Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/10/2019
02:30 PM
Scott Totman
Scott Totman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Merging Companies, Merging Clouds

Integrating cloud environments is anything but easy. Evaluating the security risks in doing so must be a starting component of an overall M&A strategy.

Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world.

But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy any value the transaction poses.

In addition, a common misconception is that if the two companies merging both operate in the cloud, integration will be easier. The reality is it's actually harder due to the added complexity — no two cloud environments are identical, and the rate of change is so much faster compared with traditional IT. Post-acquisition IT integration used to take five to ten years, but these days, given the nonstop pace of innovation, organizations don't have that luxury.

Today, evaluating cloud and container security risks must be a starting component of the overall M&A strategy. IT integrations must happen almost immediately, and the acquiring company needs to be ready to implement best practices and mitigate high-priority risks on day one. Failing to do so can have substantial financial repercussions in the form of breaches, loss of business and market value, fines, lawsuits, etc.

Following are three cloud considerations for organizations considering M&A activity.

Due Diligence Before It's Due
M&A deals can move quickly, and companies often procrastinate on technical due diligence. This can prove catastrophic when the acquirer realizes only after the deal has closed that significant security gaps exist in its new network caused by differing architectural choices, configurations, standards, etc., without a plan in place for immediate remediation.

That's why companies must begin evaluating cloud security and compliance risks from the very beginning of the M&A process. Agentless, read-only tools can enable organizations to address concerns around access while still allowing risk assessment to form a remediation strategy. Leveraging automation can enable continuous discovery to map infrastructure resources across all clouds, analyze operations, identify risks, and take action (in the form of alerts, mitigation, or remediation). This approach will help ensure major security issues can be fixed immediately after the deal closes.

Establish a Unified View of Infrastructure
One critical post-M&A activity is applying the acquiring company's governance standards across the new entity. Doing so on a global scale is typically expensive, complex, time-consuming, and fraught with error for several reasons:

  • Lack of capacity to accomplish enormous change
  • Poor documentation and inconsistencies in tagging, classifying, and mapping assets
  • Acquired staff turnover resulting in a loss of "tribal" knowledge
  • Political and cultural disruption within the acquired entity.

Automated tools are essential. It is impossible to achieve the unified view of all infrastructure needed to apply and enforce governance standards manually. Companies must ensure they are classifying and storing data consistently during the IT integration process; otherwise, they risk failing compliance audits and paying resulting penalties. Similar to security risk identification and remediation, the application and enforcement of governance standards cannot be a one-time event. The constantly evolving nature of cloud environments means automated assessment must be continuous and pervasive.

Create Efficiency at Scale
As little as five years ago, it was common for IT teams to be solely responsible for managing and securing all of their organizations’ infrastructures. This simplified IT integrations during M&A because communication was really only needed between two clearly defined groups of people.

This is far from reality in the cloud. Access is so highly distributed that a company can have hundreds or thousands of individual, digitally savvy employees managing different assets and applying changes hourly. Recognizing and planning around this new landscape is critical in an M&A deal. Mapping responsibilities and "ownership" of various assets matters just as much as mapping the resources themselves. This is the only way governance standards and security remediations can be implemented efficiently and at scale. While this may seem daunting, it’s faster and less risky to task the original owners — who have the contextual understanding and historical knowledge of the assets — with applying needed changes.

To this end, establishing automated feedback loops ensures the right people are assigned the right tasks, and it creates a track record of accountability. The change management process should also include automated prioritizing of tasks based on risk level, ensuring intolerable risks are addressed immediately.

Time to Adapt
Failure to recognize the added complexities and greater potential security risks of merging two or more cloud environments during an M&A can have serious consequences. Companies that are still relying on traditional IT may use the M&A to play catch up by acquiring more innovative companies that have already embraced the cloud. This strategy is reasonable enough, but it means companies with no prior experience in managing risk in the cloud are forced to quickly take an accurate inventory of all assets in this complex environment and ensure compliance and security standards are met.

The whole point of an M&A is to find synergies between two or more companies and emphasize those synergies for financial gain. But if not done right, integrating cloud environments and mitigating security risks can be an incredibly costly undertaking. And if vulnerabilities go undetected and unremediated — well, where there are clouds there could be rain.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Scott Totman brings more than two decades of experience in enterprise application development to DivvyCloud.  As VP of engineering, he is responsible for the ongoing development and delivery of DivvyCloud's software. Prior to joining DivvyCloud, Totman was the vice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .