Cloud misconfigurations can cost you big. Every company should have in place the people, processes and tools to support day zero evaluation of cloud security during a mergers and acquisitions (M&A) event. Without this you leave yourself open to massive financial, regulatory, and reputational risk.
There is a misperception that if both organizations in an M&A event are operating within the cloud, it will ease the integration. This is far from reality, since even organizations using the same cloud service provider may have widely different configurations, architectures, and approaches. The quantity of variables is significant, and the rate of change so rapid, that no two organizations will be operating their cloud environments the same way. Because of this complexity, evaluating security risk during the M&A process can be very challenging, and too often it isn’t performed, isn’t performed early enough, isn’t performed comprehensively enough, or some combination of these.
The good news is, security evaluation related to cloud service providers like AWS, Azure, and GCP doesn’t have to be a black box. In fact, DivvyCloud can provide companies with the ability to perform comprehensive, non-invasive risk assessment and auditing on day zero of the integration process or during the M&A due diligence period. This capability radically changes how companies can minimize risk in M&A in a cloud-first world.
Security is one of the biggest concerns during M&A, from physical security to application security, and there are numerous security issues to consider. As part of any M&A process there will be a security audit, ideally during the due diligence phase, but also again on day zero of integration. As part of the audit it’s important to have the right tooling to identify issues, especially when it comes to cloud security posture.
According to CSO Online “compliance problems are one of the most common types of cyber security issues uncovered during due diligence, and a lack of comprehensive security architecture is another common issue.” So what else does the data say? According to Forbes, 40% of M&A deals discover a cybersecurity issue. This has the potential to tank a deal before it closes, or result in messy legal issues requiring the renegotiation of terms, adjustment of the payments, fines, etc.
Additionally, evidence of a previous data breach is only one possible issue. M&A means expanding your IT footprint to include infrastructure the acquired organization may not even be actively monitoring. It only takes one small misconfiguration to expose the entire larger organization to a security risk.
If an M&A deal identifies a security issue, the consequences can be significant. According to Information Commissioner Elizabeth Denham: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
For any organization, regardless of size, there are many devastating potential consequences:
With so many considerations to manage, security should be a primary concern during any M&A deal. This is not just because of the range of potential consequences during the deal, but because of the greater consequences to the integration of the businesses after the deal has been finalized. An important part of your M&A strategy should include review and planning to avoid common mistakes. Here are some of the most common mistakes:
First, by relying on a traditional IT security approach during M&A, where one or both of the organizations is operating in the cloud, you are inviting any number of security issues. Traditional IT simply doesn’t have the right approach or tooling to successfully navigate the unique security risks associated with cloud. As organizations move to the cloud to give their developers the freedom and speed to experiment, innovate, and take advantage of all of the flexibility of infrastructure-as-code, the security considerations simply aren’t the same as those managed in a traditional IT setting. There are no longer data centers, virtual perimeters, or controls based exclusively in on-premises equipment. Cloud technologies have expanded access to the provisioning, management, and creation of resources, so IT organizations are dealing with a population that possesses skill sets ranging from entry-level to administrative.
The complexity of resources also creates exponential variation in challenges because each resource or service has individual configuration elements and security requirements. CI/CD pipelines, permissions management, automation, and configuration drift require a strategy built on policies that can adapt quickly to the changes that cloud technologies introduce. The landscape has changed, so the overall strategy, security policies, and best practices have to evolve with this new landscape in order to succeed.
Second, there is often an assumption made that if both companies in the M&A are operating in the cloud, there is less risk. This is simply not the case, even in a scenario where both organizations may be operating within the same Cloud Service Provider (CSP). It’s far more likely that the organizations will be operating with different CSPs. Challenges for system integration may include hybrid-cloud, multi-cloud, and containers. Organizations are likely to be using different tools and third-party integrations, and definitely operating with different policies. The resulting differences in security approach, infrastructure, and the health of the respective IT networks mean that even in an ideal scenario with a lot of system overlap, no two companies will be the same.
The only reliable approach is to assume that there are no known variables and analyze the entire operation as if the CSPs are different, the security postures are different, and each part of the M&A is a brand new component that has to be evaluated from the bottom up. A comprehensive security analysis, plus the right tools (which we'll get into a bit later), will make sure you’re protected from any misconfigurations or vulnerabilities.
The final two common mistakes are procrastinating on due diligence and relying on in-house tools from one of the M&A organizations. Waiting to evaluate the technical status of either organization will leave any potential integration or security issues undiscovered. The results of procrastinating may end up just costing you time, which is still not a desirable outcome. Or worse, it could also potentially cause all sorts of trouble around your security posture through scenarios that may be vulnerable to exploit. It’s a simple game of statistics: the longer a misconfiguration, unsecured resource, or potential exploit is left undiscovered, the more opportunities there are for a hacker, malicious insider, or other type of breach to occur.
The easiest way to make sure you’re on top of this is to make the technical due diligence an item at the head of your list of actions. Get started on evaluating the technical assets as soon as you start your analysis of the business and financial assets. This way you can put together a strategy for dealing with any issues as soon as you find them and close the door on any vulnerabilities before someone else finds them.
Finally, for organizations that anticipate relying on in-house tools, this approach has the same pitfalls as the reliance on a traditional IT security approach. It’s not a solution for a complex cloud environment. The pace of innovation within a single CSP is so rapid that most in-house tools struggle to maintain parity.
Now imagine this situation, where an in-house tool can barely keep pace with a single cloud and the growth of resources and service coverage, and then add a bunch of other variables. During M&A you may find that you are contending with due diligence on multi-cloud configurations, differing policies around configurations, or undiscovered or orphaned resources. There are a huge number of variables that one in-house set of tools would have to contend with. It’s unreasonable to expect home-grown tooling to be able to scale to accommodate the type of technical due diligence that is required. As you keep reading we’ll explore some of the features that make an external tool a good choice.
We’ve provided an overview of how cloud security is relevant to M&A. We’ve described the potential fallout of a worst case scenario, and explored some of the mistakes that often lead to issues. Let’s switch gears to talk a bit about what features or capabilities you should look for and leverage in a cloud security tool to help support the M&A process. There are 4 key areas that will help ensure successful management of your cloud security concerns during M&A:
The ability to map infrastructure before an M&A deal is complete is extremely valuable. Having a complete picture of every piece of infrastructure is one of the only ways you can safely identify all of the security considerations. DivvyCloud includes capabilities for automated discovery and inventory assessment across CSPs and containers:
Containers as a Service (CaaS)
With support for a range of platforms, DivvyCloud can help identify gaps and issues across all the assets that are part of M&A, regardless of where the inventory lives. Armed with this information, companies can ensure the right policies are in place to establish and maintain their security posture.
Another critical element to evaluate for any tool that you may select to handle your cloud security during M&A is the ability to provide efficiency at scale. In the cloud, the communication requirements are far more diverse because of the range of users and user abilities. With web-based technology like the cloud, most tools are accessible to users regardless of their skill level. Having the correct cloud tools, particularly when dealing with security, can help empower task owners regardless of their skill level.
With a tool like DivvyCloud you can provide guardrails for cloud infrastructure, ensuring that your teams can provision within the limits of the policies you’ve defined. In addition, with automation, you can achieve both security and speed at scale. With API polling and an event-driven approach to identify risk and trigger remediation, DivvyCloud provides fast detection of changes that enables automated remediation to occur in real-time.
Establishing unified visibility as part of M&A has a number of significant advantages. It’s a great way to cut down on the time spent cataloging resources, and more importantly, to ensure a complete and accurate picture of the assets that need to be evaluated. With a tool like DivvyCloud, an organization navigating M&A has a single interface to view data and make decisions based on a complete understanding of the IT systems, resources, and configurations regardless of CSP or resource type. Unified visibility will also allow you to understand the security and compliance posture across the entire scope of cloud and containers through a standardized asset inventory.
For example, DivvyCloud has developed standard terminology to describe cloud services across cloud environments. In DivvyCloud, you will not see provider-specific resource names like S3 Bucket (AWS), Blob Storage Container (Microsoft Azure), Cloud Storage (Azure), or Swift (OpenStack). Instead, DivvyCloud uses the normalized terminology “Storage Container” for all of these. By offering this standardized asset inventory, an organization can apply a unified policy and automated real-time remediation across all of the environments, both existing and future. Unified visibility and monitoring are particularly useful in an M&A scenario because of the challenges of integrating different tools, systems, and potentially different CSPs.
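To make the normalization idea concrete, here is an added example (not DivvyCloud code) that maps provider-specific storage records into one "Storage Container" type and then applies a single public-access policy across all of them. The inventory records are constructed sample data, and the per-provider public-access rules are deliberately simplified (e.g. the AWS check looks only at `BlockPublicAcls`, not the full account and bucket policy picture).

```python
"""Added example: unify multi-CSP storage inventory, then apply one policy.
Not DivvyCloud's implementation; inventory records are constructed samples."""
from dataclasses import dataclass

# Constructed inventory snapshot, each record in its own provider's vocabulary.
RAW_INVENTORY = [
    {"provider": "aws", "type": "s3_bucket", "Name": "acme-logs",
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
    {"provider": "azure", "type": "blob_container", "name": "backups",
     "publicAccess": "Blob"},                       # anonymous blob read
    {"provider": "gcp", "type": "gcs_bucket", "name": "ml-datasets",
     "iamConfiguration": {"publicAccessPrevention": "enforced"}},
    {"provider": "openstack", "type": "swift_container", "name": "archive",
     "read_acl": ".r:*"},                           # world-readable ACL
]


@dataclass
class StorageContainer:
    """Unified type covering S3, Blob, GCS and Swift containers."""
    provider: str
    name: str
    public: bool


def normalize(rec: dict) -> StorageContainer:
    """Translate one provider-specific record into the unified type.
    The public-access rules here are simplified for illustration."""
    p = rec["provider"]
    if p == "aws":
        cfg = rec.get("PublicAccessBlockConfiguration", {})
        return StorageContainer(p, rec["Name"], not cfg.get("BlockPublicAcls", False))
    if p == "azure":
        return StorageContainer(p, rec["name"], rec.get("publicAccess", "None") != "None")
    if p == "gcp":
        pap = rec.get("iamConfiguration", {}).get("publicAccessPrevention", "inherited")
        return StorageContainer(p, rec["name"], pap != "enforced")
    if p == "openstack":
        return StorageContainer(p, rec["name"], ".r:*" in rec.get("read_acl", ""))
    raise ValueError(f"unsupported provider: {p}")


def public_storage_findings(inventory: list) -> list:
    """One policy ('no public Storage Container'), applied once, regardless of CSP."""
    return [c for c in map(normalize, inventory) if c.public]


if __name__ == "__main__":
    for finding in public_storage_findings(RAW_INVENTORY):
        print(f"PUBLIC Storage Container: {finding.provider}/{finding.name}")
```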
Assuming the best possible outcome—the successful completion of your M&A—a scalable cloud security solution is a great asset to bring into your new organization. The quantity of resources that most organizations have is already difficult to maintain visibility and security over. Doing so without the appropriate tooling can lead to a host of issues, from misconfigurations to orphaned infrastructure. In any of these situations, the worst case scenario is always the looming threat of a security breach.
By investing in an enterprise cloud security tool like DivvyCloud, a company can protect itself through the challenges around transitions and integrations, and adapt to the future challenges of cloud security in an evolving organization through a variety of features:
The ability to leverage smart, adaptable enterprise capabilities can help an organization face all of the challenges we’ve outlined throughout this paper. Tools that scale don't just mean success before and during the challenges of M&A, but the ability to move forward once the deal is complete, knowing that you have the right pieces in place to continue to support your security posture regardless of the CSP, organization size, or type of challenges.
An M&A deal is a stressful and complex process. The quantity of moving parts that have to be accounted for, evaluated, and reviewed to complete a standard M&A deal is huge. In the growing landscape of cloud technology, every organization has to sort out how it will deal with the IT portion of the M&A process. Whether you’re a cloud security professional, responsible for technical due diligence, or an executive in an organization that is looking at a possible M&A, it's critical to be aware of the challenges around cloud security.
The best approach to managing cloud security during M&A is built around not just understanding the risks but acting appropriately. Educating yourself about the landscape of cloud, the technologies it includes, and the security risks that are unique to this new set of technologies will all be key differentiators for your M&A security strategy. With an eye on the unique challenges, the common mistakes, and the possible consequences you’re trying to avoid, you will immediately recognize the advantages of tackling your M&A armed with the right cloud security tools and knowledge.