Read on to learn:

• Overall productivity improvements your IT team gets from using a SaaS management platform
• How adding automation muscle becomes a true force multiplier in user lifecycle management
• How starting now pays off fast 

Take productivity to new heights

With an average of 130 SaaS apps, effective SaaS management is more important now than ever. 

Thanks to countless, never-ending user lifecycle tasks needed for protecting the ever-growing expanse of sensitive data, the effort for managing it all is accelerating.

With proper user lifecycle management and security controls in place, organizations can then:

• Maximize operational efficiency 
• Accelerate employee productivity 
• Scale IT impact

To achieve these benefits, organizations across all industries and sizes now rely on SaaS management platforms – capable of automation and purpose-built for IT, of course.

But just how much does this crucial technology benefit?

Let’s first consider two important data points:

1. 93% of BetterCloud customers say the primary business benefit of a SaaS management platform is improved operational productivity
2. By adopting a SaaS management platform, on average, customers experience a 49% increase in overall IT productivity

Such improvement results from getting the most out of a SaaS management platform. In fact, organizations that enjoy the highest levels of improved productivity automate routine tasks like user lifecycle management, as well as day-to-day operational tasks like app access requests or password/MFA resets to essentially create self-service portals for end users.

If your IT team faces these challenges, then, the sooner you adopt a SaaS management platform, the faster you benefit. 

To convince you, we’ll go into how a SaaS management platform impacts user lifecycle management, a key SaaS management task.

Improve productivity with automated user lifecycle management – while boosting security

Of course, boosting productivity means saving time, which then translates to saving money. 

Let’s look at how.

In BetterCloud research conducted in spring 2023, SaaS management platform users with a few hundred employees save about 1,700 hours – about 82% of a full-time team member – by automating user lifecycle management alone. 

Of course, it’s important to remember that time spent for onboarding and offboarding varies based on the actual numbers of employees added and removed from corporate resources. 

Thus, for a big company with thousands of employees, automating user lifecycle management will save that company many, many thousands of hours.

So now, time to examine the broader business case for a SaaS management platform.

Automating user lifecycle management delivers significant IT productivity gains

Let’s revisit the scenario of a company with approximately 300 employees. Specifically focusing on the offboarding process, let’s examine organizations that have already completed nearly all of it.

With 18% turnover, we assume that it takes 3 hours to offboard one employee, and over the course of a year, it requires 162 hours to complete the same, error-prone, boring tasks to offboard all departing users.

In conservative estimates of dollars and cents, an organization loses $10,000 worth of time in offboarding tasks that could be automated.

And that’s not all. 

In many cases, IT must onboard every replacement for departed users. And that’s another $10,000 of valuable time lost to the same old, error-prone manual tasks. 

Now, we’re up to a conservative estimate of $20,000 in time spent on onboarding and offboarding tasks that could be automated.

So, if your company struggles to provide Day 1 onboarding, find the right IT skills, or wants to provide a better IT employee experience, then automating using a SaaS management platform will provide big productivity gains. 

How, then, does the business case change when adding other benefits?

SaaS license reclamation and security strengthens the business case

As part of performing the actual lifecycle management tasks, IT must reclaim and redeploy all SaaS licenses. After all, an asset is only productive when it’s in use. 

In addition,  in order to ensure maximum security, IT must perfectly perform all manual steps. However, nothing, except automation, guarantees a mistake-free offboarding.

SaaS license waste is too high.

By failing to completely offboard a former user, SaaS license waste is bound to occur. 

Unused, unproductive licenses are an enormous cost, and we’ll illustrate it with an example.

If you pay $40 per month of 162 dormant licenses, then in just two months, you’re losing nearly $13,000. Over the course of a year, left untouched, those license fees mount, needlessly costing you almost $80,000.

Once again, unproductive SaaS licenses highlight the need for a SaaS management platform.

Security risk reduction makes the business case a slam dunk. 

One more cost heightens the need for a SaaS management platform now – security. 

After all, despite the best intentions, manual offboarding is a haphazard process and mistakes are easily made. And when they happen, former users can retain access to your apps and data, introducing enormous risk until the mistake is uncovered and corrected. 

Too many times, manual offboarding mistakes don’t surface until there’s a breach, and breaches are very, very expensive.

Using the 2019 Verizon Data Breach Investigation Report data, the average cost per breach per employee is $3,553. 

To be conservative, let’s estimate that it’s only $353 in per employee breach costs. A single breach from erroneous manual offboarding will cost that company of 300 employees more than $100,000.  

If we take that initial Verizon estimate of $3,553 into consideration, then a single breach could cost more than a million dollars. 

Thus, for risk reduction alone, your company needs a SaaS management platform now.

But for user lifecycle management alone, total up the potential:

• IT productivity boost
• Elimination of unproductive SaaS licenses
• Risk reduction

You can’t help but conclude that the costs of delaying automating with a SaaS management platform are simply too high and impede productivity.

You Need a SaaS Management Platform Now, Not Later

The costs of inaction are steep, particularly considering that a SaaS management platform is quickly operational. In fact, about 90% of customers are operational in less than 6 weeks. 

In addition, more than half of SaaS management platform users start seeing value in less than one month. 

The secret behind the speedy deployment and time-to-value is BetterCloud. 

BetterCloud’s easy-use, no-code workflow engine offers IT teams a quick way to start automating processes. To get your workflows off and running, there’s also: 

• An award-winning professional services team 
• Free on-demand training videos
• Live training and workshops

For initial deployment, a dedicated team of implementation specialists provide hands-on, tailored services and best practices from hundreds of successful engagements.

Operating without a SaaS management platform has a high cost, and with BetterCloud’s quick deployment and time-to-value, waiting doesn’t make sense. 

You need, and should, implement a SaaS management platform. Now. Request a demo.

As SMPs have grown in functionality and extensibility, so too has the power of the automated workflows you can orchestrate. IT leaders can now leverage an SMP to create zero-touch automation that removes every manual touchpoint in an IT process.

Each manual task you automate makes a positive impact on your IT department—and the company as a whole. IT workers no longer have to spend their time on tedious, repetitive work with thousands of open tabs. Employees get fast access to the tools they need to do their jobs. Your IT environment becomes more secure, and sensitive data is proactively kept safe.

In this article, we’ll answer the following questions to help you learn everything you need to know about zero-touch automation.

• What is zero-touch automation?
• How do I resolve help desk tickets with zero-touch automation?
• How do I improve data security with zero-touch automation?
• How do I use zero-touch automation to protect my IT environment?

What is zero-touch automation?

Zero-touch automation is the process of orchestrating automated workflows with a SaaS management platform like BetterCloud in order to replace all manual IT touchpoints.

Once in place, a zero-touch workflow can execute hours of IT work in just minutes, error-free.  

To get started with zero-touch automation, you need two key pieces in place: a fully featured SaaS management platform and an automation-first strategy. Without an SMP that does everything Gartner says it should, you won’t have the operational power within the platform to build end-to-end zero-touch workflows. An automation-first mindset helps you visualize which IT processes could and should be automated. 

You can learn how to create and implement an automation-first strategy in your IT department with our Strategic CIO Manifesto.

There are many processes that can benefit from zero-touch automation, depending on what tasks are costing your IT department the most time and resources. In this article, we will review three use cases:

1. Self-resolving tickets that automatically provision app access
2. Automatically detecting and unsharing files that contain sensitive data 
3. Automatically revoking access to unauthorized third-party apps

Other common use cases for zero-touch (or near zero-touch) automation include onboarding, offboarding, and mid-lifecycle changes. Check out the resources below to learn more about how to save time and money by automating user lifecycle management.

How do I resolve help desk tickets with zero-touch automation?

