How to navigate the M&A process from an identity security perspective

June 22, 2023
Identity security concerns aren’t something organizations can afford to put on the back burner amid an M&A

In 2017, Verizon announced its intention to purchase Yahoo for $4.8 billion. But just months after that initial announcement, Yahoo disclosed that it had been the victim of a pair of data breaches affecting more than 1 billion user accounts. At the time, the two breaches were the largest ever recorded—and they seriously complicated an already complex acquisition. Ultimately, Verizon still chose to go through with the deal—albeit with a hefty, $350 million discount—but the incident still serves to underscore the importance of performing cybersecurity due diligence amid any merger or acquisition.

While the Yahoo incident remains the most famous example of a breach disclosure complicating an M&A deal, it is far from the only one. And the cybersecurity landscape itself has become more complex in the years since that incident, particularly as the number of digital identities in use has risen exponentially. The average organization now manages tens or even hundreds of thousands of identities—and integrating them into an entirely new system architecture can be a significant challenge. When navigating an M&A, it’s critical to have a plan in place to identify and address identity security challenges before they can escalate into emergencies.

Understanding the Danger and Adopting the Right Mindset

Before connecting an entirely new company to your network, it’s important to know exactly what you’re getting. Traditionally, security professionals think about this in terms of compromise. Could there be an attacker present within the system already? Would integrating those systems into your own network grant the attacker unwanted access? Do the identities currently on the network have the correct level of access, or are they dangerously overprivileged?

A recent research report indicates that 84% of organizations experienced at least one identity-related breach within the past year. That same report indicated that inadequately managed privileges were the culprit more than a third of the time, while stolen credentials were responsible for another third. It can be hard enough for organizations to manage their own identities—just ask Colonial Pipeline. One of the highest-profile breaches in recent memory stemmed from privileged access granted to an account thought to be inactive, highlighting the challenge of maintaining the correct level of access for every identity. When an entirely new organizational structure is added to the mix, it gets even harder.

Taking the Right Steps to Prevent Disaster

Fortunately, there are concrete steps that organizations can take to avoid some of the most common identity-related pitfalls amid an M&A. Before you integrate a new company’s identities with your own, make sure you’ve tried to identify roles within that company. Pulling over a ton of discrete permissions is a recipe for chaos—a company might have 10,000 user identities with over a million different permutations of access needs.

The longer you put off addressing that problem, the worse it’s going to get—those identities will accumulate new entitlements, new permissions, and new problems. Nip it in the bud by creating specific roles before you bring those new identities on board. If you can make those roles line up with those that already exist within your organization, that’s even better. It’s also a good idea to designate sponsors within your organization for each role. Those sponsors should have a thorough understanding of the privileges and access needs of employees in those roles and can be a helpful resource when it comes to identifying overprivileged accounts that represent a security risk.
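The role-first approach described above can be prototyped before any migration tooling is chosen. The following is an added example, not code from the article or from SailPoint: it takes a constructed identity export from the acquired company, derives one candidate role per department (the entitlements held by at least 60% of that department, a threshold chosen here as an assumption), reports each identity's entitlements beyond that role as exceptions for the role sponsor to review, and lines the candidate roles up against the acquirer's existing roles by set similarity. The department attribute, the entitlement naming scheme and the sample roles are all assumptions.

```python
"""Role discovery over an acquired company's identity/entitlement export.

Added example for the article's role-before-migration advice. The input
layout, the department attribute, the 60% membership threshold and the
0.5 similarity cut-off are assumptions, not vendor behaviour.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

Identity = Tuple[str, str, Set[str]]  # (account name, department, entitlements)

# Constructed sample export from the company being acquired.
ACQUIRED_IDENTITIES: List[Identity] = [
    ("alice", "finance", {"erp:read", "erp:post-journal", "mail:user"}),
    ("bob", "finance", {"erp:read", "erp:post-journal", "mail:user"}),
    ("carol", "finance", {"erp:read", "erp:post-journal", "mail:user", "erp:admin"}),
    ("dave", "finance", {"erp:read", "mail:user"}),
    ("erin", "engineering", {"git:push", "ci:run", "mail:user"}),
    ("frank", "engineering", {"git:push", "ci:run", "mail:user", "prod:ssh-root"}),
    ("grace", "engineering", {"git:push", "ci:run", "mail:user"}),
]

# Constructed roles that already exist in the acquiring organization.
EXISTING_ROLES: Dict[str, Set[str]] = {
    "Accountant": {"erp:read", "erp:post-journal", "mail:user"},
    "Developer": {"git:push", "ci:run", "mail:user"},
    "ERP Administrator": {"erp:read", "erp:admin"},
}


def mine_roles(identities: List[Identity], threshold: float = 0.6) -> Dict[str, Set[str]]:
    """One candidate role per department: the entitlements held by at least
    `threshold` of its members. Anything rarer is treated as an exception."""
    by_dept: Dict[str, List[Set[str]]] = defaultdict(list)
    for _, dept, ents in identities:
        by_dept[dept].append(ents)
    roles: Dict[str, Set[str]] = {}
    for dept, member_sets in by_dept.items():
        counts = Counter(e for ents in member_sets for e in ents)
        cutoff = threshold * len(member_sets)
        roles[dept] = {e for e, c in counts.items() if c >= cutoff}
    return roles


def find_exceptions(identities: List[Identity], roles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Entitlements an identity holds beyond its department's candidate role.
    These are the candidate overprivileged accounts a role sponsor should
    confirm or revoke before the identities are migrated."""
    exceptions: Dict[str, Set[str]] = {}
    for name, dept, ents in identities:
        extra = ents - roles[dept]
        if extra:
            exceptions[name] = extra
    return exceptions


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def map_to_existing(mined: Dict[str, Set[str]], existing: Dict[str, Set[str]],
                    min_similarity: float = 0.5) -> Dict[str, Optional[str]]:
    """Best-matching acquirer role for each mined role, or None when nothing
    is similar enough and a new role (with its own sponsor) is needed."""
    mapping: Dict[str, Optional[str]] = {}
    for dept, ents in mined.items():
        best, score = max(((r, jaccard(ents, r_ents)) for r, r_ents in existing.items()),
                          key=lambda pair: pair[1])
        mapping[dept] = best if score >= min_similarity else None
    return mapping


if __name__ == "__main__":
    roles = mine_roles(ACQUIRED_IDENTITIES)
    for dept, ents in roles.items():
        print(f"candidate role {dept!r}: {sorted(ents)}")
    for name, extra in find_exceptions(ACQUIRED_IDENTITIES, roles).items():
        print(f"review {name}: holds {sorted(extra)} beyond the role")
    for dept, target in map_to_existing(roles, EXISTING_ROLES).items():
        print(f"{dept} -> {target or 'NEW ROLE NEEDED'}")
```

On the constructed data this yields an Accountant-shaped role for finance and a Developer-shaped role for engineering, and flags carol's `erp:admin` and frank's `prod:ssh-root` as the entitlements the sponsors must justify before those accounts are brought across. In practice the threshold is tuned per department and identities that hold less than the role (dave here) are reviewed separately, since under-provisioning is an operational rather than a security problem.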

Accounting for Cloud Environments and Unstructured Data

It's also critical to look at unstructured data. The new company may have security solutions in place to protect applications like payroll and HR systems, but is there sensitive information sitting in email inboxes or filesharing services? A spreadsheet of payment information or social security numbers saved to Box or Google Drive represents a dangerous security risk, and it’s important to have tools in place that can identify sensitive unstructured data and apply the appropriate access restrictions.
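Identifying sensitive unstructured data of the kind mentioned above (payment card and social security numbers sitting in spreadsheets or notes) is mostly pattern matching plus a validity check to keep false positives down. The block below is an added example, not code from the article or from any vendor product: it scans a constructed set of in-memory "files", validates SSN-shaped matches against the format rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial) and card-shaped matches with the Luhn checksum, and reports redacted findings per file so the file can be placed under access restriction. The sample file names and contents are constructed; the validity rules are the standard public ones.

```python
"""Sensitive-data discovery over unstructured files (added example).

Finds SSN- and payment-card-shaped values, validates them to cut false
positives, and returns redacted findings keyed by file name. The sample
files are constructed; in a real scan the dict would come from a file
share or cloud-storage listing.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_FILES: Dict[str, str] = {  # constructed sample documents
    "vendors.csv": "name,ssn\nJane Roe,219-09-9999\nTest Row,000-12-3456\n",
    "q3-notes.txt": "Call with client; card on file 4111 1111 1111 1111 exp 12/26",
    "readme.md": "Ticket 1234 5678 9012 3456 is an internal id, not a card number.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

Finding = Tuple[str, str]  # (kind, redacted value)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA format rules: these combinations are never issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def redact(value: str) -> str:
    """Mask every digit except the last four, keeping separators."""
    out, kept = [], 0
    for ch in reversed(value):
        if ch.isdigit():
            out.append(ch if kept < 4 else "*")
            kept += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", redact(m.group(0))))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(("card", redact(m.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Only files with at least one validated finding are returned; these are
    the ones that need an access restriction applied before migration."""
    results = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: restrict access; found {hits}")
```

The decoys show why the validity checks matter: `000-12-3456` has an unissued area number and `1234 5678 9012 3456` fails Luhn, so neither file gets flagged, while the genuine-format SSN and the well-known test card number do. A production scanner would add context keywords, document-type handling and a throttled crawl of the share, but the classification core stays the same.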

Finally, do what you can to clean up cloud environments. Access to many cloud environments is being managed by a DevOps manager with a spreadsheet. That’s a disaster waiting to happen. At a minimum, least-privilege configuration needs to be implemented on cloud roles for developers, and there needs to be a request and certification process for overlooked but critically privileged identities. All of this needs to be cleaned up and finished before a new company’s infrastructure is connected to your own—waiting until after the M&A has taken place will make these measures significantly more difficult to implement.

Identity Security Must Be a Top-Level Concern

The last thing an organization wants to discover is that the business it just acquired brought along a catastrophic security flaw. But as the number of identities in use continues to skyrocket and attackers continue to find new ways to exploit them, it’s an increasingly plausible scenario. Yahoo isn’t a singular example, but a cautionary tale—one that underscores the importance of performing due diligence. Identity security concerns aren’t something organizations can afford to put on the back burner amid an M&A—they need to be a top-level concern, and they need to be addressed long before the two systems are integrated.

About the author: Grady Summers has a variety of technology and leadership positions spanning over 20 years and now serves as the Executive Vice President of Products at SailPoint. Grady is responsible for driving SailPoint’s technology roadmap and solution strategy, ensuring strong and consistent execution across SailPoint’s identity portfolio. Most recently, Grady was the Executive Vice President of Products and Customer Success at FireEye. Prior to that, Grady was a Principal at Ernst and Young, helping to lead the firm’s information security practice, and was the Chief Information Security Officer (CISO) at General Electric, overseeing a large global cybersecurity organization.