Understanding the Fields in the App Catalog

Overview

This article provides a reference for the fields that are available for applications in the App Catalog. Use this reference to understand the metadata that Cato shows for each application and how these fields can help you evaluate apps for your organization.

The App Catalog is continuously updated with new applications and metadata by Cato’s Security Research team, and this data is used across the CMA to help you evaluate apps and use them in policies and rulebases.

App Cat1.png

App Field Descriptions

Categories refers to the Cato category for this application.

This table explains the metadata that is available for the applications.

Field Description
App Quick View
Type Indicates whether the app is a cloud application, on-premise application, or service
Risk Numerical score that represents the app’s risk level
Classification Shows whether the app is currently sanctioned or unsanctioned, and lets you add the app to Sanctioned Apps
App Overview
Description Summary of the application’s purpose and functionality
Headquarters Location of the company that owns the application
Website Official vendor website
Size Estimated size of the organization
FQDN
FQDN The FQDNs associated with each app
Security
MFA Support Indicates whether multi-factor authentication is supported
SSO Support Indicates whether Single Sign-On is supported
RBAC Support Indicates whether role-based access control is available
Encryption in Transit Indicates whether data is encrypted during transmission
TLS Version Support Supported TLS versions for the application
Encryption at Rest Indicates whether stored data is encrypted
Encryption Strength at Rest Describes the encryption strength for stored data, when available
Weak Cipher Support Indicates whether weak encryption is allowed
Trusted Certificates Indicates whether the application uses trusted certificates
HTTP Security Headers Indicates whether secure HTTP headers are present
Physical Data Center Security Indicates whether physical security controls are disclosed or supported
Audit Trail Indicates whether activity logging is available
Disaster Recovery Indicates whether recovery mechanisms are available
Data Segregation by Tenant Indicates whether tenant data is logically separated
Remember Password Indicates whether persistent login is supported
Data Retention Policy Defines how long customer data is stored
Data Deletion Policy Defines how and when customer data is deleted
Data Ownership Specifies ownership of stored customer data
Compliance - Core Frameworks
ISO 27001 Information security management certification
SOC 1 SOC 1 reports on controls that can affect customers’ financial reporting
SOC 2 SOC 2 reports on controls for security, availability, processing integrity, confidentiality, and privacy
SOC 3 SOC 3 is a public summary of SOC 2 controls for broad sharing
HIPAA Healthcare data protection compliance
PCI-DSS Payment card industry data security standard
GDPR European data protection regulation
SOX Financial reporting compliance
ISAE 3402 Assurance standard for service organizations
FedRAMP US government cloud security authorization
FISMA Federal information security standard
NIST SP 800-53 NIST framework that defines security and privacy controls for information systems and organizations
ISO 27017 Cloud security standard
ISO 27018 Privacy protection for cloud data
ISO 27002 Information security controls standard
CSA STAR Cloud Security Alliance certification
C5 Attestation German cloud compliance framework
Cyber Essentials Plus UK cybersecurity certification
COBIT IT governance framework
FERPA US education privacy regulation
COPPA US children’s privacy regulation
GLBA Financial services privacy regulation
CJIS Criminal justice information standard
FINRA Financial industry regulation
FFIEC US financial institution guidance
GAPP Privacy framework developed by US and Canadian accounting bodies for managing and assessing an organization’s privacy program
EU-US Data Privacy Framework Cross-border data transfer compliance
TrustArc Privacy A US-based third-party privacy certification program that validates an organization’s privacy practices
Japan Privacy Mark Japan-based third-party certification for organizations that meet privacy protection requirements
Jericho Forum Commandments Security design principles defined by a customer-led industry group for secure architectures in open, networked environments
Identity and Access Management
Access Control Enforcement Indicates that the application can natively restrict and enforce user access
IP-Based Access Restrictions Shows whether the application supports IP-based access restrictions
SAML Authentication Shows whether the application supports SAML authentication
Activities
Upload Ability to upload content
Download Ability to download content
Send Voice Message Ability to send voice data
Remove/Delete Ability to delete content
Full Path URL Access Access via a direct URL
AI Risk
AI Risk Level Cato assigned risk for the AI app
AI Level ​How AI is involved with the app
AI Threat ​Summary of potential threat from the AI app

Was this article helpful?

0 out of 0 found this helpful

0 comments