Strengthen M&A Cybersecurity with Zero Trust Architecture

Merger and acquisition (M&A) activity can bring opportunities for growth and innovation, but it can also increase cybersecurity risks. M&A announcements often draw the attention of threat actors, making the organization a prime target for attacks. In some cases, acquired companies have reported increases in phishing attempts as high as 400% after releasing news of a deal.

Many businesses have complex, customized IT infrastructures. Combining them raises issues such as incompatible systems, legacy technology, differences in security maturity, and varying regulatory requirements. Compounding the cybersecurity challenge are the tight timeframes that IT and cybersecurity teams must work within to help the business rapidly realize investment returns. Existing vulnerabilities can be exposed while the risk of introducing new attacker entry points rises. Cybercriminals often seek to capitalize on these security weaknesses during an M&A transition.
</gre_replace>
<gr_replace lines="9" cat="clarify" orig="At the center">
At the center of this heightened risk dynamic are two main elements: digital identities and API connections. Cyber threat actors typically gain access to systems and data by compromising employee and customer accounts, including accounts in apps connected to the network via APIs.

Network Perimeter Security Falls Short

At the center of this heightened risk dynamic are two main elements - digital identities and API connections. Cyber threat actors typically gain access to systems and data by compromising employee and customer accounts, including accounts in apps connected to the network via APIs. 

When companies rely on traditional network perimeter security methods, identities and API connections are indirectly protected behind broad security measures like network firewalls and system-level permissions and controls. This broad approach to security breaks down during an M&A transition when data is decoupled from network-level security controls and migrated into a new network.

It can be difficult to consistently implement network-level security measures across all entry points and possible use case scenarios during a migration. The result is that developer and cybersecurity teams find themselves re-implementing security controls for each use case, regulation, department, tool, app or service. Replicating these controls can take immense amounts of time and tie up resources. Plus, the scope of this manual effort makes it easy to make mistakes that open up more opportunities for attackers.

Perimeter Security vs Zero Trust

Zero Trust Architectures (ZTA) can help circumvent the weaknesses of traditional security in M&A scenarios by focusing on access authorization at the identity and API level. Zero Trust Security assumes that no user, device or app can be trusted until its identity can be verified. It relies on authentication and authorization controls applied directly to identity data and APIs. This approach results in several advantages for M&A transitions.

Benefits of Zero Trust Security

Reduce Security Risks

A hallmark feature of Zero Trust Architecture is network microsegmentation. If an attacker does gain access, they are restricted to one area instead of moving freely throughout the network. The practice of least privilege access further helps to confine an attacker’s movement by ensuring users, APIs, and devices obtain only the access and permissions needed to perform relevant tasks. Additionally, systems and devices are not automatically trusted in Zero Trust Architectures. This can help teams identify potential security vulnerabilities before they become part of the network. ZTA also centralizes infrastructure management so teams can uniformly apply security controls across the network and correctly allocate security measures limited to specific regions or use cases.

Simplify Integration

Identity and access management (IAM) sits at the core of successful Zero Trust Architectures. IAM centralizes access management, making it possible to easily onboard employees and customers from the acquired organization. Fine-grained access permissions can also be applied to each account and correctly enforced, and because the controls live in one place, developers can apply them uniformly across the merged network.

Maximize Deal Value

A zero trust approach to security can help organizations realize a return on acquisition investment sooner. By simplifying integration, ZTA enables developer and security teams to complete the IT transition more efficiently and quickly. It can also help minimize data and service access disruptions for employees and customers so the business continues to operate effectively. What’s more, it reduces security risks and the likelihood of a costly data breach triggered by the merger.

How to Implement Identity-level Security in ZTA


Establishing security around identities and APIs is a key aspect of Zero Trust Architecture. With the right systems in place, including an advanced identity server and a reverse proxy, such as an API gateway, developers can configure highly secure identity and access management capabilities. They can customize authentication to the newly merged business use cases. Here are some best practices to consider when designing an identity infrastructure capable of handling an M&A scenario.

Strengthen Authentication Methods

When merging systems, identities and APIs, single or weak authentication methods can become a security liability. Layer additional authentication requirements using Multi-factor Authentication (MFA) and introduce stronger authentication methods, such as biometric and passwordless authentication.

Use the Token Handler Pattern

Implement the Token Handler Pattern to maintain security in an omnichannel environment that manages access from multiple client types, including single-page applications, mobile apps and web browsers. This pattern uses the OAuth and OpenID Connect protocols to create a backend-for-frontend authentication flow that keeps sensitive token data out of the browser, where it could be stolen.

Limit Authorization

Carefully consider the context for each use case and user type. Then limit authorization to only the permissions that are necessary for the scenario. If an attacker does breach the network, this significantly reduces the damage they can do.

Leverage Industry Standards

Look to industry standards, like OAuth and OpenID Connect, as much as possible to lean on already established best practices and protocols. Similarly, use certified security profiles, like the OpenID Financial-grade API (FAPI) profile. Not only does this simplify regulatory compliance, it also provides additional assurance that the most up-to-date and effective security measures are in place. Plus, it lays a foundation for future regulations and technology innovation.

Build a Path to More Secure M&A IT Integrations

Whether an organization is acquiring or being acquired, investing in Zero Trust Architecture can help make the M&A process easier and more profitable for both entities. What’s more, ZTA’s benefits, including stronger security and faster time to market for new products and services, will continue well into the future.
