Letting the line of business get a SaaS application is like giving your kids a puppy for Christmas.
Hopefully, the new pet will provide a maturing experience, in which your youngsters learn how to care for and manage something that requires constant and specific attention. But all too often, the kids fail to clean up after the new dog, and sometimes it ends up stuck in a cage all day, instead of doing what a puppy needs to do to mature into a useful and happy canine adult.
When it comes to externally provisioned applications, IT increasingly needs to be the dog trainer. We can help departments figure out just what breed of dog they need, ensuring that the temperament and intelligence will be appropriate, and the level of hair shedding will be anticipated. IT can provide business units with Obedience School, teaching the happy new SaaS owner how to properly work with their new family member, while ensuring that the puppy is properly configured.
Sometimes the corporate department ends up with a pit bull of an application. This breed of dog is reportedly quite sweet and loyal to the owners, but if an untrained and undisciplined one is accused of biting one of the neighbors, and an auditor or regulatory agency shows up to find out if this new cloud is safe, how likely are they to conclude that the acquisition was a prudent business decision?
The ongoing concern about cloud ‘security’ is distracting from what is ultimately the more significant concern: “how are you going to ensure that your employees make appropriate, safe and secure use of applications that you are not running in house?” The biggest ‘security’ problem isn’t that SaaS vendors are being hacked, it’s that your users are putting sensitive data into SaaS without recognizing that they need to control access and usage. It’s time for the cloud risk community to evolve beyond superficial concepts of ‘cloud security’ and start strategizing ‘cloud governance’ approaches. SaaS-using organizations that are concerned about SaaS ‘security’ should be developing policies on SaaS ownership and responsibility.
Public cloud computing is here to stay, and our research indicates double-digit growth for the next few years. It’s time for the enterprise IT department to evolve beyond a yes/no response to questions about SaaS usage (and especially beyond the don’t ask/don’t tell cop-out). IT professionals need to help the rest of the organization make productive use of cloud computing, and ensure that all SaaS is properly house-trained. A virtual enterprise of complementary and integrated external applications won’t just fall into place. It needs to be explicitly planned and controlled.
The new Gartner research Developing Your SaaS Governance Framework provides a complete outline for a lifecycle approach to the care and feeding, and when the time comes, ‘decommissioning’ of the SaaS animal. It’s time to become strategic about SaaS.