Life is full of choices. We constantly gauge the cost of tradeoffs to evaluate if the benefits of our decisions will be worthwhile. That struggle even applies when choosing an IT governance solution. Not only do the features of differing tools need to be evaluated, but deciding between cloud-based governance and on-premises governance solutions throws in yet another set of factors to consider.
In this blog post, we will focus on the latter decision and go over the pros and cons of a multi-tenant cloud-based SaaS governance tool. Let’s start with the benefits.
Common Cloud Efficiencies
As with using cloud technologies to solve other IT challenges, the same kinds of efficiencies apply to governance tools.
The amount of setup needed depends on the tool chosen. Many cloud-based governance platforms do not require any onsite infrastructure. However, in some cases, minimal on-prem infrastructure might still be required. This infrastructure, typically a few virtual servers and associated networking, is needed as a gateway to allow secure communication between your IT resources and the cloud governance system. In either case, configuration is pretty simple and a majority of it can be done right in the UI. Ultimately, fewer IT experts need to be involved in the setup, greatly reducing the effort, coordination, and time needed to get up and running. This also makes go-live much less stressful.
Besides reducing costs related to all of the on-site infrastructure and resources needed for a monolithic solution, another financial benefit of cloud-based IT governance is the option to select between different suites or bundles of features. Some vendors provide the ability to purchase only a subset of features versus paying for an all-in-one product if you don’t need everything. Licensing costs can be a bit more straightforward as well. In many cases licensing follows the number of users managed in the system – very beneficial to smaller organizations.
With microservice architecture, you can significantly increase system performance and also gain the benefit of every feature or security enhancement as soon as it is available. Microservices architecture also provides the ability to automatically scale each service independently and elastically, in both directions. Built-in safety during upgrades is another great benefit – changes to individual microservices are contained, and only affect the functionality provided by that particular microservice. This limits the risk of unintentional effects on other parts of the system. There is no contest when you compare these features with the amount of coordinated effort needed to patch, update, and scale monolithic software. Additionally, these microservices are completely managed by the vendor, so these benefits are all provided without overhead to your organization.
The built-in security features are another major benefit of a cloud-based SaaS governance platform. Features such as having multiple layers of encryption, strong authentication, and the ability to seamlessly integrate with systems that offer federation using SAML are typically standard. On top of that, some SaaS governance tools are hosted on the Amazon Web Services (AWS) cloud platform. So, all of the additional security AWS provides with their services is yet another layer of protection.
The benefits listed above help companies of any size gain powerful governance capabilities without having to demolish the bottom line. In the recent past, governance tools were mostly feasible only for larger enterprises with the budget to afford a huge IT staff, expertise, and all the infrastructure needed to implement an on-prem solution. Previously, small and medium-sized businesses (SMBs) could find themselves left out. However, cloud-based SaaS governance options have changed that. In fact, according to an analysis by Fortune Business Insights, there has been a recent rise in cloud-based IAM adoption among SMBs. More than ever before, organizations of any size can implement a governance solution that can handle compliance needs, and quickly reap the additional benefits that a governance solution offers.
Considering the Tradeoffs
Here come some of the tradeoffs to mull over in your final decision. This list will seem a bit longer than what was listed above for benefits, but don’t let that fool you. It is simply a list of things to consider, and some may not even apply to your situation.
It is always beneficial when a business can be flexible and change practices to match software capabilities, but experience shows that is only wishful thinking. With a cloud-based SaaS governance tool, it is obvious that we have to give up the near-complete ability to customize the solution to accommodate every business requirement. However, if a requirement needs something more than what a normal configuration can offer, there still might be ways to make it happen – at the price of a tradeoff.
One of the tradeoffs might include the need to coordinate with the vendor to apply an allowed special cloud-level configuration that is assigned specifically to your tenant. This is usually not a problem unless the change has to be turned around promptly. Keep in mind that not all vendors will allow this type of extensibility.
A second consideration is the skill set needed to perform the customization. If the system allows extensibility from dedicated triggers or plugin points to something like AWS Lambda, this might be too complicated for a typical administrator. Specialized staff or consulting may be necessary to put these types of changes in place.
One last thing to mention for this category is that the provided APIs can be somewhat limited in capability. Don’t expect APIs to be made available for everything the software can do.
On multi-tenant SaaS platforms, there are often limitations put in place on individual tenants to keep processing from getting too large and potentially causing conflicts. Be sure to review and understand if there are thresholds, such as the number of resources allowed per identity, the number of roles and entitlements allowed systemwide, etc. Larger companies can potentially reach these limitations. Just know what they are beforehand, whether or not they are elastic, and if there might be financial considerations to changing the limits.
Automatic Updates and Processing
Remember the benefit I described where updates get automatically pushed out? Sometimes that can have very minor consequences. Occasional UI changes might be applied where an entire admin form might change, or other items move from one location to another. In other rare cases, previously existing functionality can even be removed. These changes can confuse administrators and/or end-users – especially if they require documented steps to do their work. As I mentioned, most of these changes are minor but be aware that changes do occur.
Giving up some control over scheduled system processes is another area that can have impacts. There are usually a few system processes that the vendor will maintain and control, so planning around these processes may be required. For example, with SailPoint’s SaaS platform, IdentityNow, the documentation mentions special considerations about the effects on the accuracy of access items when generating a certification campaign during the Data Refresh process. As with everything else, just knowing when these processes are scheduled is probably enough to avoid any problems that could happen.
I have also found when working with cloud-based SaaS governance products that there is a need to rely on support for a few things that don’t require assistance when using an on-prem solution. The first was already mentioned above – requiring support approval and implementation when applying special configuration at the cloud level. The only drawback here is it takes a bit more time to get the changes in place on somebody else’s schedule. Secondly, troubleshooting issues can be a bit more challenging without access and visibility to the cloud logs. Once in a while there is a reliance on the support team to troubleshoot issues on the cloud side, even if the issue is caused by something that is user-configurable. Finally, not having direct access to a database to be able to see the data and how things work can add difficulty. This leads to the next category.
Because there is no direct database access, reporting and pulling information from the system takes on a new challenge. Most cloud-based SaaS governance tools will offer some basic built-in reporting and search features. However, these options are typically limited to very common use cases. Provided APIs can be used to perform a deeper search if there is a need for something more specific. Hopefully a combination of the provided options will be enough. In any case, expect the search capabilities to be proprietary and not a common standard like SQL. An admin may need some time to get accustomed to them.
Migration of Configuration Between Environments
While still worth noting, this last topic is not as big of an issue any longer since most of today’s tools offer some mechanism to migrate configuration from one cloud environment to another. It wasn’t too long ago that rebuilding objects manually was the standard practice to get something into another environment. Today, APIs and sometimes simple programs can be used to easily move objects as needed. As mentioned, there are a couple of things to note. Admins who do this work will need to have knowledge of how to use the APIs, including some basic understanding of JSON or XML. In some instances, having the ability to run and modify small programs (Ruby, PowerShell, etc.) will be necessary as well. Also, keeping track of parameters that need to change between environments (hostnames, ports, etc.) is still important.
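The parameter tracking described above can be checked mechanically before an object is imported into the target tenant. The Ruby sketch below is an added example, not code from this post or from any vendor: the exported object, its field names, the hostnames, and the `sandbox` marker are all constructed for illustration. It rewrites mapped values and reports any value that still points at the source environment.

```ruby
require "json"

# Constructed sample: an object exported from a sandbox tenant.
# Field names and hosts are hypothetical, not any vendor's schema.
EXPORTED = <<~EXPORT
  {
    "name": "HR Directory",
    "connection": {
      "host": "ldap.sandbox.example.internal",
      "port": 1636,
      "url": "ldaps://ldap.sandbox.example.internal:1636/dc=example"
    },
    "gateways": ["gw1.sandbox.example.internal", "gw2.sandbox.example.internal"]
  }
EXPORT

# Per-environment parameter map: source value => target value.
PARAM_MAP = {
  "ldap.sandbox.example.internal" => "ldap.prod.example.internal",
  "gw1.sandbox.example.internal"  => "gw1.prod.example.internal",
  ":1636" => ":636",   # port embedded in a URL string
  1636    => 636       # port stored as a JSON number
}.freeze

# Walk the parsed JSON and apply the map to every scalar value.
def rewrite(node, map)
  case node
  when Hash   then node.transform_values { |v| rewrite(v, map) }
  when Array  then node.map { |v| rewrite(v, map) }
  when String then map.reduce(node) { |s, (from, to)| from.is_a?(String) ? s.gsub(from, to) : s }
  else map.fetch(node, node)
  end
end

# Return the paths of string values that still mention the source environment.
def leftovers(node, marker, path = "$")
  case node
  when Hash   then node.flat_map { |k, v| leftovers(v, marker, "#{path}.#{k}") }
  when Array  then node.each_with_index.flat_map { |v, i| leftovers(v, marker, "#{path}[#{i}]") }
  when String then node.include?(marker) ? [path] : []
  else []
  end
end

# Rewrite an export and list anything the parameter map missed.
def migrate(json_text, map, marker)
  migrated = rewrite(JSON.parse(json_text), map)
  [migrated, leftovers(migrated, marker)]
end
```

With the sample above, `migrate(EXPORTED, PARAM_MAP, "sandbox")` flags `$.gateways[1]`, the one gateway that was left out of the map, so the import can be stopped before production is pointed at a sandbox host.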
Cloud technology has really changed the game for IT governance. Cloud-based governance solutions truly allow you to spend more time using the software and not having to worry about applying upgrades and performing maintenance tasks. Having built-in security features and auto-scaling capabilities takes it to another level of convenience. While not every solution is perfect or frustration-free, most inconveniences probably have a workaround. Knowing what these shortcomings affect and how they might impact your specific implementation can go a long way to help make the right choice.
Zirous Can Help
Which IT governance solution is right for your business? The answer depends on several factors unique to your company, including the size of your organization, the type of applications you use, and your security requirements.
If you are unsure which solution is right for you, contact Zirous! Our governance experts would be happy to help you navigate all the challenges and find the best solution that fits your needs. Let us know how we can help.