- When it comes to handling software as a service (SaaS), "governance, as dull as that topic may be, is the only solution" for mitigating risk and application overlap, said Jay Heiser, VP analyst at Gartner, while speaking at the Gartner Symposium in Orlando, Florida last week.
- To avoid SaaS applications running amok, Heiser said they should be attended to and cared for by a responsible party. Every department has its specific applications, so "every puppy dog must have an owner," he said. Individual departments, such as HR, finance and sales, can own SaaS apps, but not without IT's expertise.
- As the move to the cloud hastens, uncontrolled SaaS applications threaten agility. There may come a point where an application is unable to perform an unknown future function, said Heiser. The biggest negative impact of uncontrolled SaaS is on agility, because line of business users may not be able to add future value.
Because SaaS applications are easy to acquire, line of business employees are purchasing and running them without oversight. Governance from IT provides a holistic approach to SaaS and ensures growth that is strategic, measurable and monitored.
"The line of business often has an immature concept of what an application is," said Heiser. Contrary to what line of business employees believe, applications are not a "static thing" that exist outside of IT's help.
Heiser has a stern view of SaaS vendors. He said they have a "core competency in avoiding [CIOs], which is where cost overruns" occur, threatening security and IT controls. Compliance and regulation are also at risk when the IT department is unaware of apps running in its networks.
When SaaS is not treated "like a puppy dog" and trained appropriately, it can get unruly and expose a company to a wide range of consequences. SaaS users can share any data on the web, cost is unknown, there is no calculation of availability risk and sometimes there are no APIs to help build scripts or integrations, according to Heiser.
By divvying up applications by owners in individual departments, IT can have a better understanding of where risk is. IT also needs to perform formal risk assessments for SaaS applications to understand what data is being used and where it is stored.
The most challenging part of controlling SaaS applications is maintaining an inventory. The first step is to look for "unsanctioned" applications, said Heiser. Once approved applications are accounted for, IT periodically checks in with the app's "owner" to confirm compliance with formal policies.
It's not the job of IT to always say "no" to new tools that could boost productivity. It is, however, IT's job to police non-technical employees and create boundaries.