During the regular course of business, an organization purchases and sells assets in an ongoing effort to strengthen its health. These assets may consist of anything from a few systems and resources up to large business units and whole companies. The larger the asset, the greater the challenges of implementing the merger and acquisition (M&A) process to realize its benefits. Most immediately, the acquiring company must gain availability to critical network systems of the acquired company. The security requirements of each company must be considered. Using a combination of technologies, including VPNs, firewalls, intrusion prevention and remote SSL, the acquiring company can implement network solutions capable of rapidly extending networks while maintaining secure segmentation for legacy or newly acquired user populations and critical assets – generally without the need to overhaul existing infrastructure.

Limited acquisitions, when the companies exchange only specific assets, present additional challenges when it comes to segmenting divested resources from the rest of the corporate network. Security precautions must permit access to divested resources but not compromise any peer resources or external integrity. Both the divesting and acquiring companies must take a number of factors into account:

Divesting company
- The geographic/logical location of each resource to be divested
- The potential consolidation of divested resources to a single, secured access point
- The systems and network design of each location housing divested resources
- The carrier(s) used to connect to and between each divested resource
- The number of ingress and egress access points in each divested resource
- The separation of traffic between the acquiring company and each divested resource
- The need to restrict or block the acquiring company’s access to non-divested resources
- The speed of the overall divestment

Acquiring company
- The geographic/logical location of the users/systems accessing acquired resources
- The geographic/logical placement of resources upon completion of acquisition
- New access paths opened through connectivity to acquired resources
- The carrier(s) used to connect to the acquired resources
- The network performance of acquired resources
- The need to restrict or block the divesting company’s access to internal resources
- The current security posture of the assets being acquired
- The speed of the overall acquisition

It is critical that both entities maintain secure access throughout M&A procedures. Even when a company is being wholly acquired, the acquiring company should carefully consider all new access paths and their associated reverse paths with regard to the users and resources that will employ those paths. The divesting company must ensure traffic can be opened to divested resources while unauthorized assets remain protected. The acquiring company must understand the purpose of each M&A link and ensure it does not open reverse exposures into its own network. If any resource will be shared during the M&A process, both companies should consider a comprehensive review of the security posture of each shared resource.

Secure Network Strategies

Strategically deploying SSL concentrators is the fastest and most convenient method of offering connectivity to users with immediate access needs. SSL is particularly attractive due to authentication options that can enforce specific permissions against individual users. User access can be tightly controlled and monitored during the M&A period, yet no client-side installation or end-user configuration is needed. SSL has the additional benefit of performing integrity checks against end-user systems to verify compliance with accepted security standards prior to granting access. This, combined with the speed at which SSL can be deployed, helps mitigate the surprise when IT is informed of M&A activity and told to build access ASAP.

IPsec and MPLS VPNs are the second step to creating permanent connections between systems and/or whole networks. IPsec VPNs are highly versatile because they can be established over nearly any IP network, making them ideal when connecting incongruous or multi-provider networks. What IPsec lacks is the ability to assure network performance. MPLS fills that gap with secure circuits inclusive of network quality assurances. Unfortunately, MPLS can be difficult if not impossible to connect across multiple provider networks, unless IT works with a third-party specialist. In an M&A project, a mix of the two technologies is best to achieve the most effective connectivity between newly connected entities. Often the performance of these interim connections is strong enough that they can be maintained as permanent connections when circumstances require them.

Security Precautions for M&A Activity

After defining general connectivity, it is time to consider security precautions. The first consideration should be vulnerability assessment, which most often applies to the acquiring company and pertains to the resources it is acquiring, since their state is initially unknown. A comprehensive vulnerability assessment yields a baseline for risk, identifying exposures that might otherwise be overlooked and quantifying the risk to connected assets as M&A resources are folded in. These assessments allow the acquiring company to correct or modify connectivity plans for assets that are not properly protected. Just as it is unwise to implement an unpatched Windows 2000 server (especially among critical assets), it is unwise to blindly add acquired equipment. After evaluating the results of a vulnerability assessment, M&A participants can confidently proceed, since they know the risk levels of all assets (both existing and acquired) in question.

Companies with frequent M&A activity should have standard procedures concerning network connectivity. IT can define firewall rule templates that apply to most M&A activity and modify them as necessary to meet the needs of each specific instance. The acquiring companies should also introduce intrusion prevention systems (IPS) to all M&A circuits to mitigate the chances of transferring viruses or malware between M&A participants. Monitoring IDS/IPS solutions to recognize and alert to malicious behavior becomes particularly important during M&A. Employees may feel threatened by announced or expected changes and attempt to sabotage resources to which they have legitimate access. With IPS in place, the damage wreaked by such a situation can be limited or prevented altogether.

Critical to all M&A network activities is basic network design. Improper design accounts for the highest-impact errors in creating secure access. When protections can be bypassed by taking an unforeseen route, the strength of any protection is lost. After all the point-products have been chosen and the connectivity plan defined, a competent, and hopefully independent, third party should review the pending infrastructure of the merged entity to validate overall design integrity. Through the combination of connectivity, assessment, protection, and review, all participants gain assurances that not only will their resources remain intact, but also that they themselves will not be unwittingly responsible for an attack on partner resources. This process also ensures that M&A resources are rapidly made available, so both parties can realize the benefits of their M&A efforts.

Rob Pfrogner is a CISSP, MSCE, Linux LPI-1 and senior director of managed security services for Virtela, a global network solutions company.
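The design-review point above (a protection is lost when an unforeseen route bypasses it, and every new access path has a reverse path) can be checked mechanically before a link goes live. The following is an added example, not part of the original article: it models permitted flows as a directed graph and reports any route between two zones that never crosses an enforcement point. All zone and device names are hypothetical and the topology is constructed for illustration.

```python
from collections import deque

# Constructed topology (hypothetical names). An edge is a permitted flow
# direction between zones or devices, not just a physical link.
FLOWS = {
    "acquired-lan": ["mna-ipsec-gw", "legacy-carrier-link"],
    "mna-ipsec-gw": ["mna-ips"],
    "mna-ips": ["mna-firewall"],
    "mna-firewall": ["shared-erp", "acquired-lan"],
    "legacy-carrier-link": ["branch-router"],  # circuit inherited with the deal
    "branch-router": ["corp-core"],
    "corp-core": ["shared-erp", "finance-db", "mna-firewall"],
}
ENFORCEMENT = {"mna-ips", "mna-firewall"}  # points every M&A flow must cross
CHECKS = [
    ("acquired-lan", "shared-erp"),  # intended access
    ("acquired-lan", "finance-db"),  # not part of the deal
    ("corp-core", "acquired-lan"),   # reverse path
]


def bypass_path(flows, source, target, enforcement):
    """Shortest source->target route crossing no enforcement point, else None."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in flows.get(node, []):
            if nxt not in parent and nxt not in enforcement:
                parent[nxt] = node
                queue.append(nxt)
    return None


def review(flows, checks, enforcement):
    """Map each (source, target) pair to its uninspected route, if any."""
    routes = {c: bypass_path(flows, c[0], c[1], enforcement) for c in checks}
    return {pair: path for pair, path in routes.items() if path}


if __name__ == "__main__":
    for pair, path in review(FLOWS, CHECKS, ENFORCEMENT).items():
        print(pair, "reaches its target uninspected via", " -> ".join(path))
```

In this constructed topology the inherited carrier circuit lets the acquired LAN reach both the shared system and an out-of-scope database without touching the IPS or firewall, while the reverse direction is clean; removing that circuit from the permitted flows clears every finding.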