How do you create cybersecurity for a company that doesn’t exist yet? - Ensunet


How Ensunet came to the rescue of a global divestiture

Try and wrap your head around this: A massive global pharmaceutical enterprise spins off one of its divisions. This former division is slated to become its own company, with a clock ticking toward Legal Day One of operations.

So far, so good. Seems straightforward, right?

Now let’s add in some layers of complexity. This to-be company has absolutely no IT infrastructure of its own, let alone the crucial cybersecurity layer which must govern it from above. How do you create that, when all of the people at this to-be company’s dispersed operations (R&D, manufacturing, distribution) are relying on systems and data from the old parent company to do their work… a parent company that no longer owns them?

Wait, it gets better. During all this, the to-be company acquires yet another company. Not a little one. A big one. With yet another global footprint.

How on earth do you keep all this together? How do you design the infrastructure to support all of these people, operations, and the planned divestment track? How do you architect the cybersecurity to protect all of these assets? And by the way, how do you pull this off during a global pandemic lockdown?

You call Ensunet. That’s what this company did.

The ticking clock

Situations like this are stressful. Billions are at stake. And the deadlines are immutable: The new company must be spun up rapidly, based on existing assets, financial components, and SEC filings. Everything must be transitioned and secure so that this company hits the ground sprinting on Day One, fulfilling the expectations of the board, the C-suite, and shareholders.

On top of the carved-in-stone deadlines are all the moving parts. Consider:

  • The original parent company and its systems and data.
  • The newly acquired company and its systems and data.
  • The new entity—which needs the best of everything, and fast.

Ensunet provided the crucial senior-level security architect for this effort. The details of what he did on this project get really deep into the weeds (and we’ll do our best to explain that in plain English here), but the word “architect” will help you understand it. He needed to envision the different layers and access protocols for the new company’s security; downstream of his efforts, teams of engineers would build what he designed.

As our security architect put it: “It’s like building a house, digitally. You need to show where the light switches will go, so the people in the house can use the lights. But then you need to know where to put the panel and the wiring, and how that connects to the power from the city… so that when you turn on the lights, the house doesn’t burn down.”

It’s a good analogy for just how high the stakes are for cybersecurity for a global enterprise.

The team

Our security architect worked with a team of three project managers, two business analysts, and a half-dozen engineers. He needed to interface with his own counterparts and the information-security people on the customer side. Oh, and he also had to wrangle about a dozen different vendors and managed-services providers. 

All of these were sourced differently. The applications and the data from the original company were never configured to securely interface with the newly acquired one. And all of this needed to be accomplished remotely, given the COVID lockdown.

The components

Ensunet’s security architect specializes in what’s known as IAM, or “identity and access management.” (This is where—we warned you—we’re going to get into the weeds.) His sub-specialties for this project included:

  • Cloud security. Not all servers are “in a rack down the hall.” The cloud represents another layer of access that must be managed.
  • Privileged access. Here, you need to lay the groundwork for the people who will administer applications (whether on a server or desktop) for the end-users within the company. Those administrators must have the right access levels to do that—so the blueprint must include solutions that are administered by security policies and compliance requirements.
  • Directory services. This is all about governance of the permissions that are granted to different people, say, in Office 365: “You have access to A, B, and C, based on your job title, your manager, and other criteria that we have specified.” Just think of all the levels and permutations that must be defined and compliant.

Unique challenges, unique solution

Ensunet was tasked with creating all of this for a company that didn’t yet exist. It’s what’s known as a “greenfield environment.” This makes it especially challenging: You need to create things, and present them, and get approval on them, when they’re still purely conceptual. There’s no “system” to test; it hasn’t been built yet. Everything here is way upstream of what eventually will get built by the engineers. So that makes it extra challenging to simply explain it to everyone involved, so they can all understand, and sign off on, the various benefits and risk levels that are baked into the architecture.

Ensunet delivered. While the challenge was conceptual, the deliverables were concrete. They included an architectural handbook with solution summaries and proposals that feed into the architectural plan operations, with high- and low-level designs, as-built documentation, and configuration solutions. It may sound complicated—because it is!—but it’s helping this new company to meet their divestment-thesis goals, quickly and securely.

Ensunet has supported IT for more than $11 billion in pre- and post-merger activity. (And once this new company goes live, shortly, that “$11 billion” number is going to go up by quite a bit.) If you need help with this crucial challenge, download our free pre-/post-merger integration IT checklist. Or contact us today for a no-obligation consultation with one of our friendly subject-matter experts.