A couple of weeks back, Microsoft announced the largest acquisition in company history: the all-cash, $68.7 billion purchase of Activision Blizzard, a leading game developer and interactive entertainment content publisher. While the move sparked intrigue about the future of gaming, the metaverse, and more, any merger raises questions about how technology will be folded in, how the cultures of two previously disparate units will come together, and, critically for IAM teams, how the new digital identities will be managed.
In the case of Activision Blizzard, the company has studios around the world with nearly 10,000 employees, which for a company of Microsoft's size is likely but a blip. However, for any organizations that are being merged or acquired, the burden still largely falls to the new team of IAM practitioners to stitch together roles, entitlements, access workflows, and audit capabilities to ensure the new joint organization is efficient, secure, and compliant. Organizations vary dramatically in how they create roles, groups, and contexts, and in how they manage and control digital identities, and there are many factors at play.
Common Hurdles
1. Merging on-premises, hybrid, and cloud. Essentially every business today is undergoing some form of digital transformation, whether it's deploying new applications as a service, adopting infrastructure as code, or simply modernizing the business by leveraging the cloud in some capacity. However, depending on where each organization is in a merger or acquisition, there can be friction in how users access applications based on where they are hosted.
2. Rapid increase in identities to manage. Seemingly overnight after an acquisition or merger, IAM teams are faced with hundreds or thousands of new digital identities that are now under their purview. It can be a massive burden for teams to onboard all the new employees, vendors, auditors, and others that come with a newly acquired company. Additionally, due to the complications outlined in #1 above, multiple identities may be required for certain applications, causing even more confusion.
3. Weaving together security and IAM tools. Not only are new identities and applications introduced, but a merger also means merging disparate IAM programs. That could mean multiple authentication systems, multiple Azure AD forests, different ITSM tools and workflows, and more. The organizations also may not be aligned on how they validate users or how they enforce security, and unifying them under the new organizational workflows is key.
Solving the Problems
1. Merging on-premises, hybrid, and cloud. This can be a long-running hurdle, because moving all applications to the cloud, or standardizing all infrastructure on Terraform, AWS, or something else, is not an overnight task. The real way to overcome this hurdle is to identify which applications are in production across the different stacks and to find areas of overlap or potential consolidation. A neat example is setting up Exchange Hybrid while mailboxes are migrated from Exchange On-Premises to Exchange Online. Eventually, the goal might be to standardize everything on the SaaS version, but until that happens, a solution that accommodates both cloud and on-premises is tailor-made for acquisitions and mergers.
2. Rapid increase in identities to manage. As a foundational control, ensuring that provisioning is set up to allow for productivity on day 1 is critical. It is equally important to have deprovisioning processes set up, so that people who leave the organization don't retain lingering access that can be easily exploited, either by them or by malicious attackers. Further, having a plan in place to decrease the attack surface caused by multiple identities that aren't easily mapped back to one person can help prevent phishing, ransomware, and other types of attacks that increasingly target digital identities.
3. Weaving together security and IAM tools. Standardizing under one flag is really the make-or-break factor for a successful merger or acquisition from an IAM perspective. A good start is to define goals and strategies and to align on which solutions to use for best-of-breed capabilities in critical IAM functions, and which ones to leverage as point solutions that can be expanded across multiple use cases. Better still is to streamline identity processes and to consolidate identities and tools down to single applications for single use cases, making for consistent workflows for administrators and business users alike.
A merger or acquisition provides the perfect opportunity to introduce and accentuate strong IAM policies and programs to elevate security capabilities, improve business efficiencies, and meet compliance mandates. However, to ensure success, having a plan in place continues to be important, particularly for complex IAM programs. For implementing strong governance and identity management, Omada has Omada IdentityPROCESS+, a comprehensive, best-practice process framework that describes the most important processes needed to ensure a successful IGA deployment. It can really come in handy during an ongoing merger, acquisition, or any other compelling event where IAM policies are being evaluated.