Why is cloud security a vital component of the M&A process?
Cloud misconfigurations can cost you big. Take a look at the example of Marriott. In 2016, there was a huge merger between Marriott and Starwood Hotels. In September 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. The ensuing investigation revealed that there had been unauthorized access to the Starwood network since 2014.

Every company should have in place the people, processes and tools to support day zero evaluation of cloud security during a mergers and acquisitions (M&A) event. Without this you leave yourself open to massive financial, regulatory, and reputational risk. As more companies migrate to the cloud, their IT environments increasingly live in cloud services and containers. There is a misperception that if both organizations are operating within the cloud, integration will be easier. This is far from reality: even organizations using the same cloud service provider may have widely different configurations, architectures, and approaches. The number of variables is significant, and the rate of change so rapid, that no two organizations will operate their cloud environments the same way. Because of this complexity, evaluating security risk during the M&A process can be very challenging, and too often it isn’t performed at all, isn’t performed early enough, isn’t performed comprehensively enough, or some combination of these.

The good news is that security evaluation of cloud service providers like AWS, Azure, and GCP doesn’t have to be a black box. In fact, DivvyCloud can provide companies with the ability to perform comprehensive, non-invasive risk assessment and auditing on day zero of the integration process or during the M&A due diligence period. This capability radically changes how companies can minimize risk in M&A in a cloud-first world.
Security Deserves a Closer Look
Security is one of the biggest concerns during M&A, from physical security to application security, and there are numerous security issues to consider. As part of any M&A process there will be a security audit, ideally during the due diligence phase but also again on day zero of integration, and as part of that audit it’s important to have the right tooling to identify issues, especially when it comes to cloud security posture. According to CSO Online, “compliance problems are one of the most common types of cyber security issues uncovered during due diligence, and a lack of comprehensive security architecture is another common issue.” So what else does the data say? According to Forbes, 40% of M&A deals discover a cybersecurity issue. In one example, Verizon purchased Yahoo and unleashed a last-minute scramble when it was discovered that Yahoo had a prior data breach. A situation like the one discovered by Verizon has the potential to tank a deal before it closes, or result in messy legal issues requiring the renegotiation of terms, adjustment of the payments, fines, etc. Additionally, evidence of a previous data breach is only one possible issue. M&A means expanding your IT footprint to include infrastructure the acquired organization may not even be actively monitoring. It only takes one small misconfiguration to expose the entire larger organization to a security risk.
When & How Things Go Wrong
If an M&A deal identifies a security issue, the consequences can be significant. Let’s revisit the earlier mentioned Marriott breach. In late 2018, Marriott International experienced a database breach that resulted in the exposure of 500 million consumers’ data. This breach began in 2014 and lasted for years. The event, which the company said affected the Starwood guest reservation database, called into question how the company conducted cybersecurity due diligence prior to its merger with the rival chain. Unfortunately for Marriott, it’s difficult to calculate the full impact because of the scope, yet according to law firm Debevoise and Plimpton, in July 2019 the UK Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott £99 million for apparent GDPR violations. Were Marriott to be fined, this would be the first major regulatory action to “call out a company for purportedly inadequate cyber due diligence in connection with an M&A deal.”
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
For any organization, regardless of size, the potential consequences can be devastating and include:
- Damage to brand and reputation
- Loss of revenue and other hidden costs
- Violations of laws and regulations, resulting in legal action
- Significant fines
- Loss of Intellectual Property
- Customer impact
With so many considerations to manage, security should be a primary concern during any M&A deal. Not just because of the range of potential consequences during the deal, but because of the greater consequences to the integration of the businesses after the deal has been finalized.
An important part of your M&A strategy should include review and planning to avoid common mistakes. Some of the most common mistakes include:
- Relying on a traditional IT security approach
- Assuming there is less risk when both businesses are operating in the cloud
- Procrastinating on technical due diligence
- Relying on in-house tools from a single organization
First, by relying on a traditional IT security approach during M&A where one or both of the organizations is operating in the cloud, you are inviting any number of security issues. Traditional IT simply doesn’t have the right approach or tooling to successfully navigate the unique security risks associated with cloud. As organizations move to the cloud to give their developers the freedom and speed to experiment, innovate, and take advantage of all of the flexibility of infrastructure-as-code, the security considerations simply aren’t the same as those managed in a traditional IT setting. There are no longer data centers, virtual perimeters, or controls based exclusively in on-premises equipment. Cloud technologies have expanded access to the provisioning, management, and creation of resources, so IT organizations are dealing with a population whose skill sets range from entry-level to administrative. The complexity of resources also creates exponential variation in challenges, because each resource or service has individual configuration elements and security requirements. CI/CD pipelines, permissions management, automation, and configuration drift require a strategy built on policies that can adapt quickly to the changes that cloud technologies introduce. The landscape has changed, so the overall strategy, security policies and best practices have to evolve with this new landscape in order to succeed.
Second, there is often an assumption that if both companies in the M&A are operating in the cloud, there is less risk. This is simply not the case, even in a scenario where both organizations may be operating within the same Cloud Service Provider (CSP). It’s far more likely that the organizations will be operating with different CSPs. Challenges for system integration may include hybrid-cloud, multi-cloud, and containers. Organizations are likely to be using different tools and third-party integrations, and will definitely be operating with different policies. The resulting differences in security approach, infrastructure, and the health of the respective IT networks mean that even in an ideal scenario with a lot of system overlap, no two companies will be the same. The only sane approach is to assume that there are no known variables and analyze the entire operation as if the CSPs are different, the security postures are different, and each part of the M&A is a brand new component that has to be evaluated from the bottom up. A comprehensive security analysis and the right tools (which we get into a bit later) will make sure you’re protected from any misconfigurations or vulnerabilities.
The final two common mistakes are procrastinating on due diligence and relying on in-house tools from one of the M&A organizations. Waiting to evaluate the technical status of either organization will leave any potential integration or security issues undiscovered. Procrastinating may end up costing you only time, which is still not a desirable outcome. Or worse, it could cause all sorts of trouble around your security posture through scenarios that may be vulnerable to exploit. It’s a simple game of statistics: the longer a misconfiguration, unsecured resource, or potential exploit is left undiscovered, the better the opportunity for a hacker, malicious insider, or other type of breach to occur. The easiest way to make sure you’re on top of this is to put technical due diligence at the head of your list of actions. Get started on evaluating the technical assets as soon as you start your analysis of the business and financial assets; this way you can put together a strategy for dealing with any issues as soon as you find them and close the door on any vulnerabilities before someone else finds them.
Finally, for organizations that anticipate relying on in-house tools, this approach has the same pitfalls as reliance on a traditional IT security approach. It’s not a solution for a complex cloud environment. The pace of innovation within a single CSP is so rapid that most in-house tools struggle to maintain parity. Now imagine a situation where an in-house tool can barely keep pace with a single cloud’s growth in resources and service coverage, and then add a host of other variables. During M&A you may find that you are contending with due diligence on multi-cloud configurations, differing policies around configurations, and undiscovered or orphaned resources. There are a huge number of variables that one in-house set of tools would have to contend with. It’s unreasonable to expect home-grown tooling to scale to accommodate the type of technical due diligence that is required. As you keep reading we’ll explore some of the features that make an external tool a good choice.
Useful Features to Support a Successful M&A
We’ve provided an overview of how cloud security is relevant to M&A. We’ve described the potential fallout of a worst case scenario, and explored some of the mistakes that often lead to issues. Let’s switch gears to talk a bit about what features or capabilities you should look for and leverage in a cloud security tool to help support the M&A process. There are four key areas that will help ensure successful management of your cloud security concerns during M&A, they are:
- Capabilities to map cloud infrastructure
- Efficiency at scale
- Unified visibility
- Extensibility and automation
The ability to map infrastructure, before an M&A deal is complete, is something that can’t be undervalued. Having a complete picture of every piece of infrastructure is one of the only ways you can safely identify all of the security considerations. DivvyCloud includes capabilities for automated discovery and inventory assessment across CSPs and containers including:
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Serverless / Function as a Service (FaaS) Support
- Amazon Web Services, including AWS GovCloud and AWS China
- Microsoft Azure, including Azure GovCloud and Azure China
- Google Cloud Platform
- Alibaba Cloud
Containers as a Service (CaaS)
- Amazon Elastic Container Service for Kubernetes (Amazon EKS)
- Azure Kubernetes Service (AKS)
- Google Kubernetes Engine (GKE)
With support for a range of platforms DivvyCloud can help identify gaps and issues across all the assets that are part of M&A regardless of where the inventory lives. Armed with this information companies can ensure the right policies are in place to establish and maintain their security posture.
Another critical element to evaluate for any tool that you may select to handle your cloud security during M&A is the ability to provide efficiency at scale. In the cloud, the communication requirements are far more diverse because of the range of users and user abilities. With web-based technology like the cloud, most tools are accessible to users regardless of their skill level. Having the correct cloud tools, particularly when dealing with security, can help empower task owners regardless of their skill level. With a tool like DivvyCloud you can provide guardrails for cloud infrastructure, ensuring that your teams can provision within the limits of the policies you’ve defined. In addition, with automation, you can achieve both security and speed at scale. With API polling and an event-driven approach to identify risk and trigger remediation, DivvyCloud provides fast detection of changes that enables automated remediation to occur in real time.
Establishing unified visibility as part of M&A has a number of significant advantages. It’s a great way to cut down on the time spent cataloging resources, and more importantly, to ensure a complete and accurate picture of the assets that need to be evaluated. With a tool like DivvyCloud, an organization navigating M&A has a single interface to view data and make decisions based on a complete understanding of the IT systems, resources, and configurations regardless of CSP or resource type. Unified visibility will also allow you to understand the security and compliance posture across the entire scope of cloud and containers through a standardized asset inventory.
For example, DivvyCloud has developed standard terminology to describe cloud services across cloud environments. In DivvyCloud, you will not see provider-specific resource names like S3 Bucket (AWS), Blob Storage Container (Microsoft Azure), Cloud Storage (Google Cloud Platform), or Swift (OpenStack). Instead, DivvyCloud uses the normalized terminology “Storage Container” for all of these. By offering this standardized asset inventory, an organization can apply a unified policy and automated real-time remediation across all of its environments, both existing and future. Unified visibility and monitoring is particularly useful in an M&A scenario because of the challenges of integrating different tools, systems, and potentially different CSPs.
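The normalized-inventory idea described above, and the unified policy evaluation it enables, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not DivvyCloud’s code and makes no claim about how its product is implemented. The raw records are constructed to resemble what a discovery job might collect from each provider, and the record field names (`acl`, `publicAccess`, `iamBindings`, `tags`, `metadata`, `labels`) are assumptions for the example. The access values those fields carry (S3 canned ACL names, Azure container public-access levels, the GCP `allUsers` and `allAuthenticatedUsers` IAM members) are real provider concepts. The example goes slightly beyond the page by adding a second policy, an owner tag check, which is one way to surface the orphaned resources the paper mentions.

```python
"""Normalized storage inventory with one policy set applied across CSPs.

Added, illustrative example (not DivvyCloud's code). Provider-specific
storage services (AWS S3 bucket, Azure blob container, GCP Cloud Storage
bucket) are mapped onto a single normalized type, "Storage Container",
so one set of policies can be evaluated over every account an
acquisition brings in. All ids, names and record layouts are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class StorageContainer:
    """Provider-neutral view of a storage bucket/container."""
    provider: str
    account: str    # AWS account, Azure subscription or GCP project (constructed ids)
    name: str
    public: bool    # anonymous read access is granted
    tags: dict = field(default_factory=dict, compare=False)


# Constructed raw records, shaped like what a discovery job might return.
RAW_INVENTORY = [
    {"provider": "aws", "type": "s3_bucket", "account": "111111111111",
     "bucket": "legacy-backups", "acl": "public-read", "tags": {}},
    {"provider": "aws", "type": "s3_bucket", "account": "111111111111",
     "bucket": "prod-logs", "acl": "private", "tags": {"owner": "platform"}},
    {"provider": "azure", "type": "blob_container", "subscription": "sub-acme-01",
     "container": "marketing-assets", "publicAccess": "blob",
     "metadata": {"owner": "marketing"}},
    {"provider": "gcp", "type": "gcs_bucket", "project": "acme-analytics",
     "bucket": "events-raw", "labels": {},
     "iamBindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    {"provider": "gcp", "type": "gcs_bucket", "project": "acme-analytics",
     "bucket": "finance-exports", "labels": {"owner": "finance"},
     "iamBindings": [{"role": "roles/storage.admin",
                      "members": ["group:finance@acme.example"]}]},
]


def normalize(record: dict) -> StorageContainer:
    """Map one provider-specific record onto the normalized type."""
    kind = (record["provider"], record["type"])
    if kind == ("aws", "s3_bucket"):
        # S3 canned ACLs that grant anonymous read.
        return StorageContainer(
            "aws", record["account"], record["bucket"],
            public=record["acl"] in ("public-read", "public-read-write"),
            tags=record.get("tags", {}))
    if kind == ("azure", "blob_container"):
        # Azure container public-access levels "blob" and "container" allow anonymous read.
        return StorageContainer(
            "azure", record["subscription"], record["container"],
            public=record["publicAccess"] in ("blob", "container"),
            tags=record.get("metadata", {}))
    if kind == ("gcp", "gcs_bucket"):
        # Any binding to the anonymous principals makes the bucket public.
        anonymous = {"allUsers", "allAuthenticatedUsers"}
        public = any(member in anonymous
                     for binding in record["iamBindings"]
                     for member in binding["members"])
        return StorageContainer(
            "gcp", record["project"], record["bucket"],
            public=public, tags=record.get("labels", {}))
    raise ValueError(f"unsupported record type: {kind}")


# One policy set, written once against the normalized type and applied to
# every provider. Policy ids are constructed for this example.
POLICIES = {
    "storage-no-public-access": lambda c: not c.public,
    "storage-has-owner-tag": lambda c: "owner" in c.tags,  # untagged = likely orphaned
}


def evaluate(raw_records):
    """Normalize each record; return (policy_id, provider, account, name) findings."""
    findings = []
    for record in raw_records:
        container = normalize(record)
        for policy_id, passes in POLICIES.items():
            if not passes(container):
                findings.append((policy_id, container.provider,
                                 container.account, container.name))
    return findings


def summarize(findings):
    """Count findings per provider: a day-zero picture across both organizations."""
    counts = {}
    for _, provider, _, _ in findings:
        counts[provider] = counts.get(provider, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(RAW_INVENTORY)
    for finding in results:
        print("%-26s %-6s %-16s %s" % finding)
    print(summarize(results))
```

The value of the normalization step is that `POLICIES` never has to know which provider a container came from; adding the acquired organization’s accounts means adding records to the inventory, not rewriting the policy. Real provider APIs return richer structures (bucket policies, public access block settings, Azure storage-account level settings) that a production tool would also have to fold into the `public` decision.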
Solutions that Scale
Assuming the best possible outcome — the successful completion of your M&A — a scalable cloud security solution is a great asset to bring into your new organization. The quantity of resources that most organizations have is already difficult to maintain visibility and security over; doing so without the appropriate tooling can lead to a host of issues, from misconfigurations to orphaned infrastructure. In any of these situations, the worst case scenario is always the looming threat of a security breach.
By investing in an enterprise cloud security tool like DivvyCloud, a company can protect itself through the challenges of transitions and integrations, and adapt to the future challenges of cloud security in an evolving organization. Features include:
- An extensible platform with API integration capabilities for third-party tooling
- Support for hybrid-cloud, multi-cloud, and containers
- Reporting and export capabilities
- Visibility based on a variety of user types from view-only monitoring to complex administration
- Built-in policies and compliance tools along with limitless customization capabilities
- Proof of compliance for numerous compliance standards
The ability to leverage smart, adaptable enterprise capabilities can help an organization face all of the challenges we’ve outlined throughout this paper. Tools that scale mean success not just before and during the challenges of M&A but the ability to move forward once the deal is complete knowing that you have the right pieces in place to continue to support your security posture regardless of the CSP, organization size, or type of challenges.
An M&A deal is a stressful and complex process. The number of moving parts that have to be accounted for, evaluated, and reviewed to complete a standard M&A deal is huge. In the expanding landscape of cloud technology, every organization has to sort out how it will deal with the IT portion of the M&A process. Given the high-profile nature of cloud and security, and the scope of data that is managed and, as a result, vulnerable to misuse, mismanagement, or exposure, this is a critical component to get right as part of your M&A. Whether you’re a cloud security professional, responsible for technical due diligence, or an executive in an organization that is looking at a possible M&A — being aware of the challenges around cloud security is a smart topic to invest in understanding. The best approach to managing cloud security during M&A is built around not just understanding the risks but acting appropriately. Educating yourself about the landscape of cloud, the technologies it includes, and the security risks that are unique to this new set of technologies will all be key differentiators for your M&A security strategy. With an eye on the unique challenges, the common mistakes, and the possible consequences you’re trying to avoid — you will immediately recognize the advantages of tackling your M&A armed with the right cloud security tools and knowledge.