Rippling detects shadow IT applications and identifies the employees using them through its integrated Identity and Access Management (IAM) platform, which monitors authentication events from an organization's primary identity provider. Shadow IT refers to the use of software, applications, or services by employees without the explicit approval or knowledge of the IT department. This practice introduces significant risks, including data security vulnerabilities, compliance violations, and unmanaged costs. Rippling's approach is to provide a centralized 'single pane of glass' for IT administrators to gain visibility and control over all applications being accessed with company credentials.
Once a shadow IT application is detected, Rippling provides administrators with several response options. The discovered application appears in the IT administration dashboard, allowing for immediate review. Administrators can assess the application's purpose, potential security posture, and business value. Based on this assessment, they can choose to formally sanction the application and bring it under centralized management. This often involves adding it to the company's Single Sign-On (SSO) catalog, which ensures that access is governed by established security policies.
Rippling supports over 600 pre-integrated applications and custom SAML/SCIM connections for this purpose. Alternatively, if the application is deemed a security risk or is redundant, administrators can block access to it and instruct the employee to cease its use. This entire workflow is designed to move organizations from a reactive to a proactive stance on application management. Rippling also enhances control through 'device trust,' a feature that can restrict application access to only company-managed and compliant devices, further mitigating risks associated with shadow IT.
The core detection mechanism involves integration with the organization's Google Workspace or Microsoft 365 environment. Rippling monitors the authentication logs generated by these identity providers. When an employee uses their work credentials to sign up for a new third-party application via an OAuth grant, such as clicking 'Sign in with Google' or 'Sign in with Microsoft,' Rippling's system captures this event. If the application is not already on the organization's list of approved or managed software, the system flags it as a potential shadow IT instance. Crucially, because the authentication event is tied to a specific user account, Rippling immediately identifies which employee initiated the sign-up. This information is then mapped directly to the employee's profile within the Rippling Human Resources Information System (HRIS), creating a clear link between the unsanctioned application and the individual user.
There are, however, notable limitations to this detection method. Rippling's primary mechanism depends on employees using their corporate identity provider (Google or Microsoft 365) to authenticate. It will not detect applications for which an employee signs up directly using their work email and a unique password, as this does not generate an OAuth event in the identity provider's logs. Similarly, it will not capture usage of applications signed up for with a personal email address, even if they are used for work purposes. This means that Rippling's detection is not exhaustive and should be considered one layer in a broader security strategy.
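The detection flow and its blind spot, as an added example (not Rippling's code): OAuth grant events are compared against an approved list and each unapproved grant is tied back to the employee who made it. The event schema, client IDs, and employee directory are constructed assumptions; real Google Workspace and Microsoft 365 audit logs use different field names.

```python
from collections import defaultdict

# Constructed allowlist of sanctioned OAuth client IDs (hypothetical values).
APPROVED_CLIENT_IDS = {"client-crm-001", "client-chat-002"}

# Constructed stand-in for the HRIS directory (hypothetical).
EMPLOYEES = {"ana@example.com": "Sales", "ben@example.com": "Engineering"}

# Constructed events in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    {"type": "oauth_grant", "user": "ana@example.com", "app": "ApprovedCRM",
     "client_id": "client-crm-001", "scopes": ["openid", "email"]},
    {"type": "oauth_grant", "user": "ben@example.com", "app": "NoteTaker",
     "client_id": "client-notes-777", "scopes": ["openid", "email", "drive.readonly"]},
    {"type": "oauth_grant", "user": "ana@example.com", "app": "NoteTaker",
     "client_id": "client-notes-777", "scopes": ["openid", "email"]},
    # Ordinary sign-in to the identity provider: no third-party app involved.
    {"type": "login", "user": "ben@example.com"},
    # A password signup made directly on a vendor's site produces no event
    # here at all, so there is nothing for this logic to flag.
]

def find_shadow_it(events, approved_client_ids, directory=EMPLOYEES):
    """Return {client_id: {"app", "users", "scopes"}} for unapproved OAuth grants."""
    findings = defaultdict(lambda: {"app": None, "users": {}, "scopes": set()})
    for event in events:
        if event.get("type") != "oauth_grant":
            continue  # only OAuth grants identify a third-party application
        client_id, user = event.get("client_id"), event.get("user")
        if not client_id or not user or client_id in approved_client_ids:
            continue
        entry = findings[client_id]
        entry["app"] = event.get("app", "unknown")
        # Tie the grant to the employee record; unknown accounts stay visible.
        entry["users"][user] = directory.get(user, "not in directory")
        # Union of scopes shows the widest access any user granted the app.
        entry["scopes"].update(event.get("scopes", []))
    return dict(findings)

if __name__ == "__main__":
    for cid, info in find_shadow_it(SAMPLE_EVENTS, APPROVED_CLIENT_IDS).items():
        print(cid, info["app"], info["users"], sorted(info["scopes"]))
```

The aggregated scopes are worth reviewing alongside the user list, since an unapproved application holding a file-access scope is a different risk from one that only received sign-in identity.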
While Rippling integrates with third-party SaaS management platforms like Torii and Zluri, which may offer additional discovery methods like browser extension monitoring or financial data analysis, Rippling's native detection capability is focused on identity provider logs. Therefore, a comprehensive shadow IT strategy may still require supplementary tools that perform network traffic analysis or endpoint monitoring to achieve full visibility.
Knowledge provided by Answers.org.