Are SaaS Applications Creating Shadow IT?

Jeff Scheetz, CIO, City of Avondale, Arizona

Jeff Scheetz, CIO, City of Avondale, Arizona

Software as a Service (SaaS) is more than just the latest buzzword. Instead, it is a trend in the software industry that has almost become the norm for delivering software applications. Software as a Service has much to offer. However, while it can save an organization money, speed the implementation time, and relieve the organization of routine security patches, there are concerns that organizations must be aware of if the information technology team is not involved.

Sales tactics

Software application vendors are reaching out to our departments in what seems like a daily activity. Many of these products are priced “right,” providing the advantage of quick implementation followed by the business rationale the department has been looking for. I have been on countless sales calls to review a SaaS product with a department, and part of the sales pitch highlights, “It is so easy, you don’t even have to involve your IT department.” Unfortunately, this is a true statement.

Why the IT oversight?

This is where we as IT need to partner with the other departments in the organization to help them with these choices and make sure they understand why IT needs to be involved. In many cases, the benefits and value of SaaS applications do outweigh the option of using an on-premise solution.

First, IT needs to help the business address a couple of essential areas to minimize risk. For example, IT must be involved in the contracting process to ensure that the business unit understandsthe pricing and creates an exit strategy. In addition, the business typically doesn’t understand identity management and application security, another essential component for IT to address.

Application Security and Compliance

Application Security and Identity Management is an area of expertise that IT provides to the organization. The CIO and IT department must get the message out about why this is necessary with SaaS applications.

"In many cases, the benefits and value of SaaS applications do outweigh the option of using an on-premise solution."

Since each SaaS product has a built-in identity management interface, it is meant to be simple enough to be managed by the end-user. Leaving IT out of this critical component can leave the organization vulnerable by leaving accounts unsecured.Additionally, aconsiderable risk to an organization is by inviting external users to use the application and files or data stored outside the enterprise structure.

The department administrators of these systems may not understand the compliance or regulatory requirements the organization must follow. IT has traditionally been a knowledgeable source for identity management. However, many of these applications are now open and intended for the end-user to manage.

Exit Strategy

The IT department has a long-term vision for the organization and can assist with an exit strategy from a given SaaS vendor or product.This exit strategy must be built into the contract at purchase time, not when canceling the software. I believe this strategy must include how to retrieve the data from the application, the desired format, timelines to receive the data, and any expected costs. Additional points to consider will be costs on the IT side to warehouse the data, create reports, and compliance needs. Once again, the IT department can help the organization outline the costs and procedures.

Conclusion

Cost, time, and scalability are just a few benefits of utilizing SaaS applications. Many organizations prefer SaaS applications to those hosted on-premise because of these features alone. SaaS applications are an excellent option if the IT team is involved to ensure the complete package is secured, data is accessible, and there is an exit strategy. Without IT involvement in the selection, procurement, and implementation, the risk of shadow IT exists. We cannot let this essential process become a risk to the enterprise.