Information Security Buzz

Managing Application Connectivity Securely Through A Merger Or Acquisition

By ISBuzz Team | August 22, 2016 | Updated: May 2, 2025 | 4 Mins Read

For many businesses a merger or acquisition is highly charged. There’s often excitement about new beginnings mixed with angst that comes with any major business change – not least when it comes to IT security.

During a merger or acquisition, you have two enterprises, each running complex IT infrastructures with hundreds if not thousands of applications. Usually, these applications don’t simply integrate; rather, some perform overlapping functions and need to be altered or extended, some need to be used in parallel, and others need to be decommissioned and removed.

This means amending, altering and updating firewall policies to accommodate new connectivity, new applications and new servers and often new firewalls – crucially, without creating IT security risks or outages. In essence, from the IT security perspective, a merger or acquisition is a massively complicated project that, if not planned and implemented properly, can seriously impact business operations for a long time.

Starting the migration process

As with many IT projects, getting underway can seem daunting – particularly when there are very different infrastructures and different teams that need to be brought together to undertake the project. Generally speaking, however, there are a couple of key steps that can quickly help you get going.

First, you need a complete inventory of the business applications of both organizations. This can be done with auto-discovery tools that collect data on any item that is connected to the network. Once each application and its components are “discovered” and you know how they communicate with each other, you’ll have a clear and accurate map of all the network connectivity flows. This is your blueprint for how you will migrate the current environment to the new environment from an application connectivity perspective. While it’s a huge task to build the foundation, it will put your security and networking group in a position to transform your business.

Next, you need to complete a vulnerability assessment (VA) across both enterprise networks, and identify the business-critical applications at risk. The network inventory, which determines all the application connectivity flows, is a good starting point for the VA – giving you the basis to understand the risk associated with each application. In this step you need to identify and prioritize the devices you really care about. For example, you are probably concerned with vulnerabilities on the trading application that contains the most vital customer and corporate risk information from the company that you just acquired, but may not care too much about vulnerabilities on a system that has no sensitive data.

By following these steps you’ll get a clear business-centric view of the entire enterprise environment: you’ll be able to identify and map all the critical business applications, easily link vulnerabilities and cyber risks to specific applications, assess risk and make smart decisions on how to prioritize remediation actions based on business-driven needs.
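The two steps above can be sketched as follows; this is an added example, not code from the article. It joins the discovered flows of both companies with vulnerability findings and ranks them per application. The host addresses, application names, 1-5 criticality scale and the criticality-times-severity score are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flows per company: (application, source, destination, port).
FLOWS_ACQUIRER = [
    ("payroll", "10.1.0.10", "10.1.5.20", 1433),
    ("intranet", "10.1.0.11", "10.1.5.21", 443),
]
FLOWS_ACQUIRED = [
    ("trading", "172.16.0.5", "172.16.9.8", 1521),
    ("trading", "172.16.0.5", "172.16.9.9", 443),
    ("wiki", "172.16.0.7", "172.16.9.9", 443),
]
# Assumed business criticality, 1 (low) to 5 (vital), set by application owners.
CRITICALITY = {"trading": 5, "payroll": 4, "intranet": 2, "wiki": 1}
# Constructed vulnerability assessment findings: (host, finding, severity 0-10).
FINDINGS = [
    ("172.16.9.9", "outdated TLS library", 7.5),
    ("172.16.9.8", "unpatched database listener", 9.0),
    ("10.1.5.21", "default admin page exposed", 5.0),
    ("10.9.9.9", "legacy SMB enabled", 8.0),  # host appears in no discovered flow
]

def hosts_by_app(flows):
    """Map each application to every host that takes part in its flows."""
    apps = defaultdict(set)
    for app, src, dst, _port in flows:
        apps[app].update((src, dst))
    return apps

def prioritize(flows, findings, criticality):
    """Link findings to applications and rank by criticality x severity."""
    apps = hosts_by_app(flows)
    ranked, unmapped = [], []
    for host, finding, severity in findings:
        owners = [a for a, hosts in apps.items() if host in hosts]
        if not owners:
            unmapped.append((host, finding))  # gap in the inventory, review by hand
            continue
        # A shared host inherits the criticality of its most critical application.
        top = max(owners, key=lambda a: criticality.get(a, 1))
        score = criticality.get(top, 1) * severity
        ranked.append((score, top, host, finding))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked, unmapped

if __name__ == "__main__":
    ranked, unmapped = prioritize(FLOWS_ACQUIRER + FLOWS_ACQUIRED, FINDINGS, CRITICALITY)
    print(*ranked, sep="\n")
    print("not in any discovered flow:", unmapped)
```

Findings on hosts that appear in no discovered flow are returned separately, since they point to a gap in the inventory rather than to a low-priority system.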

Verify, standardize, automate

This will give you an accurate picture of your current IT topology and its business risk, but of course, this is only the first half of the story. Now you need to update the security policy to support changes to business applications.

However, unlike an internal firewall change management project, a merger or acquisition almost certainly involves two companies that have different types of firewalls in place, such as a mix of traditional and next-gen firewalls from multiple vendors, as well as cloud-based security controls.

As Gartner underlined, a huge majority of data breaches are caused by firewall misconfigurations; attempting to change firewall policies manually – especially in such a complex environment – is therefore a fool’s errand.

So to ensure that the firewall change management process is handled efficiently and with minimal risk of misconfiguration, automation is essential. Automated security policy management solutions should provide visibility of the entire firewall estate (traditional, NGFW and cloud-based security controls, Software Defined Networks (SDN), Cisco ACI, etc.) and be able to support all firewalls holistically from a single point of control. Moreover, the solution should be able to assess risk and to translate and apply policies across all devices, so as to close any potential security gaps and minimize the risk of any misconfigurations occurring.

What about security maturity?

Another thing to consider is that the two companies may not be at the same stage on the security policy management maturity model – something we’ve written a series of blogs about in the past. The likelihood is that one company may be more mature from a security policy management perspective than the other. Therefore, when two companies become one, it is vital that they get on the same page.

Maintaining security throughout the transition

A merger or acquisition presents a range of IT challenges, but ensuring business applications can continue to run securely throughout the transition is critical. If you take an application-centric approach and utilize automation, you will be in the best position for the merger/migration and will ultimately drive long-term success.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
