SaaS Visibility Application Attributes

Explore attributes on which the risk score for a SaaS application is based.
Attributes are characteristics on which the risk score is calculated. You can drill down into the Application Dictionary to evaluate the attributes for:
  • Vendor and product
    —Basic information about the vendor and its product. For example, Product URL and NPS Score.
  • Compliance
    —Adherence to regulatory standards or framework. For example, GDPR (General Data Protection Regulation) and CJIS (Criminal Justice Information Services).
  • Security and Privacy
    —Product capabilities and terms and conditions that can improve your organization’s security and privacy. For example, Data Ownership.
Compliance program requirements change over time, so verify this information with your organization’s due diligence department before you complete your risk assessment.
Vendor and Product Attributes
Attribute
Summary Description
Detailed Description
App Name
Name of the SaaS application.
Name of the application as it’s known in the industry, preceded by a summary of the SaaS application’s capabilities as expressed by the vendor.
App Domains
Default domain of the SaaS application.
Default domain of the SaaS application.
Category
Product’s service category.
Product’s service category for filtering. For example, Google Chart Tools is categorized as
Analytics
with
Business Intelligence
Level 2 subcategory and
Data Visualization
Level 3 subcategory.
Categories and subcategories are dynamic, changing over time as the product evolves or new industry categories become available. If you need custom categorization, use custom tags.
L2 Subcategory—Product’s service subcategory, Level 2.
L3 Subcategory—Product’s service subcategory, L3.
Consumer Popularity
Popularity as aggregated by social media metrics.
A value derived from social media statistics, including likes, followers, and reviews and used to gauge a product’s perceived quality.
Employee Count
Total employee count.
Total employee count as compiled by various registries. The total is an approximation.
Founded
Date company incorporated or opened for business.
Date company incorporated or opened for business and as outlined in the company’s Articles of Incorporation.
Headquarters Location
Geographic location of company’s strategic planning and executive management.
Geographic location of company’s strategic planning and executive management.
Holding (Public/Private)
Type of ownership.
Ownership shares are publicly traded vs. privately held.
How is this app detected?
Detection methods include:
App-ID classification
—detection method on PAN‑OS 10.1 or later.
URL classification
—detection method prior to PAN-OS 10.1.
You can only create recommendations for enforcement on your firewall for SaaS apps that are detected using App-ID classification. Therefore, the total number of SaaS apps in the
Application Dictionary
will be greater than the number displayed in
Select Applications
when you create a recommendation because your firewall uses App-IDs to identify traffic on your network, and a subset of the SaaS apps in the Application Dictionary do not have App-IDs.
Linkedin URL
Company’s Linkedin profile.
Company’s Linkedin account where you can find more information about the company’s profile.
NPS Score
Indicator of future growth as measured by customer experience and loyalty with a score between <0 (weak) and 100 (strong): % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS application has 35% Promoters and 25% Detractors, the SaaS application’s NPS score is 10.
Indicator of future growth as measured by customer experience and loyalty: % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS application has 35% Promoters and 25% Detractors, the SaaS application’s NPS score is 10. Passives are neutral and do not impact the score.
Opensource
Indicates whether the product is opensource.
SaaS application is opensource. Some analysts argue that there is no evidence that open source is riskier, but there is operational risk if a SaaS vendor doesn’t have infrastructure in place to quickly apply patches to known vulnerabilities.
Privacy policy
Privacy statement disclosure is publicly available.
Privacy statement that outlines how the company’s product gathers, uses, discloses, and manages customer data is publicly available.
Product URL
Website link to get more information about the SaaS application.
Website link to get more information about the SaaS application.
Type of Service
SaaS product’s marketplace niche.
The niche that the SaaS product meets in the marketplace. For example, cloud storage and backup.
Vendor Name
Parent or subsidiary that markets, sells, and distributes the SaaS application.
The entity that markets, sells, and distributes the SaaS application. The vendor can be a subsidiary of a parent company or the parent company itself.
