Mergers and acquisitions are a common growth strategy for many multinational organizations. In fact, 81% of CEOs who made a significant acquisition in the past three years plan to make one or more acquisitions in the next three years. But no matter what the driving force is behind the M&A activity, there are a myriad of considerations that need to be taken into account to ensure a smooth transition. For CISOs, CIOs and their teams, a primary concern is often how they are going to securely and efficiently integrate new systems, users, and resources. This pre-planning is important, especially as the acquired company is a fresh target for threat actors, some seeing as much as a 400% increase in phishing attempts after the deal is announced. Below, we will explore how Okta is uniquely positioned to keep our customers secure, agile, and adaptable through each stage of an M&A project, no matter how complex the scenario.
Pre-integration due diligence
The success of any merger starts long before the deal closes with meticulous planning and risk assessment. By performing thorough security assessments of both organizations’ IT environments, IT teams can establish a resilient, security-focused architecture that guides the entire process.
- Conduct pre-M&A security reviews to ensure strong posture among each organization: Before the integration of the new company even occurs, Identity Security Posture Management (ISPM) can help automate discovery of accounts, systems, and applications in both environments and assess compliance with security policies. By making these discoveries before integration, weak policies can be flagged and security gaps can be remediated to ensure the security of each organization.
Day 1 access
Day One is the moment of truth where employee productivity and deal value are either realized or jeopardized. Okta ensures a seamless and secure transition, making sure every new employee and system is onboarded and secured from the very first minute.
- Manage and secure new and existing identities from a single platform: Managing identities becomes easier when you can view them from a single location. Universal Directory and Lifecycle Management work together to consolidate user profiles from disparate sources (AD, LDAP, HR systems) and various tenants into a single, unified view for easier management. Automating provisioning of accounts and access based on roles and organizational policies not only removes manual, error-prone tasks but gets newly acquired employees off the ground quickly and existing employees access to new resources for immediate collaboration and success.
- Provide the right access at the right time: Inevitably, employees will need new or elevated access to resources as projects get off the ground. Okta Identity Governance (OIG) provides time-bound access to users when required so that they have access long enough to be productive but so long that it becomes a security concern. OIG ensures that users get access to resources when they need it, without over permissioning from the start.
- Protect newly acquired critical assets: Privileged resources – whether on-prem or cloud need an added layer of control. Okta Privileged Access (OPA) can vault privileged accounts for admins, local servers, and SaaS service accounts. Additional passwordless Zero Trust access policies can be quickly deployed for server infrastructure inherited from the acquired company.
Ongoing policy enforcement and monitoring
Once the initial integration rush is over, it is imperative to continue monitoring the organization and its subsidiaries’ security posture. Okta enables continuous optimization by centralizing security policies for shared resources, automating identity governance, and rotating passwords regularly.
- Monitor your security posture with real time alerts: While pre-M&A security reviews were completed, the job doesn’t stop there. ISPM can identify accounts or systems that lack MFA or are out of compliance and automate enforcement of access policies while also providing real-time alerts for unusual activity like login attempts from unauthorized devices or geographies.
- Enforce compliance requirements for identities and privileged resources: Ensuring alignment with compliance requirements and reporting can be a time-consuming, manual effort. For your critical assets, Okta Privileged Access provides crucial best practices to protect service accounts, such as vaulting and enforcing regular password rotations. OIG offers automated certification campaigns to ensure the right users have access to the right resources across the entire organization.
Divesting subsidiaries
Identity is equally critical when separating a business unit, requiring a clean break by a specific deadline. Okta provides an elevated security process that ensures the right identities and resources get offboarded without any lingering security gaps.
- Spin off users and resources easily: When a business unit spins off, the separation must be as clean and painless as possible, especially for security and access. Okta’s hub-and-spoke architecture gives organizations the agility needed to cut off access to centralized resources easily. This model allows for continuous access to centralized resources during migrations of users and applications reducing the chance of business interruption and any need to cram the work in over a weekend. By implementing a hub-and-spoke architecture, the parent company can make a clean break with its subsidiary without impacting the end user experience.
Okta for mergers and acquisitions provides our customers with the ability to be flexible and adaptable to their organization’s most complex business transformations. Whether there is a balance of centralization between the parent and new company or a decentralization of teams, resources, and governance models, Okta’s solution can meet you where you are. Companies like Mars, NTT Data, and Hitachi have first hand experience in working with Okta to ensure their M&A activity is secured and streamlined. To learn more about how Okta can help your organization through mergers and acquisitions, talk to our team.
These materials are intended for general informational purposes only and are not intended to be legal, privacy, security, compliance, or business advice. © Okta, Inc. and/or its affiliates. All rights reserved.
