SaaS Security
The First Integrated CASB That Keeps Pace with the SaaS Explosion

As sensitive data is increasingly uploaded, created, shared, and exposed across multiple sanctioned applications, it becomes more vulnerable to loss and theft. If they are not properly secured, sanctioned SaaS applications can be harmful when it comes to creating new risks. In addition, cloud-based threats have increased in volume and sophistication, using advanced techniques to bypass standard defense methods, affecting sensitive data and users.

Besides corporate sanctioned applications, there are countless public SaaS applications available that employees can access without the knowledge of the IT department. Lack of visibility into SaaS usage prevents the IT department from having control over the employees’ use and abuse of unsanctioned SaaS applications, which can introduce serious risks to the organization, such as data leakage and noncompliance.

In our work-anywhere world, all sanctioned and unsanctioned SaaS applications remain accessible when employees choose to bypass VPN backhauling systems, preventing IT departments from having the necessary visibility or control over the extent of their use by employees.

Cloud adoption and hyper growth of SaaS applications

Business Benefits

• Automatically discover and control new applications to keep pace with the SaaS explosion.
• Ensure data protection and compliance across all SaaS applications with the industry’s first cloud-delivered enterprise DLP.
• Prevent zero-day threats in real time with natively integrated, MLbased attack prevention without third-party security tools.
• Leverage easy-to-deploy enterprise SaaS security with the lowest TCO compared to legacy CASB solutions.

---

---

Use Cases

---

---

---

---

Limitations of Today’s Conventional Approaches

Today’s conventional point controls, such as traditional cloud access security brokers (CASB), secure web gateways (SWG), and built-in SaaS security capabilities, are broken due to numerous architectural and operational limitations. Because these solutions only solve part of the problem, organizations often need to deploy several tools to try to get holistic defense.

Security teams patch these tools together, increasing operational complexity and reducing security efficacy. Moreover, piecing together information from disparate, individual tools that don’t share data natively only provides part of the benefits. Ultimately this model is more time-consuming and hinders any security team’s ability to keep pace with overexposure of data and defend against attackers.

Reactive Shadow IT Discovery

Legacy solutions rely on a signature-based approach for SaaS discovery via application libraries that are often populated out of context. In fact, they require security analysts to manually come up with SaaS application signatures in retrospect, rather than leveraging a global community to inform a proactive mechanism that will uncover emerging application risks before they become real problems.

Piecemeal Security

CASBs and a few SaaS providers offer basic security capabilities that are limited in breadth and depth. Their data protection implementation, for example, is not enterprise-grade and is limited to cloud environments only. Such solutions are also not designed to detect the endless variants of threats that adversaries are constantly creating to evade security systems. Embedded security capabilities offered by SaaS and cloud service providers don’t secure multiple cloud environments.

Operational Complexity and High TCO

Legacy SaaS solutions like traditional CASB are standalone and disjointed from the security infrastructure. They are also quite difficult to deploy and manage because they are proxy-based and require complex traffic redirection from the network firewall and proxy auto-configuration (PAC) agents. Most importantly, these solutions don’t provide a unified data protection policy approach together with the on-premises channels.

---

Solution: Palo Alto Networks SaaS Security

Palo Alto Networks SaaS Security is the first integrated CASB that keeps pace with the SaaS explosion. Natively integrated with the Palo Alto Networks Next-Generation Firewall platform (cloud-based, virtual, and hardware form factors), it delivers proactive visibility, best-in-class protection, and the fastest time to value for all SaaS applications, along with simple deployment and low total cost of ownership (TCO).

