US-20260129082-A1 - SECURITY CONTROLS ACROSS SAAS APPS

Abstract

Various techniques for security controls across SaaS apps are disclosed. In some embodiments, a system/method/computer program product for providing security controls across SaaS apps includes collecting configuration settings for each of a plurality of Software as a Service (SaaS) applications (apps) for a SaaS security service, wherein the configuration settings are related to security for one or more of the plurality of SaaS apps; grouping each of the configuration settings into one of a plurality of categories and one of a plurality of subcategories; and determining that a configuration setting associated with at least one of the plurality of SaaS apps is not in compliance with a rule of a security policy.

Inventors

  • ChienHua Lu
  • Nicolas Antonio Filip-Sanchez
  • Taylor Ettema

Assignees

  • PALO ALTO NETWORKS, INC.

Dates

Publication Date
20260507
Application Date
20260105

Claims (20)

  1. A system comprising: a processor configured to: collect configuration settings for each of a plurality of Software as a Service (SaaS) applications (apps) for a SaaS security service, wherein the configuration settings are related to security for one or more of the plurality of SaaS apps; group each of the configuration settings into one of a plurality of categories and one of a plurality of subcategories; determine that a configuration setting associated with at least one of the plurality of SaaS apps is not in compliance with a rule of a security policy; and perform an action in the event that the configuration setting violates one or more rules of a plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories; and a memory coupled to the processor and configured to provide the processor with instructions.
  2. The system recited in claim 1, wherein the rule is associated with at least one of the plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories.
  3. The system recited in claim 1, wherein the plurality of SaaS apps are associated with an enterprise customer of the SaaS security service.
  4. The system recited in claim 1, wherein the SaaS security service is implemented as a cloud-based security service.
  5. The system recited in claim 1, wherein a security platform enforces the security policy.
  6. The system recited in claim 1, wherein a security platform enforces the security policy, wherein the security platform comprises a network gateway.
  7. The system recited in claim 1, wherein a network gateway enforces the security policy, and wherein the network gateway comprises a virtual firewall.
  8. The system recited in claim 1, wherein the processor is further configured to: automatically analyze each of the configuration settings for each of the plurality of SaaS apps based on the plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories.
  9. The system recited in claim 1, wherein the performing of the action comprises to: in response to a determination that the configuration setting violates the one or more rules of the plurality of rules of the security policy, reconfigure the configuration setting.
  10. The system recited in claim 1, wherein the performing of the action comprises to: in response to a determination that the configuration setting violates the one or more rules of the plurality of rules of the security policy, perform drift protection for the configuration setting.
  11. A method, comprising: collecting configuration settings for each of a plurality of Software as a Service (SaaS) applications (apps) for a SaaS security service, wherein the configuration settings are related to security for one or more of the plurality of SaaS apps; grouping each of the configuration settings into one of a plurality of categories and one of a plurality of subcategories; determining that a configuration setting associated with at least one of the plurality of SaaS apps is not in compliance with a rule of a security policy; and performing an action in the event that the configuration setting violates one or more rules of the plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories.
  12. The method of claim 11, wherein the rule is associated with at least one of the plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories.
  13. The method of claim 11, wherein the SaaS security service is implemented as a cloud-based security service.
  14. The method of claim 11, wherein a security platform enforces the security policy.
  15. The method of claim 11, wherein the performing of the action comprises: in response to a determination that the configuration setting violates the one or more rules of the plurality of rules of the security policy, performing drift protection for the configuration setting.
  16. A system comprising: a processor configured to: collect configuration settings for each of a plurality of Software as a Service (SaaS) applications (apps) for a SaaS security service, wherein the configuration settings are related to security for one or more of the plurality of SaaS apps; means for grouping each of the configuration settings into one of a plurality of categories and one of a plurality of subcategories; means for determining that a configuration setting associated with at least one of the plurality of SaaS apps is not in compliance with a rule of a security policy; and means for performing an action in the event that the configuration setting violates one or more rules of a plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories; and a memory coupled to the processor and configured to provide the processor with instructions.
  17. The system recited in claim 16, wherein the rule is associated with at least one of the plurality of rules of the security policy configured for security compliance for each of the plurality of subcategories.
  18. The system recited in claim 16, wherein the SaaS security service is implemented as a cloud-based security service.
  19. The system recited in claim 16, wherein a security platform enforces the security policy.
  20. The system recited in claim 16, wherein a security platform enforces the security policy, wherein the security platform comprises a network gateway.
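The flow the abstract and claims 1, 9 and 10 describe (collect settings per SaaS app, group them by category and subcategory, test each against its subcategory's rule, then reconfigure or apply drift protection), as an added example that is not code from the patent or from Palo Alto Networks; the app names, settings and rules are constructed sample data, and "drift protection" is modelled here as re-asserting an approved value when a later collection shows it changed.

```python
# Added example, not code from the patent: a minimal engine for the claimed flow
# (collect settings per SaaS app, group by category/subcategory, check each
# subcategory's rule, then reconfigure or apply drift protection). Data is constructed.
from collections import namedtuple

# A rule binds a setting to its category/subcategory and to the value the security
# policy requires; action is "reconfigure" or "drift_protect" (re-assert on change).
Rule = namedtuple("Rule", "category subcategory setting expected action", defaults=["reconfigure"])

POLICY = [  # constructed: one rule per subcategory, as in the claims
    Rule("identity", "mfa", "mfa_required", True),
    Rule("sharing", "external", "anonymous_links", False, "drift_protect"),
    Rule("logging", "retention", "audit_retention_days", 365),
]
COLLECTED = {  # constructed settings as "collected" from two SaaS apps
    "app_a": {"mfa_required": True, "anonymous_links": True, "audit_retention_days": 90},
    "app_b": {"mfa_required": False, "anonymous_links": False, "audit_retention_days": 365},
}

def group_settings(collected):
    """Group each collected setting under the (category, subcategory) of its rule."""
    grouped = {}
    for app, settings in collected.items():
        for rule in POLICY:
            if rule.setting in settings:
                grouped.setdefault((rule.category, rule.subcategory), []).append(
                    (app, rule, settings[rule.setting]))
    return grouped

def evaluate(collected):
    """Return sorted (app, setting, action) for every setting not in compliance."""
    return sorted((app, rule.setting, rule.action) for group in group_settings(collected).values()
                  for app, rule, value in group if value != rule.expected)

def remediate(collected):
    """Reconfigure violating settings; return new settings and the pairs needing drift protection."""
    fixed = {app: dict(s) for app, s in collected.items()}
    protected = []
    for app, setting, action in evaluate(fixed):
        fixed[app][setting] = next(r.expected for r in POLICY if r.setting == setting)
        if action == "drift_protect":
            protected.append((app, setting))
    return fixed, protected

def check_drift(approved, observed, protected):
    """Drift protection: revert protected settings that changed since approval; report them."""
    drifted = [(a, s) for a, s in protected if observed[a][s] != approved[a][s]]
    for a, s in drifted:
        observed[a][s] = approved[a][s]
    return drifted
```

Settings whose rule only says "reconfigure" are corrected once by remediate(); a later change to them shows up again in evaluate() but is not auto-reverted by check_drift(), which is the distinction between claims 9 and 10.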

Description

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 18/213,710, entitled SECURITY CONTROLS ACROSS SAAS APPS filed Jun. 23, 2023 which is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access while permitting authorized communications to pass through the firewall. A firewall is typically a device or a set of devices, or software executed on a device, such as a computer, that provides a firewall function for network access. For example, firewalls can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices). Firewalls can also be integrated into or executed as software on computer servers, gateways, network/routing devices (e.g., network routers), or data appliances (e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a set of rules. These sets of rules are often referred to as policies. For example, a firewall can filter inbound traffic by applying a set of rules or policies. A firewall can also filter outbound traffic by applying a set of rules or policies. Firewalls can also be capable of performing basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a system diagram overview of an example architecture for providing security controls across SaaS apps in accordance with some embodiments.

FIG. 2 is an example policy schema for providing security controls across SaaS apps in accordance with some embodiments.

FIG. 3A is an example graphical user interface screen for the SaaS security service in accordance with some embodiments.

FIG. 3B is another example graphical user interface screen for the SaaS security service in accordance with some embodiments.

FIG. 4A illustrates an embodiment of a network gateway in accordance with some embodiments.

FIG. 4B is a functional diagram of logical components of an embodiment of a data appliance.

FIG. 5 is a flow diagram illustrating a process for providing security controls across SaaS apps in accordance with some embodiments.

FIG. 6 is another flow diagram illustrating a process for providing security controls across SaaS apps in accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

A firewall generally protects networks from unauthorized access while permitting authorized communications to pass through the firewall. A firewall is typically a device, a set of devices, or software executed on a device that provides a firewall function for network access. For example, a firewall can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices). A firewall can also be integrated into or executed as one or more software applications on various types of device