For both IT staff and the employees they support, dealing with tickets can be a huge source of frustration. The SaaS explosion in recent years is filling up ticket queues with requests to create new accounts. As requests pile up, employees must wait for access to the tools they need to be productive. IT team members can easily end up spending all of their time as ticket-takers, without any time to focus on strategic work.

With an SMP like BetterCloud, you can orchestrate a zero-touch workflow that resolves these requests automatically—no IT involvement needed. The illustration below shows the six-step process for automatically fulfilling a SaaS access request.

1. The employee opens a ticket in an ITSM like Jira or ServiceNow, requesting access to a SaaS application.
2. BetterCloud immediately receives the ticket data and kicks off a workflow.
3. The workflow sends a pre-configured email to the employee’s manager.
4. The manager opens the email, clicks a button to approve the request, and the workflow continues.
5. Once approval is granted, the workflow provisions the new account.
6. The workflow then sends a pre-configured email (or Slack message, or both) with the login instructions to the user, and closes the ticket.

For just one application, it is easy to see how this zero-touch workflow can save IT a ton of time. Employees working remotely in different time zones can get much faster access to the apps they need—without waiting for IT to start their day. The more apps you can create these self-service portals for, the more time you save for IT, and the more productive employees across your company can be.

How do I improve data security with zero-touch automation?

There are lots of security solutions out there that provide IT with a long list of alerts and notifications when potentially risky activity occurs in their environment. But in order to remediate anything, IT team members must step in and get involved. 

With an SMP like BetterCloud, you can remediate some threats automatically. Zero-touch automations that take actions based on security alerts allow your SaaS environment to “self-heal.” You no longer have to wait for an IT staff member to review each alert, decide if action is needed, and then remediate manually. 

In the illustration below, we show one of the ways you can use zero-touch automation to create a self-healing security workflow.

In the example above, we see the following happen:

1. An employee creates a share file, such as a Google Doc, and adds in sensitive information.
2. The employee then shares the file with someone outside of the company.
3. A BetterCloud alert is triggered, which sets off a remediation workflow.
4. The workflow immediately unshares the file.
5. The workflow also sends the user an email that lets them know that their actions violated company policy. This way they learn about the security risks of sharing sensitive data with those outside the company.

These types of zero-touch remediation workflows can be customized for different types of PII and proprietary information. The workflow above could also be modified to include an approval step before unsharing the file. This way, your IT team could check in with the user or their manager to make sure the document isn’t violating policy before taking any actions that might hamper productivity.

How do I use zero-touch automation to protect my IT environment?

In a perfect world, employees only ever use approved IT apps, on approved devices, through a VPN. The reality of today’s modern workplace is far more chaotic and susceptible to human error. The actions of well-meaning but negligent employees remain one of IT’s biggest security concerns.

In an effort to boost productivity, many well-meaning employees use their work credentials to grant OAuth access to unsanctioned apps. While some apps may be harmless, many more are not. By logging into apps that haven’t been reviewed by IT, negligent employees can put your company at risk of data theft, phishing, and more. 

An alert-based, zero-touch workflow can address this risk. The illustration below shows you can automatically remediate shadow IT usage with an SMP like BetterCloud.

1. An employee uses their work credentials grant OAuth access to a risky third-party app.
2. A BetterCloud alert is triggered, which notifies IT.
3. The alert also kicks off an automated workflow.
4. The workflow immediately revokes access to the app, logging the employee out.
5. The workflow also emails the user to let them know their actions violated company policy, so they learn about the security risks of logging into shadow IT.

The alert-based workflows shown above are just two of many ways you can automate zero-touch remediation in your IT environment. Other workflows can notify IT when super admin accounts are created or remove a departing employee’s app access immediately. Purpose-built to address the risks of SaaS sprawl, an SMP can be a powerful tool to help improve IT’s overall security posture. 

Reduce risk and work smarter with zero-touch automation

The three examples above are just the tip of the iceberg when it comes to what an SMP can automate for IT. This is why an SMP’s ROI often improves over time, even after delivering value within a few months. 

With an automation-first strategy and a fully featured SMP, IT leaders can deliver big results with zero-touch automation. They can:

• Pivot IT teams from reactive ticket-takers to strategic business partners, collaborating with other departments to optimize their use of SaaS.
• Keep IT environments safe from the actions of well-meaning, but negligent employees.
• Deliver a frictionless experience for remote employees, ensuring timely access to apps no matter what time zone they are in.

To learn more about how BetterCloud can help you transform your IT department with zero-touch automation, schedule a demo.

Following any merger and acquisition, IT usually ends up with a laundry list of tasks that can include:

• Establishing a full picture of all IT environments that are being integrated.
• Selecting which apps in the tech stack to keep, and which to phase out.
• Locating and protecting sensitive and proprietary data.
• Identifying other potential security gaps, including shadow IT.
• Internally onboarding and offboarding employees to and from different systems (such as from Google Workspace to Microsoft 365 or vice versa).

With a SaaS management platform (SMP) like BetterCloud, you get a powerful tool for tackling these challenges. Let’s take a closer look at an SMP with a centralized grid view, bulk administration, and IT automation capabilities can make post-merger integrations far more manageable.

1. Gain a complete view of all the SaaS apps across two or more merging IT environments

Gaining full visibility into all the SaaS apps in use can be a challenge with just one tech stack. When two environments merge, this quickly becomes twice as hard. With an SMP like BetterCloud, you can use SSO and OAuth discovery to gain a unified view of everything: all the SaaS in use (including shadow IT), users, groups, files, channels, settings, and other data. This gives you a full understanding of the breadth of what exists in your new post-M&A environment.

With this centralized view, you can quickly spot any potential redundancies. For example, if one company used Asana for project management and another used Trello, you can recommend migrating everyone to one tool. This not only saves costs, but also enhances collaboration across new teams and removes silos.

With best in breed SaaS, it’s very possible that both companies have some of the same apps in use—like Slack, for example. With a SaaS management platform, you can manage multiple instances of SaaS applications from one location. This gives IT teams the flexibility to control each of the merging company’s tech stacks until they eventually deprecate one side. Below, we’ll also take a look at how automated workflows can also help migrate users from one instance to the other in minutes.

“I can go into my BetterCloud portal and see all of our users through every application.”

Ryan Donnon, Director of IT, First Round Capital

2. Automate user lifecycle changes, such as onboarding employees to a new system

M&A activities often include numerous mid-lifecycle changes for employees at the company being integrated. This is where automating user lifecycle management with workflows can save IT a lot of time—and boost productivity as well.

Let’s say a smaller company using Google Workspace is acquired by a larger one primarily using Microsoft 365. Manually creating all those new profiles and then deleting existing Google Workspace licenses would take IT a really long time. Entering all that data manually might also result in typos or other errors, causing IT to go back and make even more changes. Worse, the productivity of the employees at the company being acquired would be impacted as they wait for access to new systems and tools.

With an SMP, your IT team can quickly build an automated workflow that creates new users in Microsoft 365 based on information in their Google Workspace profiles. When the workflow is run, a complete set of new profiles would be created in just minutes. Then, they could create a second automated workflow that offboards those users from Google, and then deletes the licenses to save on cost.

3. Keep super admins to a minimum, even with a growing IT team

Integrating multiple IT teams can easily lead to mismatched access rights and too many super admins. There are two features in an SMP like BetterCloud that can help you address this: granular admin roles and alert-based workflows.

An SMP can perform administrative functions in the apps it integrates with, removing the need to log into every app individually. New accounts can be made for incoming IT team members inside of the SMP, with customized access based on their job. The new staff can then use the SMP to administer apps directly, instead of creating additional super admin accounts in the apps themselves.

You can also leverage alerts and automation to enforce least privilege access policies with merging teams. The first step is to set up an alert that notifies you when more super admin accounts are created for an app than your policy allows. You can then create an alert-based workflow to automatically delete or disable new accounts before they can be used.

