Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/10/2019
02:30 PM
Scott Totman
Scott Totman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Merging Companies, Merging Clouds

Integrating cloud environments is anything but easy. Evaluating the security risks in doing so must be a starting component of an overall M&A strategy.

Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world.

But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy any value the transaction poses.

In addition, a common misconception is that if the two companies merging both operate in the cloud, integration will be easier. The reality is it's actually harder due to the added complexity — no two cloud environments are identical, and the rate of change is so much faster compared with traditional IT. Post-acquisition IT integration used to take five to ten years, but these days, given the nonstop pace of innovation, organizations don't have that luxury.

Today, evaluating cloud and container security risks must be a starting component of the overall M&A strategy. IT integrations must happen almost immediately, and the acquiring company needs to be ready to implement best practices and mitigate high-priority risks on day one. Failing to do so can have substantial financial repercussions in the form of breaches, loss of business and market value, fines, lawsuits, etc.

Following are three cloud considerations for organizations considering M&A activity.

Due Diligence Before It's Due
M&A deals can move quickly, and companies often procrastinate on technical due diligence. This can prove catastrophic when the acquirer realizes only after the deal has closed that significant security gaps exist in its new network caused by differing architectural choices, configurations, standards, etc., without a plan in place for immediate remediation.

That's why companies must begin evaluating cloud security and compliance risks from the very beginning of the M&A process. Agentless, read-only tools can enable organizations to address concerns around access while still allowing risk assessment to form a remediation strategy. Leveraging automation can enable continuous discovery to map infrastructure resources across all clouds, analyze operations, identify risks, and take action (in the form of alerts, mitigation, or remediation). This approach will help ensure major security issues can be fixed immediately after the deal closes.

Establish a Unified View of Infrastructure
One critical post-M&A activity is applying the acquiring company's governance standards across the new entity. Doing so on a global scale is typically expensive, complex, time-consuming, and fraught with error for several reasons:

  • Lack of capacity to accomplish enormous change
  • Poor documentation and inconsistencies in tagging, classifying, and mapping assets
  • Acquired staff turnover resulting in a loss of "tribal" knowledge
  • Political and cultural disruption within the acquired entity.

Automated tools are essential. It is impossible to achieve the unified view of all infrastructure needed to apply and enforce governance standards manually. Companies must ensure they are classifying and storing data consistently during the IT integration process; otherwise, they risk failing compliance audits and paying resulting penalties. Similar to security risk identification and remediation, the application and enforcement of governance standards cannot be a one-time event. The constantly evolving nature of cloud environments means automated assessment must be continuous and pervasive.

Create Efficiency at Scale
As little as five years ago, it was common for IT teams to be solely responsible for managing and securing all of their organizations’ infrastructures. This simplified IT integrations during M&A because communication was really only needed between two clearly defined groups of people.

This is far from reality in the cloud. Access is so highly distributed that a company can have hundreds or thousands of individual, digitally savvy employees managing different assets and applying changes hourly. Recognizing and planning around this new landscape is critical in an M&A deal. Mapping responsibilities and "ownership" of various assets matters just as much as mapping the resources themselves. This is the only way governance standards and security remediations can be implemented efficiently and at scale. While this may seem daunting, it’s faster and less risky to task the original owners — who have the contextual understanding and historical knowledge of the assets — with applying needed changes.

To this end, establishing automated feedback loops ensures the right people are assigned the right tasks, and it creates a track record of accountability. The change management process should also include automated prioritizing of tasks based on risk level, ensuring intolerable risks are addressed immediately.

Time to Adapt
Failure to recognize the added complexities and greater potential security risks of merging two or more cloud environments during an M&A can have serious consequences. Companies that are still relying on traditional IT may use the M&A to play catch up by acquiring more innovative companies that have already embraced the cloud. This strategy is reasonable enough, but it means companies with no prior experience in managing risk in the cloud are forced to quickly take an accurate inventory of all assets in this complex environment and ensure compliance and security standards are met.

The whole point of an M&A is to find synergies between two or more companies and emphasize those synergies for financial gain. But if not done right, integrating cloud environments and mitigating security risks can be an incredibly costly undertaking. And if vulnerabilities go undetected and unremediated — well, where there are clouds there could be rain.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Scott Totman brings more than two decades of experience in enterprise application development to DivvyCloud.  As VP of engineering, he is responsible for the ongoing development and delivery of DivvyCloud's software. Prior to joining DivvyCloud, Totman was the vice ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...