Your identity environment holds the keys to your most critical data in the form of privileged accounts. Industry consolidation and a desire for company growth both often lead to mergers or acquisitions which, if not managed closely, can wreak havoc on an identity landscape.

Mergers of identity environments create a glut of identities and identity accounts to manage, some of which may be redundant. They also introduce new 3rd parties, contractors and non-human identities like service accounts, bots etc.... into the equation.

In addition, a merger or acquisition could hybridize the identity landscape, adding Cloud applications to on-prem resources, and vice versa. All of this increases the attack surface if not managed properly.
As the two companies determine how to best work together, there is a level of uncertainty that can result in temporary measures as a stop-gap.

Temporary access is often granted to provide employee, contractor and third party access to applications and privileged accounts. This adds to the complexity by increasing the number of identity accounts, proliferating access rights and privileges, creating additional risk if these privileged accounts are not tracked.

The complexity of the identity landscape is not the only risk involved in managing the combined identity environment after a merger or acquisition – organizational and systemic misalignment can hinder the forward progress of business after a merger or acquisition. Several types of misalignments can result in a tremendous amount of risk, including:

• Policy misalignment
• Infrastructure security policies that are not consistent across the organization create exposure.
• Data retention protocols and policies
• Identity security protocols such as the creation, assignment and decommissioning of privileged accounts

Compliance and audit misalignment

Misalignment of compliance and audit details can be very complex, especially for a highly distributed environment that is impacted by various country- or continent-specific regulations and policies. This could be expensive and damaging if not addressed quickly, as the companies could be faced with costly audit failures and reputational damage.

Many other inefficiencies impact your identity environment, including general operational efficiencies as both companies work to determine which applications will be used and in what manner. In the meantime, role creep can add to the complexity of the environment and the identity management effort as employees and contractors take on additional responsibilities or move from one area of the business to another to eliminate redundancies and close gaps.

In some cases, there may be as many as 25 different siloed identity systems being used to manage users and groups, API keys, computers, and more - anything with an identity account. Without a strong foundation, this chaos can be resource-intensive and dangerous, as it becomes more difficult to identify gaps and track privileged accounts.

The foundation is most often Active Directory. While some organizations' identity environments are cloud-only, the majority are hybrid or on-prem, utilizing Active Directory at the core. In fact, some reports estimate that over 90% of all Fortune 1000 companies utilize Active Directory.

To ensure a smooth identity transition following a merger or acquisition, an organization should ensure authentication and access requests are occurring consistently, and privileged accounts are kept in check. Adding visibility and control as part of an identity security posture management (ISPM) strategy ensures the identity landscape is being managed effectively. This approach to identity security and management can help companies see and understand what is in place and address their environment with consistency. This will not only reduce the attack surface but also help drive alignment of compliance with regulations and dramatically improve the efficiency of the organization overall.

A merger or acquisition can be achieved without incurring chaos and risk to your identity environment. Take the time in the early stages of the relationship to develop an ISPM plan with remediation strategies that can mitigate risk and bring order to the impending chaos.

About the Author: Reto Bachmann is Technical Regional Manager covering Austria, Switzerland and Middle East at One Identity. With over 25 years of experience in IT, and over 15 years in IAM and cyber security, Reto has been instrumental in numerous implementation projects for well-known companies across the EMEA region, and has developed a comprehensive knowledge of the region's business, IT, risk and compliance environments. Prior to joining One Identity, Bachmann has held various positions, including Head of IT, across different organizations such as the world-leading industrial company Alcan Mass Transportation. He holds a Swiss Federal diploma in Business Informatics as well a diploma in higher education in Information technology from the technical vocational School of Zurich.