Compliance Attributes
Attribute
Summary Description
Detailed Description
C5
Germany’s Cloud Computing Compliance Controls Catalog (C5) recommendations define operational security against common cyber-attacks.
When in compliance with Germany’s Cloud Computing Compliance Controls Catalog (C5) recommendations, the vendor implemented operational security controls to protect against common cyber-attacks.
CJIS
US FBI’s Criminal Justice Information Services (CJIS) policy on US FBI’s Criminal Justice data security for sensitive criminal justice data.
When in compliance with US FBI’s Criminal Justice Information Services (CJIS) policy, the SaaS application adheres to data security for sensitive criminal justice data.
COBIT
Control Objectives for Information and Related Technologies (COBIT) framework for quality, control, and reliability of information systems.
When in compliance with Control Objectives for Information and Related Technologies (COBIT), the vendor implemented a security framework to ensure quality, control, and reliability of information systems.
COPPA
US Children's Online Privacy Protection Act (COPPA) privacy law governs data collection privacy for children age 13 and under.
When in compliance with US Children's Online Privacy Protection Act (COPPA), the SaaS application adheres to US Federal privacy law that governs what type of information online services can and cannot request from children age 13 and under without parental consent.
CSA STAR
Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) best practices for secure cloud computing environments.
When certified with Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR), indicates that the vendor implemented advanced best practices to ensure a secure cloud computing environment. Certification is based on self-assessment and a third party audit.
FEDRAMP
Federal Risk and Authorization Management (FEDRAMP) program provides security assessment, authorization, and continuous monitoring of cloud products and services.
When in compliance with Federal Risk and Authorization Management (FEDRAMP) program, which provides security assessment, authorization, and continuous monitoring of cloud products and services, SaaS application is authorized for Federal Agency cloud deployments.
FERPA
US Federal Education Rights and Privacy Act (FERPA) privacy law governs parental protections for children's education records.
When in compliance, with US Federal Education Rights and Privacy Act (FERPA) privacy law, the SaaS application complies with parental protections with regard to children's education records, academic and disciplinary reports, and personal and family information.
FINRA
US Federal Industry Regulatory Authority (FINRA) rules govern the integrity of the US financial system.
When in compliance with the Federal Industry Regulatory Authority (FINRA), a broker appears in the Central Registration Depository (CRD) system and is an indication of a security firm’s business integrity.
GAPP
Canadian-US Generally Accepted Privacy Principles (GAPP) data privacy framework for management and prevention of data privacy risks in accounting.
When in compliance with Canadian-US Generally Accepted Privacy Principles (GAPP) data privacy framework, which outlines how accounting professionals collect, use, retain, and disclose identifiable information (PII), indicates that the vendor adheres to principles that manage and prevent privacy risks in accounting, as defined by Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). Also included in SOC 2.
GDPR
EU’s General Data Protection Regulation (GDPR) privacy laws govern the transfer of personal data outside Europe and European Economic Area.
When in compliance with EU’s General Data Protection Regulation (GDPR), the SaaS application complies with EU privacy laws governing the transfer of personal data outside Europe and European Economic Area.
GLBA
US Federal Gramm-Leach Bliley Act (GLBA) privacy law governs the sharing and protection of customer data.
When in compliance with Gramm-Leach Bliley Act (GLBA), the SaaS application complies with US Federal privacy laws that govern the sharing and protection of customer data.
HIPAA
Health Insurance Portability and Accountability Act (HIPPA) standards for protection and confidential handling of health information.
When in compliance with Health Insurance Portability and Accountability Act (HIPPA), the SaaS application complies with laws that mandate the industry-wide standards for health care information, and protection and confidential handling of health information.
HITRUST CSF
HITRUST CSF security framework to meet multiple regulations (ISO/IEC 27000-series and HIPAA) that govern sensitive and regulated data.
When in compliance with HITRUST CSF security framework, which instructs organizations on how to efficiently meet multiple regulations (such as and HIPAA), the vendor implemented security and privacy controls related to how the organization creates, accesses, stores, and exchanges sensitive and regulated data.
