Sanctioned SaaS applications are those that an organization has officially vetted, approved, and adopted for business use. They are selected precisely because they offer significant business benefits, are quick to deploy, have a low initial cost compared to on-premises solutions, and provide the scalability inherent to the SaaS model. These applications are formally supported by IT and are considered critical tools for productivity and operations. The characteristics described in the question are the primary drivers for an organization to formally "sanction" a SaaS application.

A. Benign: This term classifies an application as non-malicious. While a sanctioned application must be benign, this classification only refers to its security risk, not its business approval status.

B. Tolerated: These are applications that are not officially supported by IT but are permitted for use. They are not formally adopted for their business benefits across the organization.

D. Secure: This is a desired attribute of any application used within an organization, especially a sanctioned one. However, "secure" is a characteristic, not a formal classification of business adoption status.

1. Palo Alto Networks Prisma SaaS Administrator's Guide: In the section "Manage Application Definitions

" the guide defines application statuses. It states

"Sanctioned applications are those that you have vetted and approved for use in your organization." This directly links the term "sanctioned" to official approval for business use. (Reference: Prisma SaaS Administrator's Guide

"Application Definitions" section).

2. Palo Alto Networks Solution Brief: "Prisma SaaS - Complete Visibility and Control for SaaS Applications": This document outlines the challenges of SaaS adoption and categorizes applications. It describes sanctioned applications as those "officially deployed and managed by IT" to support business functions

contrasting them with unsanctioned or "shadow IT" applications. (Reference: Palo Alto Networks

"Prisma SaaS" Solution Brief

Page 2

"The Challenge" section).

3. Palo Alto Networks White Paper: "Aperture SaaS Security": (Aperture was the predecessor to Prisma SaaS). This paper discusses the need to differentiate between SaaS applications. It explains that "sanctioned" applications are those the business relies on

which necessitates security and control

distinguishing them from applications that are merely tolerated or unsanctioned. (Reference: Palo Alto Networks

"Aperture SaaS Security" White Paper

"Enforcing Policies on Sanctioned SaaS Applications" section).