An Introduction to Web Apps Management

Gartner is predicting end-user spending on Business Intelligence Web apps will grow by 23.3% between 2017 and 2022. Spending on SaaS-based Supply Chain Management applications will also grow by 21.2% between 2017 and 2022.  

The onset of Cloud technology brings new challenges for companies and whilst Web apps compliance is not the first issue, Web app optimization and usage analysis are essential in modern day Software Asset Management. The first and newest challenge is to recognize what Web apps are being used in your environment. The reason for this is that today, SaaS can be, and frequently is, purchased outside the oversight of the IT department. Most SaaS subscriptions can be started with a credit card.  

To be able to see all applications running in the Cloud, Xensam only needs the same agent, Xearch, to collect the Web apps. The system consistently provides key usage data which shows whether the user/computer has used this application and how much actual time was spent in the Web app, as well as the average active usage over a defined timeline. All this with no configuration required – all out of the box. So, if you want to learn how many users are using Slack and which version, you are simply two clicks away with Xensam.


  • Increasing cost
  • Shadow IT
  • Overspending
  • Bundles/Suites
  • Lock-in


  • Inventory 
  • Normalization 
  • Optimization
  • Compliance
  • Usage (Active Usage)

Shadow IT 

Shadow IT describes the situation where IT purchases are being made without the involvement of the IT department. The purchases may not be in the IT budget, nor approved by the IT department, but the item is still deployed in the business. 

Modern-day SaaS is a little reminiscent of the era of boxed software licensing and the CD that got shared between multiple desktops for installation of new applications. In this case, Web apps are not necessarily installed in the same way but rather purchased and consumed without IT teams being involved. The comparison to box licensing is compounded by the realization that the box product was purchased by using a company credit card and installed on the computer(s).

Of course, with SaaS you don’t have to go to a store, merely visit a vendor website to subscribe and immediately run the application in a browser or download it to your computer if necessary. Internal business departments of a company have stopped waiting for IT to approve the purchase, which only comes to light in the event of an audit or security breach.  

The latest in Shadow IT trends is that software vendors are directly targeting the end-user for upselling of their products. For example, Microsoft now includes a capability allowing end-users to purchase add-on applications directly in the user view without needing IT or Management approval. If an end-user wants Microsoft Power BI or Flow, for example, they can now just add that to their subscription without notifying anyone or requiring approval.

Potential SaaS Audits 

There is a lot of speculation that software can’t be non-compliantly licensed in the cloud. This is not true, and if there is one thing we know in the software industry, it is that software vendors are continuously chasing revenue, with software audits as a sure-fire way to acquire easy money. One way for the software vendor to do this is to change license metrics. Another way is to enforce an upgrade by retiring the cheaper/free versions and requiring standardization to a higher suite.

In some cases, for example, customers may be mixing Microsoft 365 subscription levels and Suite levels within their Microsoft 365 tenancies. That means that customers with a less expensive F1 (first-line worker) license or E3 suite license could potentially have access to some of the higher-end features that are only part of Microsoft 365 E5, leading to compliance issues.

Standardization in the cloud is another example: when Microsoft Defender Advanced Threat Protection is enabled within a tenancy, customers legally need to license the feature for every user in that tenancy, similar to the Enterprise Agreement standardization of Office Pro, Core CAL or Windows Pro. Managing compliance for this is somewhat complex and you will need to inventory all users and computers properly. Non-compliance may not be discovered until your organization is audited.


One of the reasons that software vendors encourage Cloud technology transition is recurring revenues from subscriptions and the potential for customer overspend. Unused user accounts, lack of transparency and visibility, and over-sized contracts are the main concerns with Cloud software consumption. To adequately manage Cloud environments and restrict overspend, Application Usage analysis is key. You need to have full insight into what SaaS and IaaS solutions are being used, then scrutinize what is verifiably being used.

To go back to the example of Microsoft 365, do the users have E3 or E5 plans – but are only using E1 or F1 functionality? Do you have consultant “zombie” users that are no longer with the company but still consuming SaaS licenses? If you’re using Salesforce, what plan of Salesforce are you buying and what are you using? Have you committed to Azure or AWS on monthly or yearly spend and are you fully utilizing that investment?  

