The Problem

Day1…Welcome to the corporation, but sorry, you don’t have access to our applications. We’d love to let you read the acquired workforce welcome page but we’re still waiting to get the networks connected…

Day1 is when the acquisition is legal and takes effect. During Mergers and Acquisitions (M&A) there’s pre-day1 activities that occur on both sides but in many, if not most, cases these don’t include technical integrations of networks or platforms, nor would they include detailed security reviews (e.g., network scans or pen tests).

In today’s work-from-anywhere reality, connecting office networks is simply not enough. The newly acquired face big productivity challenges that stem from remotely connecting to two environments (existing infrastructure and new corporate resources), causing a VPN ‘swivel-chair experience’. This is especially true for day1 – dayX activities (users required to access HR systems, productivity services, set new passwords, etc).

We saw this issue firsthand at Adobe and Cisco – enabling access to core resources via a zero trust network access (ZTNA) arch greatly improved the experience for the newly acquired.

Pre-Day1 Security

During the mergers & acquisitions (M&A) process and prior to Day1, the acquiring company does some due diligence including security reviews. The issue is that traditional integrations after an M&A result in joining both company networks together in order to enable access to resources.

This can both be costly and increase risk due to the unknown security posture of the acquired company.

There are many examples of breaches where an attack begins in an acquired company then traverses networks into the acquiring company network.

Here’s some other write-ups that cover the topic, statistics and examples:

https://www.forbes.com/sites/allbusiness/2018/11/11/data-privacy-cybersecurity-mergers-and-acquisitions/?sh=65e8ecc872ba

https://www.ibm.com/downloads/cas/RJX5MXJD

https://itchronicles.com/security/your-guide-to-cybersecurity-risks-that-come-with-mergers-acquisitions/

Pre-Day1 Technical Challenges

There are several technical challenges that IT teams still struggle with during an M&A:

  1. Connecting two completely different networks, often with overlapping CIDR ranges and incompatible tooling (like IP address management, internet gateways, etc.)
  2. Managing corporate devices using different device managers and varying software stacks
  3. Enforcing consistent corporate security policies, while still providing access to the new workforce.

A common technical challenge I have seen over and over again is maintaining IP-address-based access control lists. For example, the acquired company uses a shared office where every tenant on the shared Wi-Fi network uses the same public IP address… an IP whitelisting rule for the shared office would allow unknown and untrusted users onto the corporate network!

Security Challenges

It’s really hard to understand the security stance of a newly acquired company prior to day1. You are limited to what you can do, what you can see. It’s very unlikely that you can perform scans or intrusive testing. You may be able to see some documentation, but even that depends on the situation.

This means that connecting the network of the acquired company to your network is an increase in risk that you may not wish to take on. This is especially true if their network is in countries you deem higher risk or networks shared with other companies (i.e., shared office space).

During my career we managed to leverage our zero trust platform during several acquisitions to enable access to services without needing to join entire networks. This saved investing in additional infrastructure, expanding operational complexities and more importantly assuming additional risk. Do you really want devices on a network you know little about having full access to your campus network?

So, let’s dig in a little further…

Details

First of all, we’re assuming by now you’ve got your zero trust network access platform up and running and this means the following:

  • You’ve enabled remote and on-premises access to critical internal corporate resources irrespective of the user’s network location (or home) via your zero trust network/remote access platform.
  • You’re now incorporating device health validation (e.g., minimum OS version, device is managed, etc.) as part of the authentication workflow.

Once these are in place it’s possible to simply configure the endpoints of the new workforce which will then enable their access to your zero trust enabled applications.

If you want to enable access to the new workforce on day one the quickest path is leveraging your zero trust platform. As we just explained above, the traditional method of connecting the two company networks increases your risk, costs, and also results in day1 access being hard to achieve.

The solution is very similar to that of solving the vendor/contractor access issue; where you need to enable unmanaged devices to securely access applications. It’s very likely that the acquired company already has IT managed devices (MDM/UEM) where you’re unable to remove that software and it’s also likely they have an existing endpoint security solution that you are also unable to swap out prior to or on Day1.

This is why a decent Zero Trust partner enables you to leverage existing investments, recognizing that there are many MDM, endpoint, and authentication platforms that would be integrated. So during an M&A situation the coexistence of these solutions in the acquired and acquiring companies is very important.

So in the M&A scenario the HR system is loaded with the new employee data which then synchronizes with your identity platform. This would be something you stage prior to day1, if you’ve got a decent Identity Management program then you’ll have already defined the birth rights so regardless of role the new workforce would be in the groups enabling access to core applications.

These applications would be available via your zero trust platform and the new workforce now simply need to enroll their devices.

Day1

So the big day has arrived and you need to set the new workforce up enabling them to access your core services. There’s a few simple steps:

  1. Complete the identity setup following your normal process (typically users log in with their new account, change their password and complete MFA setup)
  2. Now they click a link to register their device which adds them to the zero trust platform enabling:
    1. Certificate-based authentication
    2. Device posture check
    3. Policy enforcement
    4. One-click application access

So, within 5 minutes on Day1 you can have thousands of users up and running accessing your applications, no VPN and also no need for you to install MDM on their devices or swap out their endpoint security software.

Benefits

There’s a few great benefits using this method:

  • Enabling the new workforce to access to the acquiring company’s apps and services in minutes
  • Improving security by preventing traffic from the acquired company to your company
  • Reducing operational costs and complexity in your networking services
  • Improving user experience by introducing a frictionless method of access when working from home (eliminating ‘swivel-chair access’)
  • The same M&A use case applies to how you can enable vendor access

Wrap

Having done this during my time at Adobe, we found this approach helped accelerate the successful integration of the acquired company and its workforce. Once again improving security, improving workforce experience, and reducing costs.

Reflecting back, it now seems like common sense yet this alludes so many companies. If your company is acquisitive then this approach will be a huge win for IT, Security, and your new workforce.

author avatar
Den Jones