New Features - SaaS Security - 2023

Teams functionality available in the Standalone SaaS Security console is now available in Strata Cloud Manager as Application Groups . You can create an application group to group cloud apps and restrict admin access to cloud apps, incidents, and assets on SaaS Security API.

You can now choose to delete or close all associated incidents when you delete a policy rule.

When you are viewing an application's attribute values in the Application Details view in SaaS Security Inline, more precise information is now provided for the following Security and Privacy application attributes.

• Data Retention —Previously, this attribute indicated whether the SaaS application documented its data-retention policies. Now, this attribute indicates how long data is retained by the application after an account is closed.
• Encryption in Transit —Previously, this attribute indicated whether the SaaS application can encrypt network communication by using the Transport Layer Security (TLS) protocol. Now, this attribute identifies the highest level of the Transport Layer Security (TLS) protocol that the SaaS application supports.
• HTTP Security Headers —Previously, this attribute indicated whether the SaaS application used HTTP security headers. Now, this attribute identifies the HTTP security headers that are used by the SaaS application.

Gmail connector now uses limited privileges. The onboarding user can be a custom admin (not a super admin). The application in Google Marketplace also requests for limited permissions only. You can create custom admin roles to reduce permissions for already deployed connectors.

You can now onboard Google drive from the Strata Cloud Manager.

Third-party plugins enable users to extend the capabilities of a SaaS app, but can be a security risk to your organization. When a user adds a plugin, the user might inadvertently grant the plugin access to sensitive data. A plugin with privileged access might be exploited to exfiltrate data or otherwise harm your organization.

To help you address the threats posed by third-party plugins, SSPM gives you visibility into the third-party plugins that are being used in your organization. You can then take action by approving the plugin or by revoking user access to it.

SSPM provides third-party plugin scans for the following SaaS apps:

• Google Workspace
• Office 365
• Slack
• Jira (To enable third-party plugin scans for Jira, you must also onboard the Atlassian app.)
• Confluence (To enable third-party plugin scans for Confluence, you must also onboard the Atlassian app.)

SaaS Security customers using Microsoft Teams connector can no longer monitor chat messages and channel posts using Data Security connectors as Microsoft enforces API usage restrictions for it’s Microsoft Teams Graph APIs. Added changes to support Microsoft customers with E5 licenses.

SaaS Security Inline calculates a risk score for a SaaS app based on application attributes. SaaS Security Inline now displays a new category of attributes for Identity Access Management. The attributes displayed in this new category help you assess the authentication and access-control capabilities of an app. Some attributes in this new category were previously listed as Security and Privacy attributes. In addition, a new attribute in this category indicates whether a SaaS app supports password policies.

For the Security and Privacy attributes category, new attributes were added to indicate whether a SaaS app supports encryption at rest, encryption in transit, native data classification, and more.

SaaS Security Inline now considers these new attributes when calculating risk scores for applications. For this reason, many applications have updated risk scores. If you have previously changed the default risk score for a specific SaaS application, your custom risk score is not affected by any change in the default risk score. If you have configured the global risk score by assigning different weights to attributes, these customizations are also not affected.

Users can now check onboarding status that validates if the connector has onboarded successfully and fetched sample assets and user activities. Failures are reported with appropriate errors so that quick actions can be taken reducing troubleshooting time significantly. These validations are launched for the Office 365 and Microsoft Teams connectors.

For tenants provisioned before June 2, 2021, the SaaS Visibility view ( ExploreSaaS Visibility ) is the default visibility view on SaaS Security API. This feature was already unavailable for tenants provisioned after June 2, 2021, and will be unavailable for all tenants after June 2, 2023. For inline policy enforcement on your network, more granular control over SaaS application usage and user activity, greater analytics, and a large increase in the number of discovered SaaS applications, use SaaS Security Inline.

We are in the process of updating the SaaS Security Administrator’s Guide to include information for new customers and those who are migrating to the Cloud Management Console. Read the following information carefully to learn more about the updated terms and feature availability in the Cloud Management Console. This section will be updated during this transition.

• SaaS Security API is now Data Security in the Cloud Management Console.

• SaaS Security Inline is now Discovered Apps in the Cloud Management Console.

