By leveraging the enhanced SaaS Application Hosting Characteristics in App-ID^™, you can now identify and control SaaS applications that could pose a risk to your organization due to unfavorable hosting characteristics. To help you understand the enterprise readiness of a SaaS application, five new characteristics have been added: certifications achieved, past data breaches, support for IP-based access restrictions, financial viability, and terms of service. Using these characteristics, you can identify and explore the extent of high risk application usage from the Application Command Center (ACC). The SaaS Application Usage report is also enhanced to incorporate this context with a summary page covering risky SaaS applications and highlights the characteristics on the detailed pages. For a more tailored view, you can use the characteristics when building custom reports. Armed with the usage and the detailed risk profile, you can make informed decisions about which SaaS applications should be allowed in your environment and create policy to enforce this.

Palo Alto Networks releases new App-IDs on a monthly basis that your security policy can begin to enforce without any additional configuration. While this enables the firewall to dynamically control application traffic with ever-increasing precision, it can also impact the availability of the mission-critical applications on which your organization relies.

Together, these new App-ID features enable you to equip the firewall with the latest application knowledge and ensure availability for mission-critical applications at the same time. Plus, they make it easier to move to and maintain an application-based security policy:

Unsanctioned usage of SaaS applications can be a way for your users to transmit sensitive information outside of your network. This kind of SaaS usage usually means that the user is accessing a consumer-version of the application. At the same time, you may have found that usage of the enterprise-version of these applications by specific individuals or organizations is both desirable and necessary.

You can now disallow SaaS consumer accounts while allowing usage of a specific enterprise account by managing HTTP header information. Many SaaS applications allow or disallow application access based on information contained on specific HTTP headers. This feature provides predefined header insertion rules for popular SaaS application such as G Suite and Microsoft Office 365. You can also create your own custom header insertion rules for SaaS applications for which predefined header insertion rules have not been provided by Palo Alto Networks, but that also use HTTP headers to limit service access.