by Rob Pfrogner

Industry View | How to Connect and Protect Networks during Mergers and Acquisitions

Feb 25, 2008 | 6 mins
CSO and CISO, Network Security

Whether you’re divesting or acquiring, Rob Pfrogner of Virtela has a checklist for you

During the regular course of business, an organization purchases and sells assets in an ongoing effort to strengthen its health.   These assets may consist of anything from a few systems and resources up to large business units and whole companies.  The larger the asset, the greater the challenges of implementing the merger and acquisition (M&A) process to realize its benefits.

Most immediately, the acquiring company must gain access to critical network systems of the acquired company. The security requirements of each company must be considered. Using a combination of technologies, including VPNs, firewalls, intrusion prevention and remote SSL, the acquiring company can implement network solutions capable of rapidly extending networks while maintaining secure segmentation for legacy or newly acquired user populations and critical assets – generally without the need to overhaul existing infrastructure.

Limited acquisitions, when the companies exchange only specific assets, present additional challenges when it comes to segmenting divested resources from the rest of the corporate network.  Security precautions must permit access to divested resources but not compromise any peer resources or external integrity.  Both the divesting and acquiring companies must take a number of factors into account:

Divesting company

- The geographic/logical location of each resource to be divested
- The potential consolidation of divested resources to a single, secured access point
- The systems and network design of each location housing divested resources
- The carrier(s) used to connect to and between each divested resource
- The number of ingress and egress access points in each divested resource
- The separation of traffic between the acquiring company and each divested resource
- The need to restrict or block the acquiring company’s access to non-divested resources
- The speed of the overall divestment

Acquiring company

- The geographic/logical location of the users/systems accessing acquired resources
- The geographic/logical placement of resources upon completion of acquisition
- New access paths opened through connectivity to acquired resources
- The carrier(s) used to connect to the acquired resources
- The network performance of acquired resources
- The need to restrict or block the divesting company’s access to internal resources
- The current security posture of the assets being acquired
- The speed of the overall acquisition

It is critical that both entities maintain secure access throughout M&A procedures. Even when a company is being wholly acquired, the acquiring company should carefully consider all new access paths and their associated reverse paths with regard to the users and resources that will employ those paths.  The divesting company must ensure traffic can be opened to divested resources while unauthorized assets remain protected. The acquiring company must understand the purpose of each M&A link and ensure it does not open reverse exposures into its own network.  If any resource will be shared during the M&A process, both companies should consider a comprehensive review of the security posture of each shared resource.

Secure Network Strategies

Strategically deploying SSL concentrators is the fastest and most convenient method of offering connectivity to users with immediate access needs.  SSL is particularly attractive due to authentication options that can enforce specific permissions against individual users.  User access can be tightly controlled and monitored during the M&A period, yet no client-side installation or end-user configuration is needed.  SSL has the additional benefit of performing integrity checks against end-user systems to verify compliance with accepted security standards prior to granting access.  This, combined with the speed at which SSL can be deployed, helps mitigate the surprise when IT is informed of M&A activity and told to build access ASAP.

IPsec and MPLS VPNs are the second step to creating permanent connections between systems and/or whole networks.  IPsec VPNs are highly versatile because they can be established over nearly any IP network, making them ideal when connecting incongruous or multi-provider networks.  What IPsec lacks is the ability to assure network performance.  MPLS fills that gap with secure circuits inclusive of network quality assurances.  Unfortunately, MPLS can be difficult if not impossible to connect across multiple provider networks, unless IT works with a third-party specialist.  In an M&A project, a mix of the two technologies is best to achieve the most effective connectivity between newly connected entities.  Often the performance of these interim connections is strong enough that they can be maintained as permanent connections when circumstances require them.

Security Precautions for M&A Activity

After defining general connectivity, it is time to consider security precautions. The first consideration should be vulnerability assessment, which most often applies to the acquiring company and pertains to the resources it is acquiring, since their state is initially unknown. A comprehensive vulnerability assessment yields a baseline for risk, identifying exposures that might otherwise be overlooked and quantifying the risk to connected assets as M&A resources are folded in. These assessments allow the acquiring company to correct or modify connectivity plans for assets that are not properly protected. Just as it is unwise to implement an unpatched Windows 2000 server (especially among critical assets), it is unwise to blindly add acquired equipment. After evaluating the results of a vulnerability assessment, M&A participants can confidently proceed, since they know the risk levels of all assets (both existing and acquired) in question.

Companies with frequent M&A activity should have standard procedures concerning network connectivity.   IT can define firewall rule templates that apply to most M&A activity and modify them as necessary to meet the needs of each specific instance.  The acquiring companies should also introduce intrusion prevention systems (IPS) to all M&A circuits to mitigate the chances of transferring viruses or malware between M&A participants.  Monitoring IDS/IPS solutions to recognize and alert to malicious behavior becomes particularly important during M&A.  Employees may feel threatened by announced or expected changes and attempt to sabotage resources to which they have legitimate access.  With IPS in place, the damage wreaked by such a situation can be limited or prevented altogether.

Critical to all M&A network activities is basic network design. Improper design accounts for the highest-impact errors in creating secure access. When protections can be bypassed by taking an unforeseen route, the strength of any protection is lost. After all the point-products have been chosen and the connectivity plan defined, a competent, and hopefully independent, third party should review the pending infrastructure of the merged entity to validate overall design integrity. Through the combination of connectivity, assessment, protection, and review, all participants gain assurances that not only will their resources remain intact, but also that they themselves will not be unwittingly responsible for an attack on partner resources. This process also ensures that M&A resources are rapidly made available, so both parties can realize the benefits of their M&A efforts.
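Part of that design review can be mechanized. The following is an added example, not part of the original article: it treats a connectivity plan as a set of permitted zone-to-zone flows and searches for multi-hop routes into resources either company wants kept off-limits. The zone names and the plan are constructed, and the check conservatively assumes any zone can relay traffic it is permitted to send.

```python
from collections import deque

# Constructed plan: (source zone, destination zone) flows that the firewall
# and VPN policy would permit once the M&A links are live. Names are hypothetical.
PLAN = [
    ("acquirer-users", "ssl-vpn"),
    ("ssl-vpn", "divested-erp"),
    ("divested-erp", "shared-backup"),    # legacy backup job left in place
    ("shared-backup", "seller-finance"),  # backup server reaches non-divested data
    ("divested-erp", "acquirer-dc"),      # IPsec tunnel for data migration
    ("seller-admins", "divested-erp"),    # transition support access
]

# Pairs that must never be connected, directly or through intermediate zones.
FORBIDDEN = [
    ("acquirer-users", "seller-finance"),  # acquirer into non-divested resources
    ("seller-admins", "acquirer-dc"),      # reverse path into the acquirer's network
]

def find_path(plan, src, dst):
    """Breadth-first search; returns the shortest permitted zone path or None."""
    graph = {}
    for a, b in plan:
        graph.setdefault(a, []).append(b)
    queue, parent = deque([src]), {src: None}
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:  # walk parents back to the source
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def review(plan, forbidden):
    """Return {(src, dst): path} for every forbidden pair that is reachable."""
    return {(s, d): p for s, d in forbidden if (p := find_path(plan, s, d))}

if __name__ == "__main__":
    for (s, d), path in review(PLAN, FORBIDDEN).items():
        print(f"EXPOSURE {s} -> {d}: " + " -> ".join(path))
```

Neither exposure appears as a single rule in the plan; both emerge only when permitted flows are chained, which is why the whole design has to be reviewed and not each link on its own.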

Rob Pfrogner is a CISSP, MSCE, Linux LPI-1 and senior director of managed security services for Virtela, a global network solutions company.