
How Do SaaS Discovery Integrations Unlock Your Digital Ecosystem?

  • 23 October 2023

Userlevel 3
Badge +1

Welcome to our blog, where we dive deep into the world of Software as a Service (SaaS) discovery integrations. In today's digital age, managing and understanding the software applications used within your organization is crucial. Our platform offers multiple ways to achieve this, providing you with a bird's-eye view of your digital ecosystem. Let's explore how discover integration with our platform works and how it can benefit your organization.

SaaS, or Software as a Service, is a web-based delivery method that offers on-demand, ready-to-use services to customers without the need to install software on individual systems or on-premise servers. SaaS allows authorized users to access applications from anywhere on any authorized device. Here are some key attributes that help us identify if a service is SaaS:

  • Availability Online: SaaS services are available online and ready to use.
  • Subscription-Based: They can be subscription-based, free, or pay-as-you-go.
  • Dedicated Login: SaaS services have dedicated logins.
  • Multi-Device Access: They can be accessed from multiple devices.
  • Centrally Hosted Data: The data is centrally hosted.
  • No Dedicated Infrastructure: SaaS services do not require dedicated infrastructure.

What We Don't Consider as SaaS: IaaS and PaaS

It's important to note that Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are not considered SaaS. IaaS is used for outsourcing data centers and computing resources, while PaaS provides a framework for in-house developers. These services are not added to the SaaS catalog.

Our SaaS catalog serves as the single source of truth for identifying what is a SaaS service and what is not. It is used for all automated processes and matches records against our machine learning algorithms. The catalog is continually updated by our researchers and currently contains nearly 11,000+ entries with high data quality. Each entry includes details such as Name, Description, Provider, Webpage URL, Product Category, Pricing Type, Pricing URL, Hosting Description, Hosting URL, SSO Provider, SSO URL, SSO Status, Hosting Type, Domain, Terms of Service URL, and Privacy Policy URL.

 

Let's dive into how our discovery integrations work:

To check the discover Integration in our products, you must navigate to the settings. In SMP, you can find it in the list, but in EAM, you must locate SaaS discovery to investigate possible Discover integrations. You can find all the documents for OOTB integrations there. After credentials and other required information are provided, our platform establishes a connection with the data source. We access the data available at the data source. It’s important to note that we only save data that is considered relevant for SaaS. Relevant data is used to match and generate the data presented in our platform.

All integrations are developed under the principle of least privilege, meaning we only require the minimal permissions needed to execute the discovery tasks. This approach ensures the security of your data.

Different System Integration Methods

Now, let's explore how different systems work with discover integrations:

  • Service Discovery via SSO & CASB: We pull data from Single Sign-On (SSO) systems (e.g., Okta or AzureAD) and Cloud Access Security Broker (CASB) systems (e.g., Netskope). For SSO systems, we retrieve a list of all configured services and access login events to discover user accounts associated with services. For CASB systems, we access access logs and look for login events to discover services and user data. Our machine-learning algorithm predicts matches with a confidence score, and if the score is higher than 0.9, we automatically add the service to the SMP workspace. Services below the threshold are reviewed manually.
  • Service Discovery via Expense Management: Expenses are pulled from the data source, and each expense item is checked manually, with the support of matchmaking scripts. Based on the expense description, we determine if it is SaaS-related and add it to the SMP workspace. Non-SaaS-related expenses are disregarded.
  • Service Discovery via Financial Systems: In financial systems, we initially pull data of suppliers/vendors. Our machine-learning algorithm then uses this data to detect SaaS with a confidence score. If the score is higher than 0.9, we add the services to the SMP workspace. Additionally, for all added SaaS suppliers/vendors, we can pull cost data (e.g., invoices) and automatically populate service spend.
  • Service Discovery via Human Resources Information System (HRIS): HRIS serves as a source of truth for HR data (employees & departments) and is not used to discover SaaS services.
  • Service Discovery via Credit Cards: To discover services via credit card charges, we pull a list of all available charges. The descriptions of the charges are then used to detect SaaS using our machine learning algorithm with a confidence score. If the score is higher than 0.9, we add the services to the SMP workspace.
  • Service Discovery via Contract Management Systems: Contract data is pulled and reviewed manually, with script support. All SaaS-related contracts are manually added to the SMP workspace.

Multiple Ways to Discover SaaS

We offer multiple methods for discovering SaaS:

  • Discover Integrations: Explore the discover integrations available in our Enterprise Architecture Management (EAM) product. If you can't find the one you're looking for, don't worry; we have alternatives.
  • Custom Integration: Need something tailor-made? Set up custom integrations to fetch data using Python scripts and data frames. This allows you to upload data into our database, where our machine learning will add it to your workspace automatically.
  • File-Based Discovery: If you prefer working with spreadsheets, you can set up an Excel file and let our machine learning algorithm do the rest.

If you ever encounter issues or have questions, don't hesitate to reach out to our support team. We're here to help you uncover and manage your organization's digital ecosystem effectively.

Check here for the best practices for SaaS Discovery.


Best answer by Mostakim Mullick 3 November 2023, 10:01


11 replies

Userlevel 4
Badge +1

Thank you @Mostakim Mullick for this article. I am considering implementing SaaS Discovery in EAM but having difficulty finding information to gain support to integrate with systems that hold SaaS application data. You wrote:

Service Discovery via SSO & CASB: We pull data from Single Sign-On (SSO) systems (e.g., Okta or AzureAD) and Cloud Access Security Broker (CASB) systems (e.g., Netskope). For SSO systems, we retrieve a list of all configured services and access login events to discover user accounts associated with services. For CASB systems, we access access logs and look for login events to discover services and user data.

 

The Discover Integration states, “It is very important to connect as many of Integrations as possible as they ensure that a successful discovery process takes place and that all of the Shadow IT is detected.”

I am considering integrating with Microsoft Defender for Cloud Apps (now in Early Access) and Microsoft Azure Active Directory

From the doco:

How would you describe, in layman's terms, the value of each integration and the additional value when both integrations are established?

Userlevel 3
Badge +1

@Stephen Gates, I'm glad that you took the time to read this blog and that you're curious to learn more about our SaaS Discovery process.

To provide further insight into how it works, let me briefly explain the process. Our approach involves extracting a comprehensive list of all configured services from Entra ID (Azure AD). Then, we use Azure AD login event data to associate user accounts with specific services, determining which users have logged into particular applications. This careful analysis of access logs allows LeanIX to identify potential SaaS applications. Predictions are made using a confidence score, and services with scores above 0.9 on a scale of 0 to 1 are automatically included in the SaaS List. Services that fall below this threshold undergo manual review by our responsible team, where they are either accepted or rejected. It's important to note that our machine learning models continuously learn from the activities of our diverse customer base, influencing the decision to include or exclude services.

Another scenario that may arise is the discovery of multiple services from a single integration or the matching of both integrations under the same service. For example, if services discovered are named "Microsoft Teams Prod," "Microsoft Team Test," and "Teams SS0," all of them will be matched with "Microsoft Teams" and considered as one service. This helps eliminate any confusion among customers regarding whether the same service discovered by a single integration or multiple integrations results in multiple services. In reality, it's just one service. Please take a moment to review the attached screenshot from the "Service Discovery" tab on our SaaS management platform to get a better understanding.

[Screenshot: Service Discovery SMP]

So by this mechanism, all the services will be discovered and you can keep track of what is being discovered and matched to which service. Sometimes there can be discrepancies because machine learning models learn primarily from customer behavior when it comes to matching. So, we recommend reviewing the matches as well.

Furthermore, for customers who do not have access to SMP (SaaS Management Platform), they won't be able to see this directly. However, they can create a support ticket, and we will assist them. I'm pleased to inform you that we are actively working on an advanced matching feature in EAM (Enterprise Architecture Management) that will allow customers to manually match SaaS applications directly from their EAM workspace, similar to the functionality in SMP. We anticipate that this enhancement will be available in the near future, further streamlining the process.

I hope this clarifies the SaaS Discovery process for you. If you're considering integrating the mentioned Key enterprise system, please go ahead with it. Feel free to reach out if you have any questions or feedback.

Userlevel 4
Badge +1

Thanks Mostakim,

So to summarise there is value in integrating to both Microsoft Defender for Cloud Apps, and Microsoft Azure Active Directory.

If I integrate with AAD:

  • SaaS Applications integrated with AAD for SSO will be returned to LeanIX EAM for matching.
  • If accepted, the Application fact sheet will be complemented with data from the SaaS Catalog, and the SSO Provider and SSO Status will be added.

If I integrate with Defender:

  • SaaS Applications that are discovered by analysing network traffic will be returned to LeanIX EAM for matching. This is a better way to detect “Shadow IT”. The results returned may not be as accurate as AAD integration as someone may just be trialing a free SaaS app.
  • If the discovered SaaS app is accepted, the Application fact sheet will be complemented with data from the SaaS Catalog.

The roadmap items for SMP Q4 2023 look great. Looking forward to trying them out. 🚀

Userlevel 3
Badge +1

Yes, Thanks @Stephen Gates for the great summary. 💪🏻

Userlevel 4
Badge +1

How do SaaS apps get added to the SaaS Catalog?

Our SaaS catalog serves as the single source of truth for identifying what is a SaaS service and what is not. It is used for all automated processes and matches records against our machine learning algorithms. The catalog is continually updated by our researchers and currently contains nearly 11,000+ entries with high data quality. Each entry includes details such as Name, Description, Provider, Webpage URL, Product Category, Pricing Type, Pricing URL, Hosting Description, Hosting URL, SSO Provider, SSO URL, SSO Status, Hosting Type, Domain, Terms of Service URL, and Privacy Policy URL.

 

Are SaaS apps only added to the SaaS Catalog when they are discovered through a Discovery Integration?

How do LeanIX researchers determine the Product Category? Is it from the Discovery Integration via the Attestation process developers go through when registering their app with Microsoft Defender for Cloud Apps (or similar)? (Also asked here).

I have Apps linked to the SaaS Catalog that have multiple Product Categories. Is that because:

  • Developers can specify more than one,
  • Developers specified different categories during registration with different systems 
  • Different systems use different Product Category schemes?

 

Userlevel 3
Badge +1

@Stephen Gates We analyze the data we receive from Discover Integrations and then gather the items that haven't been identified as SaaS, nor have we categorized them as non-SaaS in the past. This collection is then forwarded to a research team, which conducts further investigation to either include these items in our SaaS catalog or categorize them as non-SaaS/rejected entries.

Regarding the categorization of SaaS, it's not overly complex. We rely on G2 as a source to categorize SaaS in our catalog. However, some categories may not align perfectly with G2's classifications because a single SaaS product might offer multiple features, making it eligible for different categories. We are actively working to enhance this process by selecting the most relevant features for categorizing SaaS or directly integrating information from G2 to improve accuracy.

Userlevel 3
Badge +1

Another question I received on chat from @Khuong: “Does the AAD Integration within EAM SaaS Discovery only require Application.Read.All permission without pulling out any user details, while the process described for SMP requires AuditLog.Read.All and Directory.Read.All in addition to Application.Read.All permissions to associate user accounts with specific services and determine which users have logged into particular applications? I'd like a clearer understanding of the difference between AAD Integration within EAM SaaS Discovery and SMP.”
 

In EAM, we've been primarily focused on SaaS discovery until now. That's why we use the Application.Read.All scope, which allows us to read and discover all SaaS applications. However, in SMP, we have a wider range of discovery options, including SaaS Discovery, Department Discovery, People Discovery, and User Account Discovery (you can see the attached image for reference).


To discover information beyond SaaS in SMP, we need to grant additional scopes. You can find a comprehensive list of which scope is needed for discovering which source in the "Discover Capabilities" section here (link to the SMP Entra ID documentation).

For EAM, there are separate documents that explain how to connect integrations. This approach is taken to keep things clear for customers, as using fewer scopes simplifies the process. You can refer to the EAM Entra ID document here.

It's the same for other integrations as well. For example, Concur can be used to discover SaaS-related financial information and also for SaaS discovery. So in EAM, it can be used just to discover SaaS, and in SMP, it can be used to discover both.
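
The scope difference discussed in the reply above can be checked against what an integration's app registration has actually been granted. The following is an added example, not LeanIX or Microsoft code: it reads the `roles` claim of a constructed Microsoft Graph app-only token and compares it with the per-product baselines named in this thread (the vendor documentation remains the authoritative list). `BASELINE`, `token_roles`, `audit` and `make_sample_token` are hypothetical names.

```python
import base64
import json

# Baselines as named in this thread (assumption: the vendor's
# "Discover Capabilities" documentation is the authoritative list).
BASELINE = {
    "EAM": {"Application.Read.All"},
    "SMP": {"Application.Read.All", "AuditLog.Read.All", "Directory.Read.All"},
}


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(jwt):
    """Return the application permissions carried in the token's `roles` claim.

    The signature is NOT verified: this only inspects which permissions were
    granted and must not be used to make a trust decision about the token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    roles = claims.get("roles", [])
    return set([roles] if isinstance(roles, str) else roles)


def audit(jwt, product):
    """Compare granted permissions with the baseline for 'EAM' or 'SMP'."""
    granted = token_roles(jwt)
    expected = BASELINE[product]
    excess = granted - expected
    return {
        "missing": sorted(expected - granted),   # discovery would fail
        "excess": sorted(excess),                # beyond least privilege
        "write_capable": sorted(p for p in granted if "Write" in p),
        "least_privilege": not excess,
    }


def make_sample_token(roles):
    """Build a constructed, unsigned token for the demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc(header), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    # Constructed case: an EAM integration that was also given a write scope.
    token = make_sample_token(["Application.Read.All", "Directory.ReadWrite.All"])
    print(audit(token, "EAM"))
```

Any entry under `excess` or `write_capable` is a permission to remove from the app registration before connecting the integration.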

Userlevel 4
Badge +1

Thanks @Mostakim Mullick 🏆

Is it a requirement that an application is discovered by at least 10 customers using a SaaS Discovery Integration before it is added to the SaaS Catalog to satisfy the extra anonymisation precautions?

Q: If I opt in, will my workspace's data be visible to other customers?
A: No, other customers will never have access to your workspace's individual data. Data that is derived from your workspace data will be processed in statistical models, however. We take extra precautions to ensure any aggregation or processing happens on at least 10 different customer accounts, so a deduction to a specific workspace is not possible.

 

Userlevel 3
Badge +1

@Stephen Gates Actually, there are no specific requirements for adding SaaS to our catalog. Our goal is to include as many SaaS options from the market as possible. This can be achieved through two main methods:

  1. Regular Search: Our dedicated team conducts ongoing searches to identify and add new SaaS offerings to our catalog.

  2. Customer reports missing SaaS: Customers also have the option to report any missing services through the SMP. When a customer reports a missing service, our team reviews the request. If it qualifies as a SaaS, we proceed to add it to our SaaS catalog. We make sure to categorize it appropriately for easy navigation.

    We're always striving to enhance our SaaS catalog.

Userlevel 4
Badge +1

Thanks again @Mostakim Mullick,

I’ve suggested on the Product Roadmap that the “Report missing data” feature be extended to LeanIX EAM.

For those users of LeanIX EAM and SaaS Discovery but not yet LeanIX SMP, is there a manual way to suggest entries for the SaaS Catalog? You stated above,

The catalog is continually updated by our researchers and currently contains nearly 11,000+ entries with high data quality. Each entry includes details such as Name, Description, Provider, Webpage URL, Product Category, Pricing Type, Pricing URL, Hosting Description, Hosting URL, SSO Provider, SSO URL, SSO Status, Hosting Type, Domain, Terms of Service URL, and Privacy Policy URL.

 

Is there a preferred way customers could suggest values for these fields to the research team (e.g. using a provided .CSV format and perhaps a link to the G2 entry)?

Userlevel 3
Badge +1

@Stephen Gates Currently, there isn't a way to create a request for a missing service in EAM. This feature is only available in SMP. Thank you for submitting a feature request.

When reporting a missing service, customers will need to provide the name of the service and a valid website link of that SaaS (as shown in the screenshot). Our team will then conduct the necessary research based on this information.
