SaaS Visibility Application Attributes
Explore attributes on which the risk score for a SaaS app is based.
Where Can I Use This? | What Do I Need? |
---|---|
| Or any of the following licenses that include the SaaS Security Inline license: |
Attributes are characteristics on which the risk score is calculated. You can
drill down into the Application Dictionary to evaluate
the attributes for:
- Vendor and product—Basic information about the vendor and its product. For example, Product URL and NPS Score.
- Compliance—Adherence to regulatory standards or framework. For example, GDPR (General Data Protection Regulation) and CJIS (Criminal Justice Information Services).
- Security and Privacy—Product capabilities and terms and conditions that can improve your organization’s security and privacy. For example, Data Ownership.
- Identity Access Management—Information about the product's authentication and access-control capabilities.
- GenAI—For GenAI apps only, information about the GenAI app. For example, whether the app vendor uses user-submitted data to train GenAI models.
Compliance program requirements change over time, so verify this
information with your organization’s due diligence department before
you complete your risk assessment.
Attribute | Summary Description | Detailed Description |
---|---|---|
App Name | Name of the SaaS app. | Name of the app as it’s known in the industry, preceded by a summary of the SaaS app’s capabilities as expressed by the vendor. |
App Domains | Default domain of the SaaS app. | Default domain of the SaaS app. |
Category | Product’s service category. | Product’s service category, used for filtering. For example, Google Chart Tools is categorized as Analytics, with Business Intelligence as its Level 2 subcategory and Data Visualization as its Level 3 subcategory. Categories and subcategories are dynamic, changing over time as the product evolves or new industry categories become available. If you need custom categorization, use custom tags. |
L2 Subcategory | Product’s service subcategory, Level 2. | Product’s service subcategory, Level 2 (see Category). |
L3 Subcategory | Product’s service subcategory, Level 3. | Product’s service subcategory, Level 3 (see Category). |
Consumer Popularity | Popularity as aggregated from social media metrics. | A value derived from social media statistics, including likes, followers, and reviews, used to gauge a product’s perceived quality. |
Employee Count | Total employee count. | Total employee count as compiled from various registries. The total is an approximation. |
Founded | Date the company incorporated or opened for business. | Date the company incorporated or opened for business, as recorded in the company’s Articles of Incorporation. |
Headquarters Location | Geographic location of the company’s strategic planning and executive management. | Geographic location of the company’s strategic planning and executive management. |
Holding (Public/Private) | Type of ownership. | Whether ownership shares are publicly traded or privately held. |
How is this app detected? | Detection method: App-ID classification (detection on PAN‑OS 10.1 or later) or URL classification (URL-based App-ID). | You can only create recommendations for enforcement on your firewall for SaaS apps that are detected using App-ID classification. Therefore, the total number of SaaS apps in the Application Dictionary will be greater than the number displayed in Select Applications when you create a recommendation, because your firewall uses App-IDs to identify traffic on your network, and a subset of the SaaS apps in the Application Dictionary don’t have App-IDs. |
LinkedIn URL | Company’s LinkedIn profile. | Company’s LinkedIn account, where you can find more information about the company’s profile. |
NPS Score | Indicator of future growth as measured by customer experience and loyalty, with a score between -100 (weak) and 100 (strong): % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS app has 35% Promoters and 25% Detractors, its NPS score is 10. | Indicator of future growth as measured by customer experience and loyalty: % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS app has 35% Promoters and 25% Detractors, its NPS score is 10. Passives are neutral and don’t affect the score. |
Opensource | Indicates whether the product is open source. | The SaaS app is open source. Some analysts argue that there is no evidence that open source is riskier, but there is operational risk if a SaaS vendor does not have the infrastructure in place to quickly apply patches for known vulnerabilities. |
Privacy policy | A privacy statement disclosure is publicly available. | A privacy statement that outlines how the company’s product gathers, uses, discloses, and manages customer data is publicly available. |
Product URL | Website link to get more information about the SaaS app. | Website link to get more information about the SaaS app. |
Type of Service | SaaS product’s marketplace niche. | The niche that the SaaS product fills in the marketplace. For example, cloud storage and backup. |
Vendor Name | Parent or subsidiary that markets, sells, and distributes the SaaS app. | The entity that markets, sells, and distributes the SaaS app. The vendor can be a subsidiary of a parent company or the parent company itself. |
Attribute | Summary Description | Detailed Description |
---|---|---|
C5 | Germany’s Cloud Computing Compliance Controls Catalog (C5) defines baseline operational security controls against common cyberattacks. | When in compliance with Germany’s Cloud Computing Compliance Controls Catalog (C5), the vendor implemented operational security controls to protect against common cyberattacks. |
CJIS | The US FBI’s Criminal Justice Information Services (CJIS) Security Policy sets data security requirements for sensitive criminal justice information. | When in compliance with the US FBI’s CJIS Security Policy, the SaaS app adheres to the data security requirements for sensitive criminal justice information. |
COBIT | Control Objectives for Information and Related Technologies (COBIT) framework for the quality, control, and reliability of information systems. | When in compliance with COBIT, the vendor implemented a governance framework to ensure the quality, control, and reliability of its information systems. |
COPPA | US Children’s Online Privacy Protection Act (COPPA) privacy law governs data collection from children under age 13. | When in compliance with COPPA, the SaaS app adheres to the US Federal privacy law that governs what information online services can and can’t collect from children under age 13 without verifiable parental consent. |
CSA STAR | Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) program of best practices for secure cloud computing environments. | When certified under CSA STAR, the vendor implemented advanced best practices to ensure a secure cloud computing environment. STAR Level 1 is a self-assessment; STAR Level 2 requires a third-party audit. |
FEDRAMP | The Federal Risk and Authorization Management Program (FedRAMP) provides standardized security assessment, authorization, and continuous monitoring of cloud products and services used by US federal agencies. | When authorized under FedRAMP, the SaaS app has passed security assessment and authorization, is under continuous monitoring, and is approved for US Federal Agency cloud deployments. |
FERPA | US Family Educational Rights and Privacy Act (FERPA) privacy law governs the rights of parents and eligible students over education records. | When in compliance with FERPA, the SaaS app complies with the protections the law gives parents and eligible students over education records, including academic and disciplinary records and personal and family information. |
FFIEC | The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the US government made up of several financial regulatory agencies. | The FFIEC publishes guidelines for IT management, cybersecurity, and protection of consumer financial data. Failure to comply with FFIEC guidelines can result in fines and penalties for federally supervised financial institutions. When in compliance with the FFIEC, the SaaS app follows the guidelines, practices, and principles laid out by the FFIEC. |
FINRA | US Financial Industry Regulatory Authority (FINRA) rules govern the integrity of the US financial system. | When in compliance with FINRA rules, the vendor adheres to the rules that govern the integrity of the US financial system. |
FISMA | The Federal Information Security Management Act (FISMA) defines requirements for the storage and processing of government data. | FISMA requires federal agencies and their private-sector vendors to implement information security controls that protect federal information systems. All private-sector firms that sell services to the federal government must comply with FISMA requirements. Compliance with FISMA indicates that the vendor adheres to those requirements. |
GAPP | Canadian-US Generally Accepted Privacy Principles (GAPP) data privacy framework for managing and preventing data privacy risks. | When in compliance with GAPP, which outlines how organizations collect, use, retain, and disclose personally identifiable information (PII), the vendor adheres to the privacy principles defined by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). GAPP also forms the basis of the privacy criteria in SOC 2. |
GDPR | The EU’s General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the EU and the European Economic Area (EEA), including transfers of that data outside the EEA. | When in compliance with the GDPR, the SaaS app complies with EU privacy law governing how personal data of EU and EEA residents is processed and transferred outside the EEA. |
GLBA | US Federal Gramm-Leach-Bliley Act (GLBA) privacy law governs the sharing and protection of customer financial data. | When in compliance with the Gramm-Leach-Bliley Act (GLBA), the SaaS app complies with US Federal privacy law that governs the sharing and protection of customer data. |
HIPAA | Health Insurance Portability and Accountability Act (HIPAA) standards for the protection and confidential handling of health information. | When in compliance with HIPAA, the SaaS app complies with the law that mandates industry-wide standards for health care information and for the protection and confidential handling of health information. |
HITRUST CSF | HITRUST CSF security framework that harmonizes multiple regulations and standards (such as the ISO/IEC 27000 series and HIPAA) governing sensitive and regulated data. | When in compliance with the HITRUST CSF, which instructs organizations on how to efficiently meet multiple regulations (such as the ISO/IEC 27000 series and HIPAA), the vendor implemented security and privacy controls governing how it creates, accesses, stores, and exchanges sensitive and regulated data. |
ISAE 3402 | International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB), is the reporting standard for assurance reports on controls at a service organization and the international counterpart of SOC 1. | When in compliance, the vendor’s service-organization control report adheres to the ISAE 3402 reporting standard as defined by the IAASB. This report covers internal controls relevant to financial reporting. |
ISO 27001 | International Organization for Standardization (ISO) 27001 standard specifying the requirements for an information security management system. | When adhering to ISO 27001, the certifiable requirements standard, the vendor systematically examines its controls and processes related to information security under a management system that can be audited. |
ISO 27002 | International Organization for Standardization (ISO) 27002 guidance on implementing information security controls. | When adhering to ISO 27002, a guidance standard rather than a certifiable one, the vendor follows best practices on how to implement security controls. |
ISO 27017 | International Organization for Standardization (ISO) 27017 cloud-specific guidance that extends the ISO 27002 controls for cloud service providers and customers. | When a statement of compliance is received, the vendor applied the cloud-specific implementation guidance and additional controls of ISO 27017 on top of its ISO 27001/27002 controls. |
ISO 27018 | International Organization for Standardization (ISO) 27018 code of practice for protecting personally identifiable information (PII) in public clouds. | When a statement of compliance is received, the vendor implemented the additional ISO 27018 controls for protecting PII processed in its public cloud, building on its ISO 27001/27002 controls. |
ISO 9000 | ISO 9000 quality definitions and standards for implementation of an ISO 9001-certified quality management system. | Quality definitions and standards for implementing an ISO 9001-certified quality management system. |
ISO 9001 | ISO 9001 standard for implementation of an ISO-certified quality management system. | When certified, indicates that the vendor’s quality management system adheres to a specific quality standard, which is based on gap analysis and internal audits. This certification is globally recognized. Ongoing evaluation and maintenance is required to retain certification, indicating that the vendor consistently provides products and services that meet customer and regulatory requirements and demonstrates continuous improvement of its products, services, and/or processes. |
ITAR | US International Traffic in Arms Regulations (ITAR) export control laws that govern the export of defense and military-related technologies. | When in compliance with ITAR export control laws, which govern the export of defense and military-related technologies, the vendor has the necessary safeguards to protect US national security and foreign policy objectives. Compliance includes registration with the US Directorate of Defense Trade Controls (DDTC). |
Jericho Forum Commandments | Jericho Forum (now The Open Group Security Forum) commandments: design principles for security that does not depend on a network perimeter. | When in agreement with the Jericho Forum Commandments (the Jericho Forum is now The Open Group Security Forum), the vendor subscribes to the principle that security should not rely on the network as a perimeter; instead, protections travel with the data and services themselves ("de-perimeterisation"), which is the model that cloud services require. |
NIST SP 800-53 | US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 catalog of security and privacy controls for federal information systems, used for FISMA compliance. | When in compliance with NIST SP 800-53, the vendor implemented the security and privacy controls that govern federal information systems. |
PCI | Payment Card Industry Data Security Standard (PCI DSS) requirements for storing, processing, and transmitting cardholder data. | When in compliance with PCI DSS, the provider hosting your cardholder data adheres to the security requirements for storing, processing, and transmitting that data in the cloud. |
Privacy Shield | EU-US and Swiss-US Privacy Shield framework for transferring personal data from the EU and Switzerland to the US. | When in compliance with the EU-US and Swiss-US Privacy Shield framework, the vendor had a mechanism in place to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US. The Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II); its successor is the EU-US Data Privacy Framework (2023). Treat this attribute as historical and check whether the vendor participates in the successor framework. |
Privacy Mark (Japan) | JIPDEC PrivacyMark for safe and secure handling of personal information in business operations. | When awarded this mark by JIPDEC, the vendor organized its business operations in accordance with safe and secure data standards. |
Safe Harbor Compliance | EU-US Safe Harbor framework governed the transfer of personal data from the European Economic Area (EEA) to the US. | When in compliance, the SaaS app complied with the EU-US Safe Harbor framework that governed the privacy of personal data transferred from the EEA to the US. Safe Harbor was invalidated by the Court of Justice of the EU in October 2015 (Schrems I) and was superseded by the Privacy Shield, which was itself invalidated in 2020; treat this attribute as historical. |
SSAE 18 | American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 18, successor to SAS 70 and SSAE 16, for attestation reports on a service organization’s controls. | When compliant, the vendor has obtained an attestation under SSAE 18 that it has effective internal controls for financial reporting. SSAE 18 is the US counterpart of the international ISAE 3402 standard. |
SOC 1 | SOC 1 (System and Organization Controls) audit, as defined by the AICPA, covers internal controls relevant to financial reporting. | As defined by the AICPA for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 1 audit of internal controls for financial reporting in accordance with SSAE 18. Reports are Type 1 (control design at a point in time) or Type 2 (operating effectiveness over a period, typically 6 to 12 months). |
SOC 2 | SOC 2 (System and Organization Controls) audit, as defined by the AICPA, covers the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. | As defined by the AICPA for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 2 audit in accordance with SSAE 18 and that the vendor received a SOC 2 report, which is written for a customer audience. This audit offers assurance related to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. |
SOX | Sarbanes-Oxley Act (SOX) law governs the accuracy of financial information. | When in compliance with the Sarbanes-Oxley Act (SOX), the vendor had an independent, annual audit in which it provided proof of accurate and secure financial reporting. |
TRUSTArc | TrustArc certification of privacy management processes. | When certified, indicates that the company’s privacy management processes comply with US government laws and best practices as examined by TrustArc, a privacy compliance technology company. |
Attribute | Description |
---|---|
Audit Log | This attribute indicates whether the SaaS app can record user actions to a log file for later analysis. Based on the SaaS app's capabilities, one of the following values displays: |
Data Ownership | Based on the SaaS app’s terms and conditions, one of the following values displays: Regardless of the value that displays in the SaaS Security web interface, have your Legal team review the service’s terms and conditions before you onboard the SaaS app. |
Data Retention | This attribute identifies the SaaS app's data-retention policies. Based on the SaaS app, one of the following values displays: |
Disaster Recovery | This attribute indicates whether the SaaS app has a comprehensive contingency plan for responding to disasters. Following a natural disaster or an orchestrated attack, the SaaS app provider should have an established plan for recovering data. Based on the SaaS app, one of the following values displays: |
Encryption at Rest | Identifies whether the data stored in the SaaS app’s data center or in cloud storage is encrypted. Based on the SaaS app, one of the following values displays: |
Encryption in Transit | This attribute identifies the highest version of the Transport Layer Security (TLS) protocol that the SaaS app supports. Based on the SaaS app's capabilities, one of the following values displays: |
Encryption Strength at Rest | If the data managed by the SaaS app is encrypted, this attribute identifies the encryption strength. Based on the SaaS app's capabilities, one of the following values displays: |
File/Content Sharing | File sharing refers to enabling shared access to documents managed by the SaaS app. File sharing introduces the risk of malware and the loss or exposure of sensitive information. Based on the SaaS app's capabilities, one of the following values displays: |
Native Data Classification | This attribute indicates whether the SaaS app provides features for classifying the data that it manages. Data classification enables you to organize data into categories, which helps you identify sensitive data. Identifying sensitive data helps you protect it and comply with applicable laws. Based on the SaaS app's capabilities, one of the following values displays: |
HTTP Security Headers | This attribute identifies the HTTP security headers that the SaaS app sends. HTTP security headers help protect against common web attacks, such as clickjacking (X-Frame-Options or a Content-Security-Policy frame-ancestors directive) and Cross-Site Scripting (XSS) (Content-Security-Policy). Based on the HTTP security headers that are used, one or more of the following values display: |
Privacy Policy | This attribute indicates whether the SaaS app has a published privacy policy. A privacy policy describes how the SaaS app or app provider handles user data. For example, a privacy policy might include information about how data is collected, managed, or disclosed. Based on the SaaS app, one of the following values displays: |
Protected from Downgrade Attacks | This attribute indicates whether the SaaS app is protected from TLS downgrade attacks. A downgrade attack (also known as a version rollback or bidding-down attack) attempts to force a connection onto an older and less secure version of a protocol or cryptographic algorithm. A SaaS app is vulnerable to TLS downgrade attacks if it allows connections to fall back to deprecated versions of TLS with known vulnerabilities, such as TLS 1.0 and TLS 1.1. Based on the TLS versions that the SaaS app supports, one of the following values displays: |
Session Timeout | This attribute identifies the time range in which the SaaS app's session timeout occurs. A session timeout feature forces the user to log in again if the user has not performed any actions for a set period. Based on the SaaS app's capabilities, one of the following values displays: |
Spoof Risk Level | This attribute identifies how well the SaaS app's domain is protected from domain spoofing. To determine this, SaaS Security Inline examines the domain's DNS records for Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). A SaaS app domain with a weak DNS configuration (for example, no SPF or DMARC record, or a DMARC policy of p=none) is prone to being used in phishing attacks. Based on the SaaS app domain's DNS configuration, one of the following values displays: |
Terms and Conditions | This attribute indicates whether the SaaS app has a published set of terms and conditions. Based on the SaaS app, one of the following values displays: |
Third Party Data Sharing | This attribute indicates whether the SaaS app can share user data with third-party apps or services. Based on the SaaS app, one of the following values displays: |
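The HTTP Security Headers and Spoof Risk Level rows above name the evidence SaaS Security Inline looks at (response headers that mitigate clickjacking and XSS; SPF and DMARC records in DNS) but not how it scores it. The following is an added example, not code from this page or from Palo Alto Networks, showing how a practitioner would derive both attributes from that evidence. The High/Medium/Low labels, the one-year HSTS threshold, the header list, and the domains and response headers (well-configured.example, partial.example, open.example) are all assumptions and constructed samples so that the script runs offline; in practice the TXT records come from DNS queries for the domain and its _dmarc subdomain.

```python
"""Rate two Security and Privacy attributes from raw evidence: Spoof Risk
Level from a domain's SPF and DMARC TXT records, and HTTP Security Headers
from a response header set.

Added example, not SaaS Security Inline's own logic. The labels, thresholds
and header list are assumptions; the records and headers below are
constructed samples, not real lookups.
"""
import re


def split_directives(value):
    """Parse 'k=v; k2=v2' text (DMARC, HSTS) into a lowercase dict."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            out[k.strip().lower()] = v.strip().lower()
    return out


# ---- Spoof Risk Level -------------------------------------------------------

def spf_all_qualifier(txt):
    """Qualifier of the final 'all' term ('-', '~', '?', '+'), or None if no SPF."""
    parts = (txt or "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    qualifier = "?"                                 # no 'all' term acts as neutral
    for term in parts[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"           # bare 'all' means '+all' (pass)
    return qualifier


def spoof_risk(spf_txt, dmarc_txt):
    """Return an assumed risk label: 'High', 'Medium' or 'Low'."""
    spf = spf_all_qualifier(spf_txt)
    dmarc = split_directives(dmarc_txt or "")
    if dmarc.get("v") != "dmarc1":                  # absent or malformed record
        dmarc = {}
    policy = dmarc.get("p")
    try:
        pct = int(dmarc.get("pct", "100"))
    except ValueError:
        pct = 0
    if spf is None or spf == "+":                   # no SPF, or '+all': anyone passes SPF
        return "High"
    if not dmarc or policy in (None, "none"):       # no DMARC, or p=none: spoofs still delivered
        return "High"
    if policy in ("quarantine", "reject") and pct == 100 and spf in ("-", "~"):
        return "Low"                                # enforced on all mail, restrictive SPF
    return "Medium"                                 # partial rollout (pct<100) or '?all'


# ---- HTTP Security Headers --------------------------------------------------

def _hsts_ok(value):
    try:                                            # assumed bar: max-age of at least one year
        return int(split_directives(value).get("max-age", "0")) >= 31536000
    except ValueError:
        return False


def _csp_frames_ok(value):
    # CSP directives are 'name value', so check each ';'-separated directive by prefix
    return any(d.strip().lower().startswith("frame-ancestors") for d in value.split(";"))


# header -> (attack it mitigates, predicate that the value is actually protective)
HEADER_CHECKS = {
    "strict-transport-security": ("TLS stripping", _hsts_ok),
    "content-security-policy": ("XSS and clickjacking", _csp_frames_ok),
    "x-frame-options": ("clickjacking", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": ("MIME sniffing", lambda v: v.strip().lower() == "nosniff"),
}


def evaluate_headers(headers):
    """Return {header: 'present' | 'weak' | 'missing'}; names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, (_, ok) in HEADER_CHECKS.items():
        if name not in lowered:
            result[name] = "missing"
        else:
            result[name] = "present" if ok(lowered[name]) else "weak"
    return result


# ---- Constructed samples (hypothetical domains and response, not real lookups)
SAMPLE_DNS = {
    "well-configured.example": ("v=spf1 include:_spf.example.net -all",
                                "v=DMARC1; p=reject; rua=mailto:dmarc@well-configured.example"),
    "partial.example": ("v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=quarantine; pct=50"),
    "open.example": ("v=spf1 +all", None),
}
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",                # too short to matter
    "X-Frame-Options": "ALLOW-FROM https://partner.example",   # deprecated; browsers ignore it
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}


def rate_domains(samples=SAMPLE_DNS):
    return {d: spoof_risk(spf, dmarc) for d, (spf, dmarc) in samples.items()}


if __name__ == "__main__":
    for d, level in rate_domains().items():
        print(f"{d:26} spoof risk: {level}")
    for h, status in evaluate_headers(SAMPLE_HEADERS).items():
        print(f"{h:28} {status:8} ({HEADER_CHECKS[h][0]})")
```

The point of the "weak" state is that a header being present is not the same as it being protective: a short HSTS max-age or a deprecated X-Frame-Options value gives no real coverage, which is the same distinction a reviewer should apply when reading the attribute values in the Application Dictionary.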
Attribute | Description |
---|---|
IP Based Restriction | IP-based restriction is the ability to restrict login access to the SaaS app to specific IP addresses. Based on the SaaS app’s capabilities, one of the following values displays: |
MFA | Multi‑factor Authentication (MFA) offers an additional layer of security for login access. Based on the SaaS app’s capabilities, one of the following values displays: |
Password Policy | This attribute indicates whether the SaaS app supports password policies, such as rules for password complexity or an expiration period for passwords. Based on the SaaS app's capabilities, one of the following values displays: |
RBAC | Role-based access control (RBAC) enables you to manage user access to operations based on the user's job function. To perform administrative actions, a user must be assigned to a role with administrator permissions. Based on the SaaS app's capabilities, one of the following values displays: |
SAML | Security Assertion Markup Language (SAML) is an additional security control that enables users to authenticate to the SaaS app using Single sign‑on (SSO) or company credentials. Based on the SaaS app’s capabilities, one of the following values displays: |
Attribute | Description |
---|---|
Data Used In Models | This attribute indicates whether the app vendor uses user-submitted data to train GenAI models. Based on information derived from the app documentation, such as terms and conditions agreements or a data policy, one of the following values displays: |
Enterprise Plan | This attribute indicates whether the app vendor offers an enterprise plan and support for the GenAI app. |
Features | This attribute identifies the GenAI capabilities of the app. For example, it indicates whether the app provides GenAI capabilities for conversational chat, image editing, image generation, video editing, video generation, and writing assistance. |
Input Data Types | The type of input that the GenAI model requires or accepts. Possible input formats include the following data types: |
Interface | The types of interfaces that are available for accessing the GenAI SaaS app. Possible interfaces include the following: |
Output Data Types | The type of output that the GenAI model returns to the user. Possible output formats include the following data types: |
Popularity | This attribute is a number that indicates how popular the GenAI app is, based on PAN-DB URL statistics. There are three popularity ranges, representing low, medium, and high popularity; for more information, see the Popularity Range attribute. The GenAI risk score calculation treats both low and high popularity as greater risk: low popularity because apps with fewer users are more likely to have issues related to compliance, data security, and so on, and high popularity because a data breach would have a large impact. |
Popularity Range | The range into which the Popularity attribute value falls. The GenAI app falls into one of the following popularity ranges, which represent low, medium, and high popularity. These ranges affect how SaaS Security Inline weighs the Popularity attribute when calculating the GenAI risk score. |
Terms Conditions Data Usage | This attribute indicates whether the SaaS app has a published privacy policy that describes the terms and conditions for the handling of user data. Based on the SaaS app, one of the following values displays: |