
Merger & acquisition integration: How a zero trust exchange accelerates time to value

Feb 16, 2022

Author’s note: There isn’t a day that goes by that I don’t speak to an organization that’s looking to integrate an acquisition quicker and easier than ever before. Some admit that their years-old acquisitions are still standalone islands despite valiant, honest efforts to combine them. The burden and heavy lifting can be daunting. But given today’s economic climate, it’s prime time for mergers and acquisitions as they’re a lifeline to those struggling and an opportunity for those with buying power to expand. For this reason, I recently revisited and updated an article about M&A and zero trust that I published over a year and a half ago on LinkedIn. Organizations have been using zero trust architectures to rapidly integrate acquisitions by simplifying the end-user experience with ubiquitous connectivity to authorized applications with minimal change management requirements. This also works in reverse for divestitures. Here’s why it works:

After all the effort and long legal hassle, the mission is accomplished: Your merger or acquisition is complete! Two companies are now one. The hard work is done! Well, not so fast . . .

Now begins a structural process dreaded by many IT teams: connecting two disparate company infrastructures into a cohesive unit. This means long hours, costly process creation, and complex patchwork to provide both sets of users with cross-company connectivity. If only there were a simpler and more efficient way to accomplish these goals. There is: the Zero Trust Exchange (ZTE).

Merging legacy systems? Complex, expensive, risky, slow...I could keep going

The purpose of M&A is to combine resources for two (or more) companies to advance defined business goals. What often gets in the way of resource availability is access. Different companies use different networks, architectures, and systems to house and distribute resources to their workforce. One of the first CIO priorities during and after a merger is providing easy and—more importantly—secure access to newly acquired or merged data, infrastructure, and applications to people in both companies.

In a perfect world, all acquired companies would come with a straightforward and complete integration plan. Flip a switch, and employees, systems, applications, networks, data centers, and facilities synchronize automatically, with no hassles. If only it were ever that simple. Some enterprises create dedicated teams and draft playbooks to standardize integration activities, all in an effort to realize the strategic and financial benefits of acquisitions sooner. 

Full system integrations can be extraordinarily complex and—thanks to unanticipated scope creep—more expensive than the initial assessment. Cost-constrained parent companies stretch integration out over an extended timeline, ranking system importance and prioritizing the integration process in phases. In the meantime, employees are left to fend for themselves with disparate, isolated systems that don’t necessarily enable cross-communication between users. And the integration phases that do move forward have to fight for resources with competing priorities and initiatives.

This ad-hoc integration approach rarely yields an acceptable outcome. The costs of integrating legacy technologies into a cohesive network are a nightmare to estimate and contain. Yearly budget refresh cycles often don’t take this integration into account, and the money allocated for updating hardware, systems, and applications isn’t sufficient for one company (let alone two). This leads to ongoing maintenance and security efforts for multiple disparate networks—which is its own cost and resource nightmare. 

Companies attempting to integrate legacy network and security infrastructures after an acquisition or merger often resort to “creative” ways to get users access to resources in disparate networks—jury-rigged efforts that could poke holes in firewalls and secure access protocols. And with these jury-rigged solutions come increased security concerns, user issues, and troubleshooting nightmares for IT. Operations teams spend countless hours trying to identify and resolve issues caused by network address translation (NAT), routing, and firewall rule manipulations.

ZTE: Rapid asset access 

Fully integrating two legacy networks can be a costly and time-consuming process. Newly-acquired infrastructure may not natively offer employees access to parent-company applications. And parent-company employees may not have access to newly-acquired resources. So, IT outfits employees with either Virtual Desktop Infrastructure (VDI) farms or Virtual Private Network (VPN) connectivity. Each requires a user to determine how to get to an application and doesn’t create a great user experience. In addition to the increased cost and complexity, VPN connections extend both networks’ attack surfaces and increase risk. 

VPN access is a poor substitute for direct connectivity. And of course, dealing with more than one acquisition at a time further complicates these issues. 

ZTE provides a simple solution: Add connectors in front of application environments on both networks, add a software agent to each user’s device, and set policies that allow users connectivity to the applications they need, accessible from either network (or from wherever users connect). 

ZTE uses policies to authorize user access to applications and networks. ZTE accelerates M&A time to value, delivering cross-company connectivity for users in weeks rather than months or years (or never!). 

ZTE simplifies M&A-related systems integration

ZTE operates on an adaptive trust model: Trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis as defined by granular policies. ZTE gives users seamless and secure connectivity to private applications without ever exposing the network, applications, or data to the internet. Connectivity is direct, delivered via nearby computing-edge cloud services, and accessible from anywhere. (In this way, ZTE can ultimately supplant a corporate network with outdated perimeter security.)

Unlike network-centric solutions like VPNs or firewalls, ZTE takes a fundamentally different approach to secure access to internal applications based on four core principles:

  1. ZTE completely isolates the provisioning of application access from any requirement for network access. This isolation reduces risks to the network, such as infection by compromised devices, and only grants application access to authorized users.
  2. Cloud-enabled ZTE offers outbound-only connections, ensuring both network and application infrastructure are made invisible to unauthorized users. IP addresses are never exposed to the internet, creating a “darknet” that obscures internal resources from unauthorized view.
  3. ZTE’s native application segmentation ensures that once users are authorized, application access is granted on a one-to-one basis. Authorized users have access only to specific applications, rather than unfettered access to the full network in a legacy environment.
  4. ZTE takes a user-to-application approach rather than a network-centric approach to security. The network becomes de-emphasized, and the internet becomes the new corporate network, leveraging end-to-end encrypted TLS micro-tunnels instead of MPLS.

With ZTE in place, IT may never need to proceed with full acquired-company-infrastructure integration. Managing user access to authorized applications (governed by user- and app-centric policies) provides application segmentation without requiring network segmentation. Once a user is added to a policy and application authorization is granted, a user can gain access to an application on either network without requiring the networks to be connected.
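The user-to-application model described above can be sketched as a default-deny policy check in which two merged companies keep overlapping address space and are never routed together. This is an added example, not vendor code or a product API; `App`, `Policy`, `authorize`, `reachable_apps`, the device-health flag, and all hostnames, groups and addresses are hypothetical and constructed for illustration.

```python
"""Default-deny, user-to-application access broker for two merged companies.

Illustrative model only: App, Policy, authorize and all sample data are
hypothetical names constructed for this example, not a product API.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    fqdn: str          # users ask for an application by name, never by IP
    connector: str     # connector that dialed out from the app's own network
    internal_ip: str   # known only to that connector

@dataclass(frozen=True)
class Policy:
    group: str         # identity-provider group
    app_fqdn: str      # exactly one application per rule (one-to-one)

# Constructed inventory: both companies use 10.0.0.0/24, so the two apps
# collide on IP. Routing the networks together would need renumbering or NAT.
APPS = {
    "erp.parent.example": App("erp.parent.example", "conn-parent-dc1", "10.0.0.20"),
    "crm.acquired.example": App("crm.acquired.example", "conn-acquired-dc1", "10.0.0.20"),
}
POLICIES = [
    Policy("parent-finance", "erp.parent.example"),
    Policy("parent-sales", "crm.acquired.example"),    # cross-company grant
    Policy("acquired-sales", "crm.acquired.example"),
]

def authorize(user_groups, device_healthy, requested_fqdn):
    """Return the connector to broker through, or None (deny)."""
    app = APPS.get(requested_fqdn)
    if app is None or not device_healthy:
        return None  # unknown app or failed posture check: nothing is revealed
    for rule in POLICIES:
        if rule.app_fqdn == app.fqdn and rule.group in user_groups:
            return app.connector  # caller gets a brokered session, not a route
    return None  # no matching rule means deny; trust is never implicit

def reachable_apps(user_groups, device_healthy=True):
    """Everything this user can see; all other apps stay invisible."""
    return sorted(f for f in APPS if authorize(user_groups, device_healthy, f))

if __name__ == "__main__":
    print(reachable_apps({"parent-sales"}))   # acquired CRM only
    print(authorize({"acquired-sales"}, True, "erp.parent.example"))  # None
```

Because the decision is keyed on identity and application name, the colliding `10.0.0.20` addresses never need remediation, and a request made by raw IP is denied like any other unregistered application.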

Managing integration complexities like IP remediation and circuit overlaps isn’t trivial: Merging networks is complicated, time-consuming, prone to error, and expensive. ZTE provides immediate access to internal resources for joined organizations. And—for whatever reason—if a parent company still wants to integrate acquired infrastructure, that work can be conducted behind the scenes and without the same urgency, since users already have access to necessary resources/applications. With the proper planning, systems can be included in the budget planning cycle and then migrated during a refresh either to an enterprise data center or the cloud. 

Access is better today than tomorrow (or next year)

ZTE never inherently trusts anyone from inside or outside the network until verified. (ZTE removes the distinction between “inside” and “outside” since connectivity is secured between the user and application. Security is not based on gateway access through a secured network perimeter.) Access to internal business systems or applications can be granted only after authorization. Network access is not required, and applications are masked from the open internet.

After M&A activity, ZTE allows IT teams to focus on integrating data, systems, and applications on their terms, where and however it best meets the business’ needs. In the meantime, workforces from each company can access whatever resource they need, wherever it may be, and from wherever they may connect without complex network integrations, without VPN security exposure and resource use, and without expensive retooling of network architectures. As part of a ZTE deployment, enterprises intrinsically benefit from the ability to measure user experience, drive out technical debt/cost, and accelerate future M&A integrations through a modern playbook. 