4. Locate and protect sensitive and proprietary data in file-sharing apps

There are very few companies now that don’t leverage file-sharing apps of some kind. When you merge IT environments, you want to make sure you aren’t introducing the risk of a data breach. With content scanning and automated security workflows, you can quickly uncover any potential risks, and, if needed, remediate them instantly.

Before you bring new data into an existing IT environment, your IT team can use an SMP like BetterCloud to perform a one-time content scan of whatever file-sharing apps were in use. You can search for PII, credit card numbers, proprietary information, or any other sensitive data. In a single view, you can see the file name, the file owners, and what app the data resides in. Once you’ve located all the potentially risky files, you can take bulk actions to unshare or even delete them to keep your existing environment protected.

After you’ve completed the one-time scan, you can set up the same scans to be performed in an ongoing way in your new, blended environment. File-sharing apps make it very easy for employees to improperly share sensitive or proprietary data. You can set up alerts to notify you when sensitive data is improperly shared, and even create workflows to unshare or delete the file automatically.

Across your post-M&A environment, an SMP can centralize management of all SaaS applications, users, groups, and files. By giving you visibility into your applications, a SaaS management platform surfaces critical insights that let you make informed decisions about the new environment—such as what apps to keep, and which to retire.

For internally migrating employees to and from apps, a no-code workflow builder gives IT teams a powerful way to save time, reduce errors, and get employees collaborating faster. Even something as complex as moving employees from Microsoft 365 to Google Workspace—or vice versa—can be achieved in just a few minutes and a couple of clicks.

To learn more about BetterCloud can help with your M&A activities, schedule a demo today.

SaaS usage has exploded since the beginning of 2020, but with all the collaborative benefits software-as-a-service (SaaS) and cloud services present, new challenges abound. IT professionals must adapt to threats like unsanctioned apps, data loss, and insider threats. 

In today’s cloud-first, work-from-anywhere environment, employees are increasingly likely to access sensitive materials outside company headquarters—which means that SaaS data security is one of the top priorities for IT teams of all sizes. While this is a daunting challenge, a zero-touch IT mindset can ensure SaaS security while also freeing up IT to become a strategic part of the business. 

I know what you’re thinking. What is zero-touch IT? As we recently wrote, a zero-touch approach aims to remove every manual touchpoint to orchestrate entire IT processes. SaaS enables seamless collaboration between users, both within and outside the organization, and this modern IT approach assures granular access can be secured without sacrificing productivity or security.

This guide contains an exhaustive overview of some of the best SaaS security best practices, and how a zero-touch IT mindset can enable them.

The Unique Challenges of SaaS Security

The four biggest security challenges created by SaaS are:

• File security
• Insider threats
• Gaining visibility into your SaaS environment
• Enforcing least privilege access policies

Let’s explore each in further detail.

1. File security

Before we dig into the long-term benefits of automated IT, the foundations of SaaS security bear repeating.

SaaS is here to stay. We’re all working in the cloud, and that means our sensitive data is everywhere. Credit card numbers, passwords, intellectual property, confidential customer data…the list goes on and on. 

SaaS apps are empowering to users because they make it easy to share files with collaborators within the company, and more worrying, outside your organization. Users can configure file-sharing permissions on their own. Unsurprisingly, this can lead to unwanted issues like compliance violations and data breaches. A user might share a file publicly because it makes collaboration easier, not realizing that the file may now be indexed by Google in real-time, and therefore available to the public. Keeping track of these sensitive file exchanges is not easy, at least not with traditional IT security methods. 

No one wants to send out press releases about data breaches that happened under their watch. Huge SaaS vendors like Microsoft, HubSpot, and Okta have all been victimized by SaaS cyber attacks in 2022. All this goes to show how important it is to be aware of what choices your users are making within apps. This necessitates automated alerts to risky configurations and automated remedies.

2. The risk of insider threats to your SaaS security

According to BetterCloud’s 2021 State of SaaSOps study, an overwhelming 72% of IT professionals believe that well-meaning, yet negligent employees pose the biggest data loss threats. In contrast, far fewer people feel the biggest threat is from malicious employees (20%) or hackers (8%). Maybe it’s allowing an outside contractor onto the company Slack account. Maybe it’s sharing something via Dropbox over an unsecured network. Employees should be schooled in SaaS security best practices – that much is clear – but it’s at the IT level where these measures need to take root.

3. Gaining visibility into your SaaS environment

Once you take a peek under the hood of your company’s SaaS engine, there’s a good chance you’ll be shocked by what you find. When the pandemic hit during the first quarter of 2020, companies quickly amassed SaaS apps for remote work, thinking they’d only need them for a few weeks. As we all know, that “few weeks” evolved into a lasting reality, and those SaaS applications – even the forgotten ones! – are most likely still there, and perhaps compromised over time. More than half (55%) of respondents in BetterCloud’s 2021 State of SaaSOps study said their biggest challenge was a lack of visibility into user activity and data.

Since these unsanctioned apps can’t be seen by IT teams, it’s virtually impossible to secure and manage them properly. This can make them quite risky. Proper SaaSOps process and solutions can keep track of how these apps are being used, their permissions, and their data read/write authorizations.

4. The challenge of enforcing least privilege access policies

The more access an admin has within your infrastructure, the more they put you at risk if their account becomes compromised. Hence, the importance of least privilege access, or in layman’s terms, granting users the minimum permissions needed to perform their roles. 

It sounds simple, but the terms for certain admin roles and distribution lists often vary from app to app, making least privilege access difficult to discern. Some apps simply don’t allow a great deal of variation from admin to admin. However, better SaaS management platforms (SMPs) allow IT teams to be much more exact with the access they grant. Using BetterCloud as an SMP, a typical customer in 2021 was able to implement a least privilege access model that reduced the number of users with super admin access from 15 to 3.

Why do all these SaaS security challenges exist?

It has a lot to do with that paradigm shift that occurred in early 2020. The old IT model employed the so-called “castle and moat” approach – the “moat” protecting company infrastructure from outside unknowns. But with the advent of SaaS, that moat disappeared, since employees had the ability to easily share sensitive data outside the company, often over unsecured networks such as home Wi-Fi. Today, effective IT can’t just control the perimeter; its watchful eye must permeate all apps and interactions within the public cloud.

Related: A Zero Trust security model can help protect your SaaS environment. 

To learn more, download our whitepaper: A Guide to Effective SaaS Management Using a Zero Trust Security Model

Now, let’s examine some other kinds of SaaSOps tools and best practices for SaaS security. 

Understanding the types of SaaS security software options available to you:

1. Identity and access management (IAM)

As the expectations of a good IT department shifted post-2020, Identity and Access Management (IAM) emerged as a strong option for automating security in cloud-based work settings. IAM allows IT to control user access to sensitive information within a company on a fully automated basis. The automation factor is a key difference from manual, mistake-prone legacy options; IAM is more secure and allows admins to fine-tune those all-important privilege settings on who gets access to what.

With IAM, companies can use authentication methods such as:

• Unique passwords: lengthy passwords that include randomized letters, symbols, and numbers
• Pre-shared key: passwords shared among users with access to the same materials (not as secure as individual, unique passwords)
• Behavioral identification: artificial intelligence that analyzes a user’s human idiosyncrasies, such as typing and mouse-use habits
• Biometrics: fingerprints, faces, voices, etc. are used to authenticate users (given the highly personal nature of this data, an implementation should be considered very carefully)

2. What is a CASB?

CASBs (short for cloud access security brokers) are another SaaS security software option. According to Gartner, CASBs are on-premises, or cloud-based security policy enforcement points. They stand between cloud service consumers and cloud service providers to combine and add enterprise security policies as cloud-based resources are accessed.

