Identity Access Management and M&A: What You Need To Know - Ensunet


Any good acquirer wants not only to find value, but to preserve and then enhance it through the deal.

You know that you’ll need to protect that new asset’s people and systems—as well as those of the acquiring company. So while you’ll certainly want to maintain the proper security posture, you’ll also want to speed post-merger integration and reduce productivity friction among your employees, customers, and partners.

We just said “post-merger.” But all of this applies to pre-merger, too, as in “due diligence.”

So. What do all of these challenges have in common?

Identity access management, that’s what.

This is a big and important topic. It pertains to everything you do. In this article, we’re going to give you a quick overview of identity access management or IAM, and show you how it pertains to M&A.

Lots of players, lots of buzzwords

You don’t need to look at a Gartner Magic Quadrant to see all the players in the IAM space these days. There’s Microsoft, Okta, IBM, SailPoint, ForgeRock, Oracle, and plenty of other competitors. (As a vendor-agnostic specialist, by the way, Ensunet can work with any of them.)

And then there are all of the buzzwords you’ve probably heard about—and may not fully recognize. You’re probably familiar with MFA or multi-factor authentication: Think of the last time you logged into a new website, only to be told to “Wait for the text or email we just sent you, so that you can complete the log-on process.” That’s MFA.

And then there are hot—albeit important—buzzwords like “Zero Trust Security” and “conditional access” and SSO or single sign-on. We’ll get to those in a minute. But first, let’s answer a basic question:

What the heck is IAM?

We’re so glad you asked.

Who’s who for the enterprise environment

As its name implies, IAM is the process of managing (and verifying) all of an enterprise’s employees, customers, and resources, and what each one is allowed to access, at any given time. In the old “legacy” days, this would all be about on-premises hardware, with log-ins and passwords.

No more. Given the ubiquity of mobile access and the cloud—compounded by the dispersion of employees, customers, and partners due to the Covid-19 pandemic—you need to control that access from anywhere and everywhere, all the time.

And of course it’s dynamic. Customers and employees come and go, so you need to add and subtract (technically, “provision” and “de-provision”) them accordingly. Ditto for systems, applications, and hardware. It can quickly become a spaghetti mess of overlapping roles and responsibilities, which will hamper productivity, compromise compliance and security, and damage the user experience. So much for post-merger integration, if you can’t nail down your IAM challenges.

Put it this way: We’ve read about one enterprise in which their sales reps would need to enter their individual passwords half a dozen times each morning, just before they could begin their workday. That’s what we call “friction.”

Zero Trust security

In the not-so-old days, you would want to lock down your enterprise at its perimeter. Makes sense. But nowadays, there effectively is no perimeter. So while the old adage was “trust but verify,” the new thinking is “trust no one.” It’s a healthy dose of corporate paranoia, and it is the basis of what’s called the Zero Trust security model. In this approach, all network traffic, both internal and external, is treated as untrusted activity.

But how do you deal with the trusted employee who needs access to a half-dozen different systems? That’s the million-dollar question, and it speaks to Ensunet’s area of expertise.

Dynamic provisioning

As we mentioned above, there are a lot of different players in the IAM space these days. All of them make similar claims: Use their system, and all of these access-management problems will magically go away.

If only it were so simple. These systems are basically software, which needs to be configured, based on your specific needs. Who are the people who will need access? What are their roles? What groups are they in? What will they need access to? None of these questions is “pre-answered” by any of these systems. You need to architect them.

This requires detailed—and sometimes energetic!—conversations with stakeholders at all levels of the organization, especially the line managers responsible for large teams. And this is where we really get into the weeds, creating the context and rules for conditional access, and enabling features such as “single sign-on” or SSO for those people (like those sales reps we mentioned) whose roles and contextual activity allow for the system to be configured that way for them.

As one of Ensunet’s IAM subject-matter experts put it: “Figuring out the requirements is the hard part. Once we know those, the implementation is relatively straightforward.”

If you’re getting the feeling that IAM is as complicated as it is important to the fast-paced M&A environment, you’re right. This isn’t something you can “consider in the future”; it’s an issue you need to address, the sooner the better.

At Ensunet, we toil in this realm daily. We’ve supported IT for more than $11.6 billion in pre- and post-merger activity, and can certainly help you, too. Download our free pre-/post-merger integration IT checklist. Or contact us today for a no-obligation consultation with one of our friendly subject-matter experts.