Key Components and Capabilities

• Shadow IT Visibility and Control
  Automatically discover and prevent risks for thousands of new SaaS applications before they become a problem. App-ID™ technology leverages the power of the broad global community to provide continuous identification, categorization, and granular risk-based control of known and previously unknown SaaS applications, ensuring new applications are discovered automatically as they become popular. The SaaS Security catalog delivers granular visibility into applications, their usage within your organization, and their risks. There are more than 10 descriptive attributes and more than 30 compliance-related attributes in addition to users’ information and their activities (e.g., uploads, downloads, sessions). Applications are classified across more than 400 different categories in the catalog. Default risk scores can also be customized based on the risk attributes that matter most to your organization. Risk mitigation controls and policy recommendations can be automated for existing and future applications, eliminating time-consuming manual policy definitions.
• Comprehensive Inline Security
  Protect all SaaS applications and secures all traffic—web and non-web. SaaS Security extends the NGFW security services to SaaS applications inline and via API with deep application visibility, segmentation, secure access, and threat prevention. Industry-first inline machine learning (ML) models run on the ML-Powered NGFW, trained by the largest datasets, deliver signatures in under 10 seconds, resulting in a 99.5% reduction in systems infected. These comprehensive capabilities span the on-premises and mobile workforce to stop threats across all applications, resulting in a 45% breach reduction over three years.
• API-Based Protection
  Connect directly to sanctioned SaaS applications, using an out-of-band, API-based approach. SaaS Security protects all these SaaS applications consistently by applying Enterprise DLP, ML-powered threat prevention, and ongoing monitoring of user activity and administrative configurations. This deployment mode works across any access point regardless of the user’s location or device. It preserves the user experience with corporate SaaS applications because it’s nonintrusive and doesn’t interfere with standard business processes. Enterprise DLP and ML-powered threat prevention are consistent across all SaaS applications and throughout your entire enterprise. These capabilities help accurately protect all sensitive data stored in cloud applications, maintain compliance with regulations such as PCI DSS and GDPR, and stop all unknown and known threats in real time, without requiring third-party security tools. Adaptive access control lets you granularly manage access to SaaS applications as well as define acceptable use policy. Clientless capabilities are also supported to secure access from unmanaged devices accessing SaaS applications. Finally, the solution can detect and report on anomalous user activities that may be associated with stolen credentials or malicious insider behavior, such as bulk data downloads or large data sharing.
• Enterprise Data Protection
  Provide data protection and compliance controls consistently across all SaaS applications, and comprehensively throughout the enterprise across clouds, on-premises networks, and users, with the industry’s first cloud-delivered enterprise DLP. Palo Alto Networks Enterprise DLP is based on a single cloud engine for accurate detection and consistent policy for sensitive data both at rest and in transit. It scans, classifies, and protects all data stored within SaaS applications and while it’s in motion to make sure policy violations, exposures, and regulatory compliance are properly addressed. Enterprise DLP automatically detects sensitive content via ML-based data classification and hundreds of data patterns using regular expressions or keywords (e.g., credit card or ID numbers, financial records, GDPR, other data privacy- and compliance-related information) and applies customizable data profiles and Boolean logic to scan for collective types of data. Type of exposure (e.g., public or internal), confidence levels, and precise context criteria (e.g., number of occurrences and pattern logic) reduce incidents and inaccurate detection. Advanced ML simplifies data classification. Detection of flexible document properties, such as third-party data tagging, augments the identification of sensitive data. SaaS Security also includes file blocking profiles that can be used to prevent files from being downloaded, which is an important part of a cloud data protection strategy.

Palo Alto Networks Enterprise DLP

---

CASB and Enterprise DLP: Key Enablers for SASE

As key elements of the Palo Alto Networks secure access service edge (SASE) solution, SaaS Security and Enterprise DLP play a key role in enabling organizations to consistently protect their data, applications, and users across networks and clouds while avoiding the complexity of multiple point products, significantly simplifying adoption, and saving resources—technical, human, and financial.

Our comprehensive SASE solution brings together networking and network security services in a single cloud-based platform to safeguard against risks to data, applications, and users; assist you through your cloud and network transformation; and help you safely adopt SaaS applications.

---

Building on Zero Trust with SaaS Security

Implementation of an effective Zero Trust security model for cloud-enabled enterprises has to take into account a least-privileged access strategy for SaaS applications and their sensitive data.

Palo Alto Networks SaaS Security is a fundamental part of the Palo Alto Networks Zero Trust architecture, allowing organizations to consistently secure access to SaaS applications and data across a highly distributed environment, including employees working from remote locations and their BYO devices.

Features and Capabilities Highlights

• Unified management across inline, API, and DLP
• Directly integrated with NGFW platform; no need for proxy
• Integrated with WildFire, the industry’s leading cloud-based malware analysis solution
• Visibility and risk control over thousands of SaaS apps
• Customizable risk scores with 40+ attributes
• User activity and data exposure monitoring
• Multimode: inline and API controls
• Unmanaged device access control
• Out-of-the-box compliance reports (e.g., GDPR)
• Custom tagging

---

Privacy and Licensing

Palo Alto Networks has strict privacy and security controls in place to prevent unauthorized access to sensitive or personally identifiable information. We apply industry-standard best practices for security and confidentiality. You can find further information in our privacy datasheets.

Licensing and Support Requirements:

• SaaS Security includes SaaS Inline Security, SaaS API Security, and DLP, which are individually licensed
• NGFW (hardware/virtual) or Prisma Access
• Cortex Data Lake
• PAN-OS 8.1.x+ (10.1 for ACE and policy recommendation)