CASBs are employed in a wide range of cloud computing services, including PaaS, IaaS, and of course, SaaS, where they’re used for data security, asset encryption, inline blocking of shared assets, and network security.

3. What role does a CASB play in SaaS security?

It’s useful to compare CASBs to SMPs since they both enforce SaaS security in different ways. The role of CASBs extends well beyond SaaS, and unlike SaaS-focused SMPs, their response to a security threat tends to be less nuanced. Admins using CASBs can set triggers (such as when a new user appears on the network), but lacking the granularity of SMPs, CASBs are prone to over-enforcing these triggers and bringing workflow to a halt. SMPs, however, offer smarter, workflow-friendly solutions without sacrificing security measures.

The need for a flexible SaaS security solution

Every company is different, so it’s up to IT and security teams to implement a SaaS security program that makes sense for the company’s day-to-day needs. What triggers should your security platforms be on alert for? What actions will those triggers activate, and how will relevant team members be notified? Zero-touch IT and automation have facilitated all this immensely, but it’s up to IT to use those tools to build a security threat game plan. Additionally, data encryption and two-factor authentication (e.g., entering your password and then receiving an additional access code via your mobile device) are increasingly common methods to protect data. And all employees should be trained in the basics of data encryption and data security, such as how to recognize a phishing email.

Regardless of where you’re at, adopting zero-touch IT will optimize reaching the goals we’ve outlined in this guide. Start by keeping track of what issues are most frequently leading to tickets – these are the issues you’ll want to prioritize automating once you’ve got the hang of things. In the meantime, tools like BetterCloud Manage – with no advanced scripting or programming required – can make tasks like employee onboarding/offboarding zero-touch right away for IT and security teams. From there, you can move to automate additional SaaS priorities, which we’ll reiterate below.

Best practices: SaaS security checklist

Maintain a secure infrastructure:

• Establish your organization’s culture and risk tolerance
• Implement IAM/IDaaS to facilitate access and authentication to all SaaS apps and minimize friction for end users
• Ensure your data is always encrypted
• Implement two-factor identification (2FA)
• Train users on SaaS security, including identifying phishing attacks and the importance of 2FA
• Create an incident response plan
• Implement SaaS management in conjunction with traditional security services
• Build dynamic Data Loss Prevention (DLP) policies to protect sensitive data from being lost, misused, or accessed by unauthorized users
• Build customizable workflows so responses are in accordance with your security policies and guidelines

Proactively secure data by monitoring for:

• Exposure of sensitive information such as PII, PHI, passwords, and encryption keys (either publicly or externally shared)
• Corporate emails that are automatically forwarded to a personal email account (e.g., Gmail, Yahoo)
• Users who should no longer have access to specific files, folders, calendars, etc. (e.g., consultants, interns, or employees who’ve switched teams)
• Suspicious activity related to data theft, like unusually large file downloads within a short time period
• Sensitive files being shared with a competitor
• Email forwarding from specific users to email addresses outside your domain
• Specific file types being publicly or externally shared (e.g., spreadsheets and PDFs are more likely to contain sensitive information)
• Sensitive folder paths, like accounting or finance, being publicly or externally shared
• Choices users are making in apps, such as making public cloud databases

Gain visibility and control:

• Enforce least privilege with granular access control
• Remain aware of all apps running on the corporate network, sanctioned or unsanctioned, and eliminate blind spots
• Identify tools that authenticate using your domain
• Audit permissions that employees grant to unauthorized SaaS
• Compare permissions to your established data governance that defines who within an organization has authority and control over data assets and how those data assets may be used
• Secure user interactions inside of SaaS apps
• Continuously monitor for policy violations and remediate them if any are detected

A few final thoughts

SaaS data security is a tricky challenge for even the most experienced IT professionals – just look at how much has changed in the past two years! But by using the SaaS security best practices in this guide, coupled with an SMP/zero-touch IT approach, you can secure your organization for years to come. Now is the time to transform your technology team from ticket-takers to strategic leaders of your business! 

Automating as many of the routine tasks associated with SaaS management is a great way to save time, reduce errors, and transform your help desk’s day to day work. In this article, we’ll highlight the top processes every IT department can and should be automating. 

A quick note before we dive in. While the market for automation tools is filled with choices, you want to make sure to use a solution that is purpose-built for IT. A fully featured SaaS management platform (SMP) with an easy to use, no-code builder gives the power of automation to anyone on your IT team. This is essential because automated workflows should be regularly reviewed and updated over time, as businesses grow and tech stacks evolve.

The SMP you choose for IT automation should include a deep library of actions to include in your workflows. The more things you are able to automate, the more strategic your IT team can be with their time. You also want to make sure the IT automation solution you choose includes flat fee pricing, so your costs don’t increase the more you automate.

#1: Resolving help desk tickets

Getting to a zero ticket queue is every IT leader’s dream. However, without automated workflows, you would need an incredibly well-staffed IT department to get there. 

By combining the power of SMP with an ITSM like Jira or ServiceNow, you can create self-service portals for employees to request app access. These portals are powered by automated workflows that instantly receive the ticket data, request approval from the manager, automatically grant access to the app, and notify the user. 

The best part is that IT doesn’t have to do anything to fulfill this request—the entire process is 100% automated. Workflows like these can reduce the number of tickets that IT must handle manually by 50% or more.

#2: Zero-touch offboarding

Offboarding an employee is easily one of the most time-consuming tasks IT departments must handle. Without automation, it can take hours or even days.  When offboarding takes too long, the risks of a disgruntled employee causing harm increase significantly. 

Automation also makes sure steps aren’t missed in long, complex offboarding processes. With over 100 SaaS apps in the average IT landscape, it’s easy to miss reclaiming a license, and wind up paying for app access you aren’t using. When resource access isn’t transferred quickly, employees can lose access to critical shared files, hampering productivity.

SaaS management platforms are powerhouses for automating long offboarding processes. The graphic below shows how, with just the submission of an IT ticket, an offboarding workflow can be instantly kicked off. Within minutes, access is revoked across numerous apps, devices are locked, resource ownership is transferred, email is forwarded, and much more. 

To discover the 14 steps every offboarding process should include, and a step-by-step guide for automating the process into a workflow, check out our Ultimate Checklist for Employee Offboarding.

#3. File sharing remediation

The greatest threats to IT security don’t always come from malicious outside actors. File-sharing apps have made it easier than ever for a well-intentioned employee to cause a data leak or breach. It takes just minutes for someone to add sensitive or proprietary information into a document and share it with the wrong person, or worse, publicly for the world to find.

This alert-based security workflow reduces IT’s threat landscape with the power of automation. As soon as BetterCloud detects that a file has been created that contains sensitive information and has been improperly shared, a workflow will immediately kick off. In the example below, the file is immediately unshared and the user is notified that their actions violated security policy.

These alert-based security workflows help you create a “self-healing” IT environment. A SaaS management platform allows IT and security team members to create and enforce security policies automatically—reducing alert fatigue, educating users, and improving your company’s overall security posture.

#4. Revoking OAuth access

Another way your well-meaning colleagues can become insider threats is by granting OAuth access to unsanctioned apps. It’s very simple for an employee to decide to use a new app, click the “Create Account with Google” button, and just like that, it now has broad access to modify, delete, and read company data. 

Shadow IT—using apps not approved by IT—is notoriously difficult to detect. An SMP gives you not only the visibility you need to see what apps have access to your environment, but also the ability to automatically take action.

In the workflow illustrated below, BetterCloud automatically detects when an employee uses their work credentials to grant OAuth access to a risky app and triggers an alert. The alert instantly kicks off a workflow, notifying IT and revoking the user’s access to the app. Finally, it sends an email to the user letting them know about their potentially risky behavior.

