Companies are continuously faced with balancing SaaS applications’ advantages–productivity gains and lower costs–and significant compliance and security concerns.
There’s a growing consensus among MSPs that they need to help their clients achieve this balance by enforcing their SaaS ecosystem policies.
The end goal is to ensure secure and compliant access to only the web applications and resources required for each clients’ employees roles.
Most MSPs fail because defining organizational policy is ineffective unless it can be enforced across an entire organization.
A key aspect of enforcing SaaS applications’ policies is to ensure that you fully understand the existing SaaS processes and tools.
This gets more difficult as your client’s SaaS portfolio increases–you face a corresponding need to maintain and enforce policy across a broader array of resources and subscriptions.
As this happens, your policy enforcement processes’ scope needs to expand to ensure consistent policy adherence and fast violation detection.
See What Current Policy Exists
Your clients may have some informal policy in place. Gather information on what those policies are by starting with department heads. (Hint: It’s much easier to build on existing policies than bringing in brand new ones.)
Define Your New Policy
Once you’ve investigated what existing policy exists, you’ll want to decide how strict your new policy should be.
For example, some financial institutions only allow their employees to share files with their domain email addresses.
However, if you come out too severe, you may end up encouraging workers to make end runs around the policy, or worse, discouraging innovation.
If it’s too lax, you’ll maintain the status quo and further your clients’ loss of control over security, wasted budget, and transparency.
The policies depend on the type of data at hand, company type, and industry, so it’s hard to provide sweeping advice here.
A good framework is to start with the types of actions you absolutely need to avoid. If your client is a hospital, you absolutely need to avoid the sharing of protected health information. Working back from there should help solidify an early version of a policy.
Identify the Current Apps In Use
The industry has shifted from traditional homogeneous environments based on a single vendor to heterogeneous environments with various best-in-breed SaaS solutions.
That’s why a critical step in creating and enforcing a SaaS policy includes the ability to see all the applications in your clients’ network.
With Augmentt Discover, we automate that process for you using an advanced log file analysis framework. We then provide you with actionable data in the areas of finance, security, and productivity.
Get Your Clients’ Buy-In
Rules are easily broken, so you need to get your clients’ buy-in across the entire organization.
While IT is likely to be fully on board, the marketing and sales likely don’t much care what the Director of IT demands, and have their bad habits ingrained. So you need to ensure that you get their leaders to buy into the policy too.
Automate Policy Enforcement Where Possible
You may have a policy about onboarding and offboarding employees, but you know for sure that it’s being followed if you can automate it. That’s where automation comes in.
When provisioning is automated, employees get the tools they need as soon as they join the company. Companies also want to reduce possible security risks by deprovisioning users from all cloud apps when they leave the company.
SaaS scripting is all about enforcing policies efficiently and cost-effectively.
The Wrap on Enforcing SaaS Application Policies
It’s essential to ask around in your clients’ organization and see what foundation you have to build on. From there, you’ll want to make sure that the policy fits your business and that it’s not too strict or lenient. Finally, you’ll want to get the entire organization on board.