Taming Application Sprawl

Written by Mark Evilsizor
From his column Tech

We are living in an era of amazing capabilities for software applications. If you can imagine something you wish your phone or PC or website could do, most assuredly someone has created a tool to make it happen—from piano lessons to test-to-donate pathways to self-service scheduling of appointments with staff.

Applications such as these are licensed on a subscription basis, centrally hosted, and accessed via your browser (Chrome, Edge, Firefox, Safari), as opposed to downloaded and installed software. This is called “Software as a Service” (SaaS). Many SaaS offerings can be set up in 30 minutes or less and may have a free tier with limited functionality before upgrading to more feature rich paid levels. The upshot of this is that an organization may find itself with multiple subscriptions to the same or similar services. The greater problem is that such applications may make sensitive data more vulnerable than preferred. Let’s look at some good practices for taming the sprawl of applications and data.

As discussed in a previous article, one of the best first steps to making improvements is to assess the current state by taking an inventory. I recommend talking with each staff person and lead volunteer and making a list of any SaaS programs they are using to accomplish their goals. Find out who is administering the system, the cost, and what information is stored in it. You may also want to speak with someone in accounting to determine if there are multiple subscriptions for these services. You may discover services running on autopilot which are no longer being used.

It’s a good idea to immediately delete accounts of former staff and volunteers.

Once you have the list, look for redundancies and cost savings. If the children and teens departments each have their own paid subscription to SurveyMonkey, you can reduce costs and gain helpful features by upgrading to a single organizational account with team features.

Another value of reducing redundancies is to make life easier for those who interact with your organization. If your church is operating several text-to-donate systems, constituents may resist having multiple instances of credit card data on-file. Using a central account could simplify their experience and increase trust as well as engagement. Lastly, check to see if you are receiving non-profit pricing, which many SaaS companies offer.

One of the foundational principles of a strong security posture is that of least privilege. In essence, those who need access to your organization’s systems and services are given the least privileges needed to carry out responsibilities given to them. It's not a slight or sign of distrust, it's prudent management. If a person’s credentials are compromised, following this principle limits the scope of damage that can be done. Now that you have the SaaS list, do a further inventory by checking to see who has access to each system.

Some SaaS companies enable multiple user logins for an organization. In such cases you can readily see who has access and the level. It’s a good idea to immediately delete accounts of former staff and volunteers. The next step is to take time to better understand the privilege levels for the system. With this information you can engage in a friendly conversation with those who have access to reduce the levels to the least privilege needed.

Some SaaS vendors at your subscription tier may only provide single-user sign-in. For security purposes this is less desirable as it requires sharing a username and password among multiple people. With this type of system it is difficult to know who has access to data and the actions that each person has taken. The only way to revoke access to this type of SaaS system is to change the password and provide it to those who currently need access. If you are taking inventory for the first time in a few years and those who use it are not sure if the password has been changed recently (or ever), and are not sure who is using this service, I recommend changing it. You will quickly learn who is using the service and be able to track it.

To keep SaaS usage safe and effective you would do well to create written on- and off-boarding procedures for staff and key volunteers. A part of these procedures should be a list of all SaaS systems your organization uses. When someone joins, the list will help determine the systems to which they need access. When someone leaves, the list will show what access needs to be revoked. If you use a password keeper, it can be a good place to record which staff have been given access to particular systems. Among other things, this can help prevent former staff from being able to post updates to your organization’s website or Facebook presence.

Following these practices can improve effectiveness and reduce the cost of SaaS subscriptions your organization uses. They'll also help reduce the risk of damage to your organization’s reputation and help keep your constituent’s information secure.

Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Opinions expressed are his own.