Similar to the file security workflow we discussed earlier, this type of workflow remediates a potential threat with input from IT. Emails and notifications in each of these workflows can be completely customized to let IT, managers, and the employees know about the policy violation and the risk their actions pose.

#5. Instant Slack and Zoom war rooms

Not every useful workflow is triggered automatically. On-demand workflows can complete a series of tasks with just a click of a button. To respond quickly when a security incident occurs, IT can immediately create a virtual war room in Slack and Zoom.

These war rooms can instantly notify a wide range of people—and give them a designated, virtual place to meet—the minute the incident occurs. A single workflow can even create different rooms for response types, including:

• A business incident response channel to discuss logistics only—i.e., what’s happening, when it’s happening
• A technical incident response channel to discuss the technical aspects only—i.e., how to mitigate the security incident

The workflow can also automatically create a Zoom call so that leadership can discuss remediation right away.

Conclusion

These five workflows are just the tip of the iceberg for what IT can automate in a SaaS management platform. Strategic BetterCloud customers often create 20 or more workflows that automate everything from onboarding to file security. Because BetterCloud ingests SaaS data to enable more powerful actions, anyone in your IT and security team can use its no-code builder to create and manage workflows.

With each workflow you create, your IT team becomes more strategic, the employees you support have a better experience, and your IT environment becomes more secure. To see BetterCloud workflows in action, schedule a demo today.

But it’s also no secret that remote work is a lot more convenient for employees. Remote-first work environments can also be a huge competitive advantage for your business. To nobody’s surprise, organizations around the world have put a lot of thought into how to secure a growing SaaS stack in an increasingly asynchronous work environment—all while enabling remote workers to be successful in their jobs from wherever they’re located.

In our latest webinar, BetterCloud’s former Chief Business Strategy Officer Shreyas Sadalgi talked shop on the unique challenges of securing SaaS apps with a couple of experts, including:

• Andras Cser, Vice President and Principal Analyst, Security and Risk Management at Forrester Research 
• Harsha Nagaraju, Director of Product & Solutions Marketing, Security at VMware

Here are some of the key takeaways from their conversation. If you want to watch the conversation in full, click this link to check it out. 

What issues are most vexing in SaaS? 

On what feels like a daily basis, we see reports of data breaches at some of the most respected companies on the planet. While data protection was difficult enough when we were all commuting to the office, Cser and Nagaraju say the challenges have been exacerbated by the uptick in remote work.

“Most of these challenges probably were not big problems when everyone was in headquarters,” Nagaraju adds. “Now, employees are infinitely more likely to be sharing company files over Slack on coffee shop Wi-Fi, or at a friend’s house. ‘Everywhere organizations’ are becoming the new normal.”

Many of the challenges Nagaraju outlined have been discussed ad nauseum—and for good reason. What’s striking to us, however, is how much more difficult it is to determine how much you can trust a device that’s requesting access to your environment. The number of potential vectors has grown exponentially as remote work explodes—and it’s clear that data protection will continue to be a top priority for IT teams everywhere.

Who’s especially likely to put your company at risk? 

Cser stresses that people he calls movers – veteran employees who have moved within the company for a long time – are especially likely to become liabilities to bad actors because they’ve accrued access to a lot of different corners of your infrastructure (which they may no longer need in their current roles). “We’ve seen some instances where this was used as a springboard for hackers or internal threat actors,” Cser says. 

In response, Sadalgi recommended ranking your most important admins so it’s easier to identify the select few who get certain kinds of access. All this is good practice for IT departments regarding SaaS, but how do you pull it off in real-time?

This brings us back to the challenge that necessitated webinars like this roundtable conversation with Sadalgi, Cser, and Nagaraju. How the heck can you apply some of the best practices they recommended? Spoiler alert: This is where we talk about the critical role your SaaS management platform (SMPs) plays in securing your SaaS environment.

“[BetterCloud] recognized this as a company early on, when SaaS became a thing ten years ago,” Sadalgi says. “[We recognized] that IT would require new tools to maximize the business value.” Lately, the pace has accelerated to where manual SaaS data protection is all but obsolete, with automation the only game in town.

How can you stay on top of all these SaaS apps? 

Many IT teams have struggled to answer this question over the last few years. This is just one of several reasons why we’re excited to announce BetterCloud’s newest collaboration with VMWare. 

VMware SaaS App Management Powered by BetterCloud is the most up-to-date control station for what’s keeping IT up at night. It’s out now, available as a VMware product add-on to Workspace ONE and Horizon. If you’re looking for a way to wrangle your apps into one place, this has you covered. 

In addition to announcing this new partnership, Sadalgi wrapped up the session by taking questions from the audience. Here are just a few snippets from the Q&A portion of the webinar:

• The evolution of SaaS exposed the gaps in SaaS management. “Misconfigurations and gaps happened because there’s no telemetry that was made available until now,” Sadalgi added. “And that’s something that has happened because the SaaS industry and every SaaS application has matured and exposed those APIs in the first place.” 
• A complementary approach to SaaS security. Sadalgi says that the obvious solution to the most common gaps in SaaS management is a complementary approach driven by a SaaS management platform like BetterCloud. “Once you actually get inside the SaaS application, misconfigurations and gaps happen because there’s no telemetry that was made available until now,” he continued. “SaaS operations platforms like BetterCloud are best suited to solve that challenge [through zero-touch IT automation].”

Want to see how BetterCloud can help you get control of your SaaS environment before it controls you? Schedule a demo.

IT teams at companies with large SaaS stacks can spend hours of time on manual, repetitive tasks, such as adding and removing user accounts. Numerous security risks, from data breaches to shadow IT, have been added to IT’s threat landscape. Fully onboarding new hires can take days or even weeks, giving them a slow, frustrating start with their new role. SaaS app access requests from remote employees are burying help desks in mountains of tickets.

SaaS operations management (SOM) is a framework for giving IT the strategies and tools needed to tackle these challenges. In this article, we’ll take a close look at everything IT needs to know about SOM, including:

• What is SaaS operations management? 
• How does a SaaSOps management strategy benefit IT teams?
• What does SaaS operations management software do?
• What are some SaaS operations management use cases?

With new SaaS apps being added to IT environments every day, teams can easily get overwhelmed with repetitive work, including access requests, threat remediation, and more. With a SaaS operations management strategy—along with a skilled SaaSOps team and a fully featured SaaS management platform—IT can not only overcome these challenges, but transform their work from reactive ticket-takers to strategic business partners. 

To learn more about how CIOs can transform their IT strategy with a SaaS operations management framework, check out our ebook, The Strategic CIO: How to Evolve IT from a Reactive Cost Center to a Strategic Partner. 

What is SaaS operations management? 

To keep SaaS applications running effectively in their environment, IT teams end up with numerous operational admin and security tasks. SaaS operations management is a strategy for automating these repetitive, mundane tasks in order to effectively manage a large SaaS stack. 

There are two parts to SOM: 

1. Defining acceptable use policies for SaaS apps.
2. Using SaaS operations management software, such as a SaaS management platform, to execute and automate those policies.

IT teams can use a SOM strategy to create, enforce, and optimize everyday usage policies for mission critical SaaS applications.

How does a SOM strategy benefit IT teams?

When an IT team implements a SaaS operations management strategy with a SaaS management platform (SMP), they improve the way their own department and the company as a whole works. Let’s take a look at three of the biggest benefits.

Improved Efficiency

At the core of a SOM strategy is automation. By using an SMP to automate the operational processes of SaaS management, hours can be saved each time the process is completed. 

For example, take the long, complex processes of employee onboarding and offboarding. By automating these processes with an SMP, IT teams in companies like Superfly have gotten back up to 85% of the time they were previously spending on user lifecycle management.

