Oct 28 2019
Magical Mystery SaaS Management Tour
CoreView & Alpin
When CoreView bought Alpin, many asked — who the heck is Alpin and what exactly do they do? We decided the best answers would come from Alpin CEO and Co-Founder Julien Denaes, who was kind enough to walk us through how to use Alpin, what it does, and the solution’s key benefits.
Now let us turn things over to Julien.
Thanks, and thanks for giving me the opportunity to talk about the product I know, love, and helped develop. Let us start from the beginning – how customers set up their use of the solution.
Signing up is straightforward. People can self-serve, self-sign up with the G Suite administrator account, or on a 365 account, or they can even create their own instance with a sign-in with an email address and password. Of course, we are trying to push people to connect with G Suite or Office 365, because as soon as they do, we get their full list of users in a directory.
Then they fill in the permission screen. With G Suite especially, we ask for the minimum set of permissions. We do not want to be intrusive. It is like a first date. I do not want the key for your apartment. Let us get to know each other. Just give us the list of your users and their tokens (3rd party applications).
After that, we can go deeper. As I said, when you connect, you are just signing up. That creates your instance, and we only have access to your users. Later down the road, customers bypass everything and connect to the dashboard itself. Especially with the G Suite integration, that set of permissions is not intrusive. Then we can go into Google Drive, go into Gmail, and become a Google admin. This is what we call add-ons. We do not ask for the keys to the realm directly. First, we just start dating, then get to know each other.
As soon as you connect, you see a dashboard that is customizable by user. Every user can decide what they want to see when connecting to Alpin – and personalize their dashboard. All our modules are highly customizable. You can add more modules directly, and have a list of reports you can add dynamically. People in finance, IT, or security, can display the things that relate to them.
When you connect to Alpin, you see items about products, vendors, license renewals calendar, users, and of course zombies. We also have some calls to action such as asking for data to analyze costs and connect integrations.
Alpin, just as CoreView, works when it has access to data. Data comes from multiple sources. It could be manually uploaded, which is why the import data call to action is everywhere. We can import from a CSV, your SAP, or Expensify. You can export to us from anything, just drag and drop it. Alpin takes care of processing the data, making sense of the data, and reporting it back.
This data captures what the organization is spending for SaaS, and what is going on with renewals. Customers get their arms around the economics and have detailed ways of actually saving on SaaS such as cancelling multiple subscriptions when they do not need them. All this data points to what is licensed, what is paid for, and so on.
Data comes from two main sources. Many times it is invoices, contracts, and lots of manually gathered information. Alpin looks at what the data is and if we can automate it, of course we will. It really depends on the format that is given to us, the kind of data, where it comes from, and therefore how we can process it. That changes from customer to customer. That is why this import data call to action is so important in us getting to know each other.
Of course, we much prefer to have connected integrations (direct ties to data sources) because we automate so many things. That is where we have a ton of integrations. These direct integrations include Concur, Coupa, Expensify, QuickBooks, NetSuite, Sage; all those integrations are financial integrations. The reason why we propose those is to do discovery.
Other integrations are more about governance, monitoring, security and automation control.
The Three Faces of Alpin
We have separated the Alpin platform into three main buckets. The first is SaaS management. Here customers see product, vendors, licenses, and payments. Then we have the integrations. You also have the list of users, the zombies and so on. There are also settings related to the configuration of your own tenant.
Product and vendors are interesting — this is where we start the conversation with the customer.
As soon as a customer connects, we look at all the products we can discover — and we discover products everywhere. We may discover products in QuickBooks, Expensify, LastPass, G Suite, Okta, maybe even Chrome extensions, the browsing history, or G Suite tokens. We developed many sources for discovery as we knew from day 1, unlike the competition, that one source is not enough.
Customers can manage the products they discover, though often there is a reason not to. It may be a free plugin or internally developed tool. If there is no reason to manage that specific application, they can ignore it.
When you ignore it, it is simply hiding from the specific list of discovered products. If you want to retrieve the product that you ignored, just change the filter.
When you choose to manage a product, we ask for some metadata, like functional or financial owner. You can then add tags, and manage the tag groups. You can tag a product, license, vendor, or user – you can really tag anything. We report and filter on those tags.
Meanwhile, as soon as Alpin discovers a product, it automatically categorizes it as, for instance, a CRM platform, business development tool, sales solution, or whatever it is. The Alpin SaaS Catalog has around 40,000 products that are classified with their vendor information.
Once you decide to manage a product, you want to consistently monitor and look at it. In the case of G Suite, for example, you know all about the licenses Alpin retrieved automatically since you connected G Suite to Alpin.
Alpin also analyzes renewals. Customers know when the application renews such as every month or year, when it can be cancelled, and when you have to pay such as every month, quarter or year. You know who the vendor contact is and the sales rep. You can customize the data you want to have for each license. Alpin retrieves all this information at the license level. Not at a product level, not at a vendor level, but the license level. It is as granular as possible.
The more information we have, which we can retrieve by APIs or get by looking at the contract document, the more we populate the renewal calendar that is built in front of you automatically.
If we do not discover a product, you can add it manually. Let us say CoreView does not exist in the products list. You can add CoreView. The website is Coreview.com and the product is CoreSuite or one of the other solutions. By entering those two bits of information, the name of the product and the website URL, Alpin takes care of the due diligence on that product and that vendor, finding the right logos, the right description, the right licenses, and so on.
Learning to Save Money
Alpin billing and accounts views are about making sure that you can manage your different cost centers, billing accounts, and contracts you have with a specific vendor.
Bills and payments are retrieved automatically from Expensify, from Concur, from Coupa, from NetSuite and so on. You can also upload them. You can even combine payments, and pay two bills or five bills at the same time in one payment.
Key documents are held by Alpin, such as an NDA, renewal agreement, cancellation, or discount agreement. Alpin holds documents the customer does not want to lose, or wants to share between IT, procurement, security, and the finance department. Instead of having those documents living in mailboxes of people, the customer can upload them to Alpin, or link them to their SharePoint, OneDrive or any data or storage source.
Security and Compliance
Breaches and certifications are two tabs where the customer does not have to do anything. Alpin is simply providing information, such as the latest statement about GDPR from Google or Salesforce. We link to the latest certifications information from all your managed vendors.
Licenses and Renewals
Licenses and renewals are easy to track and manage – at least with Alpin. In fact, all the licenses and renewals are on one screen. A customer can look at the renewal calendar, for example, and see there are six contracts renewing in March.
Alpin shows exactly how much money those contracts represent, which is great for budget forecasting. It is a good exercise for finance and IT to make sure they have their act together. If it is a large amount, from a cash flow point of view, it is best to make sure the large payments are scheduled and forecasted.
The payments dashboard is extremely customizable for us, taking less than 20 minutes to fully customize. You can see all payments across all vendors. This is critical for chargebacks.
Chargebacks: This is Where Finance and Procurement Fall in Love
The best way to explain chargebacks is with an example. Let us say you want to chargeback Atlassian software to groups within your company. Assume Atlassian cost $82,000 for the past year and a half. Great, but you need to know who is using Atlassian, to drill down and understand whom you need to charge it back to, for how much, and for what reason. This could be at the department level, vendor level, or user level. Alpin is extremely specific, extremely granular, for these kinds of things. That is extremely helpful for large enterprises – they have a great use case where the chargeback is important.
Alpin also analyzes and compares SaaS solutions in specific categories to understand which provide the best value. For instance, IT or finance can look at all the vendors in the project management category, and see how much Asana costs versus Wrike versus JIRA.
You can drill it down and ask, “Why is this one costing me so much while we already have JIRA?”
More on Taming Zombies
Zombies are users that are kind of the living dead, and not using what they had signed up for. Alpin competitors identify a user or account as a zombie because their last login date is greater than 30 days, 60 days, or 90 days. This number of days is actually a parameter that you can define yourself in Alpin. However, the last login date does not say much. You have to go a little bit deeper. Alpin is the only one doing that. We do not look only at the login date. We look really at the activity.
Let us say that you have Box or Dropbox and Box is installed on your computer. Every day, as soon as you open your computer, you log into Box. However, what if you do not create a document? What if you do not view, share, edit, or delete a document? Then you have no activity, and have Box for the sake of having Box. We are the only one looking at not only the last login date, but also the last activity date.
Metrics and Application Adoption
Metrics are critical to understanding everything about your SaaS solutions. The key is to leverage what Alpin finds in your integrations. For example, if people connect to Okta or Azure AD or OneLogin, Alpin looks at the user login and user activity through the provider of this SSO. Alpin builds a dashboard that shows, for instance, who is using Salesforce, Amazon Web Services, or any other tracked SaaS service.
This is the adoption level of this application over time by this user, in this department. Alpin can show, for example, that since the customer launched Microsoft Teams, there was a decrease of usage of Slack. In this case, the end users go through Okta, and through Okta integration, an Alpin customer sees the users, the apps, and the activity.
Again in this use case, Okta is just one source of data; Alpin always combines many sources and then consolidates to make sure the reporting is as precise and complete as possible.
We also measure risk, such as the risk of a G Suite token, and do so on a scale up to 100. Alpin looks for tokens and items that are extremely intrusive, and have actions where you can revoke the token — you can revoke access or even blacklist the application. The next time the person tries to give a token to that application, we intercept the token and revoke it instantly. This is a unique security feature that is definitely G Suite oriented, and has proven to be helpful.
Blacklisting and Revoking Tokens
What are the intrusive activities Alpin spots that provoke a blacklist and token revocation? The most famous example is a so-called game developed on Android. The game developer was purportedly based in the Netherlands, but was in fact a Russian company. This game accessed all the emails, not only the headers, but the content of all the people installing that game. CEOs, CFOs, CIOs had all given permission to this game that was really a Russian company reading all your emails. We reported this to our customers, and guided them to blacklist this application. They were extremely thankful of course.
We do that on the Chrome history as well. We look at the Chrome history to understand the usage of a specific website by people. We also blacklist websites. Alpin can warn people when they are browsing a suspicious or off-limits website, and ask them to visit a different site. Let us say you do not want people to use LinkedIn. You can blacklist this domain, and if you want, give a company contact that may approve the site for you if there is a special need.
Search is also handy. To find a project management tool, you search on “project management” and click on the tags. If you need to see licenses, but only those in marketing, you just leverage the tagging system.
The Shadowy World of Unapproved and Unmanaged SaaS
Shadow IT is a great term to get people interested in what it is that Alpin does. However, Alpin goes far beyond that.
Then when you start to identify Shadow IT apps, you are not just identifying them so they can be blocked by IT because of various issues, but can go deep into the economics and the usage of those Shadow IT applications and their security issues.
Alpin is not only for security integrity and Shadow IT, but it is also broadly useful for finance, procurement, IT, and the security team.
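The zombie check described under "More on Taming Zombies", as an added example that is not Alpin's code or part of the original interview: it separates accounts a login-only rule would catch from accounts that still log in but show no create, view, share, edit, or delete activity within a configurable number of days. The event format, function names, labels, and sample events are constructed for illustration.

```python
from datetime import date

# Event types that count as real use, following the Box example in the text.
ACTIVITY = {"create", "view", "share", "edit", "delete"}

# Constructed sample audit events: (user, app, event_type, ISO date).
EVENTS = [
    ("ana", "box", "login", "2019-10-27"),
    ("ana", "box", "edit", "2019-10-25"),
    ("bob", "box", "login", "2019-10-27"),   # desktop client signs in daily
    ("bob", "box", "view", "2019-06-01"),    # last real use was months ago
    ("cy", "box", "login", "2019-05-10"),
    ("dee", "box", "login", "2019-10-20"),   # logged in, never did anything
]

def last_seen(events):
    """Return {(user, app): {"login": date|None, "activity": date|None}}."""
    seen = {}
    for user, app, kind, day in events:
        rec = seen.setdefault((user, app), {"login": None, "activity": None})
        field = "login" if kind == "login" else "activity" if kind in ACTIVITY else None
        if field is None:
            continue  # unknown event types are ignored, not counted as use
        d = date.fromisoformat(day)
        if rec[field] is None or d > rec[field]:
            rec[field] = d
    return seen

def classify(events, today, threshold_days=30):
    """Label each (user, app) as active, login_zombie or activity_zombie."""
    def stale(d):
        return d is None or (today - d).days > threshold_days
    out = {}
    for key, rec in last_seen(events).items():
        if stale(rec["login"]) and stale(rec["activity"]):
            out[key] = "login_zombie"      # a login-only rule catches this too
        elif stale(rec["activity"]):
            out[key] = "activity_zombie"   # still logs in, but no real use
        else:
            out[key] = "active"
    return out

if __name__ == "__main__":
    for key, label in sorted(classify(EVENTS, date(2019, 10, 28)).items()):
        print(key, label)
```
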