The Advantages of Shifting Admin Duties Left:

SaaS applications have undoubtedly transformed how organizations operate, offering unparalleled ease of deployment and reduced maintenance requirements. However, the burden of administrative tasks, such as user management, can strain IT admins and lead to user experience issues. To tackle this challenge, many companies have started shifting admin duties left, empowering end users with more control over their SaaS experience through self-service portals or APIs.

To underscore the significance of this shift, data from leading SaaS providers like Microsoft and Salesforce can provide valuable insights. Microsoft, in its 2020 Digital Defense Report, highlighted that phishing attacks remained one of the top cybersecurity threats, with more than 13 million phishing emails blocked each day by their security solutions. This data demonstrates the importance of empowering end users to manage their security settings, as phishing attacks often exploit human vulnerabilities.

In line with the growing trend of SaaS adoption, BetterCloud’s research indicated that 70% of business applications were SaaS-based. Notably, this number is projected to climb to 85% by 2025. As organizations continue to transition to SaaS, the burden on IT admins for managing user accounts will likely increase. Hence, shifting admin duties left becomes even more critical to alleviate this pressure and optimize efficiency.

The benefits of this shift extend beyond reducing the workload for IT admins. Empowering end users to take charge of their roles and privileges fosters a sense of ownership and accountability. According to a survey by Gartner, companies that implemented a self-service password reset solution reported a 99% reduction in password-related calls to the help desk. This reduction not only enhances user satisfaction but also allows IT teams to focus on more strategic initiatives.

Moreover, the impact of shifting admin duties left can be seen in the realm of cybersecurity. The BetterCloud study reported that 67% of participants admitted to not fully adhering to cybersecurity policies at least once, often citing the need to perform job tasks more effectively. By providing users with the ability to manage their security settings, organizations can foster a stronger security culture and reduce instances of non-compliance.

The Benefits of Shifting User Security Left:

While SaaS applications offer inherent security benefits due to their cloud-based architecture and uniform encryption, they still face security risks like data breaches and unauthorized access. By shifting control of user security policies left, team-level admins and end users gain more flexibility in securing their SaaS accounts and data.

When implementing security policies such as IP blacklists and two-factor authentication (2FA), shifting control left means empowering users to have more influence over these security settings. Instead of rigidly applying one-size-fits-all security measures from a centralized IT team, users are given the flexibility to customize security settings based on their specific needs and risk levels. This user-driven approach considers the context in which users operate, allowing them to make informed decisions that align with their work requirements and risk tolerance.

IP blacklists, for instance, are a security measure that blocks specific IP addresses or ranges from accessing a system or application. When shifted left, users can determine which IPs are allowed or blocked based on their knowledge of legitimate sources and potential threats they encounter in their daily tasks. For example, a developer working remotely may need to add their home IP address to the whitelist to access sensitive development environments securely. This level of control ensures that legitimate access is maintained without unnecessary barriers.

Similarly, two-factor authentication (2FA) adds an extra layer of security by requiring users to provide a second form of verification, typically a code sent to their mobile device, in addition to their password. Shifting control of 2FA left allows users to decide when and where to enable this additional security measure. For instance, they may choose to enable 2FA for accessing sensitive data or performing critical operations, but disable it for routine tasks to streamline their workflow. This user-driven approach strikes a balance between security and usability, as users can tailor their security settings to align with the specific demands of their roles.

Shifting Developer-Facing Services Hard Left:

SaaS users are increasingly developers who consume SaaS as a core component of their applications. APIs (Application Programming Interfaces) play a crucial role in the modern SaaS landscape, enabling seamless integration and customization for developers. They act as bridges that allow different software systems to communicate and interact with each other, facilitating the exchange of data and functionalities.

Developers rely heavily on APIs to access the capabilities and data of various SaaS applications from their own software applications. By leveraging APIs, developers can embed specific SaaS functionalities directly into their applications, creating a more unified and integrated user experience. This integration empowers developers to build robust applications with extended functionalities, without having to reinvent the wheel for each new feature.

One prominent example of the significance of APIs in the SaaS ecosystem is the rise of API-first platforms. These platforms prioritize building APIs before developing the user interface, ensuring that developers have maximum flexibility and control over the SaaS tools they use. Twilio, a communications API provider, is a prime example of this approach, where developers can use their APIs to add communication features like SMS, voice calls, and video chat to their applications easily.

Modern SaaS platforms offer features like custom roles, enterprise SSO standards integration, and multi-tenant hierarchies, allowing developers to have greater control and flexibility over their SaaS interactions. Emphasizing machine-to-machine connections and tokens can further enhance the developer experience, resulting in faster iterations and new feature development.

Potential Risks and Mitigations:

In the context of shifting SaaS control left, one of the primary concerns is that users and admins may lack the necessary security expertise to make well-informed decisions. This could lead to misconfigurations, weak security practices, and increased vulnerability to cyber threats.

To address this issue, companies can invest in comprehensive security training programs for users and admins. For example, companies like Microsoft have implemented extensive security training initiatives to educate their users and administrators on best practices for safeguarding data and systems. In 2020, Microsoft reported that they conducted over 18,000 security awareness training sessions, reaching more than 22 million employees and customers worldwide.

Policy Fragmentation: As control is shifted left, there is a risk of policy fragmentation, where different teams or users may adopt conflicting security policies or standards. Inconsistent policies can create gaps in security and hinder the ability to enforce organization-wide compliance.

To mitigate policy fragmentation, companies can establish cross-functional collaboration between SaaS ops and platform ops teams. By aligning security policies and standards across teams, companies can ensure a unified approach to security. For example, Google Cloud offers a centralized security platform called Cloud Security Command Center, which provides a single pane of glass for managing security policies across different services and projects, helping to prevent policy inconsistencies.

Security Incident Statistics: To further highlight the importance of addressing the risks associated with shifting SaaS control left, it is crucial to consider real-world security incident data. Several technology companies have shared statistics related to data breaches and cybersecurity incidents to emphasize the need for robust security practices.

As an example, in its annual report on cybersecurity trends, IBM Security X-Force reported that the average time to identify and contain a data breach in 2020 was 280 days, with an average cost of $3.86 million per incident. These statistics underscore the significance of having a well-trained workforce equipped to handle security incidents promptly and effectively.

User Empowerment Impact: An essential aspect of shifting SaaS control left is assessing the impact of user empowerment on security and productivity. Companies can analyze user behavior and the adoption of self-service portals or APIs to measure the success of this approach.

Salesforce, a leading SaaS provider, revealed in its 2020 “State of IT” report that 82% of IT teams believed that giving employees the freedom to customize their SaaS applications would lead to better overall performance. Additionally, 76% of employees using Salesforce applications reported that the platform improved their productivity.

Summary:

Shifting left for SaaS represents a transformative approach that extends the benefits of enhanced productivity, security, and satisfaction to both developers and end users. By empowering users to take ownership of administrative tasks and security decisions, organizations can create a more efficient and secure SaaS environment. Furthermore, empowering developers with enhanced control and customization capabilities will drive faster innovation and bolster the success of SaaS applications in the ever-evolving world of software development. Embracing the shift left philosophy for SaaS holds the promise of unlocking new potentials for organizations and their workforce.