Wake up, IT, and get a grip on SaaS

End-runs around IT may be quick, but they’re not healthy for the company’s overall outlook

By Paul Venezia | InfoWorld, May 13, 2013

From the mainframe days to the client-server model to VoIP phone systems to mobile devices and BYOD, IT has grown to accommodate the needs of the organization. As the workplace became more computerized, IT grew to encompass and manage those new frontiers. Year after year, IT saw nothing but increases in scope.

But today, with the percolation of SaaS vendors, IT is seeing business units heading outside of the IT organization for solutions, for better or for worse. For the very first time, IT is seeing its footprint reduced.


On the face of it, this should make IT’s job easier. Rather than meeting with IT to define the hardware and software requirements to implement a new solution for a business unit, the business manager — or any employee — can drop a credit card number into a SaaS portal and start using a hosted service immediately. IT doesn’t even need to know this is happening.

Everyone would seem to be happier: The business unit gets what it thinks it needs quickly and without running through the IT gauntlet, and IT doesn’t have to build and support systems tasked with running that app. In an ideal world, this is ultimately good for everyone. However, reality has a way of ruining a seemingly good thing.

SaaS and security: An uneasy mix
For starters, there’s the ever-present danger of reliance on a SaaS app vendor that could suddenly shut its doors, causing the loss of untold hours of work and effort, not to mention data. Beyond that, there’s the reliance on the security practices of an unknown entity that is entrusted with sensitive corporate data on a whim.

As an example, it’s not merely possible but probable that a corporate user of a SaaS app will use their corporate email address as the login name. More than likely, they will also use their corporate password to access that service, because users are notoriously loath to come up with different passwords for many services. Those two pieces of information are now stored outside the company, and they could easily be used to gain access to internal corporate resources, whether email accounts or VPN access. Fundamentally, IT can’t do anything about this.

This represents a direct shot to the bow of the IT ship. Where we’ve spent many years and many dollars shoring up our security, providing frameworks and resources to suit internal business needs, it’s never quite good enough or fast enough to compete with hosted solutions that can be pulled into the fray at the drop of a hat.

External vs. internal resources — what’s the difference?
Users generally do not understand the distinction between internal and external resources to begin with, because in many cases they’re functionally identical. Pulling up a browser to access an internal application and pulling up a browser to access an external application amount to exactly the same thing to a casual user. They do not see the distinction, and they frankly don’t care. All they know is that they have a need for a solution, and they believe they have found one that did not require IT’s involvement.

We all know there’s a good reason IT needs to be involved. There are underlying concerns in any application, SaaS or not, that need to be fleshed out, understood, and placed in relation to existing IT resources and policies in order to account for potential problems. There are bottlenecks and incompatibilities that will appear sooner rather than later. They might represent a relatively small bit of planning on the front end, but will require massive effort to remedy on the back end. However, that kind of thinking isn’t on the radar here.

In many organizations, this is partially IT’s fault. Unfortunately, in the minds of many business users, IT is the embodiment of “no.” Getting IT to implement new business apps and frameworks sometimes feels like pulling teeth, and it requires months of meetings, lots of raised eyebrows, and more roadblocks than seem possible. In some organizations, IT’s main goal appears to be to keep everything exactly as it is, change as little as possible, and grudgingly invest time and effort into new endeavors. Luckily, that’s not every IT department, but I’d wager that behind-the-scenes SaaS use is higher in organizations with that intransigent IT mind-set than in organizations with an evolved IT department that plans ahead and can rapidly deploy solutions that will become a functional cog in the machine.

Regardless of how it comes to pass, IT needs to deal with this broadside. While there are many advantages to SaaS, there are also many pitfalls. The space is too new and unstructured to deliver what IT really requires: a framework for codified and centralized authentication, authorization, management, and data pathing that can tie a SaaS app to an enterprise without exposing either to security or functional risks.

Given enough time, we might see such a beast, but in the meantime, it might be a good idea to inspect your edge for the presence of SaaS apps and begin an inquiry into their use. At the very least, we need to know who’s shooting at us before we can begin to respond.
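The closing advice to inspect the edge for SaaS apps, combined with the earlier point about users submitting corporate credentials to outside services, is something a defender can start on with the proxy logs already being collected. The script below is an added example and is not code from the article or from InfoWorld; it assumes a minimal, constructed proxy log format (timestamp, client IP, user, method, URL, status), a hypothetical allow-list of SaaS domains IT has already reviewed, and a hypothetical internal domain suffix. It inventories external hosts that receive login-style POSTs from corporate users, which is the traffic most likely to carry a reused corporate password, and reports which users touched each host and when it was first seen.

```python
"""Inventory unsanctioned SaaS logins seen at the proxy.

Added example, not part of the InfoWorld article. The log format, the
allow-list, and every hostname below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allow-list: SaaS domains IT has reviewed and federated.
SANCTIONED_DOMAINS = {"mail.example.com", "crm-approved.example-saas.com"}

# Hypothetical suffix for hosts that are inside the corporate network.
INTERNAL_SUFFIXES = (".corp.example.com",)

# Coarse heuristic: URL path fragments that usually carry a credential
# submission. Tune for false positives (e.g. "/authors" matches "auth").
LOGIN_PATH_HINTS = ("login", "signin", "sign-in", "session", "auth")

# Constructed log format: ts client_ip user method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample traffic: two unsanctioned services receive logins,
# one internal app and one sanctioned service are ignored, one line is junk.
SAMPLE_LOG = """\
2013-05-13T09:01:12Z 10.1.2.33 alice GET https://intranet.corp.example.com/dashboard 200
2013-05-13T09:02:40Z 10.1.2.33 alice POST https://app.unknown-saas.example.net/login 302
2013-05-13T09:05:03Z 10.1.2.58 bob POST https://app.unknown-saas.example.net/login 302
2013-05-13T09:07:19Z 10.1.2.58 bob GET https://app.unknown-saas.example.net/projects 200
2013-05-13T09:10:00Z 10.1.2.71 carol POST https://mail.example.com/auth 200
2013-05-13T09:12:45Z 10.1.2.71 carol POST https://files.other-vendor.example.org/session 200
this line is malformed and should be skipped
2013-05-13T09:15:30Z 10.1.2.33 alice POST https://files.other-vendor.example.org/api/v1/session 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def is_internal(host):
    """True for hosts under an internal suffix (not 'outside the company')."""
    return host.endswith(INTERNAL_SUFFIXES)


def looks_like_login(method, path):
    """True for a POST whose path suggests a credential submission."""
    lowered = path.lower()
    return method == "POST" and any(hint in lowered for hint in LOGIN_PATH_HINTS)


def find_shadow_logins(lines):
    """Map each unsanctioned external host to the users logging in to it."""
    seen = defaultdict(lambda: {"users": set(), "posts": 0, "first_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the sweep
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        if not host or is_internal(host) or host in SANCTIONED_DOMAINS:
            continue
        if not looks_like_login(rec["method"], parts.path):
            continue
        entry = seen[host]
        entry["users"].add(rec["user"])
        entry["posts"] += 1
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
    # Freeze the sets into sorted lists so the report is stable and printable.
    return {
        host: {"users": sorted(e["users"]), "posts": e["posts"], "first_seen": e["first_seen"]}
        for host, e in seen.items()
    }


if __name__ == "__main__":
    for host, info in sorted(find_shadow_logins(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {info['posts']} login POSTs from {', '.join(info['users'])} "
              f"(first seen {info['first_seen']})")
```

Each host in the report is a candidate for the inquiry the article calls for: who owns the relationship with that vendor, what data is going there, and whether the users involved should be moved onto a federated login or told to rotate a corporate password they may have reused.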