4Matt Technology

SaaS Inventory and Discovery

Good old software discovery

Discovering and inventorying all the software installed in a company's on-premises environment is a chore in itself. But at least we know how and where to look, and the methods are more or less clear in most cases. There are desktops and servers, the easy part. Then there are mobile devices that make our task a little more complicated, but the concept is still easy to understand – it's all about discovering installed software and integrating multiple data sources. So imagine SaaS discovery and inventory management, how to do it?

But life would be boring without challenges, and to make up for that, we have BYOD (“Bring-Your-Own-Device” or for others “Bring-Your-Own-Disater”), which is now exacerbated by the increased use of related software to COVID in Home Office.

If there is software on my home computer that I use to do my job, it, in most cases, must be licensed to the company I work for, and the use license must allow for commercial use.

So how about installing the company's software inventory agent on my own device? That won't happen, sorry. This is an example of when tools aren't enough, and software usage and BYOD policies come to play, and let's expect all employees to strictly adhere to them. And how do you monitor this?

Still, it's mostly just a read on installed software. It's there as a binary image or running in RAM. It's there on servers, desktops, laptops, tablets and phones.

Discovery of SaaS subscriptions?

SaaS rarely comes with its own licensing model. And when that happens, the app's presence on the devices doesn't necessarily mean there's a corresponding subscription.

In SaaS discovery and inventory, we're looking for what a former colleague of mine used to call “cash drains”. Where does our money go to? What subscriptions are we paying for? Who are the users?

There are two ways to reach our goal. One of them is through the analysis of the online activity employees, such as their access. The other is through discovering all SaaS-related payments  (ie subscriptions). If you want to see the big picture, both play their critical roles, and neither should be overlooked.

Monitoring of online activities

The inventory tools should at least be able to track all online activity before filtering it out just to classify it and relating it to the SaaS, which is performed in the next step. We need a way to see everything our users visit online. Discovery scope is not limited to HTTP(S). There may be SaaS applications that also use SSH, SFTP and other protocols.

Early attempts at SaaS discovery and inventory used to focus on devices only through browser plugins. Two well-known tool vendors offered solutions that used a Chrome browser plugin as the core. The limitations are so obvious, I don't know if I have to explain them, but here goes. Firstly, you would have to restrict all your users to just Chrome, across all platforms, which is probably Windows and OSX, and maybe Linux(s). This would require revoking a ton of user rights so that they are not able to install or run other browsers, remove or disable Chrome plugins, use Incognito mode, etc.

There are also apps that connect directly to SaaS services. These also cannot be monitored by a Chrome plugin, or simple SaaS discovery and inventory tools.

Device-based monitoring of clients such as desktops and laptops should not be completely removed from the agenda, let alone Software Asset Management projects SAM. It is a valuable piece of the entire puzzle. So what can we do? Monitoring should be done transparently to the user and independently of the browsers or applications in use, preferably at the protocol level. It would be in the form of a local proxy, or some IP listening - I'll leave that to the techs. One thing to remember, the issue of revoking administrative rights still stands today. A user with elevated privileges can disable virtually anything on their device.

Going back inside the organization, there are other devices where tracking is virtually impossible: Smart devices and thin clients. With thin clients, whether they connect to a remote desktop solution within the company or in the cloud, or say, in the Microsoft Azure, activity monitoring can be performed locally by agents installed on the remote desktop solution, using good software asset management practices.

Smart devices are harder to track, and I personally don't know of any solution that can monitor all online activity on an iOS or Android device.”

It doesn't mean they don't exist. It just means I need to do my homework. And if such a solution is found, it will obviously be restricted to devices managed by the organization. Can you force your users to install tracking on their personal devices used for work? Probably. That depends. How do you define “use for work”, and where does it start and end?

Inside the company, we could drop all of that, and instead implement a Chinese-style proxy wall that spying on all traffic. But we will have to deal with encrypted connections somehow. HTTPS always hides URLs (ie calls from SaaS apps). In most cases, it even hides server names. The latter is changing with the extension HTTPS SNI  being deployed everywhere, but it cannot be guaranteed that all SaaS providers will require and therefore enable the SNI. An injection form can be used man-in-the-middle  on the proxy, although legal implications of this must be considered, as well as that SaaS providers can detect it and alert the user, or even disable access to servers altogether.

As I was typing this article, a friend of mine intervened with “you can monitor activity through the admin consoles or SaaS APIs”. And I had to remind you that before monitoring who and  like someone uses a SaaS subscription, you need to know the what  to monitor. We're still talking about the stage of discovery, remember?

With the entire workforce now being forced to work from home, albeit temporarily, most SaaS connections take place outside the enterprise perimeter, without any control.

So how do we detect this? Implementation can be daunting, but the idea itself is simple…

Follow The Money

If there is a SaaS subscription, someone will have to pay for it, and that someone is you, that is, your organization. I assume that if you're thinking about SaaS discovery and management, it was driven by a demand to optimize expenses.

The problem with SaaS is that it's not an IT service, at least not in the traditional way. Individuals, departments and outsourced companies do not necessarily have to go to the IT department to get it. SaaS, in this respect, has surpassed all the YOU “traditional” in volume; it became shadow IT or shadow IT itself.

But the money is still taken from the same pocket: from the organization.

The hurdle to be overcome here is the quality of expense tracking. Consider tightening control over expense reports and outsourced (outsourced) accounts. SaaS can be intentionally or unintentionally hidden behind generic words like “Cloud expense”, “IT expense”, even travel expense (I've seen it myself), incorporated in the general services bill, etc.

Without standardizing policy-based expense reporting, this type of tracking would be impossible to automate. But that doesn't mean you can't do it. When there is a will, there is a way. If cost optimization is one of the executives' goals, use their power to help you solve it.

How to select a tool discovery and SaaS inventory

When selecting a tool, or rather SaaS discovery and inventory tools, I would advise not to look for a silver bullet solution. Think of all SaaS discovery as a puzzle, and tools and policies as its pieces.

If the existing tool can only do Chrome plugin-based monitoring, there's no reason not to use it. If there's a salesperson knocking on your door with a smart device tracking solution, they may have brought another piece of the puzzle. Now all you need to do is integrate them.

But even before that, please step back and think about…


Think about why you are doing this in the first place. What are your goals, metrics, goals? Who are your best allies in the organization? Who is an executive that is most interested? I bet someone will be responsible for optimizing the overall budget.

And if you haven't started your SaaS management software journey yet, and if you somehow value my advice, I suggest starting with the answer to just one question: "How much does SaaS represent in the organization's expenses?"

Tag: saas software, enterprise management, network inventory, user experience, management solution, it assets, corporate strategy, fixed assets, measurement units, management software, customer service, active directory, erp online, chain of supplies, technical support, remote support, databases, cost center, file transfer, lifetime, resource center, social responsibility, bar code, saas-based, device tracking, mobile devices



Related Posts