an installation, often just shared, misplaced or stolen usernames and passwords. Use does not automatically stop when a user’s association with a given organisation ends, as those access credentials can easily leave with them. The problem is exacerbated by another big change in IT usage; the trend for users to use their own devices and multiple devices. This means the number of devices being used to access a given SaaS application may not even closely match the number of users any more (for example, Microsoft Office 365 allows for up to 5 devices per single user account).
It is in the interests of the SaaS providers to help control usage and maximise the collection of subscriptions. Salesforce has a package for monitoring subscription usage, providing a dashboard that will alert administrators based on various thresholds. Google provides controls for access to its applications at both account and document level – for example requiring strong authentication and enforcing bring-your-own-device (BYOD) policies.
However, there are two problems with these approaches. The first is that they only enable IT managers to manage what they know about; the problem is that many IT managers now recognise and accept that their users will subscribe to their own software services (“shadow IT”) and that they must accommodate this. Secondly, the growing use of SaaS – through formal and shadow adoption – means a supplier-by-supplier approach is impractical as there may be many tens or, at the extreme, hundreds of different subscriptions to manage per-user.
Understanding shadow IT
Alex Hilton, CEO of the Federation against Software Theft (Fast) summarises the problem: "SaaS has brought previously unseen flexibility to businesses’ IT estates, but we are now seeing the emergence of so-called shadow IT. This development in working practices can present huge challenges for organisations wishing to demonstrate that they are on the right side of the law when it comes to software licence compliance."
Some basics can be achieved by checking firewall logs to see frequently used SaaS applications, especially if next-generation firewalls are in place that operate at the application rather than network level. Generic communications with lines of business managers also have a role to play, but these ad hoc approaches do not get to the core of the problem.
As well as ensuring compliance in how licences are used and how data is handled, there is a need to check that subscriptions are cost-efficient across the whole organisation. Merging the needs of two departments into a single subscription agreement may lead to better volume discounts. The challenge is to know what products are in use, the extent of their usage and to check how this fits with a given organisation’s policies – especially with regard to data security.
This need has led to therise of cloud access security brokers (CASBs), which include Skyhigh Networks, CipherCloud, Elastica and Netskope. The capabilities of CASB products vary: In general terms they enable reporting about the SaaS applications that are in use and the enforcement of policy regarding their use. For example, some applications may be blocked outright, because they threaten the security of data; and usage rules may be applied to others such as enforced encryption. In some cases, a more granular approach is offered; for example, Skyhigh supports different encryption schemas for different data types, depending on compliance requirements. Elastica provides what it calls “business readiness rating” for SaaS applications.
The insight provided by CASBs also allows for subscription consolidation. However, there is a remaining overarching problem – how do you quickly and securely bar access to multiple authorised SaaS subscriptions when an employee leaves an organisation? That is the role of single sign-on.
There is nothing new about single sign-on (SSO) and a number of suppliers have emerged in the last decade. Recent research shows that around three-quarters of European enterprises now use some form of SSO. One aim is to help customers improve compliance by providing a single point of access for users to multiple cloud-based and on-premise resources.
SSO makes it possible to rapidly provide or take away a wide range of services in one easy step. Users are no longer given direct access to SaaS applications managed by an SSO. Applications that are subscribed to by users themselves (perhaps discovered using a CASB) can be brought within the remit of SSO. Such systems replicate the capability of some CASB products in enforcing policy about how SaaS applications are accessed and used. Audit reports can be generated, giving snapshots of who has access to what at a given time; and a de-provisioning report created showing all the access rights that have been taken away from a former user.
Many SSO products are themselves cloud-based. Some are purpose-built for the cloud, such as Intermedia’s AppID, Okta and OneLogin; or adapted for it, such as CA Single Sign-On SaaS, Symantec Access Manager, Dell Cloud Access Manager and Centrify. Others, such as Ping Identity, integrate products for both on-premise and cloud-based use (Ping Federate and PingOne).
CASB and SSO products may overlap in their policy and security functionality but, in reality, are sufficiently complimentary to stimulate opportunities for partnering. Skyhigh integrates with Ping Identity, Okta and some other SSO systems. OneLogin says it is working with Skyhigh and Netskope (which is use by Trustmarque). Elastica has teamed up with Centrify, Okta, CA and OneLogin among others.
Some of the SSO products take things to a whole different level. For example, Intermedia’s AppID can shape the way SaaS applications are used, providing fine-grained access controls to individual features and functions (buttons, menu options, links, tabs) in web pages, and redacting data and removing high-risk features (share, download, upload, save, export, file attach and so on) that would otherwise cause an application to fail a risk assessment. It can also attach screen shots to audit trails and make applications read-only, for example to limit the use of social media sites.
IT leaders must realise there is no single answer to the challenge of SaaS compliance. But there are a number of approaches that solve different aspects of the problem. Using these in conjunction with each other enables businesses to get the problem under control and enjoy the benefits of SaaS with more peace of mind when it comes to compliance.
Bob Tarzey is service director at analyst organisation Quocirca