ISAE 3402
International Auditing and Assurance Standards Board (ISAE) 3402 reporting standard for auditors of SOC 1 reports.
As defined by International Auditing and Assurance Standards Board (ISAE), when in compliance, the vendor’s SOC1 report adheres to the ISAE 3402 reporting standards for auditors. This report covers internal controls for financial reporting.
ISO 27001
International Organization for Standardization (ISO) 27001 standard for controls and processes related to information security.
When adhering to this International Organization for Standardization (ISO) 27001 mandatory standard, the vendor systematically examines its controls and processes related to information security.
ISO 27002
International Organization for Standardization (ISO) 27002 best practices for security controls implementation.
When adhering to this International Organization for Standardization (ISO) 27002 optional standard, the vendor considers best practices on how to implement security controls.
ISO 27017
International Organization for Standardization (ISO) 27017 updated controls to improve cloud security.
When statement of compliance is received, vendor, updated existing controls related to International Organization for Standardization (ISO) 27001/27002 predecessors for cloud security.
ISO 27018
International Organization for Standardization (ISO) 27018 new controls to improve cloud security.
When statement of compliance is received, vendor, implemented new controls related to International Organization for Standardization (ISO) 27001/27002 predecessors for cloud security.
ISO 9000
ISO 9000 quality definitions and standards for implementation of an ISO 9001-certified quality management system.
Quality definitions and standards for implementing an ISO 9001-certified quality management system.
ISO 9001
ISO 9001 standard for implementation of a ISO-certified quality management system.
When certified, indicates that the vendor’s quality management system adheres to a specific quality standard, which is based on gap analysis and internal audits. This certification is globally recognized. Ongoing evaluation and maintenance is required to retain certification, indicating that vendor consistently provides products and services that meet customer and regulatory requirements and demonstrates continuous improvement of the organization’s products, services, and/or processes.
ITAR
US International Traffic in Arms Regulations (ITAR) export control laws that govern export of defense and military related technologies
When in compliance with US International Traffic in Arms Regulations (ITAR) export control laws that govern export of defense and military related technologies, indicates that the vendor has the necessary safeguards to protect US national security and foreign policy objectives. Compliance includes registration with US Directorate of Defense Trade Controls (DDTC).
Jericho Forum Commandments
(now The Open Group Security Forum) principles for cloud security.
When in agreement with Jericho Forum Commandments (now
The Open Group Security Forum
) principles, indicates that the vendor subscribes to the best practice that security solutions should not rely on a network as a security perimeter, but rather cloud security ("de-perimeterisation").
NIST SP 800-53
US National Institute of Standard and Technology (NIS SP 800-53) standard and guidelines for FISMA compliance govern security and privacy of federal information systems.
When in compliance with US National Institute of Standard and Technology (NIS SP 800-53) standard and guidelines for FISMA compliance, indicates that the vendor adheres to regulations that govern security and privacy of federal information systems.
PCI
Payment Card Industry (PCI) security best practices for storing and transmitting consumer credit card data in the cloud.
When in compliance with Payment Card Industry (PCI), indicates that the provider hosting your credit card data adheres to specific security best practices for storing and transmitting your credit card data in the cloud.
Privacy Shield
EU-US and Swiss-US Privacy Shield framework for transferring personal data from the EU and Switzerland to the US.
When in compliance with EU-US and Swiss-US Privacy Shield framework, indicates that the vendor has a mechanism in place to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US.
Privacy Mark (Japan)
JIPDEC award for safe and secure data standards in business operations.
When awarded this compliance mark by JIPDEC, vendor organized its business operations in accordance with safe and secure data standards.
Safe Harbor Compliance
EU-US Safe Harbor framework governs privacy of data transfered within European Economic Area (EEA).
When in compliance, SaaS application complies with EU-US Safe Harbor framework that governs privacy of data transfered within European Economic Area (EEA).
SSAE 18
Statement for Attestation Engagement Standards (SSAE) compliance, as defined by American Institute of Certified Public Accountants (AICPA), comprise internal controls for financial reporting compatible with globally accepted accounting principles.
