The Shadow IT Report shows the number of sanctioned and unsanctioned applications being used and their number of users. It also shows the application categories, the risk index, and the certifications for each application. Zscaler supports up to 50K cloud applications.

Shadow IT has drastically grown in recent years, especially with the adoption of multiple applications. These applications are installed by bypassing the IT department's approval for different reasons, like the ease of setting up applications with fewer approval stages and bottlenecks, the application being more efficient than the choices provided by the organization, etc.

On the other hand, IT departments also appreciate fewer application requests so that they can direct their focus on more business-critical tasks. But oversight of the IT department can lead to significant security risks. These unsanctioned applications must come under the radar of your IT team or relevant department at some stage to monitor their vulnerabilities and mitigate the exploitation surface for the attackers.

About the Shadow IT Report Page

On the Shadow IT Report page (Analytics > SaaS Security > Applications), you can do the following:

1. Filter the data of the entire shadow IT page with your selections. You can click Remove All Filters at any time.
   • Application Category

     Filter by the following application categories:

     • All
     • Administration
     • AI & ML Applications
     • Productivity and CRM Tools
     • Consumer
     • Custom Applications
     • DNS Over HTTPS Services
     • Collaboration and Online Meetings
     • File Sharing
     • Finance
     • General Browsing
     • Health Care
     • Hosting Providers
     • Human Resources
     • Instant Messaging
     • IT Services
     • Legal
     • Sales & Marketing
     • Social Networking
     • Streaming Media
     • System & Development
     • Web Mail
     • Web Search

     Close
   • Risk Index

     Filter by the risk index number (1–5, 1 being the lowest risk and 5 being the highest).

     Close
   • Application Status

     Filter by the following sanctioned states of the applications:

     • All
     • Sanctioned
     • Unsanctioned

     Close
   • Total Bytes

     Filter by the sum of upload and download bytes of the application:

     • All
     • <100 MB
     • >100 GB
     • 1 GB - 10 GB
     • 10 GB-100 GB
     • 100 MB - 1 GB

     Close
   • Tags

     Filter the report for applications associated with specific tags.

     Close
   • Number of Employees

     Filter by the number of employees the application company has:

     • All
     • <100
     • 100–1000
     • 1000–10000
     • >10000

     Close
   • Certifications

     Filter by the types of certifications that the organization adheres to. You can choose to include or exclude:

     • All
     • AICPA
     • CCPA
     • CISP
     • COPPA
     • CSA STAR
     • EU-U.S. Privacy Shield Framework
     • EU-U.S. and Swiss-U.S. Privacy Shield
     • FedRAMP
     • FERPA
     • FIPS
     • FISMA
     • GDPR
     • HIPAA
     • HITECH
     • ISAE 3000
     • ISO 10002
     • ISO 14001
     • ISO 20243
     • ISO 20252
     • ISO 26262
     • ISO 27001
     • ISO 27017
     • ISO 27018
     • JIS Q 15001
     • NIST
     • None
     • PCI DSS
     • RGPD
     • SAFE-BioPharma
     • SOC
     • SOC 1
     • SOC 2
     • SOC 3
     • SSAE 18
     • TRUSTe

     Close
   • SSL Cert Key Size

     Filter by the size of the SSL cert key that the organization uses. As per the current standards, the 2048-bit SSL RSA key size is considered to be secure. A 1024-bit key is outdated, and a 4096-bit SSL key is the latest and the most secure size:

     • All
     • 256 Bits
     • 384 Bits
     • 1024 Bits
     • 2048 Bits
     • 3072 Bits
     • 4096 Bits
     • Unknown

     Close
   • Signature Algorithm of SSL Certification

     Filters the list of SaaS applications based on the cryptographic signature algorithms used in their SSL/TLS certificates.

     • All
     • MD5-SHA1 RSA
     • SHA1 ECDSA
     • SHA1 RSA
     • SHA256 ECDSA
     • SHA256 RSA
     • SHA256 RSA-PSS
     • SHA384 ECDSA
     • SHA384 RSA
     • SHA512 ECDSA
     • SHA512 RSA
     • SHA512 RSA-PSS
     • Unknown

     Close
   • Hosting and Security Characteristics

     View the hosting and security characteristics of each application. You can modify the characteristics:

