Unmasking security concerns amid Australia's M&A boom


By David Arthur, Security Architect A/NZ
Monday, 14 March, 2022

A combination of COVID-induced digital investment and a rapid rise in merger and acquisition (M&A) activity — both in Australia and internationally — is creating an increasing need for organisations to manage multiple cloud environments.

Within the last year alone, we have seen two of the largest corporate takeovers in Australia’s history — Australian fintech company Afterpay being bought by US payment platform Square and IFM Investors’ $23.6 billion bid to acquire Sydney Airport.

With predictions indicating the M&A trend will continue, security issues will rise as the number of components to be evaluated, secured and monitored effectively doubles when two become one.

Amid this pace of change and the new multi-cloud world, security has been lagging. In many cases, we’re seeing the M&A process being undertaken without security input at all.

Gone are the days of physical and singular enterprise architecture, conveniently located in one place, easily managed and secured. The transition of previously monolithic applications into microservices architectures through rapid migration to cloud environments, though greatly enhancing convenience for organisations and their end users, presents significant security concerns.

A comprehensive understanding of risks as well as the capabilities in place to respond appropriately are essential in managing multi-cloud security during business transition.

So, what is the best way forward to ease the strain on security teams and prevent breaches without creating user friction as we prepare for a sustained boom in M&A?

Identifying security concerns across the M&A process

The misconception that both organisations operating within the same clouds will ease the integration is in stark contrast to reality, as no two organisations are likely to operate cloud environments the same way. This means even a singular cloud environment becomes multi-cloud to a degree in the context of M&A.

Of the three main stages of M&A — before, during and post — the due diligence most necessary to ensure multi-cloud security is in the initial phase.

Taking a proactive defensive posture in the first phase, identifying the highest-impact security risks and putting adequate measures in place to protect the sensitive information held within the organisation’s cloud storage is the first, and arguably most crucial, step.

Minimising the vulnerabilities during the initial stages of the acquisition allows for the focus to broaden comfortably moving into the acquisition itself.

Once the new company is operational, continued vigilance is needed as the enterprise grows and managing it becomes more complicated. The risk of newer attack surfaces open to exploitation grows as employees adjust to the growing scope.

Moving away from centralised security

As we’ve moved out and away from our traditional centralised security controls, the distributed controls we have at hand aren’t sufficient.

Because centralised environments were well known and quantified, it was relatively easy to achieve uniformity of security controls, operations, reporting and alerting. Changes to adopted technologies happened infrequently because of heavy investment, accumulated intellectual property and high costs.

Supporting M&A-generated multiple new environments brings a raft of challenges and considerations, such as a lack of capability, disparate cloud environments, a medley of technologies, unclear operations, poor visibility, difficult reporting and often low maturity.

In response to these challenges, public cloud vendors gave us transit gateways — a central point of control through which all traffic passes in both directions.

In modern environments, with applications distributed across clouds, tenants and data centres, it makes sense to shift security to the application layer. This ensures security is inherent, ie, it cannot be forgotten, removed or bypassed. It also means security is in place when and where it’s needed and removed when apps are decommissioned.

Shifting and distributing security

This model also presents the opportunity for security to ‘shift left’ in terms of being in place at all life cycle stages and in all environments. It means security controls aren’t encountered for the first time at deploy and run, pre-production or production. Security ‘shifting left’ means implementing security controls in earlier stages of the development lifecycle, eg, threat modelling, static application security testing and software composition analysis; and making later-stage security controls, eg, web application firewalls and dynamic app security testing, available in earlier-stage environments such as dev/test.

Of course, distributed security also brings challenges. Achieving distributed security has traditionally meant different technologies, stacks and controls for different environments. This gives no economy of scale, and it becomes exponentially more difficult to support each new disparate environment and set of controls.

It also means little consistency of security across different environments, which can lead to issues including varied alerting, reporting and logging from each environment. This makes it nearly impossible to manage or predict environments.

Where to next?

In an ideal world, how does security work across a decentralised environment with multiple users, apps and clouds?

The answer is a uniform stack that can be deployed anywhere it is needed. The stack is small form factor, suitable for modern environments and supports rapid deploy and decommission. It also includes comprehensive security controls that are mature and enterprise grade.

There is a central control point; a single point to define policy once and deploy globally. Policy definition is flexible and can be network, identity, security and application defined. The central point also provides uniform visibility, logging and reporting.

Understanding that you may move forward in a multi-cloud environment post M&A, continued vigilance will ensure an effective security posture. Cloud security considerations must be viewed as a top priority as fewer, larger businesses give way to a more complex — and more valuable — cloud landscape.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd