
SaaS Sprawl: Consequences & A Real-World Study

November 2, 2021

The Rise and Proliferation of SaaS

The shift towards SaaS (Software as a Service) originated in 1999 with the establishment of Salesforce.com by Marc Benioff. Following substantial growth, Salesforce became a publicly traded company in 2004, having reached $96 million in yearly sales.

Sixteen years later, in 2020, Salesforce’s revenues had climbed to $17.1 billion, leading to its inclusion in the Dow Jones Industrial Average. Today, SaaS is no longer considered a disruptive innovation; it’s a core element of IT infrastructure for organizations globally.

Understanding SaaS Sprawl

The widespread adoption of SaaS has naturally resulted in what is known as SaaS sprawl. An examination of Okta’s 2020 customer data showed that businesses with 2,000+ employees utilized an average of 175 SaaS applications.

A comparable study by Blissfully in 2019 revealed that companies employing over 1,000 people averaged 288 SaaS apps. Furthermore, Productiv’s 2021 SaaS Management survey found that two-thirds of participating companies used 100 or more SaaS applications.

These figures demonstrate that SaaS applications have become a significant and widespread part of the digital infrastructure of modern businesses.

The Complexity Beyond App Count

The numbers previously mentioned don't fully represent the extent of SaaS sprawl. Definitions of what constitutes a SaaS application can differ between organizations.

These definitions often encompass a diverse range of tools, including personal productivity software, core business applications, data services, collaboration platforms, and security solutions, as well as AI/ML modeling platforms.

The Multiplicative Effect of Users and Permissions

For each SaaS service, multiple user accounts are typically created. These user identities extend beyond full-time employees.

They also include temporary staff, external contractors, service providers, and even automated systems or devices. Access control policies are implemented to regulate user actions within specific IT resources.

Therefore, the number of SaaS applications used by an organization represents only a fraction of the overall administrative challenge created by the proliferation of user identities, accounts, and resource-specific permissions.

A Recent Study on SaaS Sprawl

This article presents the findings of a study conducted earlier in 2021 to highlight the various facets of SaaS sprawl. The data for the study was supplied by Authomize, a cybersecurity firm.

Authomize utilizes artificial intelligence to map the connections between user identities, IT assets, and authorization policies throughout an enterprise. All data used in the study was anonymized to protect privacy.

Research Approach

An initial assessment of the consequences stemming from widespread SaaS application usage was conducted across more than twelve organizations. Ultimately, four were chosen to demonstrate the cascading impacts associated with SaaS implementation.

The organizations detailed in this analysis varied in scale, employing between 700 and 3,000 paid employees (designated hereafter as PEs), a count that covers both full-time and part-time staff on the company's payroll.

These businesses are geographically located in the United States and Europe, and have been operational for between five and twenty-five years.

They have directly experienced the shift towards SaaS solutions. While not exclusively cloud-native entities, SaaS offerings are central to their core, day-to-day business functions.

The companies represent four separate industry sectors: oil and gas, educational technology, financial services, and enterprise software.

For the duration of this article, these four organizations will be collectively known as “the study companies.”

The Wider Implications of SaaS Proliferation

The term “SaaS sprawl” is often understood as simply the quantity of cloud-based Software-as-a-Service (SaaS) applications utilized within an organization. However, this definition fails to capture the full scope of the issue.

Expansion of Services

Across the companies examined in this study, the number of distinct SaaS services identified within their Identity Provider (IdP) databases varied considerably, ranging from 310 to 994. This figure surpasses previously reported SaaS counts and encompasses cloud-based solutions that may not always be categorized as core business applications. The research adopted a comprehensive definition of SaaS, excluding only Infrastructure-as-a-Service (IaaS) providers.

The ratio of unique SaaS services to the number of employees ranged from 1:1 in the smallest organization (700 personnel) to 1:3 in the largest (3,000 personnel). Notably, no direct correlation was found between these ratios and overall company size. A firm with 2,500 personnel exhibited a ratio of 1 service per 8 employees.

Proliferation of Identities

The number of unique identities recorded in the IdP databases of the studied companies ranged from 2,197 to 13,062, exceeding the total number of personnel employed by each organization. These identities encompass not only employees but also external contractors, vendors, managed service providers, partners, and automated processes like software bots and devices.

Again, no relationship was observed between company size and this metric. The ratio of IdP identities to employee headcount was consistently 3:1 in both the smallest and largest companies analyzed. The highest ratio – slightly above 6:1 – was recorded within the 800-personnel firm.

Growth of Accounts

An account grants users access to a SaaS service and the ability to perform specific tasks. It is common for users to have multiple accounts for a single service, each granting different levels of access and functionality. The total number of unique accounts maintained by the study companies ranged from 6,333 to 15,681.

Generally, the number of unique accounts was 10%-30% higher than the number of unique identities. The only exception was the largest company (3,000 personnel), where the number of unique accounts was 30% lower than the number of identities.

In this study, “service account” refers to accounts with elevated privileges: those reserved for SaaS administrators or superusers, and the non-human accounts used by integrations and automation. Because such accounts are typically exempt from interactive MFA and are rarely tied to a single accountable person, IT departments aim to keep them to a minimum. Interestingly, both the largest and smallest companies in the study maintained approximately 840 such accounts. This represented 13% of all accounts in the largest company, but a concerning 38% in the smallest.

Expansion of Policy Assignments

Assets are IT resources – such as application components, data structures, or document files – that users can access, modify, or share. Users interact with assets through their accounts. Policies define a user’s access rights to specific assets and the actions they can perform once access is granted. The number of policy assignments governing asset usage within the study companies ranged from 38,746 to 1,676,774.

It’s important to note that policy assignments represent unique connections between policies, user accounts, and IT assets, rather than the total number of unique policies maintained.

The highest number of policy assignments was observed within the 2,500-personnel software company, while the lowest was found within the 700-personnel edtech company. However, no clear correlation with company size was apparent. The 800-personnel financial services firm managed 744,849 identity and asset-specific policy assignments, nearly 20 times the number managed by the slightly smaller 700-personnel edtech firm.

Figure 1 demonstrates the potential for misinterpretation when discussing SaaS sprawl. The growth in SaaS services observed by users and frequently cited by industry analysts represents only a small portion of the administrative load created by widespread SaaS adoption. Scaling SaaS usage brings administrative burdens, user experience issues, unexpected costs, and security exposures that can take companies by surprise.

Addressing Security Concerns in SaaS Deployment

The number of organizations analyzed here is too small to support broad generalizations about best practice for large-scale SaaS adoption. Some overarching trends concerning administrative burden and security risk can nevertheless be identified from the sprawl metrics discussed above.

Figure 2 illustrates the four sprawl indexes – services, identities, accounts, and policy assignments – each standardized by the number of Paid Employees (PEs) within the participating organizations. A clear correlation between sprawl characteristics and organizational size isn't immediately visible.

Sprawl Variations Among Companies

However, it's evident that some companies have demonstrated greater success in managing sprawl compared to others. Company C exhibits the largest footprint in the figure, signifying the most extensive collection of services, identities, accounts, and policies relative to its employee base.

Conversely, Company A has contained sprawl on every index despite having more than three times Company C's headcount.

Furthermore, Company D shows considerably more restrained account creation and policy distribution than Company B, even though D’s workforce is three times larger. This suggests that more robust provisioning processes may be in place within larger enterprises – a point deserving further investigation.

Using Sprawl Metrics for Evaluation

Other organizations could utilize this type of visualization to assess their own performance in mitigating the administrative and security implications of SaaS expansion. Establishing target ratios for future sprawl reduction could also be informed by this summary data.

The sprawl metrics in Figure 2 were normalized to PE headcount to account for company size, on the assumption that larger organizations naturally have more services, identities, accounts, and policies. These averages can mask how unevenly access is distributed, however.

For instance, the ratio of unique SaaS accounts to PEs ranges from 2.1 to 8.4 in Figure 2, yet many employees within these companies hold far more accounts than the average implies.

Distribution of Policies and Accounts

Policy assignments are often concentrated in a small group of individuals. Within Company C, 70% of all policy assignments are held by only 25% of its PEs. How accounts and policy assignments are distributed across a workforce is a direct reflection of how thorough and consistent its provisioning and deprovisioning procedures are.

Periodic access reviews of these distributions, in which each holder's accounts and assignments are recertified or revoked, are what keep that concentration visible and under control.

It’s important to remember that this study focused solely on SaaS services. The challenges outlined here would be amplified if Infrastructure as a Service (IaaS) services, accounts, and policies were included in the analysis.

Understanding the Consequences and Potential Solutions

IT organizations have invested significant resources in automating the provisioning of Software-as-a-Service (SaaS) applications. This includes delegating provisioning to business teams and, in certain cases, offering end users self-service options.

The primary goal of these efforts has been to reduce disruption to business operations and inconvenience to users. However, provisioning is usually automated far more thoroughly than deprovisioning, so these same efforts contribute to the accumulation of unused or redundant SaaS instances and accounts.

This research examined the widespread issue of SaaS sprawl across entire portfolios of services utilized by businesses. Focused investigations could also be conducted, concentrating specifically on services, accounts, and policies that manage intellectual property (IP) or personally identifiable information (PII).

Controlling the expansion of SaaS-related risks involving proprietary data or sensitive information may be more critical than simply limiting the overall growth of accounts and policies within a single organization.

Certain users may hold a disproportionately large share of services, accounts, and policy assignments, or access to a greater share of the resources that handle IP or PII. Stronger authentication controls should apply to these individuals' logins.

Individuals with substantial access to IT resources should be required to complete strong multi-factor authentication at initial login, and should be prompted for step-up or continuous authentication during prolonged work sessions.

Security awareness training should be tailored to educate those with extensive authorization policies about the risks associated with the potential misuse of their credentials.
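The script below is an added example, not code from the article or from Authomize. It shows how the figures discussed above (the four per-PE sprawl indexes of Figure 2, the share of policy assignments held by the top 25% of identities, the share of accounts holding an elevated policy) can be computed from a per-assignment export, and how the top group becomes the candidate list for step-up authentication. The data, the column layout, the identity-type labels, and the use of the policy name "admin" as the marker of elevated access are all assumptions made for the example.

```python
"""Sprawl metrics computed from a constructed IdP/IGA export.

Added example, not code from the original article or from Authomize.
Each input row is one policy assignment: which identity, through which
account, on which SaaS service, holds which policy on which asset.
"""
from collections import Counter
from math import ceil

# Constructed sample data (not study data). Identity types follow the
# article: employees, contractors and non-human identities such as bots.
IDENTITY_TYPES = {
    "alice": "employee", "bob": "employee", "carol": "employee",
    "eve": "employee", "dan": "contractor", "ci-bot": "bot",
}

# (identity, account, service, asset, policy)
ASSIGNMENTS = [
    ("alice",  "alice@crm",      "crm",  "opportunities", "editor"),
    ("alice",  "alice@crm",      "crm",  "reports",       "viewer"),
    ("alice",  "alice@hr",       "hr",   "payroll",       "admin"),
    ("alice",  "alice@hr",       "hr",   "people",        "viewer"),
    ("alice",  "alice@chat",     "chat", "channels",      "member"),
    ("alice",  "alice@ci-admin", "ci",   "pipelines",     "admin"),
    ("bob",    "bob@crm",        "crm",  "opportunities", "viewer"),
    ("bob",    "bob@chat",       "chat", "channels",      "member"),
    ("carol",  "carol@hr",       "hr",   "people",        "viewer"),
    ("carol",  "carol@chat",     "chat", "channels",      "member"),
    ("dan",    "dan@ci",         "ci",   "pipelines",     "viewer"),
    ("eve",    "eve@chat",       "chat", "channels",      "member"),
    ("ci-bot", "ci-bot@ci",      "ci",   "pipelines",     "admin"),
    ("ci-bot", "ci-bot@ci",      "ci",   "artifacts",     "writer"),
    ("ci-bot", "ci-bot@crm",     "crm",  "reports",       "api"),
]

# Paid employees on payroll; the article normalises every index by this.
# Supplied separately because PEs are not the same set as IdP identities.
PE_HEADCOUNT = 4

# Assumption: policies with these names confer elevated access.
ADMIN_POLICIES = {"admin"}


def sprawl_indexes(assignments, pe_headcount):
    """The four indexes of Figure 2: distinct services, identities,
    accounts and policy assignments, each per paid employee."""
    services = {row[2] for row in assignments}
    identities = {row[0] for row in assignments}
    accounts = {row[1] for row in assignments}
    return {
        "services_per_pe": len(services) / pe_headcount,
        "identities_per_pe": len(identities) / pe_headcount,
        "accounts_per_pe": len(accounts) / pe_headcount,
        "assignments_per_pe": len(assignments) / pe_headcount,
    }


def assignment_counts(assignments):
    """Policy assignments held by each identity, largest holder first."""
    return Counter(row[0] for row in assignments).most_common()


def top_fraction_share(assignments, fraction=0.25):
    """Share of all policy assignments held by the top `fraction` of
    identities (the article's '70% held by 25%' figure).
    Returns (share, identities_in_top_group)."""
    ranked = assignment_counts(assignments)
    k = max(1, ceil(fraction * len(ranked)))
    top = ranked[:k]
    share = sum(n for _, n in top) / len(assignments)
    return share, [name for name, _ in top]


def privileged_account_share(assignments, admin_policies=ADMIN_POLICIES):
    """Fraction of accounts holding at least one elevated policy; the
    article's 13% versus 38% comparison is this ratio."""
    accounts = {row[1] for row in assignments}
    privileged = {row[1] for row in assignments if row[4] in admin_policies}
    return len(privileged) / len(accounts)


def step_up_candidates(assignments, identity_types, fraction=0.25):
    """Identities in the top group by assignment count. Humans get
    step-up authentication; non-human identities cannot answer an MFA
    prompt, so they are returned separately for credential scoping and
    rotation review instead."""
    _, top = top_fraction_share(assignments, fraction)
    humans = [i for i in top if identity_types.get(i) != "bot"]
    bots = [i for i in top if identity_types.get(i) == "bot"]
    return humans, bots


if __name__ == "__main__":
    for name, value in sprawl_indexes(ASSIGNMENTS, PE_HEADCOUNT).items():
        print(f"{name:>20}: {value:.2f}")
    share, top = top_fraction_share(ASSIGNMENTS)
    print(f"top 25% of identities hold {share:.0%} of assignments: {top}")
    print(f"privileged accounts: {privileged_account_share(ASSIGNMENTS):.0%}")
    print("step-up candidates (humans, bots):",
          step_up_candidates(ASSIGNMENTS, IDENTITY_TYPES))
```

On the constructed data the top two identities hold 60% of the assignments, one of them a CI bot; that split is the point of returning humans and bots separately, since a bot in the top group is a case for narrowly scoped, rotated credentials rather than an MFA prompt. Run against a real export, the same functions give the per-PE ratios used in Figure 2 and a recertification list for the access reviews discussed above.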

Vendors offering tools for managing SaaS account and policy assignments to user identities possess valuable insights into the sprawl experienced by their clientele. Some sprawl may be deliberate, some unavoidable, and some entirely unnoticed.

These vendors should create metrics enabling customers to monitor sprawl over time. Crucially, they should also offer the ability to benchmark sprawl profiles against comparable companies within the same industry and geographic location.

Data Acknowledgement

We extend our gratitude to Authomize for generously providing the data utilized in the completion of this study.

  • SaaS Provisioning: Automation efforts often lead to unintended sprawl.
  • IP & PII Focus: Prioritizing control of sensitive data sprawl is vital.
  • User Segmentation: High-access users require stronger authentication.
  • Vendor Role: SaaS management vendors can provide valuable sprawl metrics.