{"id":17732,"date":"2020-07-07T10:57:55","date_gmt":"2020-07-07T14:57:55","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=17732"},"modified":"2022-10-14T18:26:41","modified_gmt":"2022-10-14T22:26:41","slug":"ma-cybersecurity-challenges-we-asked-an-expert","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/ma-cybersecurity-challenges-we-asked-an-expert.html","title":{"rendered":"M&#038;A Cybersecurity Challenges? We Asked an Expert"},"content":{"rendered":"\n<p>When companies merge or get acquired, the buyer assumes tremendous liability as a data breach can cost many millions of dollars or more. In fact, cybersecurity can be considered perhaps the ultimate landmine in the acquisition process because it can be hidden and cause a massive explosion. Moreover, just like a land mine, it is possible the injury could be severe or cause death.<\/p>\n\n\n\n<p>Loss of customer faith, loss of revenue, loss of data and trade secrets are just some of the potential issues to be worried about.<\/p>\n\n\n\n<p>To help you protect your organization from such challenges we spoke with Chris Hickman, chief security officer at digital identity security vendor <a href=\"http:\/\/www.keyfactor.com\">Keyfactor<\/a>. Here is our exclusive interview:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/07\/Chris-Hickman-Keyfactor-Chief-Security-Officer.png\" alt=\"\" class=\"wp-image-17733\" srcset=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/07\/Chris-Hickman-Keyfactor-Chief-Security-Officer.png 150w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/07\/Chris-Hickman-Keyfactor-Chief-Security-Officer-90x90.png 90w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/><figcaption> Chris Hickman, chief security officer at digital identity security vendor <a href=\"http:\/\/www.keyfactor.com\/\">Keyfactor<\/a> <\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>What are the security challenges and opportunities during a M&amp;A?<\/strong><\/p>\n\n\n\n<p>A M&amp;A of a business unit rather\nthan an&nbsp;entire business entity introduces an additional level of complexity.&nbsp;When\nbuying only part of a business you have to have a clear path to cut over\nsecurity context as no co-existence is usually possible.<\/p>\n\n\n\n<p>It&#8217;s\ncommon that merging organizations have different approaches to digital identity\nmanagement and differing opinions on how to secure them. This is more common\nwhen both parties already have their own public key infrastructure (PKI)\nenvironment and processes that need to be integrated. Each organization will\nhave its own set of identities and templates that have already been deployed\nand their own way of managing applications.<\/p>\n\n\n\n<p>What\nmany organizations fail to realize is that a M&amp;A provides the perfect\nopportunity to incorporate an enhanced digital identity management platform to\nboth elevate overall security capabilities and optimize the IT project work\nassociated with&nbsp;the M&amp;A.<\/p>\n\n\n\n<p>From\na security perspective, the organizations on either side may generally lack\nsecurity visibility of integrated servers and applications. Having a tool in\nplace to detect and report on these issues can ensure that the new security\nteam is able to quickly assess weaknesses and respond to them quickly, instead\nof being caught off guard by future audit findings. <\/p>\n\n\n\n<p>When\nthe merging organizations have multiple PKI environments, the issuing\nCertificate Authorities (CAs) from both environments need to be distributed to\nall endpoints across the combined organizations. This ensures that all\ncertificates can be trusted. If teams miss this step, application whitelisting\ncan fail on security devices and SSL connections to enterprise applications\ncould fail or perform inconsistently, overwhelming the help desk. SSL interception\ntechnologies such as WAN accelerators, SSL Inspection devices and proxy servers\ncould also cause traffic blocks if their issued certificates are not trusted by\nall entities.<\/p>\n\n\n\n<p><strong>Do these challenges extend to liability related to an unknown breach at the acquired company like Verizon\/Yahoo?<\/strong><\/p>\n\n\n\n<p>Potentially.\nIn the case of the Marriott\/Starwood breach, Marriott accepted and assumed\nresponsibility for the breach even though it happened prior to the\nmerger.&nbsp;In the case of Yahoo and Verizon, past breaches at Yahoo forced a\nreduction in the acquisition offer price, leading to a lower valuation of Yahoo\nand shared liability for any litigation arising from the breaches.<\/p>\n\n\n\n<p><strong>What are the key areas to look at when considering IT spend for a M&amp;A?<\/strong><\/p>\n\n\n\n<p>Having\nthe right identity management tools in place at the beginning of the engagement\ncan make a difference in the success of the project, especially since a M&amp;A\ncan open up new IT budget opportunities. Corporations realize that they will\nneed to invest in new tools and services to complete the M&amp;A activity.\nOrganizations often create special integration budgets to absorb activity costs\nand write them off as spending related to the M&amp;A.