• See Common Services for Subscription and Add-ons, Tenant management, Identity and Access, and Device Association.
• Navigation process in the new Cloud Management Console has been documented wherever applicable.
• Images and screen shots will be updated as customers migrate to the Cloud Management Console.

You can now activate SaaS Security Inline for a VM-Series firewall. You activate SaaS Security Inline for VM-Series firewalls by using Software NGFW credits. This support for VM-Series firewalls supplements SaaS Security Inline's existing support for physical NGFWs and Prisma Access.

You can now connect a Confluence Data Center instance to SaaS Security API to scan for page content, attachments, and comments to gain visibility into your company’s data and protect against data exfiltration. To get started, simply onboard the Confluence Data Center app.

You can connect a Workday instance to Data Security to gain visibility into Workday User Activities. A user activity policy can be defined to create incidents for suspicious activities.

Onboard a Workday App

Supported Content, Remediation, and Monitoring

If you are using the Jira issue tracking system to manage your team's tasks, you can now create Jira tickets directly from SSPM. To configure the Jira integration, you link SSPM to your Jira instance. When you are viewing a policy violation in SSPM, you can then create a Jira ticket to investigate and resolve the misconfiguration.

You can now obtain a standalone license for SSPM. SSPM was previously available only through licenses for larger solutions, such as the CASB on Prisma Access add-on for single tenant or multitenant. SSPM is still available through these larger solutions. Because SSPM is a cloud-delivered service, it does not require Prisma Access or NGFW.

After obtaining a standalone SSPM license, you’ll receive an activation email from Palo Alto Networks. You can then click the email link to activate the license through Common Services.

Syslog and API Client Integration on SaaS Security API now supports one Syslog receiver and one API client app with access to log data.

In addition to the Grid license, SaaS Security API now supports the Select license for Slack Enterprise V2. To get started, onboard the Slack Enterprise V2 app.

Note: The Tenant Detail view is part of a beta release of tenant-level detection. It is provided only for evaluation and testing purposes. For the full release, tenant-level controls in policy recommendations are also planned.

For certain discovered applications, SaaS Security Inline can detect the specific application tenants that are being accessed by users. For these applications, a new Tenant Details view displays details about individual application tenants.

Currently, tenant-level detection is available for the following applications: Bitbucket, Box, Egnyte, Frontify, Github, SharePoint, Slack, WebEx, Workday, Workplace by Facebook, Zendesk, and Zoom.

You can navigate to the Tenant Details view from the Discovered Applications view or the Discovered Users view. The Tenants column for these views shows the number of application instances or tenants that were accessed. Click on the number of tenants to go to the Tenant Details view.

For certain discovered applications, SaaS Security Inline can detect the specific application tenants that are being accessed by users. SaaS Security Inline leverages this capability to provide you with visibility and control at the tenant level for the supported applications. This capability is now extended to support Azure OpenAI applications. For Azure OpenAI applications, you can now submit policy rule recommendations at the tenant level. The policies, if committed on the firewall, will affect only the application tenants identified in the policy recommendation.

For certain discovered applications, SaaS Security Inline can detect the specific application tenants that are being accessed by users. SaaS Security Inline leverages this capability to provide you with visibility and control at the tenant level for the supported applications. This capability is now extended to support the Okta and Confluence applications. For Okta and Confluence applications, you can now submit policy rule recommendations at the tenant level. The policies, if committed on the firewall, will affect only the application tenants identified in the policy recommendation.

For certain discovered applications, SaaS Security Inline can now detect the specific application tenants that users are accessing. SaaS Security Inline uses this new capability to provide you with visibility and control at the tenant level for the supported applications.

• A new Tenant Details view displays details about individual application tenants. You can navigate to the Tenant Details view from the Discovered Applications view or the Discovered Users view. The Tenants column for these views shows the number of application instances or tenants that were accessed. Click on the number of tenants to go to the Tenant Details view.
• You can now submit policy rule recommendations at the tenant level. These policy rules, if committed on the firewall, will affect only the application tenants identified in the policy recommendation. For example, you might create a SaaS policy rule recommendation to block downloads from Box for one tenant only.