Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/10/2019
02:30 PM
Scott Totman
Scott Totman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Merging Companies, Merging Clouds

Integrating cloud environments is anything but easy. Evaluating the security risks in doing so must be a starting component of an overall M&A strategy.

Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world.

But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy any value the transaction poses.

In addition, a common misconception is that if the two companies merging both operate in the cloud, integration will be easier. The reality is it's actually harder due to the added complexity — no two cloud environments are identical, and the rate of change is so much faster compared with traditional IT. Post-acquisition IT integration used to take five to ten years, but these days, given the nonstop pace of innovation, organizations don't have that luxury.

Today, evaluating cloud and container security risks must be a starting component of the overall M&A strategy. IT integrations must happen almost immediately, and the acquiring company needs to be ready to implement best practices and mitigate high-priority risks on day one. Failing to do so can have substantial financial repercussions in the form of breaches, loss of business and market value, fines, lawsuits, etc.

Following are three cloud considerations for organizations considering M&A activity.

Due Diligence Before It's Due
M&A deals can move quickly, and companies often procrastinate on technical due diligence. This can prove catastrophic when the acquirer realizes only after the deal has closed that significant security gaps exist in its new network caused by differing architectural choices, configurations, standards, etc., without a plan in place for immediate remediation.

That's why companies must begin evaluating cloud security and compliance risks from the very beginning of the M&A process. Agentless, read-only tools can enable organizations to address concerns around access while still allowing risk assessment to form a remediation strategy. Leveraging automation can enable continuous discovery to map infrastructure resources across all clouds, analyze operations, identify risks, and take action (in the form of alerts, mitigation, or remediation). This approach will help ensure major security issues can be fixed immediately after the deal closes.

Establish a Unified View of Infrastructure
One critical post-M&A activity is applying the acquiring company's governance standards across the new entity. Doing so on a global scale is typically expensive, complex, time-consuming, and fraught with error for several reasons:

  • Lack of capacity to accomplish enormous change
  • Poor documentation and inconsistencies in tagging, classifying, and mapping assets
  • Acquired staff turnover resulting in a loss of "tribal" knowledge
  • Political and cultural disruption within the acquired entity.

Automated tools are essential. It is impossible to achieve the unified view of all infrastructure needed to apply and enforce governance standards manually. Companies must ensure they are classifying and storing data consistently during the IT integration process; otherwise, they risk failing compliance audits and paying resulting penalties. Similar to security risk identification and remediation, the application and enforcement of governance standards cannot be a one-time event. The constantly evolving nature of cloud environments means automated assessment must be continuous and pervasive.

Create Efficiency at Scale
As little as five years ago, it was common for IT teams to be solely responsible for managing and securing all of their organizations’ infrastructures. This simplified IT integrations during M&A because communication was really only needed between two clearly defined groups of people.

This is far from reality in the cloud. Access is so highly distributed that a company can have hundreds or thousands of individual, digitally savvy employees managing different assets and applying changes hourly. Recognizing and planning around this new landscape is critical in an M&A deal. Mapping responsibilities and "ownership" of various assets matters just as much as mapping the resources themselves. This is the only way governance standards and security remediations can be implemented efficiently and at scale. While this may seem daunting, it’s faster and less risky to task the original owners — who have the contextual understanding and historical knowledge of the assets — with applying needed changes.

To this end, establishing automated feedback loops ensures the right people are assigned the right tasks, and it creates a track record of accountability. The change management process should also include automated prioritizing of tasks based on risk level, ensuring intolerable risks are addressed immediately.

Time to Adapt
Failure to recognize the added complexities and greater potential security risks of merging two or more cloud environments during an M&A can have serious consequences. Companies that are still relying on traditional IT may use the M&A to play catch up by acquiring more innovative companies that have already embraced the cloud. This strategy is reasonable enough, but it means companies with no prior experience in managing risk in the cloud are forced to quickly take an accurate inventory of all assets in this complex environment and ensure compliance and security standards are met.

The whole point of an M&A is to find synergies between two or more companies and emphasize those synergies for financial gain. But if not done right, integrating cloud environments and mitigating security risks can be an incredibly costly undertaking. And if vulnerabilities go undetected and unremediated — well, where there are clouds there could be rain.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Scott Totman brings more than two decades of experience in enterprise application development to DivvyCloud.  As VP of engineering, he is responsible for the ongoing development and delivery of DivvyCloud's software. Prior to joining DivvyCloud, Totman was the vice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11674
PUBLISHED: 2019-10-22
Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.
CVE-2019-12967
PUBLISHED: 2019-10-22
Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier versions) has Incorrect Access Control.
CVE-2019-17189
PUBLISHED: 2019-10-22
totemodata 3.0.0_b936 has XSS via a folder name.
CVE-2019-4523
PUBLISHED: 2019-10-22
IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 165481.
CVE-2019-17424
PUBLISHED: 2019-10-22
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.