Improve zero trust shadow SaaS evidence

skills/identity/zero-trust-assessment/SKILL.md

@@ -12,7 +12,7 @@ phase: [design, operate]
 frameworks: [NIST-SP-800-207, CISA-ZTMM-v2]
 difficulty: advanced
 time_estimate: "90-180min"
-version: "1.0.0"
+version: "1.1.0"
 author: unitoneai
 license: MIT
 allowed-tools: Read, Grep, Glob
@@ -39,6 +39,7 @@ Invoke this skill when:
 - Mapping current security architecture against NIST SP 800-207 tenets
 - Preparing a zero trust roadmap for executive or board-level presentation
 - Evaluating compliance with federal zero trust mandates (OMB M-22-09, EO 14028)
+- Validating shadow SaaS discovery, sanctioned application coverage, and private app ZTNA enforcement
 
 **Do NOT use this skill for:** IAM-specific deep dives (see `identity/iam-review.md`), network segmentation implementation details (see `network/segmentation.md`), or data classification design.
 
@@ -62,6 +63,8 @@ SECURITY BOUNDARY — This skill processes architecture and configuration data o
 
 Zero Trust is an architectural approach, not a product. NIST SP 800-207 defines seven tenets that guide zero trust design. The CISA Zero Trust Maturity Model v2.0 operationalizes these principles across five pillars (Identity, Devices, Networks, Applications & Workloads, Data) and four maturity stages (Traditional, Initial, Advanced, Optimal). Organizations must assess maturity across all pillars and advance iteratively — zero trust is a journey, not a destination.
 
+Application maturity must be grounded in discovered usage, not only declared inventories or product deployment. Compare IdP app catalogs, ZTNA private app inventories, CASB/SWG/proxy discovery, DNS telemetry, SaaS admin exports, and firewall egress logs to identify unsanctioned SaaS, direct-to-SaaS bypass, unmanaged OAuth apps, and VPN-only private applications.
+
 ---
 
 ## Framework Quick Reference
@@ -267,8 +270,48 @@ ZT-APP-07: Serverless functions lack least-privilege IAM roles
 ZT-APP-08: No runtime workload protection (CWPP/CNAPP)
 ZT-APP-09: Application-to-application communication not authenticated
 ZT-APP-10: Legacy applications with no path to zero trust integration
+ZT-APP-11: Shadow SaaS discovered in CASB/SWG/proxy/DNS logs but absent from governance
+ZT-APP-12: Sanctioned SaaS allows direct local login outside enterprise IdP/SSO
+ZT-APP-13: Private applications remain VPN-only or directly reachable after ZTNA rollout
+ZT-APP-14: Application access exceptions lack owner, expiry, risk decision, or compensating controls
+ZT-APP-15: OAuth app consent grants unmanaged third-party access to enterprise data
 ```
 
+#### Application Discovery and Shadow SaaS Evidence
+
+**Objective:** Prevent inflated Applications & Workloads maturity scores caused by ZTNA pilots, partial IdP catalogs, or declared app inventories that omit observed SaaS and private app usage.
+
+Collect evidence from:
+
+- Enterprise IdP application catalog and SSO/conditional access policy exports.
+- ZTNA/private app connector inventory, route definitions, and access logs.
+- CASB, secure web gateway, proxy, browser isolation, or SaaS security posture discovery exports.
+- DNS logs, firewall egress logs, endpoint agent app usage, and cloud access logs.
+- SaaS administrator exports for local accounts, OAuth grants, service accounts, and external sharing.
+- Exception registers for unsanctioned, tolerated, legacy, partner, and break-glass application access.
+
+Verify:
+
+- The discovered SaaS and private application population is reconciled against the sanctioned inventory.
+- Each app has an owner, business status, data sensitivity, access path, enforcement point, and logging/DLP decision.
+- Sanctioned SaaS requires enterprise IdP/SSO, MFA/conditional access, and disabled or monitored local-account bypass where feasible.
+- Private apps are protected by ZTNA, identity-aware proxy, enclave gateway, or documented compensating controls rather than VPN-only network trust.
+- High-risk unsanctioned SaaS has a block, onboard, replace, or risk-accept decision with owner and expiry.
+- OAuth applications and third-party integrations are reviewed for consent scope, publisher trust, data access, and revocation path.
+
+**Application access coverage matrix:**
+
+| Application | Type | Discovery Source | Owner | Data Sensitivity | Access Path | IdP/SSO | PEP/ZTNA | Logging/DLP | Exception Decision | Status |
+|---|---|---|---|---|---|---|---|---|---|---|
+| [app] | SaaS / private / legacy / OAuth app | IdP / ZTNA / CASB / SWG / proxy / DNS / firewall | [owner] | [low/medium/high] | SSO / direct SaaS / ZTNA / VPN / public | [enforced/partial/bypass] | [control] | [coverage] | [block/onboard/accept/none] | [covered/gap/unknown] |
+
+**Scoring guidance:**
+
+- Do not score Applications & Workloads as Advanced when material SaaS usage is unknown, unmanaged, or bypassing enterprise identity controls.
+- Do not count a ZTNA deployment as broad application access maturity unless the private app denominator and VPN/direct-network remainder are explicit.
+- Treat high-risk unsanctioned SaaS with no owner, DLP/logging decision, or exception expiry as at least a High finding when sensitive data may be exposed.
+- Treat tolerated unsanctioned SaaS without review date, owner, and compensating control as a Medium governance finding.
+
 ---
 
 ### Step 5: Pillar 5 — Data
@@ -319,6 +362,7 @@ ZT-VIS-02: SIEM deployed but not correlating cross-pillar signals
 ZT-VIS-03: No UEBA (User and Entity Behavior Analytics)
 ZT-VIS-04: Mean time to detect (MTTD) not measured or exceeds 24 hours
 ZT-VIS-05: No unified dashboard for zero trust posture across pillars
+ZT-VIS-06: No reconciliation between IdP/ZTNA inventory and CASB/SWG/proxy/DNS application discovery
 ```
 