Better Employee Experience

By using a SOM strategy to optimize the use of SaaS, IT teams can improve employee collaboration while saving on cost. With an SMP, IT teams can discover all the apps in use in their IT environment, including unsanctioned apps (also known as shadow IT.) Then, IT can strategically consolidate usage or add new apps to improve productivity and employee experience.

At the core of a SOM strategy is automation, which enables IT teams to spend less time on repetitive SaaS administration tasks. App access request tickets can be fully automated using a zero-touch workflow created in an SMP. With less time spent resolving tickets and managing SaaS apps, IT teams can spend more time on strategic work. When IT teams don’t have to spend 90% or more of their time dealing with tickets and SaaS administration, they have the ability to develop new skills, grow their careers, and take on more meaningful projects.

Centralized Data Protection

The more SaaS you have in your IT environment, the greater your security risks are. Well-meaning employees using the most popular file sharing apps, like Google Drive and Dropbox, are just one click away from causing a major data breach. They also have a tendency to use shadow IT, granting apps OAuth access to your environment with IT ever being aware. Without centralized, granular app access control, far too many accounts with super admin privileges are created—increasing the risk of unauthorized access or accidental misconfiguration. 

With a SaaS operations management strategy, you can define and enforce a number of important security and compliance policies. IT teams can create workflows in an SMP to automatically revoke access to shadow IT, or unshare files that contain sensitive or proprietary data. This way, you can quickly and proactively address the security threats introduced by SaaS sprawl with automated threat remediation.

How does SaaS operations management software help?

To get all the benefits of a SaaS operations management strategy, you need the right tool. SaaS operations management software, also known as a SaaS management platform, should have a full range of features and capabilities that enable IT teams to discover, manage, and secure their SaaS stack.

A SaaS operations management platform should provide a single, powerful location for no-code automation, threat remediation, intelligent alerting, and actionable insights. If an IT team fully leverages all the capabilities of a SOM platform, they can realize major time and cost savings, decrease their threat landscape, and ensure a great employee experience.

The marketplace for SaaS operations management tools can seem daunting and complex, if your team is looking for the right solution. However, Gartner has clearly defined all the capabilities a fully featured solution should have. If you want to deep dive into all the ways SaaS operations management software can help, this comprehensive SaaS management platform buying checklist has everything IT needs to know to buy the right tool for your environment.

What are some SaaS operations management use cases?

A SaaS operations management strategy can be applied to many IT operational processes to save time, decrease security risks, and improve the employee experience. Let’s look at a few of the most common use cases that deliver some of the highest return on investment (ROI).

Employee Onboarding and Offboarding

Automating employee onboarding and offboarding processes with SaaS operations management platform delivers many benefits to both IT and the entire organization. New hires can get the access they need to be productive right away with automated onboarding workflows. 

As soon as an employee departs, you can revoke access to apps in minutes, keeping your environment safe from potentially destructive or risky actions. For security and compliance, a SaaS operations management platform can easily provide a record of enforcing your offboarding policies with non-expiring logs. 

File Security

File sharing apps are designed to be very easy to use. In minutes, an employee can add sensitive information to a Google Doc and share it with an external contact. With a SaaS operations management platform, you can easily locate sensitive data, no matter where in your IT environment it lives. You can also set up automated remediation workflows that unshare files and notify IT and managers.

Access Control

Implementing least privilege access and other access control policies is another important use case for SaaS operations management. Using a SaaS operations management platform, you can create and enforce policies around how many super admin accounts are allowed for each app. Anyone in your IT department can use the platform itself to manage apps, reducing the need for more than one super admin account per app. Automated workflows can also be created to automatically revoke access if someone tries to create too many super admin accounts.

Conclusion

Success in a modern IT environment—filled with SaaS apps and remote workers— requires a specialized approach and the right tools. A SaaS operations management strategy, along with a SOM platform (or SMP), gives IT the ability to create and enforce policies for administering SaaS. Once in place, these strategies and platform capabilities improve the day-to-day work for IT and other departments, by saving time, boosting productivity, and keeping data secure.

To learn more about how BetterCloud can deliver improved efficiency, data protection, and a better employee experience, schedule a demo.

A disgruntled employee can cause major damage if their access isn’t completely revoked immediately after they are terminated.

What can happen when employees aren’t offboarded fast enough

Five months after he was terminated, a former Cisco employee accessed a critical AWS-hosted system. While inside, he deleted 456 virtual machines, shutting down more than 16,000 WebEx Teams accounts for nearly two weeks. The shutdown cost Cisco roughly $1.4 million in employee time for remediation and over $1 million in customer refunds.

A credit union fired a part-time employee, and two days later she remotely accessed a file server. She deleted more than 20,000 files and almost 3,500 directories—a whopping 21.3 gigabytes of data that included mortgage applications and anti-ransomware software. The credit union has since spent approximately $10,000 in remediation.

“Her petty revenge not only created a huge security risk for the bank, but customers also depending on paperwork and approvals to pay for their homes were left scrambling,” stated FBI Assistant Director-in-Charge Michael J. Driscoll.  “An insider threat can wreak just as much havoc, if not more, than an external criminal.”

An HR manager was fired from a professional services company in Manhattan. Just hours after she was escorted off the premises, she logged into a company system remotely and deleted over 17,000 job applications and resumes—all of the data in the system. Her employer had to spend over $100,000 to investigate, respond publicly, and rebuild its system. The company will never recover all the data it lost.

No one ever wants anything like this to happen at their company, let alone be the IT person responsible for offboarding and revoking access. The good news: You can prevent these types of incidents by automating your employee offboarding process.

With automated employee offboarding, you can revoke access to apps, devices, and shared resources in minutes. To avoid any type of delay, you can even start the process instantly by completing a form or submitting a ticket. That way, no time is spent waiting for IT to start the offboarding process when access needs to be revoked fast.

In this article, we’ll discuss everything you need to know to start automating your offboarding process. We’ll answer the following questions for you:

• What tool should I use to automate the offboarding process?
• How do I build an automated workflow for offboarding employees?
• How do I create a zero-touch workflow to offboard a departing employee as quickly as possible?

What tool should I use to automate my offboarding process?

There are more tools in the market every day that claim to offer “easy-to-use” automation functionality. Because the benefits of automating HR processes are so numerous, more and more providers are seeking to offer those capabilities.

From iPaaS to IDaaS with automation add-ons, wading through the options for automation can seem like a daunting prospect. However, if you want to make sure anyone on your IT team is able to create and manage workflows with minimal ramp time, a SaaS management platform (SMP) is an optimal choice. 

An SMP like BetterCloud ingests and analyzes metadata from all the apps it is connected to. BetterCloud can then use this operational intelligence to make workflows simpler and easier to manage—even for long, complex processes like offboarding an employee. 

Once an automated workflow is created to offboard an employee, it is critical to keep it up to date. You don’t want to leave any departing employees access to any company app or shared resource, even if it was recently rolled out. 

An overly complex automation tool can introduce costly delays if updating an offboarding workflow takes a long time or requires specialized, outside help. Choosing an SMP like BetterCloud ensures that anyone on your IT team can update critical workflows with a minimum of effort. When a workflow can be updated in minutes, you can be sure departing employees won’t retain access to newly-adopted apps, systems, and resources.

How do I build an automated workflow for offboarding employees?

Now that we’ve discussed what tool to use, the next step is to take a closer look at your current offboarding process to get it ready for automation. We recommend spending some time to answer the following questions: 

1. Where are all the possible places that users might store data? You might assume that most employees rely on Google Drive, but you might also discover that they’re keeping documents in applications such as Dropbox, Office 365, or even Zoom for recordings. 
2. What is your source of truth? Is it an HRIS or an IdP like Okta, OneLogin, or Azure AD? Knowing your source of truth will enable you to create a consistent and repeatable trigger to start your offboarding process. 
3. How do HR and the manager want to handle things like delegation, auto-replies, and email forwarding? Do managers need to be granted email access to their departing employees? Documents? What other gaps need to be considered? 
4. What’s the time period for deprovisioning licenses? Do you want to keep email access for 30 days? What are the retention requirements?

