For a number of years now, software development and devops teams have been “shifting left.” The concept is simple. Give software developers more responsibility and control over all of the things required to run software beyond writing the code. And so platform operations teams provided ways for application developers to easily manage security, infrastructure and scaling, network connectivity, application delivery, and all the other aspects previously handled by specialized teams.
Developers that are so empowered could move faster, deploy more frequently, and build better products. Moving critical tasks earlier in the development lifecycle, aka shifting left, has optimized developer efficiency and reduced development costs, all while improving code quality and security.
What’s good for software developers can be good for software users too. Call it self-service, or call it DIY IT. The bottom line is, shifting the admin of critical SaaS applications closer to the team leaders and people who must use them improves performance along many fronts by moving decision making closer to those who are actually doing the work.
Shifting left for SaaS will also directly improve organizational security by removing barriers to productivity. In research published in the Harvard Business Review, a study found that 67% of the 330 survey participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of one out of every 20 job tasks. When users were asked why they violated the policy, the top three responses were “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.”
Empowering users could improve security, productivity, and satisfaction among workers. So how can we think about shifting SaaS products and responsibilities left? There are a number of useful paths to follow.
Shifting admin duties left
For many companies, SaaS applications provide the core of their operations. According to BetterCloud research, “Companies estimate that 70% of the business apps they use today are SaaS-based. By 2025, they expect 85% of the business apps they use will be SaaS-based.” This rapid adoption has led to the emergence of a new term, SaaS Ops, to describe operational requirements driven by a mainly SaaS technology footprint.
One of the chief benefits of SaaS applications is that they are easy to deploy and use, without requiring much installation or maintenance overhead. However, they still require administrative tasks, such as adding or inviting new users, changing user roles and privileges, creating custom roles, and resetting passwords. These tasks can be time-consuming and tedious for IT admins, who must deal with multiple SaaS applications and platforms. Moreover, these tasks often introduce delays and errors in the user experience, especially if the admins are unfamiliar with the specific SaaS application or its configuration.
For users, too, waiting for IT to reset a password, change privileges, or upgrade an account can reduce productivity and satisfaction. By shifting these admin duties left, we can enable end users to perform these tasks themselves using self-service portals or APIs. Users can also customize their roles and privileges according to their needs and preferences without compromising security or compliance. In instances where some sort of admin is required to manage user behaviors, then IT teams and SaaS apps can shift the admin role left to someone on the user team.
All told, shifting SaaS administration left reduces the workload and stress on IT admins, who can focus on more strategic and complex tasks. The result? Happier IT, happier users, and a more productive team all around.
Shift user security left
When well-designed, SaaS applications offer stronger security and reliability than on-prem options, thanks to their cloud-based architecture, uniform encryption, and distributed nature. However, SaaS suffers some security risks, such as data breaches, unauthorized access, phishing attacks, or identity theft. These risks can be mitigated by implementing security policies such as IP blacklists, forced 2FA (two-factor authentication) in the right contexts, and security step-ups (additional verification for sensitive actions).
By shifting control of these user security policies left, we can give team-level admins and end users more control and flexibility over how they secure their SaaS accounts and data. They can choose the most suitable and convenient authentication method for their team without compromising security or compliance. They can also adjust their security settings according to their context and risk level, such as setting up service-level 2FA or designating regional IP blacklists depending on the use case.
In some cases, users can better determine when to apply forced 2FA or security step-ups, with default settings put in place by the security team. By empowering users and local team admins to own security, you also encourage them to learn more about it and understand how it works. This is beneficial for overall security hygiene over the long term.
Shift developer-facing services hard left
Increasingly, SaaS users are actually developers who consume the SaaS as a “dial tone” for key components of their applications. (Communications as a service via API provider Twilio is almost a literal example of this.) While SaaS APIs have always offered some of the elements that developers require, the best ones expose high degrees of customization to developers, effectively shifting admin and control of consumption to the left. Table stakes are API tokens and webhooks, but more modern SaaS platforms also include the ability to create custom roles, offer the flexibility to integrate one or more enterprise SSO standards or directory integrations, and provide a multi-tenant hierarchy for developers building multi-tenant applications.
Creating a strong set of management capabilities around machine-to-machine connections and tokens—the fastest-growing segment of app connectivity and API interactions—also enables developers to set up their SaaS tools to behave exactly as desired to deliver the best combination of functionality and cost. Software is eating the world, and developers are eating SaaS. Feeding them the right diet of SaaS self-service is a critical ingredient in their success.
Shifting left for user productivity, developer velocity
There are some risks to shifting SaaS control left. Whenever security is handed over to folks who are not necessarily security experts, education is required. An additional danger is fragmentation, where policies and standards become inconsistent and unenforceable. Fortunately, SaaS presents a canvas where guardrails are generally already in place, and SaaS ops or platform ops teams can work together with their constituents to find a happy medium between agility and convenience and central compliance.
The shift left model has transformed software development by involving developers more closely in security, devops, and networking processes. By applying the same principles to SaaS users, we can empower them with more control over their experience and greater agency in their interactions with software applications. For developers using SaaS, giving them more DIY and composability translates into faster iterations and faster new feature development. Shift left has already taken over the world of application development. It’s now time to shift SaaS left so regular users and developers building with SaaS tools can reap similar rewards.
Aviad Mizrachi is CTO and co-founder at Frontegg.
—
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.