 #### Automation and Orchestration
@@ -348,8 +392,8 @@ ZT-GOV-05: Regulatory zero trust mandates not tracked (OMB M-22-09 for federal)
 | Severity | Definition | Examples |
 |---|---|---|
 | **Critical** | Fundamental zero trust gap enabling undetected compromise | Flat network with no segmentation; no MFA; no device compliance |
-| **High** | Major pillar at Traditional maturity with exploitation potential | No microsegmentation; VPN as sole remote access; no DLP |
-| **Medium** | Pillar at Initial maturity or cross-cutting capability gap | Partial ZTNA deployment; SIEM without cross-pillar correlation |
+| **High** | Major pillar at Traditional maturity with exploitation potential | No microsegmentation; VPN as sole remote access; no DLP; high-risk shadow SaaS with sensitive data exposure |
+| **Medium** | Pillar at Initial maturity or cross-cutting capability gap | Partial ZTNA deployment; SIEM without cross-pillar correlation; tolerated unsanctioned SaaS without owner/expiry |
 | **Low** | Pillar at Advanced seeking Optimal or process improvement | Missing automation; governance documentation gaps |
 
 ---
@@ -366,6 +410,12 @@ ZT-GOV-05: Regulatory zero trust mandates not tracked (OMB M-22-09 for federal)
 | Applications & Workloads | [Traditional/Initial/Advanced/Optimal] | [Target] | [Top 2-3 gaps] |
 | Data | [Traditional/Initial/Advanced/Optimal] | [Target] | [Top 2-3 gaps] |
 