Once you have these answers, you are ready to start creating your offboarding workflow in BetterCloud. Our eBook, “Death by 1,000 Tabs: How IT Can Optimize the Offboarding Process in a SaaS Management Platform,” includes a deep dive into the anatomy of a complete offboarding workflow. To get a closer look at how to build an offboarding workflow in BetterCloud, complete with screenshots and step-by-step instructions, download the eBook.

To take a closer look at how an IT team at a company that uses a lot of SaaS automates offboarding, watch episode six of the SaaSOps show: “Supercharged Offboarding with BetterCloud and an IDP.” In this video, three IT team members, including an automation engineer, discuss how they approach offboarding, and demonstrate how they’ve built their offboarding workflow in BetterCloud.

With an SMP like BetterCloud, you save even more time by building your offboarding workflow with a pre-built workflow template. With BetterCloud’s offboarding template, you can simply modify the workflow to meet your needs—while making sure you are following current best practices. This way, you won’t have to create your workflow from scratch, especially if your IT environment uses a lot of “best in breed” SaaS, such as Google Workspace, Slack, and Zoom.

How do I create a zero-touch workflow to offboard a departing employee as quickly as possible?

As the “nightmare scenarios” we discussed above have shown, you can’t waste any time when offboarding employees. With so much sensitive company data at their fingertips, you want to revoke access as soon as possible after an employee’s departure.

With BetterCloud, you can set up your workflow to “kick off” from a ticket or form submission, removing the need for any manual work by IT. This way, someone in HR, or even the departing employee’s manager, can simply fill out a form or complete a ticket to immediately begin the offboarding process. Watch the video below to learn how to set this up with Jira and BetterCloud.

For additional details on how to optimize offboarding and other workflows, check out our recent ebook, “Cheat Your Way to IT Success with Zero Touch Automation.” In it, you will find everything you need to create offboarding workflows that can be started quickly and easily—and outside of IT.

It is true that automating your offboarding process can be a huge time-saver for your IT department—especially if they are currently performing all the steps manually. Automated offboarding also prevents an unhappy departing employee from destroying data, stealing customer lists, or causing other costly problems. This makes a fully featured SMP a critical tool for both IT and security teams.

To learn more about how an SMP can not only save time through automation, but also keep files secure and your IT environment safe, check out a wealth of security-related resources in our content library.

If you want to see how BetterCloud can keep former employees from accessing sensitive company data with automated offboarding, schedule a demo.

Why makes these file sharing SaaS apps so risky? SaaS vendors boost their bottom line by maximizing usage and engagement. To do that, they make creating sharing files as easy and simple as possible. 

With many SaaS applications, it is very easy to create a document, add in sensitive or proprietary data, and share it—all in just a few seconds. However, the minute the wrong information is shared with the wrong person, you have a data breach on your hands.

With SaaS apps and security policies working at cross purposes, what can security teams do? Without the right tool, your options are not great. You could tell everyone to stop using Google Docs and other file sharing apps. Besides grinding productivity to a halt, you’d probably become the most hated member of your company. Or, you could do nothing, cross your fingers, and hope that no employee ever makes a file sharing mistake.

With a SaaS management platform (SMP), you get a much better third option: automated SaaS file security. In this blog we’ll discuss why and how you should use an SMP to uncover improperly shared files, locate sensitive data, and use workflows to automatically fix file sharing actions that violate your security policies.

In this article, you will learn:

• Why you need a SaaS management platform to locate shared files and sensitive data
• How to automate SaaS file security with alert-based workflows
• How to use zero-touch automation to monitor and protect sensitive SaaS data

The best part of using an SMP to automate file security is its flexibility. Using alert-based workflows, you can adjust the actions you take and the order you take them in, based on the level of risk. But before you can set an SMP to take any automated actions, you first need to locate the file security risks in your SaaS environment.

Why you need a SaaS management platform to locate shared files and sensitive data

Before you set up security automation workflows, you first need to know where sensitive and proprietary data is located in your SaaS environment. File sharing SaaS apps, including Google Workspace or Office 365, do not have the capability to do this natively, especially across all users in your environment. This is why an SMP is an essential tool for data protection.

When you first set up a SaaS management platform, you should perform a series of one-time content scans to get a snapshot of your current SaaS environment. You can view the results in a single grid view that shows the name of the file, who created the file, and more. If you use Google Workspace, you can even run a file oversharing report in an SMP like BetterCloud to uncover risky trends in your SaaS environment.

The results of these scans never fail to surprise new BetterCloud customers. The sheer volume of files being created every day by employees can be massive. Over 67 million shared files are currently being monitored on the BetterCloud platform today. 

Of those files, many contain sensitive or proprietary data. For example, over 250,000 files have been uncovered by BetterCloud customers that have the word “password” in the title. The risk of a data breach grows with every new employee that joins your company.

To take a closer look at the risk posed by today’s typical set of “best in breed” SaaS applications, check out the video below. You will also learn how the capabilities of an SMP allow you implement a number of security controls that don’t impact productivity.

How to automate SaaS file security with alert-based workflows

The great thing about the way an SMP approaches security is its flexibility. You don’t want to implement security controls that are so restrictive it keeps users from being productive. However, you want a solution that does more than just send your security teams endless alerts and notifications—and the only remediation available is to take action manually.

With alert-based security automation, you can strike the right balance of data protection and productivity. Let’s say a new employee creates a file of credit card numbers he uses for different vendors for procurement. Then, he takes that file and shares it with his personal email address so he can have access when is working at home. Or worse, he simply shares the file directly with a vendor.

With BetterCloud, you can set up an alert that notifies IT whenever a file contains a sequence of digits similar to a credit card number. Depending on your security policy, you can create a workflow that automatically takes action as soon as the file is detected. These actions can include:

• Sending an email to the user letting them know their actions are risky
• Alerting IT via Slack
• Sending an email to the user’s manager
• Unsharing the file
• Waiting a certain amount of time between actions, from 30 minutes to 30 days

One way to set this up would be to have a workflow immediately unshare the file and notify the user. This would be a good approach if the data is potentially very sensitive, such as credit card numbers or social security numbers.

If the data found pose a lower risk, you could instead have the security automation workflow simply notify IT, the user, and their manager. Then, a manager or member of the IT team could follow up to learn more about the situation before further actions were taken.

How to use zero-touch automation to monitor and protect sensitive SaaS data

The best part about these workflows is that they don’t require IT or security teams to do anything manually—unless you choose for an IT follow-up to be part of the remediation process. 

Once you have completed your one-time scans and audits, you can “set and forget” go-forward policies that continuously monitor and scan your SaaS environment. When a scan detects a file or data security issue, you can create security automation workflows that unshare the file, email the file’s creator, and more. 

This way, your SaaS environment becomes “self-healing” over time. Users learn to take less risky actions, files get unshared without any IT involvement, and your SaaS security posture improves.

To take a “peek under the hood” to see how to use BetterCloud to uncover and automatically remediate file security issues in your environment, we invite you to check out the video below.

Unlike security point solutions like CASBs, a SaaS management platform gives you the flexibility to secure your SaaS environment without impacting productivity. You also gain the ability to add security automation to your data protection toolkit, enabling security teams to save time and take action without any IT involvement. 

To further improve your security posture, an SMP’s security automation features can be used to enforce a least privileged access model. You can set up real-time alerts to notify you when too many admin accounts have been added to any given SaaS app. 

