There’s no denying the impact SaaS services have had on businesses. It’s no surprise that 70% of software used by companies today are SaaS applications. For many modern-day startups, that number is 100%.

But, even with all their upsides, the rapid adoption of new apps without a proper SaaS management strategy can lead to increased security risks, compliance gaps, and unnecessary costs.

SaaS Discovery is the first and most crucial step in SaaS management. Why? You can’t take any decisive action without a complete inventory of all the SaaS apps linked to your business. How else will you know the marketing department has started using a tool to collect the email of website visitors? They don't know anything about GDPR or the other regulations that require user consent.

Follow along as we explore:

• The key benefits of SaaS discovery

• 6 different ways to discover SaaS apps and the challenges of each method

• How to leverage automation for effective SaaS discovery

Why SaaS discovery is important

Every business unit has something to gain from having complete visibility into your SaaS environment. Overall, it helps strengthen the business’s security posture, simplify compliance, save on costs, and improve business efficiency. More specifically, SaaS discovery will help you:

• Discover shadow IT. You can’t protect what you can’t see. SaaS discovery helps you detect all apps, including those unsanctioned by IT, reducing security risks and compliance violations.

• Prevent SaaS sprawl. SaaS purchasing is no longer controlled by IT. This decentralized procurement approach leads to tools with overlapping functionalities, causing inefficiencies and wasted spending.

• Reduce the risk of missed offboarding. When you don’t know which apps a user is using, you can’t completely offboard them. They might retain access to sensitive company data long after they leave the company.

• Improve workflow planning for IT managers. With complete visibility into the SaaS landscape, IT teams can effectively plan workflows, integrations, and app management strategies that promote efficiency and productivity.

6 SaaS discovery methods you can use: Step-by-step guide

Here are six ways you can start identifying the SaaS apps linked to your business domain. You’ll see that each method has its limitations, so you will have to combine multiple ways to get complete visibility.

1. Survey Employees

This is the simplest and most direct approach—just ask your employees which apps they’re using. You can send out a survey or request a list of tools employees rely on for their daily tasks.

Pros

• Easy to implement

• Helps uncover tools that employees acquired without IT knowledge

Limitations

• Employees may forget or overlook certain apps

• Some may withhold information, especially if they’re using unsanctioned tools

• Not all employees are aware of what constitutes a SaaS app, leading to incomplete results

This SaaS discovery method is a great starting point, but you’ll still need to implement additional methods to get a complete and accurate picture.

2. Audit OAuth logs in Google Workspace

Auditing OAuth logs in Google Workspace will help you discover all apps accessed using the “Sign in with Google” option. You’d be surprised how often this happens.

Steps:

1. Sign in to the Google Admin Console.

2. Navigate to Security > Access and data control > API controls.

3. Under App Access Control, review the third-party apps that have OAuth access to your domain.

4. Check app permissions to determine if these apps have access to sensitive data.

Pros

• Offers a straightforward way to discover apps without employee involvement

Cons

• Can’t discover apps if employees didn’t use the “Sign in with Google” option

• Sifting through the log is cumbersome, requiring extensive cleanup, manual vendor-name matching, and ongoing monitoring

As with the previous option, relying on this method alone will not give you complete SaaS app visibility.

3. Scan Email Activity for App Invitations

This is the holy grail when it comes to SaaS discovery in the modern IT environment. Whenever a user registers for a new SaaS tool, they’re typically sent a confirmation or notification email. By scanning email activity, you can identify these account creation notifications and uncover SaaS apps linked to your business domain.

However, with this method, you’ll need a third-party tool. We’ll explore how AccessOwl simplifies the process, but another option you can use is the Google Apps Manager (GAM). This is a popular command-line tool that provides an alternative way for Google Workspace admins to manage domain and user settings.

Steps:

1. Download and set up GAM. It’s a multiple-step process.

2. Create a script to access the email inbox for all the users and search for keywords such as “welcome,” “confirmation,” or specific SaaS app names. Here’s an example of a simple GAM command to search a user's Gmail inbox for emails containing the word “ChatGPT”.

gam user xyz@companyname.com show messages query "ChatGPT"

3. Compile a list of discovered tools based on these email notifications.

Pros

• Provides a nearly foolproof way to detect SaaS app usage

Cons

• Mastering GAM usage takes time

• Scripting knowledge is required

• Time and labor-intensive

• Only works if you know what you are searching for

4. Check Expense Reports

Reviewing company expense reports is another excellent way to discover SaaS apps. If you’re specifically tracking apps for SaaS spend management, this method is sufficient in itself. Unfortunately, it doesn't account for free tools, which are still a security and compliance risk.

Steps:

1. Work with your finance department to obtain expense reports.

2. Identify recurring payments or subscriptions related to software services.

3. Create a list of apps in use based on the data you collect

Pros

• Excellent for tracking paid SaaS tools for SaaS spend management

Cons

• Doesn’t account for free tools

• Requires collaboration with finance teams, which could slow down the process

5. Examine Network Activity

This was once a popular method to identify SaaS apps but has become less effective as businesses transition to hybrid and remote working models. This method relies on third-party tools like a Cloud Access Security Broker (CASB) to scan network traffic and identify the URLs and services users visit. You’ll then need to translate the data into specific apps that are in use within the business.

Pros

• Effective in traditional office environments with a central network

• Gives real-time data on app usage

Cons

• Less effective in remote/hybrid environments

• Involves filtering through lots of data

6. Browser Extension

You can also use a browser extension that monitors the user's browser window to try and identify instances where they’re logging in to a SaaS app.

Pros

• Can help you identify all kinds of SaaS apps regardless of the sign-in method

Cons

• Relies on employee compliance, which can be difficult to enforce

• Privacy concerns may lead employees to reject the extension

• Employees can switch to a different browser

How to simplify SaaS discovery through automation

If you went through the various steps and thought it’s a lot of work, I have good news for you. Automation can significantly simplify the process. It eliminates the chances of missing some tools and will save you a lot of time and effort.

Remember, SaaS discovery is an ongoing process. Even after a thorough manual discovery, new apps are regularly added, requiring continuous effort to keep up with the latest tools employees are adopting.

This is where SaaS management apps like AccessOwl come in.

Conclusion

Why AccessOwl is the best SaaS discovery tool

It’s a lightweight, easy-to-use tool that you add on top of Google Workspace for advanced SaaS app management. AccessOwl simplifies SaaS discovery and management by combining the two most effective methods—continuously auditing OAuth logs and scanning email activity.

It doesn’t matter whether employees are using personal devices, working remotely, or connecting through various networks. AccessOwl gives you full visibility into your organization’s SaaS landscape without the need for manual intervention or scripting expertise. Better yet, it works in the background without interfering with employees’ privacy or productivity.

During employee offboarding, AccessOwl will automatically delete a user’s account across all associated SaaS apps, including those that were unidentified during onboarding.

On top of SaaS discovery, AccessOwl helps automate SaaS user access, user account management, and SaaS vendor management, making it the perfect security and compliance partner for IT admins.

In short, AccessOwl serves as your single source of truth for all SaaS information, including:

• SaaS applications linked to your business

• SaaS users and their associated permissions

• Vendor information including data location, type of data processed, and compliance status

It also comes with a renewal calendar and SaaS cost tracking for effective SaaS spend management.

Ready to discover all the SaaS tools used across your organization? Start with our free shadow IT discovery tool and gain full visibility into your environment.