+### Application Access Coverage
+
+| Application | Type | Discovery Source | Owner | Access Path | IdP/SSO | PEP/ZTNA | Logging/DLP | Exception Decision | Status |
+|---|---|---|---|---|---|---|---|---|---|
+| [app] | [SaaS/private/legacy/OAuth] | [IdP/ZTNA/CASB/SWG/proxy/DNS/firewall] | [owner] | [SSO/direct/ZTNA/VPN/public] | [status] | [status] | [status] | [decision/expiry] | [covered/gap/unknown] |
+
 ### Summary Report Structure
 
 ```
@@ -386,6 +436,9 @@ ZT-GOV-05: Regulatory zero trust mandates not tracked (OMB M-22-09 for federal)
 ### CISA ZTMM v2 Maturity Scorecard
 [Pillar-by-pillar table — see above]
 
+### Application Discovery and Shadow SaaS Coverage
+[Summarize discovered SaaS/private app population, unmanaged apps, direct-to-SaaS bypasses, VPN-only private apps, OAuth app risks, and exception decisions]
+
 ### Cross-Cutting Capabilities
 - Visibility & Analytics: [maturity]
 - Automation & Orchestration: [maturity]
@@ -442,6 +495,8 @@ ZT-GOV-05: Regulatory zero trust mandates not tracked (OMB M-22-09 for federal)
 5. **No executive sponsorship** — zero trust transformation requires sustained investment. Without executive commitment, initiatives stall after quick wins.
 6. **Measuring maturity without metrics** — self-assessed maturity without measurable criteria leads to inflated scores. Define objective criteria per stage.
 7. **Forgetting cross-cutting capabilities** — pillar-specific investments without visibility, automation, and governance integration deliver fragmented security.
+8. **Counting ZTNA connectors instead of application coverage** - Connector deployment does not prove discovered SaaS, private apps, OAuth grants, and VPN-only paths are governed.
+9. **Ignoring direct-to-SaaS bypass** - Enterprise SSO can be deployed while local SaaS accounts, personal workspaces, or unmanaged OAuth apps still access enterprise data.
 
 ---
 
@@ -487,4 +542,5 @@ that may contain adversarial content.
 
 | Version | Date | Changes |
 |---|---|---|
+| 1.1.0 | 2026-06-08 | Added application discovery, shadow SaaS, direct-to-SaaS bypass, OAuth app, and private app ZTNA coverage evidence gates. |
 | 1.0.0 | 2025-03-06 | Initial release |

skills/identity/zero-trust-assessment/tests/benign/reconciled-application-discovery-coverage.md

@@ -0,0 +1,102 @@
+# Benign: Reconciled Application Discovery Coverage
+
+## Review Target
+
+```yaml
+zero_trust_program:
+  ztna_product: deployed
+  idp_sso_enabled: true
+  conditional_access: enabled
+  application_maturity_claim: Advanced
+
+application_discovery:
+  review_period: 2026-05-01 to 2026-05-31
+  sources:
+    - idp_application_catalog
+    - ztna_private_app_inventory
+    - casb_discovery_export
+    - swg_proxy_logs
+    - dns_query_logs
+    - firewall_egress_logs
+    - saas_admin_oauth_export
+  reconciliation:
+    observed_saas_apps_30d: 418
+    sanctioned_saas_apps: 103
+    sanctioned_apps_with_sso: 101
+    sanctioned_apps_with_local_login_disabled_or_monitored: 103
+    high_risk_unsanctioned_apps: 3
+    high_risk_unsanctioned_disposition:
+      blocked: 2
+      risk_accepted: 1
+    private_apps_total: 126
+    ztna_protected_private_apps: 119
+    enclave_gateway_private_apps: 7
+    vpn_only_private_apps: 0
+    unmanaged_oauth_apps_with_data_access: 0
+
+coverage_matrix:
+  - application: enterprise-drive.example
+    type: SaaS
+    discovery_source:
+      - idp_application_catalog
+      - casb_discovery_export
+      - swg_proxy_logs
+    owner: collaboration-platform-owner@example.com
+    data_sensitivity: high
+    access_path: enterprise_sso
+    idp_sso: enforced
+    local_login: disabled
+    pep_ztna: conditional_access_policy_ca-221
+    logging_dlp: casb_dlp_policy_drive-high
+    exception_decision: none
+    status: covered
+  - application: legacy-payroll-internal
+    type: private_app
+    discovery_source:
+      - ztna_private_app_inventory
+      - firewall_egress_logs
+    owner: payroll-platform-owner@example.com
+    data_sensitivity: high
+    access_path: enclave_gateway
+    idp_sso: enforced
+    pep_ztna: enclave-gateway-payroll
+    logging_dlp: siem:index=ztna-payroll
+    exception_decision: compensating_control_until_2026-08-31
+    status: covered_with_time_bound_exception
+  - application: vendor-whiteboard.example
+    type: SaaS
+    discovery_source:
+      - swg_proxy_logs
+      - dns_query_logs
+    owner: architecture-team-owner@example.com
+    data_sensitivity: low
+    access_path: direct_saas
+    idp_sso: not_supported
+    pep_ztna: swg_category_policy
+    logging_dlp: swg_log_and_upload_block
+    exception_decision: accepted_until_2026-06-30
+    status: accepted_low_risk_exception
+
+oauth_consent_review:
+  unmanaged_high_privilege_oauth_apps: 0
+  third_party_apps_reviewed: 42
+  apps_revoked_this_cycle: 6
+  publisher_trust_verified: true
+  revocation_runbook: IAM-OAUTH-REVOKE
+```
+
+## Expected Review Result
+
+| Gate | Status | Evidence |
+|------|--------|----------|
+| Discovery sources | Pass | IdP, ZTNA, CASB, SWG, DNS, firewall, and SaaS OAuth exports are included. |
+| Inventory reconciliation | Pass | Observed SaaS, sanctioned SaaS, private app, and OAuth app denominators are documented. |
+| Direct-to-SaaS bypass | Pass | Sanctioned apps have SSO enforced and local login disabled or monitored. |
+| Private app ZTNA coverage | Pass | All private apps are protected by ZTNA or enclave gateway; none remain VPN-only. |
+| Shadow SaaS disposition | Pass | High-risk unsanctioned apps are blocked or risk accepted with owner and expiry. |
+| OAuth consent governance | Pass | Third-party OAuth apps are reviewed, revoked when needed, and tied to a revocation runbook. |
+| Logging and DLP | Pass | CASB/SWG/DLP/SIEM coverage is recorded per app or exception. |
+
+## Reviewer Notes
+
+This evidence can support an Advanced Applications & Workloads maturity score if other application security capabilities also meet the stage criteria. Keep the discovered app denominator current and expire accepted exceptions on schedule.

skills/identity/zero-trust-assessment/tests/vulnerable/shadow-saas-and-vpn-only-apps.md

@@ -0,0 +1,83 @@
+# Vulnerable: Shadow SaaS and VPN-Only Private Apps
+
+## Review Target
+
+```yaml
+zero_trust_program:
+  ztna_product: deployed
+  private_apps_onboarded_to_ztna: 35
+  idp_sso_enabled: true
+  conditional_access: enabled
+  claimed_applications_maturity: Advanced
+
+application_discovery:
+  idp_catalog:
+    sanctioned_saas_apps: 86
+    apps_with_enterprise_sso: 61
+    apps_with_local_login_disabled: 24
+  ztna_inventory:
+    protected_private_apps: 35
+    private_apps_vpn_only: 48
+    direct_internal_network_apps: 19
+    owner_missing_private_apps: 22
+  casb_swg_proxy_dns_30d:
+    observed_saas_apps: 412
+    high_risk_unsanctioned_apps: 27
+    personal_storage_users: 84
+    unmanaged_collaboration_users: 52
+    unknown_file_sharing_users: 31
+  oauth_consent_review:
+    unmanaged_oauth_apps_with_data_access: 14
+    high_privilege_oauth_apps_without_owner: 5
+  governance:
+    reconciliation_between_idp_ztna_and_discovery: missing
+    shadow_saas_owner_mapping: missing
+    dlp_logging_decisions: partial
+    exception_register: not_maintained
+
+examples:
+  - application: personal-drive.example
+    type: SaaS
+    discovery_source: swg_proxy
+    users_30d: 84
+    data_sensitivity: high
+    owner: null
+    access_path: direct_saas
+    idp_sso: bypass
+    dlp_logging: missing
+    exception_decision: none
+  - application: finance-reports-internal
+    type: private_app
+    discovery_source: vpn_logs
+    users_30d: 47
+    data_sensitivity: high
+    owner: finance-it
+    access_path: vpn_only
+    ztna_status: not_onboarded
+    compensating_control: none
+  - application: crm-export-helper
+    type: oauth_app
+    discovery_source: saas_admin_export
+    data_access:
+      - contacts.read
+      - files.read
+      - offline_access
+    owner: null
+    publisher_verified: false
+    revocation_path: unknown
+```
+
+## Expected Findings
+
+| ID | Severity | Evidence |
+|----|----------|----------|
+| ZT-APP-11 | High | CASB/SWG/proxy/DNS discovery shows 412 observed SaaS apps, including high-risk apps absent from governance. |
+| ZT-APP-12 | High | Sanctioned SaaS has enterprise SSO for only 61 of 86 apps and local login disabled for only 24 apps. |
+| ZT-APP-13 | High | 48 private apps remain VPN-only and 19 are directly reachable after ZTNA rollout. |
+| ZT-APP-14 | Medium | Shadow SaaS exceptions lack owner, expiry, DLP/logging decision, and compensating controls. |
+| ZT-APP-15 | High | Unmanaged OAuth apps retain data access with no owner, publisher trust, or revocation path. |
+| ZT-VIS-06 | Medium | No reconciliation exists between IdP/ZTNA inventory and CASB/SWG/proxy/DNS discovery. |
+
+## Reviewer Notes
+
+Do not score Applications & Workloads as Advanced based only on a deployed ZTNA product and 35 onboarded apps. Require discovered app denominator, direct-to-SaaS bypass review, OAuth consent governance, VPN-only private app disposition, and exception decisions before raising maturity.