Framing an Acquisition

Networks need to be integrated on Day One. But how much integration is really necessary?

Mergers and acquisitions can be tricky from a security standpoint. In a way, that's because they tend to be rare, and so they present us with situations we don't encounter week to week in our work as security managers.

Then there's my job.

Acquisitions are fairly common at my company. In our industry, it's often easier to acquire a company that has a product we're interested in than it is to develop something ourselves. Sometimes we want to capture a customer base or increase our competitiveness in a market.

One thing all these acquisitions have in common is that I find out about them the same time as the rest of the world, during the public announcement. There was one the other day. This time, we're acquiring a company whose headquarters and data center are in Europe. It also has major operations in China and Hong Kong.

I've been told that the employees of the acquired company need to be connected to our network on Day One -- the day both companies sign all binding agreements. But it's the joining of networks, of course, that's perilous.

Full integration of our networks would require careful study of the target company's environment. Unfortunately, the target has been reluctant to provide information, and it won't let anyone from our IT department do an on-site assessment. This is somewhat understandable, since we haven't inked the deal yet. But if we're going to provide access on Day One, something's got to give.

I always start off with a security questionnaire. The responses help focus my efforts during the security assessment, but they aren't a replacement for a thorough review. In fact, the one time I let a network integration go ahead based entirely on the answers to a questionnaire, we ended up with a major virus and worm outbreak that affected several thousand desktops and dozens of servers. I'll never do that again.

The questionnaire primarily focuses on things like patch management, antivirus efforts, firewalls, remote access, third-party relationships, security policies, wireless practices, history of security incidents and intellectual property protection. There are more than 50 questions -- enough to give me a feel for how serious a company is when it comes to security.

No Go

This target's responses, though, didn't give me any real sense of its security posture. So I can't approve Day One integration.

Now the question becomes, just what kind of connectivity are we talking about? Will the new employees need access to engineering labs and source-code repositories? Or are we talking about e-ail and human resources materials? As it turns out, what is actually needed on Day One is access to e-mail accounts and our intranet page with benefits information.

That limited integration gave me an option that should help us maintain our network's integrity. I will provide the 400 new employees with SecurID tokens and then let them access our infrastructure through a Citrix WinFrame. That way, they will be able to execute applications within a frame rather than on the local computer.

The frame is really just a Windows desktop environment. We can create policies that restrict access to certain applications and network resources. This approach will make it very difficult for viruses that might be lurking in the acquired network to infect our network.

Of course, once the deal is signed, I should be free to conduct a real audit and complete all necessary remediation. After that, the Citrix tool can go away, and our new users will enjoy the same access as everyone else in the company.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join in

To join in the discussions about security, go to


Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon