Secure Cloud Apps

The Palo Alto Networks Aperture service allows you to consistently define and enforce policy for securing data across all of your sanctioned software as a service (SaaS) applications. Although each SaaS application has its own settings to secure how users can store and share data, the settings and levels of enforcement vary by application. By adding your SaaS applications to the Aperture service, you gain visibility into and control over how your users access and share data across all of your sanctioned SaaS applications.
When the Aperture service first connects to a SaaS application, it scans all the assets in the application and matches them against the policy rules to retroactively uncover incidents, and then displays all active incidents on the Dashboard. To maximize the results from this initial discovery process, configure the global scan settings for policy, examine your corporate acceptable use policy for SaaS applications, and review the default policy rules in the Aperture service before you start the scan.
Configure the Aperture service to control unmanaged device access to your sanctioned SaaS applications by redirecting traffic through your next-generation firewall. Using your existing corporate Identity Provider, add Aperture and SaaS application integration to authenticate requests and grant access to users, with Aperture acting as a SAML proxy.
Additionally, you can use Aperture to connect to your Cortex Data Lake to access your next-generation firewall or GlobalProtect Cloud Service logs to present a holistic view of sanctioned and unsanctioned SaaS application usage. This SaaS visibility on Aperture gives you granular control over SaaS access, unsanctioned application usage, and external exposure of data.
While the Aperture service performs deep content inspection, it does not store any data from your monitored SaaS applications. It stores only metadata about your assets, which is data about your data.
