Courion Corporation

Mergers and Acquisitions = Access Challenges

Tweet

 

Companies going through mergers and acquisitions have a big problem on their hands. As they bring new companies on board, they have to deal with the acquired company's infrastructure giving them multiple disparate systems, such as packaged enterprise applications (like SAP), custom or legacy applications, networks, servers, and directories. As they assess their situation, they have three choices on how to manage these systems from an identity and access management perspective.

One, they can leave them in place. This minimizes disruption to the acquired employees, but increases cost and complexity, since redundant systems must be managed separately.

Two, they can merge all user accounts into a single system of record. This cuts down on management overhead, but at the risk of business disruption as users and administrators get used to the new environment, not to mention the time, cost and effort required to migrate.

Three, they can adopt a hybrid strategy, leaving some systems in place, while merging others.

One global company, for example, had 140 separate ERP applications and processes that they wanted to consolidate into a single instance of SAP. Their strategy was to migrate to the new platform over time with minimal disruption to the business.

Whatever strategy you choose, your IAM platform should be able to accommodate it by delivering a flexible framework that will work in whichever scenario suits your organization and not force your business to fit into its framework.

A flexible infrastructure allows you to manage user identities and access rights in multiple, heterogeneous systems without requiring a centralized directory or extraneous infrastructure. At the same time, it should make certain you aren't compromising core security policies, such as segregation of duties checking or password strength requirements.

In the above example, the company chose a framework that enabled them to manage legacy system accounts while gradually migrating accounts to the new platform in phases. This enabled them to make the necessary changes with minimal end-user disruption. And as they decommissioned systems they were able to unplug the connectors to those systems from the framework without changing the underlying IAM architecture.

If they had adopted the hybrid approach, the same framework would have allowed the acquired company's systems to be brought online in the IAM platform....allowing disparate systems to coexist side-by-side, while ensuring that security policies are uniformly enforced across different native platforms.

The lesson learned by this company was that an inflexible, all-or-nothing approach that required a huge investment in a particular vendor's vertical infrastructure would not have met their business needs.