I have spent 20+ years of my career working on acquisitions, and based on my experiences, they tend to go the same way. The acquiring company spends months expending critical resources across all business areas, building toward a single point in time, the day of completion. That’s when the Champagne corks are popped, high-fives are exchanged and everyone goes out to celebrate…well, not everyone.
There’s one group that’s usually absent during these celebrations, the IT team. For these folks, closing day is not the conclusion of the deal, but the starting point.
The Day 1 Reality
Like others involved in an acquisition, IT spends months leading up to Day 1 on due diligence, asking an endless array of questions to understand better what they are taking on and then planning as best they can to bring the two entities together. Regardless of how much work is done in advance, the ultimate Day 1 reality for IT is the following:
- IT could not have foreseen the IP conflicts that emerge when knitting together systems they have just taken ownership of and don’t fully understand. While IT faces a long and complex integration, executives and integration teams are calling on them to immediately provide the acquired company with corporate email addresses and access to applications supporting all corporate functions to ensure a fast start and get value from the acquisition.
With two conflicting priorities, a lengthy integration AND demands to give people instant cross-company access between the acquired site and the acquiring site and vice versa, a critical decision is made—IT chooses to connect users to systems using VPN. But there’s the issue. While solving the immediate need, VPNs are clunky, complex, time intensive and, most importantly, they present a huge security risk. A new group of employees, business partners, suppliers and contractors teams are now accessing your corporate network, free to roam.
Zero Trust to the Rescue
This is where Zero Trust Network Access (ZTNA) becomes IT’s M&A weapon. With ZTNA, teams can give all users access to just the application they are permitted to use. This can be done by either installing an agent on the acquired users’ computers or without. This depends on the level of access required. Agentless may be preferable in situations where the computers are owned by a third party or a contractor, which makes installing an agent difficult.
Whatever the case, ZTNA ensures that users are never placed on the network, the acquired company’s infrastructure is never exposed to the internet, and application segmentation replaces network segmentation. The bottom line: security is never an issue.
Zeroing In On ZTNA
It should be noted that there are many different ways ZTNA vendors can connect with users. Here are some things to consider.
First, pick one that connects users to only the application they need to access at a granular level and does not give access to the network. Any solution that still gives users access to the network is not true zero trust and presents significant risk.
Next, there should be no passthrough connections allowed, the user’s identity should be verified, and access should be constantly validated based on policy and context. This includes factors such as user identity, device health, application type and even the user’s location. From there, it should broker a 1:1 outbound connection between a specific resource and an authorized user. You will want this to be granular, and there should be no network access.
To be safe, ask vendors how users are connected to resources. If during this due diligence, you discover solutions that still put users directly on the network or require inbound connections, that is not zero trust. The bottom line is that all traffic should be inspected throughout the session, which means if anything changes, such as the user’s IP address, the user is removed from the IDP, or if the device posture fails, the access is revoked. Some ZTNA solutions do not constantly inspect traffic which means if anything changes, the session remains active.
I am sorry to say that the right ZTNA offering will not free the IT team to join all of the Day 1 festivities. But it will allow the team to address everyone’s Day 1 demands without putting the companies at risk, and if you ask me, that’s worth celebrating.