This article provides a reference for the fields that are available for applications in the App Catalog. Use this reference to understand the metadata that Cato shows for each application and how these fields can help you evaluate apps for your organization.
The App Catalog is continuously updated with new applications and metadata by Cato’s Security Research team, and this data is used across the CMA to help you evaluate apps and use them in policies and rulebases.
Categories refers to the Cato category (for example, a functional or industry grouping) that Cato assigns to the application.
This table explains the metadata that is available for the applications.
| # | Field | Description |
|---|---|---|
| | App Quick View | |
| 1 | Type | Indicates whether the app is a cloud application, on-premise application, or service |
| 2 | Risk | Numerical score that represents the app’s risk level |
| 3 | Classification | Shows whether the app is currently sanctioned or unsanctioned, and lets you add the app to Sanctioned Apps |
| | App Overview | |
| 4 | Description | Summary of the application’s purpose and functionality |
| 5 | Headquarters | Location of the company that owns the application |
| 6 | Website | Official vendor website |
| 7 | Size | Estimated size of the organization |
| | Security | |
| 8 | MFA Support | Indicates whether multi-factor authentication is supported |
| 9 | SSO Support | Indicates whether Single Sign-On is supported |
| 10 | RBAC Support | Indicates whether role-based access control is available |
| 12 | Encryption in Transit | Indicates whether data is encrypted during transmission |
| 13 | TLS Version Support | Supported TLS versions for the application |
| 14 | Encryption at Rest | Indicates whether stored data is encrypted |
| 15 | Encryption Strength at Rest | Describes the encryption strength for stored data, when available |
| 16 | Weak Cipher Support | Indicates whether the app still accepts weak or deprecated cipher suites or protocol versions |
| 17 | Trusted Certificates | Indicates whether the app presents a certificate chain that validates against a publicly trusted CA |
| 18 | HTTP Security Headers | Indicates whether the app sends HTTP security headers (for example, Strict-Transport-Security or Content-Security-Policy) |
| 19 | Physical Data Center Security | Indicates whether physical security controls are disclosed or supported |
| 20 | Audit Trail | Indicates whether activity logging is available |
| 21 | Disaster Recovery | Indicates whether recovery mechanisms are available |
| 22 | Data Segregation by Tenant | Indicates whether tenant data is logically separated |
| 23 | Remember Password | Indicates whether persistent login is supported |
| 24 | Data Retention Policy | Defines how long customer data is stored |
| 25 | Data Deletion Policy | Defines how and when customer data is deleted |
| 26 | Data Ownership | Specifies ownership of stored customer data |
| | Compliance - Core Frameworks | |
| 27 | ISO 27001 | Information security management certification |
| 28 | SOC 1 | SOC 1 reports on controls that can affect customers’ financial reporting |
| 29 | SOC 2 | SOC 2 reports on controls for security, availability, processing integrity, confidentiality, and privacy |
| 30 | SOC 3 | SOC 3 is a public summary of SOC 2 controls for broad sharing |
| 31 | HIPAA | Healthcare data protection compliance |
| 32 | PCI-DSS | Payment card industry data security standard |
| 33 | GDPR | European data protection regulation |
| 34 | SOX | Financial reporting compliance |
| 35 | ISAE 3402 | Assurance standard for service organizations |
| 36 | FedRAMP | US government authorization program for cloud services used by federal agencies |
| 37 | FISMA | US federal law that sets information security requirements for federal agencies and the providers that serve them |
| 38 | NIST SP 800-53 | NIST catalog of security and privacy controls for information systems and organizations |
| 39 | ISO 27017 | Cloud security standard |
| 40 | ISO 27018 | Privacy protection for cloud data |
| 41 | ISO 27002 | Information security controls standard |
| 42 | CSA STAR | Cloud Security Alliance certification |
| 43 | C5 Attestation | German BSI Cloud Computing Compliance Criteria Catalogue attestation |
| 44 | Cyber Essentials Plus | UK government-backed cybersecurity certification that includes hands-on technical verification |
| 45 | COBIT | IT governance framework |
| 46 | FERPA | US education privacy regulation |
| 47 | COPPA | US children’s privacy regulation |
| 48 | GLBA | Financial services privacy regulation |
| 49 | CJIS | Criminal justice information standard |
| 50 | FINRA | Financial industry regulation |
| 51 | FFIEC | US financial institution guidance |
| 52 | GAPP | Privacy framework developed by US and Canadian accounting bodies for managing and assessing an organization’s privacy program |
| 53 | EU-US Data Privacy Framework | Framework that governs transfers of personal data from the EU to participating US organizations |
| 54 | TrustArc Privacy | A US-based third-party privacy certification program that validates an organization’s privacy practices |
| 55 | Japan Privacy Mark | Japan-based third-party certification for organizations that meet privacy protection requirements |
| 56 | Jericho Forum Commandments | Security design principles defined by a customer-led industry group for secure architectures in open, networked environments |
| | Identity and Access Management | |
| 57 | Access Control Enforcement | Indicates that the application can natively restrict and enforce user access |
| 58 | IP-Based Access Restrictions | Shows whether the application supports IP-based access restrictions |
| 59 | SAML Authentication | Shows whether the application supports SAML authentication |
| | Activities | |
| 60 | Upload | Ability to upload content |
| 61 | Download | Ability to download content |
| 62 | Send Voice Message | Ability to send voice data |
| 63 | Remove/Delete | Ability to delete content |
| 64 | Full Path URL Access | Ability to reach content directly through a full-path URL |
| | AI Risk | |
| 65 | AI Risk Level | Cato-assigned risk level for the AI app |
| 66 | AI Level | Describes how AI is involved in the app |
| 67 | AI Threat | Summary of the potential threat posed by the AI app |