Connect with us


The complexity of managing identity data and privileged access during M&A

The complexity of managing identity data and privileged access during M&A 3

The complexity of managing identity data and privileged access during M&A 4By Chad McDonald, CISO at Radiant Logic

When it comes to fast business growth, few strategies are as critical as mergers and acquisitions (M&A). 2021 was a record-breaking year for M&A, with 62,000 deals announced globally – a 24% growth from 2020. In fact, the overall value of M&A reached $5.8 trillion last year, and it’s expected to remain robust in 2022.

Successful M&A is critical for businesses as it results in greater opportunities to enter new markets and access wider resources. However, effective M&A is hard to achieve, as it requires a complex integration of technical and network infrastructures between enterprises. For example, the failure rate of mergers and acquisitions is between 70% and 90%. When multiple companies plan on coming together, they bring their own policies and infrastructure. It’s like having several different jigsaw puzzles and attempting to combine them into a single meaningful piece.

From an IT perspective, it is an even more difficult task. Modern businesses are built around digital identities and interconnected networks. So, when it comes to merging departments or businesses, most of the responsibility gets dumped on IT and security leaders. Imagine you’re the CISO for a large enterprise that just acquired two other companies. Each company is in a different location, they have thousands of employees, and their own unique platforms for managing identity data and system access.

So how do you manage this complexity? How do you ensure that all of these separate systems and platforms are constantly monitored and administered from a single hub? More importantly, how do you make sure that threat actors do not slip in through the haystack of access points?

Why identity data management is a critical challenge during M&As  

One of the biggest aspects of M&A is syncing and collaboration, which needs to be actioned almost immediately after a deal goes through. Employees across both organisations and different departments need to be able to communicate and access resources efficiently without any disruption to the business.

However, it can be a complex and painfully slow process, and the larger the M&A the bigger this problem becomes. CISOs often wonder where to start due to the large volume of data scattered across several applications that need to be synced.

Research by Radiant Logic found that 44% of the companies that went through M&A took at least 7-12 months to synchronise application access across all involved entities, and 35% of the companies took even longer.

But where is this complexity coming from? Firstly, when two companies merge, similar departments also need to be merged. It means syncing two finance departments, two production departments, and so on. Then there is the challenge of managing duplicate roles and responsibilities. For instance, there will be two finance managers and multiple payroll officers, who have almost identical responsibilities.

While dividing the workforce into regional teams might solve the problem of financial decision making and operations management, there’s still the massive issue of managing duplicate identities across different systems. For example, if an employee leaves the company or switches departments, their records and privileged access will be deleted from the central database, but it will still remain in their accessed systems and several different communication channels. In fact, our research found that 52% of all tech executives find the manual provisioning and deprovisioning of user access to be the most stressful challenge.

The lack of control over the provisioning and deprovisioning of user access also increases the potential risk of suffering a cyberattack. According to reports, 47% of ex-employees still have access to business data months after their exit. Threat actors can use these identity credentials to access restricted areas of the network and cause significant damage to an organisation. Disconnected systems help increase the attack surface and create gaps, allowing threat actors to move laterally across the network and remain virtually undetected.

From an IT perspective, it becomes an excruciatingly painful process to find, modify or change this data, and change access privileges. To manage this complexity, CISO’s and security admins need to develop a clear understanding of which accounts belong to who, and which systems each account should have specific access to. Then again, it’s also not a fast and easy process. That’s why we see that big 7-12 month gap (or more!) in achieving synergies and integration between all systems after an M&A.

Financial companies face the biggest challenge 

The complexity of M&A is often greater for financial organisations and institutes such as banks. This is because financial companies are very distinct from each other, especially when they are operating in different regions. For example, a US Bank would have very different policies and a network infrastructure compared to a bank in Asia or Europe.

When such organisations merge, it’s often difficult to find common digital resources. For instance, one company might be using Salesforce and another might be using Oracle solutions. The digital identities of these companies will be scattered across multiple different platforms that offer almost identical services.

There is also the fact that financial companies tend to have a bigger workforce compared to other industries. A bigger workforce means more digital identities and privileged access, leading to more management complexity during M&As.

Unifying all sources of identity data with Identity Data Fabric 

The first step to achieving successful integration after a M&A is to clarify the identities across all the organisations involved. This means separating real accounts from ghosts or duplicates. There needs to be an accurate projection of identities, meaning that HR departments and managers need to come together to produce a correct headcount. Once this accurate projection has been achieved, automated tools can be used to detect and delete the duplicate accounts.

Once all duplicate and stale accounts have been removed from the network, it’s time to implement an effective IAM framework. The current IAM solutions in the industry often fail to manage the sheer complexity and volume of M&As. Radiant Logic found that 67% of organisations have a modern access control and governance solution, but a lot of apps and users are left out. This is because the majority of the current IAM solutions work at the application layer – meaning they focus on unifying applications and systems instead of unifying identity data. This is a particularly negative approach for integrating cross-organisational systems, as most applications have very different protocols and are often tailored to the specific needs of a department.

Thus, the most effective solution is to create an unified single source for all identities using an Identity Data Fabric.

An Identity Data Fabric is an approach that unifies every identity data across the entire organisational network from all sources, regardless of where the data is stored, whether on-premise or in the cloud. It collects all identities scattered throughout the network, maps similar identities to an abstraction layer, and merges them into a single user profile. So, now all identities within the network are unique, and one profile links to multiple systems and applications.

It also works at the data layer instead of the application layer, meaning that unifying allsource identity data will not impact how existing applications work, rather it will provide a better way to access, present, and manage identity data across all organisations.

Implementing this framework allows security teams to have complete visibility over the entire network. They can easily identify the true level of access associated with each unique user across multiple systems and applications, whether it is on the cloud or on-premise, leaving no gaps for cyberattacks to exploit.

For example, with an Identity Data Fabric, ‘John Doe’ from Active Directory can be linked to his various digital identities and access points. In one single view, admins can identify which systems and platforms John Doe has access to and which he doesn’t. Once the employee exits the company, only deleting his data from the Identity Data Fabric can remove all his digital identities and access privileges across the system.

Establishing a single source for all identity data can help IT and security teams to have a clear picture of access and administration privileges across thousands of employees, thus eliminating the stress of identity and access management (IAM). It allows security teams to easily monitor access points and address vulnerabilities quickly before cybercriminals can act.

Using anIdentity Data Fabric can radically simplify the complex process of identity management and governance, as well as boost the speed and agility of mergers and acquisitions.

Editorial & Advertiser disclosure
Our website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.
Global Banking and Finance Review Awards Nominations 2022
2022 Awards now open. Click Here to Nominate


Newsletters with Secrets & Analysis. Subscribe Now