     • Yes: has the characteristic
     • No: does not have the characteristic
     • Unknown: not determined
     • All: considers all the preceding options
       • Poor Terms of Service: Checks the legal terms and conditions that include questionable parameters (e.g., if the application uses shared customer data for other purposes or with other third-party applications).
       • Data Breaches in the Last 3 Years: Checks if the application reported a known data breach.
       • Source IP Restrictions: Checks if the application provides options to allow or restrict access from specific IP addresses. If the application does not provide this option, the attack surface widens as anyone can access the application.
       • MFA Support: Checks if the application supports multi-factor authentication.
       • Admin Audit Logs: Checks if the application supports logging or provides a trail of all admin activities. This helps in identifying any malicious or anomalous activities.
       • SSL Pinned: Checks if the application has SSL certification pinned. Pinned certificates make the traffic difficult to decrypt and validate its contents, which can have malicious files.
       • Data Encryption in Transit: Checks the minimum TLS version that the application supports. The latest TLS version is the most secure. Applications still using any version earlier than TLS 1.1 are considered less secure.
       • Evasive: Checks if the application supports accessing data anonymously without expecting the user to create an account and log in. If there is no login option, anyone can access the application anonymously without providing their identity. For example, some applications allow users to share files without authenticating them. This can lead malicious users to spread malware and makes identifying the user difficult.
       • HTTP Security Header Support: Checks if all security headers (i.e., X-XSS-Protection, X-Frame-Options, Strict-Transport-Security, Content-Security-Policy, and X-Content-Type-Options) are securely implemented.
       • Valid SSL Certificate: Checks if the application's SSL certificate is valid or not.
       • Published CVE Vulnerability: Checks if the application has published CVE vulnerabilities.
       • DNS CAA Policy: The DNS Certification Authority Authorization (CAA) is an internet security policy mechanism. Domain name holders indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. This attribute captures if domains mention particular CAA authorities for this application.
       • Weak Cipher Support: Checks for weak ciphers. Ciphers are also known as encryption or decryption algorithms. This attribute indicates key sizes that are less than 128 bits. The keys are used for making SSL connections with the servers.
       • File Sharing: Checks if the application supports file sharing, which can be risky as content can be shared outside the organization by users.
       • Vulnerable to Heartbleed: Checks if the application is vulnerable to a Heartbleed attack.
       • Vulnerable to POODLE: Checks if the application is vulnerable to POODLE attack.
       • Vulnerable to Logjam: Checks if the application is vulnerable to Logjam attack.
       • Support for WAF: Checks if the application supports web application firewall (WAF).
       • Remote Access Screen Sharing: Checks if the application supports remote access screen sharing. This can be risky as it widens the attack surface. If a malicious user gets hold of a valid remote access session, it can lead to data exfiltration.
       • Vulnerability Disclosure Policy: Checks if the application has a vulnerability disclosure policy. Applications should provide this option so that ethical users or hackers can report on any misconfigurations that could lead to attacks.
       • Sender Policy Framework: Checks if the application supports sender policy framework (SPF) authentication. SPF authentication works by strictly specifying the number of allowed domain IP addresses that can send emails from your domain. When setting up SPF, the domain owner adds a file or record on the server which indicates to the receiving server what domains are allowed to send emails.
       • DomainKeys Identified Mail: Checks if the application supports DomainKeys Identified Mail (DKIM). DKIM authentication is similar to SPF; this is added as a TXT record by adding it in your domain panel. It makes sure that none of the emails going from server to server are tampered with by anyone in the middle and that emails can be clearly identified from the other end.
       • Domain-Based Message Authentication: Checks if the application supports Domain-Based Message Authentication, Reporting, and Conformance (DMARC). DMARC builds on SPF and DKIM to further validate emails by verifying SPF and DKIM records. This enables you to configure policies in case DMARC validation fails, and it also generates reports.

     Close
2. Source: You can view the report generated by the Zscaler service or a third-party vendor (e.g., Palo Alto Networks). The third-party data is displayed by ingesting near real-time firewall and web proxy logs, then collecting necessary data points, masking sensitive information, and securely streaming the data further to the Zscaler cloud for Shadow IT reporting.
3. For: You can view data from the last 1 day, 7 days, 15 days, month, or quarter. The default time is the last 7 days.
4. Overview: The following sections are an overview of the applications. The information in these sections changes according to the filters that you select.
   • Total Applications: The total number of sanctioned and unsanctioned applications that are in use.
   • Total Bytes: The total bytes consumed by all the applications, both upload and download.
   • Upload Bytes: The total upload bytes for all the applications.
   • Download Bytes: The total download bytes for all the applications.
5. Applications by Status: This section shows the distribution of sanctioned and unsanctioned applications in your organization.
6. Applications with Potential Access to Corporate Platforms: This section shows the number of applications with potential access to your corporate SaaS platforms (e.g., Google Workspace, Azure AD). In the Cloud Applications table, if the number in the Potential Integrations column is greater than zero, then the application has potential access. Data in this section is populated by Zscaler 3rd-Party App Governance.
7. Top Application Categories: This section shows the categorization of applications. You can filter this section to view the data for the Number of Applications, Download Bytes, Total Bytes, or Upload Bytes for each application category. Hover over a category to view the breakdown between sanctioned and unsanctioned applications.
8. Applications by Risk Index: This section shows the number of applications in each risk index (1–5, 1 being the lowest risk and 5 being the highest).

9. Schedule a daily, weekly, or monthly shadow IT report. You can view and manage your scheduled shadow IT reports on the Scheduled Reports page (Analytics > Interactive Reports > Scheduled Reports).

   See image.

   Close

10. Download the report as a CSV file.
11. Search for an application by its name.
12. Cloud Applications: View a list of all the applications. For each application, you can view:

• Application: The application name. When you click on an application, you are redirected to the Application Information page.
• Application Category: The application category of the application.
• Total Bytes: The sum of upload and download bytes of the application.
• Upload Bytes: The total bytes uploaded by the application.
• Download Bytes: The total bytes downloaded by the application.
• Users: The number of unique authenticated users who accessed the application within the specified time range. When you click on the user number for an application, you are redirected to the Users table on the Application Information page.
• Locations: The number of unauthenticated locations from where the application is accessed. When you click on the location number for an application, you are redirected to the Location table on the Application Information page. This information is displayed only when you select the Source as Zscaler.
• Potential Integrations: The number of potential integrations associated with the application in your organization. For example, if your organization uses Grammarly and the application shows at least one integration in this column, then Grammarly has potential access to your corporate SaaS platforms, such as Google Workspace. Data in this column is populated by 3rd-Party App Governance.
• Application Risk Index: The risk index number.
• Application Status: Whether the application is sanctioned or unsanctioned.
• Tags: The tags associated with the application. You can create tags on the Cloud Application Tags page and associate them to apps on the Application Information or Cloud Applications page.
• Notes: The notes that you added for the application on the Application Information page. The column stays blank if you haven't added any notes.

13. Modify the table and its columns.