Conversely, are you running so many VMs and applications in IaaS that you can’t control them anymore? It all comes back to having a clear insight into what is running, and how and what is being used.

License Lock in 

What does Lock in mean? Lock in refers to a situation where it is almost impossible to change or cancel the contract/subscription with the vendor. Vendors use bundled suites, technology, data and price as lock in mechanisms. Bundles include different functionality and SA/Maintenance rules that ensure you purchase an entire suite when you may only need specific functions or components. If you attempt to move away from the suite you are locked in due to contractual stipulations or unable to cancel the subscription as this will require wholesale changes to the deployment and/or dependent technologies.  

Technology or data lock in exists in, for example, Microsoft SharePoint – as you have all your data on SharePoint, which makes it very difficult to migrate to another solution due to technological reasons and potential cost of migration. Lock in due to financial reasons is the most common issue as on-premise solutions become more expensive than Cloud – the vendor will also discount Cloud purchases whilst on-premise solutions attract no cost concession.   


There are more challenges with Cloud than just SaaS; there is also IaaS. Infrastructure as a Service (IaaS) management requires intelligence on what product or service is running within your environment and from which IaaS vendor. How many cores? How much RAM, storage and CPU? In addition, how many users are accessing these platforms?

Xensam’s Cloud Solution 

Xensam manages all the different Cloud technologies, and we always try to apply the same thinking: “Out of the box”. SaaS and IaaS are both handled with the same agent that provides the on-premise data. No extra plugins. Just select the “Cloud” column to see all VMs running as IaaS, and from which vendor. Diving deeper into the VM will reveal all hardware (CPU, Processor, Core, RAM and storage), as well as the software information. In the “Software” section, simply select “Web” in the “Platform” column, and all the Web apps will be presented. You can always drill down in the data and see exactly which computer is being used and precisely how much the user is using the application. All this functionality is included in the standard license at no extra cost and, from a technical perspective, no inconvenient and intrusive browser plug-in is needed either. This data will help you to understand which VMs are being used and which VMs can be terminated. It is also the same data that will drive the decision on whether to move your on-premise VMs to the cloud or keep them on-premise.

Agent-Based Cloud Discovery  

The first advantage of agent-based discovery is the fact that there is no need for any browser plugin as the agent analyses Web apps directly. This negates the need for a plug-in installation for every browser, as well as updates and maintenance for each plugin. Some browsers, for example Mozilla, don’t even allow sideloaded plugins, a trend we will probably see more of in the future.

The challenge with API cloud discovery is the inconsistent recognition due to inaccurate data transfer in API calls. A browser makes plenty of API calls, and a lot of those calls have nothing to do with the actual Web app that you are using, which might result in a false Web app recognition. And since the API only shows that an application has been started, not what is currently being used nor the duration of that usage, Web app usage tracking is almost impossible with API-based cloud discovery. This causes false positives around phantom Web apps and regular oversight of applications that are being used by your business.

Furthermore, the end user can see that their web traffic is being monitored due to the visible installation of the browser plugin. This creates irritation and frustration and can also lead to the end user uninstalling the plugin.

It is also being reported that API plug-in discovery is presenting the opportunity to manipulate the data, creating unnecessary complexity and concern. 

Reasons Not to Use Plugins 

  • Additional Installation for Each Browser
  • Poor Quality Data from Cloud Recognition
  • No Usage Data
  • Irritated End-users
  • End-user can Stop/Remove Plug-ins
  • Manipulation of Data

Xensam Agent Cloud Discovery 

With the native “Xearch” agent, Xensam captures all the Web apps by analyzing the URL, leading to data accuracy and usage data that is unmatched in the industry.  

End-users’ privacy will also be protected as general web traffic is not monitored, nor is the end-user alarmed by the inclusion of a strange plug-in on their browser. There is also no risk of potential manipulation or contamination of the data as the information is broadcast directly and encrypted to the Xensam User Interface.

Furthermore, we can help optimize the Cloud environment based on what is being actively used or not, using a plethora of standard prebuilt reports in the Xensam system. The entire Cloud dataset is delivered via an incredibly intuitive user interface at no added cost. 

One all-encompassing Solution: Xensam SAM Suite. Plug and Play!