As defined by American Institute of Certified Public Accountants (AICPA) for Attestation Engagement Standards (SSAE), including SSAE 18, formerly SAS70 and SSAE 16, when compliant, indicates that the vendor has effective internal controls for financial reporting compatible with globally accepted accounting principles such as ISAE 3402.
SOC 1
SOC 1 (System and Organization Controls) audit, as defined by American Institute of Certified Public Accountants (AICPA), comprises internal controls for financial reporting.
As defined by American Institute of Certified Public Accountants (AICPA), for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 1 audit of internal controls for financial reporting in accordance with SSAE 18 standards, which includes Type 1 (snapshot in time) and Type 2 (6-month period) reports.
SOC 2
SOC 2 (System and Organization Controls) audit, as defined by American Institute of Certified Public Accountants (AICPA), comprises including security, availability, processing integrity, and data privacy.
As defined by American Institute of Certified Public Accountants (AICPA), for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 2 audit in accordance with SSAE 18 standard and vendor received a SOC 2 report, which is written for a customer audience. This audit offers assurance related to:
  • security, availability, processing integrity of provider’s system.
  • confidentiality of the information that the provider’s system processes or maintains for users.
  • privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for users.
SOC 3
SOC 3 (System and Organization Controls) audit, as defined by American Institute of Certified Public Accountants (AICPA), comprises including security, availability, processing integrity, and data privacy.
As defined by American Institute of Certified Public Accountants (AICPA), SOC 3 audit covers the same audit as SOC 2—including security, availability, processing integrity, and data privacy. However, a SOC 3 audit results in a SOC 3 report, which has less detail and specifically written for a general audience.
SOX
Sarbanes-Oxley Act (SOX) law governs the accuracy of financial information.
When in compliance with Sarbanes-Oxley Act (SOX), vendor had an independent, annual audit whereby vendor provided proof of accurate and secure financial reporting.
TRUSTArc
TRUSTArc certification of privacy management processes.
When certified, indicates the company’s privacy management processes comply with US government laws and best practices as examined by TRUSTArc, a privacy compliance technology company.
Security and Privacy Attributes
Attribute
Description
Data Ownership
Based on the SaaS app’s terms and conditions, one of the following values displays:
  • Customer Ownership
    —Your organization has full rights over the data when using the service. For example, the terms and conditions might state, “...
    as between the parties, user owns all intellectual property rights in user data and user applications
    ....”
  • Vendor Ownership
    —Your organization grants the service access to use the data. For example, the terms and conditions might state, “
    ...You acknowledge and agree that any questions, comments, suggestions, ideas, feedback, or other information regarding the Site (“Submissions”) provided by you to us are non-confidential and shall become our sole property
    ....”
  • Unknown
    —Attribute for the SaaS app is under research.
Regardless of the value that displays in the SaaS Security web interface, it’s important that you have your Legal team review the service’s terms and conditions before you onboard the SaaS app.
IP Based Restriction
IP based restriction is the ability to restrict login access to the SaaS application for specific IP addresses. Based on the SaaS application’s capabilities, one of the following values displays:
  • —SaaS application offers the ability to configure IP based restriction.
  • No
    —SaaS application does not offer IP based restriction.
  • Unknown
    —Attribute for the SaaS app is under research.
MFA
Multi‑factor Authentication (MFA) offers an additional layer of security for login access. Based on the SaaS application’s capabilities, one of the following values displays:
  • —SaaS application offers the ability to enable MFA.
  • No
    —SaaS application does not offer MFA.
  • Unknown
    —Attribute for the SaaS app is under research.
SAML
Security Assertion Markup Language (SAML) is an additional security control that enables users to authenticate to the SaaS application using Single sign‑on (SSO) or company credentials. Based on the SaaS application’s capabilities, one of the following values displays:
  • —SaaS application offers the ability to enable SAML.
  • No
    —SaaS application does not offer SAML.
  • Unknown
    —Attribute for the SaaS app is under research.

Recommended For You