If you really want to keep the number of admins of a particular SaaS app to a minimum, you can even create a workflow that automatically stops new accounts from being created. Automated security workflows are a flexible, intelligent way for IT teams to enforce security controls and policies. 

To learn more about how an SMP can automate file security, least privileged access, and more, schedule a demo today.

What is SaaS management?

SaaS management is automating and centralizing management tasks across a company’s entire portfolio of software-as-a-service (SaaS) applications. The first step of SaaS management is understanding and controlling identity and access to SaaS. The next step in SaaS management is streamlining the processes across a company’s entire SaaS portfolio for:

• user lifecycle management (ULM)
• spend optimization
• application configuration
• visibility and auditability

When these SaaS management practices are implemented well, IT departments can benefit in many ways. They get hours of time back, produce fewer errors, shorten their ticket queues, and keep their fellow employees productive.

To put these best practices for SaaS management into action, IT administrators often turn to a SaaS management platform (SMP) like BetterCloud.

What is a SaaS management platform?

According to Gartner, a SaaS management platform (SMP) is a standalone tool that can discover, manage, and secure multiple SaaS applications from a central admin dashboard. A fully featured SMP should help IT admins with all of the following:

• optimize SaaS app usage to boost collaboration and productivity
• automate day-to-day SaaS management tasks
• gain visibility into all apps in use, including shadow IT
• protect the files and sensitive data in their environment

A SaaS management platform is an all-in-one tool that helps IT implement the three core practices of SaaS operations (SaaSOps):

1. SaaS management (as discussed above)
2. SaaS discovery
3. SaaS security

We discussed SaaS management in detail earlier, so we’ll take a quick look at the last two items.

What is SaaS discovery?

SaaS discovery provides full visibility into what SaaS applications are running within your environment. An SMP should be able to show you both sanctioned apps (the ones approved and vetted by IT), and unsanctioned apps (shadow IT being used by employees without approval). 

SaaS discovery allows IT admins to optimize SaaS application usage and SaaS spend in their environment. They can consolidate SaaS licenses if multiple apps are performing the same function. App consolidation cuts SaaS costs and increases collaboration as more employees use the same apps. If an unsanctioned app is being heavily used, IT can step in to sanction it and make sure it is properly licensed and secured.

Check out the two resources below to learn more about SaaS discovery.

What is SaaS security?

SaaS security is the process of understanding where sensitive and proprietary data is located in your SaaS portfolio, and actively working to mitigate security risks. An SMP should be able to secure your SaaS apps by responding to security incidents immediately with automated alerts and remediation. 

Another important part of SaaS security is creating and enforcing security policies to fulfill compliance regulations. SMPs help IT admins prove compliance with the ability to implement IT security policies and document them with non-expiring audit logs. Finally, an SMP should give you the granular access controls you need to implement least privilege access models.

We invite you to check out the two resources below to learn more about SaaS security.

How Do I Get Started with SaaS Management?

Step 1: Gain full visibility into your entire SaaS portfolio

With companies now using an average of 110 SaaS apps, gaining a complete picture of a company’s SaaS environment is a critical need. More than half of IT professionals surveyed say the #1 challenge in their SaaS environments to solve is a lack of visibility into all user activity and data. 

SaaS management platforms like BetterCloud are designed to give IT full visibility into all the SaaS applications in use. From a single, centralized dashboard, you can:

• See every app in your environment
• Identify who is using each app
• Uncover which apps have been granted OAuth access
• Gain visibility into shadow IT—unsanctioned apps that employees are logging into with their work credentials that aren’t approved or vetted by IT

IT admins should use these insights to make strategic, informed decisions on what apps to use. With the data from your SMP, you can optimize your SaaS usage by:

• Uncovering potentially redundant apps 
• Consolidating SaaS usage to save on license costs
• Identifying functionality gaps in your SaaS portfolio
  

In our 2021 State of SaaSOps report, 69% of IT professionals were concerned about unsanctioned apps creating security risks. This is why it is important that an SMP be able to mitigate security risks and protect sensitive data. To improve data security, we recommend using an SMP to:

• Set up real-time alerts to notify you when employees log in to risky apps
• Automatically log employees out of risky apps

Step 2: Automate everyday SaaS management tasks, especially user lifecycle management

User lifecycle management (ULM) is the practice of onboarding, offboarding, and managing user accounts on a day-to-day basis. This includes managing mid-lifecycle changes (e.g., an employee changing roles), resetting passwords, updating profile information, and so on. If managing these processes sounds like a lot of tedious, manual work, it is! 

In a recent survey, we found that offboarding one user takes an average of 7 hours of staff time. A whopping 82% of respondents said they spend at least 20% of their work week (i.e., an entire day) working on repetitive tasks.

To make IT’s job far less tedious and time-consuming, we recommend using an SMP to automate as much as they can. To get automation up and running as fast as possible, it is important that your SMP includes a no-code workflow builder. No-code builders should make it easy enough that anyone in your IT team can update and manage automated workflows. 

We recommend the following steps to get started with automation:

1. Start with the library of pre-built templates to make sure you’re following best practices for the process you want to automate
2. Customize each workflow to meet the specific needs of your company
3. Regularly update your workflows when new apps are added to your portfolio

When you have mastered the basics of workflow management, you can move towards a zero-touch IT model. Here are just two of the many ways you can save even more time with your SMP through automation.

1. Leverage custom triggers to create workflows that can start in another business unit, such as HR. (For example, when someone is given a start date in an HRIS, it automatically kicks off an onboarding workflow in your SMP.)
2. Create self-service IT portals where users can request SaaS app access through a form or ticket, and a workflow kicks off that automatically adds them.

Step 3: Mitigate data security risks and protect sensitive data

Let’s just be honest for a moment. The use of SaaS, especially across 100 or more apps, has been amazing for productivity and collaboration, and awful for data security.

In 2021, SaaS file security violations have spiked 134%, and the number of files containing PII has grown 1944% year over year. 

Over half (55%) of IT professionals say the biggest security concern is not knowing where sensitive data exists. It’s not just the apps themselves that are the biggest threats—72% of IT pros feel that the well-meaning but negligent user poses the greatest risk for data loss.

To mitigate these data security risks (and sleep better at night) we recommend using an SMP to:

1. Automate file security: An SMP can be set up to immediately notify you when a document has been shared publicly, or with a user outside your organization. That alert can also kick off a workflow that automatically unshares the file and notifies IT and the user.
   
2. Implement and automate a least privilege access model: Implementing least privilege is a best practice for any organization. If any users have been granted super admin access, and the number of users exceeds your threshold, an SMP can automatically revoke those excessive privileges. Additionally, an SMP should provide the granularity of permissioning most SaaS applications do not offer natively.
   
3. Locate and protect sensitive data: When you first get started, you should use your SMP to perform a one-time search of all files in your SaaS portfolio that contain sensitive data. You can then take action to protect those files if needed by unsharing them or reaching out to the file’s creator. After the initial scan, you can automate “go-forward” policies that alert you immediately when sensitive data is exposed, and even take action to properly secure the file.
   
4. Create and enforce IT security policies: An SMP should provide the tools you need to create and enforce your IT security policies, such as timely offboarding and sensitive data protection. With lifetime log retention, your SMP can help you prove you followed your policies, as well as investigate past incidents.

With the astronomical rise of SaaS adoption in recent years, SaaS management is becoming an increasingly important area for IT. The pace of work is too fast, and the stakes are too high, to keep manually managing SaaS tools. To tackle these new challenges, IT must turn to centralizing and automating their SaaS operations. With a fully featured SaaS management solution, IT can finally manage their SaaS portfolio more effectively—and regain control over their SaaS environment.

To learn more about how BetterCloud can help you discover, manage, and secure your SaaS environment, request a demo.