The consequences of SaaS sprawl: A real-world study

The SaaS revolution began in 1999 when Marc Benioff founded Salesforce.com. Salesforce went public in 2004 after achieving $96 million in annual sales. Sixteen years later, it was added to the Dow Jones Industrial Average after reporting revenues of $17.1 billion in fiscal 2020. SaaS is no longer a revolutionary concept. It’s been embraced as a foundational IT building block within companies of all sizes, industries and geographies.

SaaS sprawl is a natural consequence of the SaaS revolution. An analysis of Okta’s 2020 customer database revealed that companies employing 2,000 or more individuals maintained an inventory of 175 SaaS apps on average. A similar survey conducted by Blissfully in 2019 indicated that firms employing more than 1,000 individuals used 288 SaaS apps on average. And finally, two-thirds of the companies included in Productiv’s 2021 SaaS Management survey employed 100 or more SaaS apps.

By any measure, SaaS apps have become a conspicuous and pervasive component of every company’s digital landscape.

The numbers quoted above fail to convey the true sprawl created by widespread SaaS adoption. SaaS definitions vary from one company to the next and may include a combination of personal productivity tools, business applications, data services, collaboration tools, security services, AI/ML modeling platforms, etc.

Users with the greatest exposure to IT resources should be subjected to the strongest authentication procedures upon initial login and additionally be required to respond to step-up or continuous authentication requests during extended work sessions.

Multiple user accounts are established for each SaaS service. User identities are not limited to full-time employees but will inevitably include a wide variety of temporary employees, external contractors and service providers, and even robots or devices. Authorization policies are instituted to control the actions that users can perform within their accounts on specific IT assets. Consequently, the number of SaaS apps employed within an enterprise is just the tip of a bigger administrative iceberg created by the multiplicative sprawl of user identities, accounts and asset-specific policies.

This article reports the results of a study performed earlier this year to illustrate the multiple dimensions of SaaS sprawl. The data employed in this study was provided by Authomize, a security company that employs AI technology to profile relationships between user identities, IT assets and authorization policies across an enterprise. All of the data employed in this study was provided and handled on an anonymized basis.

Methodology

The implications of SaaS sprawl were initially evaluated in over a dozen enterprises. Four were ultimately selected to illustrate the knock-on effects of SaaS adoption. The companies discussed in this article ranged in size from 700 to 3,000 paid employees (subsequently referred to as PEs, which includes both full-time and part-time employees on a company’s payroll).

These companies are based in the U.S. and Europe and were founded five to 25 years ago. They’ve experienced the SaaS revolution firsthand. Although they may not be purely cloud-native firms, SaaS services play a dominant role in supporting their daily business operations. These companies operate in four distinctly different industries: oil and gas, edtech, financial services and enterprise software. Throughout the remainder of this article these four firms will be referred to as “the study companies.”

The knock-on effects of SaaS sprawl

SaaS sprawl is commonly understood to refer to the number of cloud-based SaaS services being employed by an enterprise. In reality, it is a much broader phenomenon.

Service sprawl

The number of unique SaaS services being accessed by the identity provider (IdP) databases within the study companies ranged from 310 to 994. This is significantly higher than the SaaS counts reported in the studies cited above and likely includes cloud-based services that would not be strictly classified as business applications. This study was based on the broadest possible definition of SaaS services, excluding only IaaS vendors.

The ratio of unique SaaS services to employees ranged from 1:1 in the smallest (700 PE) company to 1:3 in the largest (3,000 PE) company. However, these ratios were not correlated with company size. The 2,500 PE firm included in this study had a 1:8 ratio of services to employees.