<\/p>\n\n\n\n<p>When\nit comes to digital identities, there are three key IT spend areas specific to\nthe M&amp;A process:<\/p>\n\n\n\n<ul><li>Tools&nbsp;\u2013&nbsp;Having the right tools in place can help\nminimize labor costs associated with the M&amp;A, as well as long-term IT\nmanagement costs. The right platform should make all digital identity\nmanagement tasks more efficient and data more accurate. <\/li><\/ul>\n\n\n\n<ul><li>People\n\u2013&nbsp;Ensure that you have enough people to do the job\nright. Digital identities are a key piece of your overall security strategy. A\nM&amp;A isn\u2019t the time to cut corners. Ensure that you are adequately staffed\nto address the issues that come up and correct them. This may include bringing\nin consultants or additional staff during the M&amp;A.<\/li><\/ul>\n\n\n\n<ul><li>Security\n\u2013&nbsp;Redesign and rebuild during a M&amp;A provides the\nopportunity to make improvements. Your environment should always be more secure\nafter a M&amp;A than it was before. Digital identity is a key attack vector for\nsecurity incidents and must be continually improved. If you are migrating your\nCAs during a M&amp;A, take the opportunity to put additional safeguards in\nplace. Here are a few examples of improvement opportunities that may present\nthemselves:<\/li><\/ul>\n\n\n\n<ul><li>Consider\noutsourcing your infrastructure to PKI management experts.&nbsp;<ul><li>Implement new\ntools for auditing and reporting of certificate use.&nbsp;Improved\nvisibility of your environment for how certificates are being issued and\ndeployed will greatly increase your ability to detect and respond to incidents\nquickly.<\/li><\/ul><ul><li>Implement HSM\ntechnology to secure critical identities.&nbsp;At\na minimum, this should be included the storage of your issuing CAs, as well as\nhigh-value certificates such as code signing certificates or certificates used\nfor external facing critical systems.<\/li><\/ul><ul><li>Implement a secure\ncode signing solution.&nbsp;Signing your\ninternally developed code and scripts can greatly increase your security\nposture. It can enable technologies such as application whitelisting and secure\nsoftware deployment tools. Since code signing certificates are critical assets\nin your company, make sure you have a solid plan of how to manage these\ncertificates prior to deployment.<\/li><\/ul><ul><li>Improve physical\nsecurity.&nbsp;If the M&amp;A project requires you to move equipment,\nmake sure that the new data center has security controls in place for best\npractice deployment. Secure your assets with secured cabinets or video\nsurveillance systems.<\/li><\/ul><ul><li>Implement new\nautomation technologies to allow automated certificate management and\ndeployment.&nbsp;This can be done in conjunction with DevOps projects\nthat may kick off as a part of the integration.<\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>Why is a M&amp;A a perfect time to implement the proper enterprise tools for digital identity management?<\/strong><\/p>\n\n\n\n<p>Many\napplications will need to be moved or re-platformed as a result of the merger.\nHaving a tool in place to quickly issue certificates and deploy them to the\nappropriate locations is vital and helpful in reducing or eliminating manual\nprocess that can slow down integration tasks and cause human errors.<\/p>\n\n\n\n<p><strong>What are the common questions about digital identity that should be addressed during early integration phases during a M&amp;A?<\/strong><\/p>\n\n\n\n<p>The\nfirst step is always to assess what you really need to merge. This is true for all\nIT infrastructure. The digital identity function is commonly overlooked by\norganizations as unessential and many organizations often begin addressing it\nfar too late in the process.<\/p>\n\n\n\n<p>Here\nare some common questions about digital identity that must be answered early in\nthe process:<\/p>\n\n\n\n<ul><li>What\ncertificate authorities are in use? (public and private)<\/li><li>How\nare certificates issued and what is the approval process?<\/li><li>What\ncertificates already exist in the environment and where are they installed?<\/li><li>How\nare code signing keys issued and secured and who has access to them?<\/li><li>Who\nhas the ability and access to perform certificate management tasks?<\/li><li>Are\nany applications or infrastructure components reliant on these issuance\nprocesses for automation?<\/li><li>How\ncan we establish enterprise wide trust for identities from both organizations?<\/li><li>How\nmany certificates do we have in use before and after this migration? (Note: If\nyou are currently relying on a digital identity management product that relies\non per-certificate fees, this could have a significant impact on the project\nbudget.)<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When companies merge or get acquired, the buyer assumes tremendous liability as a data breach can cost many millions of dollars or more. In fact, cybersecurity can be considered perhaps the ultimate landmine in the acquisition process because it can be hidden and cause a massive explosion. Moreover, just like a land mine, it is<\/p>\n","protected":false},"author":44,"featured_media":1869,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[2918,1796,2917,1133],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/17732"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=17732"}],"version-history":[{"count":2,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/17732\/revisions"}],"predecessor-version":[{"id":17735,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/17732\/revisions\/17735"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/1869"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=17732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=17732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=17732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}