Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/10/2019
02:30 PM
Scott Totman
Scott Totman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

Merging Companies, Merging Clouds

Integrating cloud environments is anything but easy. Evaluating the security risks in doing so must be a starting component of an overall M&A strategy.



Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world.

But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy any value the transaction poses.

In addition, a common misconception is that if the two companies merging both operate in the cloud, integration will be easier. The reality is it's actually harder due to the added complexity — no two cloud environments are identical, and the rate of change is so much faster compared with traditional IT. Post-acquisition IT integration used to take five to ten years, but these days, given the nonstop pace of innovation, organizations don't have that luxury.

Today, evaluating cloud and container security risks must be a starting component of the overall M&A strategy. IT integrations must happen almost immediately, and the acquiring company needs to be ready to implement best practices and mitigate high-priority risks on day one. Failing to do so can have substantial financial repercussions in the form of breaches, loss of business and market value, fines, lawsuits, etc.

Following are three cloud considerations for organizations considering M&A activity.

Due Diligence Before It's Due
M&A deals can move quickly, and companies often procrastinate on technical due diligence. This can prove catastrophic when the acquirer realizes only after the deal has closed that significant security gaps exist in its new network caused by differing architectural choices, configurations, standards, etc., without a plan in place for immediate remediation.

That's why companies must begin evaluating cloud security and compliance risks from the very beginning of the M&A process. Agentless, read-only tools can enable organizations to address concerns around access while still allowing risk assessment to form a remediation strategy. Leveraging automation can enable continuous discovery to map infrastructure resources across all clouds, analyze operations, identify risks, and take action (in the form of alerts, mitigation, or remediation). This approach will help ensure major security issues can be fixed immediately after the deal closes.

Establish a Unified View of Infrastructure
One critical post-M&A activity is applying the acquiring company's governance standards across the new entity. Doing so on a global scale is typically expensive, complex, time-consuming, and fraught with error for several reasons:

  • Lack of capacity to accomplish enormous change
  • Poor documentation and inconsistencies in tagging, classifying, and mapping assets
  • Acquired staff turnover resulting in a loss of "tribal" knowledge
  • Political and cultural disruption within the acquired entity.

Automated tools are essential. It is impossible to achieve the unified view of all infrastructure needed to apply and enforce governance standards manually. Companies must ensure they are classifying and storing data consistently during the IT integration process; otherwise, they risk failing compliance audits and paying resulting penalties. Similar to security risk identification and remediation, the application and enforcement of governance standards cannot be a one-time event. The constantly evolving nature of cloud environments means automated assessment must be continuous and pervasive.

Create Efficiency at Scale
As little as five years ago, it was common for IT teams to be solely responsible for managing and securing all of their organizations’ infrastructures. This simplified IT integrations during M&A because communication was really only needed between two clearly defined groups of people.

This is far from reality in the cloud. Access is so highly distributed that a company can have hundreds or thousands of individual, digitally savvy employees managing different assets and applying changes hourly. Recognizing and planning around this new landscape is critical in an M&A deal. Mapping responsibilities and "ownership" of various assets matters just as much as mapping the resources themselves. This is the only way governance standards and security remediations can be implemented efficiently and at scale. While this may seem daunting, it’s faster and less risky to task the original owners — who have the contextual understanding and historical knowledge of the assets — with applying needed changes.

To this end, establishing automated feedback loops ensures the right people are assigned the right tasks, and it creates a track record of accountability. The change management process should also include automated prioritizing of tasks based on risk level, ensuring intolerable risks are addressed immediately.

Time to Adapt
Failure to recognize the added complexities and greater potential security risks of merging two or more cloud environments during an M&A can have serious consequences. Companies that are still relying on traditional IT may use the M&A to play catch up by acquiring more innovative companies that have already embraced the cloud. This strategy is reasonable enough, but it means companies with no prior experience in managing risk in the cloud are forced to quickly take an accurate inventory of all assets in this complex environment and ensure compliance and security standards are met.

The whole point of an M&A is to find synergies between two or more companies and emphasize those synergies for financial gain. But if not done right, integrating cloud environments and mitigating security risks can be an incredibly costly undertaking. And if vulnerabilities go undetected and unremediated — well, where there are clouds there could be rain.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Scott Totman brings more than two decades of experience in enterprise application development to DivvyCloud.  As VP of engineering, he is responsible for the ongoing development and delivery of DivvyCloud's software. Prior to joining DivvyCloud, Totman was the vice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...