Learn about the guidelines for effective collaboration
between the network administrator and the SaaS administrator on policy rule
management.
Where Can I Use This?
NGFW (Managed by Panorama or Strata Cloud Manager)
Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
SaaS Security Inline license
NGFW or Prisma Access license
Or any of the following licenses that include the SaaS Security Inline license:
CASB-X
CASB-PA
Before you create SaaS policy rule recommendations,
consider the following guidelines for effective workflow and rulebase
management, starting with collaboration, followed by authoring.
SaaS security is a team effort. In most large organizations, the administrator who authors SaaS
policy rule recommendations is distinct from the administrator who has the authority
to import and commit those rule recommendations to Security policy—each contributor
playing a unique role in security. Your platform provides the unique role permissions to enforce your
organization’s workflows.
SaaS Security Inline tightly integrates with your Palo Alto Networks NGFW or Prisma Access and uses SaaS policy rule recommendations
to facilitate a seamless workflow between your organization’s SaaS administrator and
NGFW administrator or Prisma Access administrator. A SaaS
policy rule recommendation is a request from the SaaS administrator to the NGFW administrator or Prisma Access administrator for specific
SaaS policy enforcement. Such collaboration is designed to increase your
organization’s security posture.
As you collaborate on SaaS policy rule recommendations, adhere
to the following workflow guidelines:
Collaborate on policy rule authoring—Product integration enables collaboration, but isn’t
intended to replace communication. Because an NGFW administrator
or Prisma Access administrator understands all the intricacies of Security
policy and your organization’s rulebase, the integration provides the NGFW administrator or Prisma Access administrator complete
control and flexibility to override any SaaS administrator’s SaaS policy rule
recommendation. Although a SaaS administrator can recommend Security policy
rules, the actual rule that the NGFW administrator or Prisma Access administrator creates determines enforcement and isn’t
displayed in the SaaS Security Inline web interface. However,
collaboration works best when both administrators operate as if the SaaS side is
the source of truth.
Collaborate on policy rule management—SaaS policy rule recommendations might require
changes, either to improve the rule or to resolve an error. In such cases, NGFW administrators or Prisma Access administrators don’t
delete the SaaS policy rule recommendations, or the Security policy rules on
which the SaaS policy rule recommendations are based; rather, the NGFW administrator or Prisma Access administrator asks the
SaaS administrator to modify the existing recommendation, or to delete it and create a
new rule with the agreed-upon changes, to keep the interfaces in sync.
Collaborate daily—The sooner your policy rule recommendations are active, the sooner your
organization will prevent risky SaaS app usage. It's recommended that NGFW administrators or Prisma Access administrators check and
implement policy rule recommendations daily. If the NGFW
administrator or Prisma Access administrator did not import a SaaS policy
rule recommendation, the recommendation might not be in good order, and the SaaS
administrator must promptly coordinate with the network administrator to modify
the recommendation.
Guidelines for SaaS Policy Rule Recommendation Authoring
It’s important for SaaS administrators to help NGFW administrators or Prisma Access administrators keep the
rulebase manageable (avoid shadow rules or conflicting rules) by creating SaaS
policy rule recommendations that are targeted. Before you create your SaaS policy
rule recommendations, adhere to the following authoring guidelines to achieve SaaS
policy rule recommendations that meet your organization’s unique security needs:
Wait for the data—Wait for SaaS Security Inline to display 7 business days of
analytics, then analyze and view the discovered SaaS apps.
Research user behavior—Reach out to your users to find
out why and how they use specific SaaS apps, and if they have business
reasons for doing so.
Determine risk tolerance—Each organization has its own
risk tolerance. Understand and identify your organization’s risk
tolerance and existing compliance agreements.
Assess SaaS app compliance—Assess the compliance attributes for
the SaaS apps your users use based on your organization’s risk tolerance
and existing compliance agreements. Define custom risk scores, if
necessary, to represent how your company perceives the risk of individual
SaaS apps.
Categorize your SaaS apps—Tag SaaS apps as sanctioned,
unsanctioned, or tolerated based on your organization’s
business, risk tolerance, and compliance and contract obligations.