Home » Data Protection » Network Security

Industry View

Industry View | How to Connect and Protect Networks during Mergers and Acquisitions

Whether you’re divesting or acquiring, Rob Pfrogner of Virtela has a checklist for you

By Rob Pfrogner

Page 2

Secure Network Strategies
Strategically deploying SSL concentrators is the fastest and most convenient method of offering connectivity to users with immediate access needs. SSL is particularly attractive due to authentication options that can enforce specific permissions against individual users. User access can be tightly controlled and monitored during the M&A period, yet no client-side installation or end-user configuration is needed. SSL has the additional benefit of performing integrity checks against end-user systems to verify compliance with accepted security standards prior to granting access. This, combined with the speed at which SSL can be deployed, helps mitigate the surprise when IT is informed of M&A activity and told to build access ASAP.

IPsec and MPLS VPNs are the second step to creating permanent connections between systems and/or whole networks. IPsec VPNs are highly versatile because they can be established over nearly any IP network, making them ideal when connecting incongruous or multi-provider networks. What IPsec lacks is the ability to assure network performance. MPLS fills that gap with secure circuits inclusive of network quality assurances. Unfortunately, MPLS can be difficult if not impossible to connect across multiple provider networks, unless IT works with a third-party specialist. In an M&A project, a mix of the two technologies is best to achieve the most effective connectivity between newly connected entities. Often the performance of these interim connections is strong enough that they can be maintained as permanent connections when circumstances require them.

Security Precautions for M&A Activity
After defining general connectivity, it is time to consider security precautions. The first consideration should be vulnerability assessment, which most often applies to the acquiring company and pertains to the resources it is acquiring, since their state is initially unknown. A comprehensive vulnerability assessment yields a baseline for risk, identifying exposures that might otherwise be overlooked and quantifying the risk to connected assets as M&A resources are folded in. These assessments allow the acquiring company to correct or modify connectivity plans for assets that are not properly protected. Just as it is unwise to implement an unpatched Windows2000 server (especially among critical assets), it is unwise to blindly add acquired equipment. After evaluating the results of a vulnerability assessment, M&A participants can confidently proceed, since they know the risk levels of all assets (both existing and acquired) in question.

Companies with frequent M&A activity should have standard procedures concerning network connectivity. IT can define firewall rule templates that apply to most M&A activity and modify them as necessary to meet the needs of each specific instance. The acquiring companies should also introduce intrusion prevention systems (IPS) to all M&A circuits to mitigate the chances of transferring viruses or malware between M&A participants. Monitoring IDS/IPS solutions to recognize and alert to malicious behavior becomes particularly important during M&A. Employees may feel threatened by announced or expected changes and attempt to sabotage resources to which they have legitimate access. With IPS in place, the damage wreaked by such a situation can be limited or prevented altogether.