How to overcome identity security challenges in mergers and acquisitions (Part 2 of 2)


Mergers and acquisitions (M&As) are a messy time of great change and stress that increases your identity security risk.

We covered the most common M&A identity security gaps in depth in a previous blog post: Part 1: Navigating identity-related risks and safeguarding business continuity. Now, in part two of this series, you’ll see how Delinea customers mitigate M&A risks and enable users with seamless access across systems so that their newly combined entity is secure and productive.

Step 1: Gain control of admin accounts in the acquired company

Once an acquisition is closed, the first orders of business for an IT security team are securing all administrative accounts across an acquired organization and bringing them under central management.

Secret Server on the Delinea Platform enables you to do this by discovering and vaulting admin accounts.

Secret Server customers protect admin accounts, enforce identity policies, and minimize attack surfaces while ensuring authorized access. By placing one or more Distributed Engines within an acquired organization’s network, you can isolate internal servers from external threats and facilitate secure discovery and remote login sessions.

An Engine acts as a lightweight, scalable agent that avoids having to install complex and risky components to integrate the networks of the two organizations. This makes it quick and easy for an acquiring organization to manage accounts, secrets, and sessions without requiring direct access to the acquired company’s internal network.

An outbound-only connection from the engine to Secret Server avoids opening inbound firewall ports, establishing a secure, persistent link without increasing the firewall attack surface. With the server network configured to accept inbound requests only from the Distributed Engine, every connection originates from a single trusted source (Secret Server acting through its engine), which reinforces access control and reduces the risk of unauthorized access. The same channel also enables network and Active Directory scanning to discover and vault admin accounts for secure management by Secret Server.
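The "accept admin connections only from the Distributed Engine" rule described above is enforced at the network level, but it is worth mirroring on each acquired Windows server so that a misconfigured network ACL does not silently widen exposure. The following PowerShell is an added example, not Delinea code: it default-denies inbound traffic, allows RDP and WinRM only from the engine host, and then audits the firewall for any enabled rule that still opens an admin port to other addresses. The engine address, the port list and the rule-name prefix are assumptions for the example.

```powershell
# Added example (not Delinea's code): host-level enforcement of "admin
# connections only from the Distributed Engine" on a server in the acquired
# network. Engine address, admin ports and rule prefix are assumed values.
$EngineAddress = '10.20.0.5'           # assumed: Distributed Engine host
$AdminPorts    = @(3389, 5985, 5986)   # assumed: RDP, WinRM over HTTP and HTTPS
$RulePrefix    = 'Engine-only admin'   # assumed: prefix for rules this script owns

function Set-EngineOnlyAdminAccess {
    param([string]$Engine, [int[]]$Ports, [string]$Prefix)

    # Default-deny inbound on every profile; only explicit allow rules then matter.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    foreach ($port in $Ports) {
        $name = "$Prefix TCP $port"
        # Drop an earlier copy of the rule so the function is safe to re-run.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $Engine -Action Allow -Profile Any | Out-Null
    }
}

function Get-OverlyBroadAdminRules {
    param([int[]]$Ports, [string]$Engine)

    # Audit: an enabled inbound allow rule that exposes an admin port to any
    # remote address other than the engine undermines the engine-only design.
    $findings = @()
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $localPorts  = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $remoteAddrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

        # Exact port matches only; port ranges such as "5000-5100" are not expanded here.
        $opensAdminPort = ($localPorts -contains 'Any') -or
            (@($Ports | Where-Object { $localPorts -contains "$_" }).Count -gt 0)
        $fromElsewhere  = ($remoteAddrs -contains 'Any') -or
            (@($remoteAddrs | Where-Object { $_ -ne $Engine }).Count -gt 0)

        if ($opensAdminPort -and $fromElsewhere) {
            $findings += [pscustomobject]@{
                Rule          = $rule.DisplayName
                LocalPort     = ($localPorts -join ',')
                RemoteAddress = ($remoteAddrs -join ',')
            }
        }
    }
    return $findings
}

Set-EngineOnlyAdminAccess -Engine $EngineAddress -Ports $AdminPorts -Prefix $RulePrefix
Get-OverlyBroadAdminRules -Ports $AdminPorts -Engine $EngineAddress | Format-Table -AutoSize
```

Run it from a session that does not itself depend on the ports being locked down (a console session or a session brokered through the engine), because the default-deny takes effect immediately. Group Policy firewall settings override local rules, so an empty audit result only proves the local policy; check the resulting set of rules in the GPO as well.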

Then, you can ensure immediate control over privileged accounts.

Keeping your VPCs private with a persistent outbound connection to Secret Server on the Delinea Platform

Once privileged accounts are discovered and vaulted, the next step is controlling access to them. You’ll want to control which users (from the combined companies and third parties) can log into Secret Server and what they can see and do with the access they’re provided.

At login, authentication (ID and password or federated) plus MFA protects access to Secret Server. Once a user has access to Secret Server, role-based access controls, MFA, and access request and approval workflows control visibility and access to resources and Secrets.

With all admin credentials securely managed within Secret Server, acquiring organizations gain full visibility of all systems and identities within the acquired organization and full administrative control.

Step 2: Consolidate remote access for multiple identity sources

Administration of the newly acquired organization may be performed by the IT department of either the acquiring or the acquired organization, or by third-party service providers. Supporting these various groups of user accounts accessing the platform can be challenging.

Infrastructure, administrator accounts, Active Directory, and identity providers from both organizations must integrate, a process that can be complex and time-consuming. Integration is typically conducted in stages. Until full consolidation is achieved, Delinea provides a unified layer of transparency over disparate identity systems, ensuring administrators from one organization can access resources from the other.

Delinea makes this possible by:

  • Connecting to existing identity sources such as Active Directory and IdPs such as Microsoft Entra ID, Okta, or Ping. Users and systems in the acquired organization can continue to use their existing accounts to gain access to the resources they need to do their jobs. Meanwhile, the IT and security teams can take the time to carefully transition accounts and consolidate identity forests. 

  • Securing remote access to critical resources. Delinea Privileged Remote Access (PRA) uses an inside-out network connection to enable authorized users to check out credentials vaulted in Secret Server and establish a remote admin session on systems regardless of location and without requiring workstation connectivity into the private network.

    This enables the staff of the acquiring organization to access the new assets without requiring network connections or dedicated user accounts in the other IdP. Users simply access PRA via their browser and don’t need VPN connections or dedicated clients. Remote sessions are monitored and recorded automatically.

This setup ensures that new and existing users can continue working efficiently without network dependencies. At the same time, audit trails and session recordings, along with Delinea’s AI engine, can scan, detect, and alert on suspicious behavior, so if any insiders who are dissatisfied with the acquisition abuse their access, you’ll know about it and can shut them down.

Step 3: Enforce identity protection and least privilege access at the server level

Once admin accounts are secured in their Secret Server vault, Delinea customers generally switch focus to authorization controls for server access. The goal here is to protect all acquired servers at the system level as a crucial step to enforcing least privilege and mitigating the risk of lateral movement.

Delinea’s Privilege Control for Servers (PCS) and Cloud Suite support several common scenarios:

  • Deploying Delinea clients onto each acquired server (on-premises or in the cloud) provides tighter governance and control of admin access and privileges. Granular access policies defined centrally in the Delinea Platform are enforced by the local clients, allowing users to perform discrete tasks on individual systems rather than granting full admin access. This aligns with best practices like least privilege and zero trust.

  • Enforcing MFA at the server level during login and when executing privileged applications or commands on servers. Whether or not the acquiring and acquired organizations are already using MFA, Delinea centralizes MFA policy management for consistent application across all servers, irrespective of authenticator type, such as YubiKeys, Duo, RADIUS, passkeys, or FIDO authenticators.

  • Enabling acquiring staff to access acquired assets. Delinea Platform’s IdP broker functionality integrates with popular directories like AD, LDAP, Entra ID, Okta, and Ping. This eliminates the need to migrate users between IdPs, even when the acquiring and acquired organizations use different systems.

    For acquisitions that rely on AD as their enterprise directory, Delinea integrates directly. Many customers prefer to use a one-way trust between Active Directory (AD) Forests. This allows the acquiring organization to access the acquired assets using their existing AD credentials, without the need to merge AD forests. By configuring the newly acquired AD to trust the acquiring organization's AD, the acquiring staff can easily access the acquired assets.
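The direction of that one-way trust is the whole point: the acquired forest trusts the acquiring forest, so acquiring staff can reach acquired assets but not the reverse. The following PowerShell is an added example, not Delinea code, intended to run on a domain controller in the acquired forest after the trust has been created (by whatever means) to confirm the direction and the hardening flags a practitioner would expect. The forest name is an assumption.

```powershell
# Added example (not Delinea's code): verify, from a DC in the ACQUIRED forest,
# that the trust to the acquiring forest is one-way in the intended direction
# and carries the usual hardening flags. The forest name is an assumed value.
Import-Module ActiveDirectory

$AcquiringForest = 'acquiring.example'   # assumed: forest whose staff need access here

function Test-OneWayTrustToAcquirer {
    param([string]$TrustedForest)

    # Trust objects are named after the partner domain's DNS name.
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'" -Properties *
    if (-not $trust) {
        return [pscustomobject]@{ Trust = $TrustedForest; Status = 'Missing'; Issues = 'no trust object found' }
    }

    $issues = @()
    # Seen from the trusting (acquired) side, "acquired trusts acquiring" is an
    # Outbound trust: acquiring principals may authenticate here, not the reverse.
    switch ("$($trust.Direction)") {
        'Outbound'      { }
        'BiDirectional' { $issues += 'two-way trust: acquired users can also reach acquiring resources' }
        'Inbound'       { $issues += 'direction reversed: acquiring staff cannot authenticate here' }
    }
    # SID filtering stops SIDs from the partner forest being honoured outside it.
    if (-not ($trust.SIDFilteringForestAware -or $trust.SIDFilteringQuarantined)) {
        $issues += 'SID filtering is off'
    }
    # Selective authentication limits which acquired servers acquiring users may
    # authenticate to; without it every acquiring user can reach every server.
    if (-not $trust.SelectiveAuthentication) {
        $issues += 'forest-wide authentication: consider selective authentication'
    }

    [pscustomobject]@{
        Trust            = $trust.Name
        Direction        = "$($trust.Direction)"
        ForestTransitive = $trust.ForestTransitive
        Status           = if ($issues.Count -eq 0) { 'OK' } else { 'Review' }
        Issues           = ($issues -join '; ')
    }
}

Test-OneWayTrustToAcquirer -TrustedForest $AcquiringForest | Format-List
```

Run the same check again from the acquiring side if you want both halves of the relationship documented; there the same trust appears as Inbound. Treat a BiDirectional result as a finding rather than a convenience, because it grants the acquired organisation's accounts, which have not yet been cleaned up, a path into the acquirer's forest.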

Step 4: Plan for identity integration with flexibility and ITDR support

M&A strategies vary between companies. Some opt to burn down the acquired company’s IAM/PAM systems once integration is complete. Others may need to maintain these systems for extended periods.

Some of our customers have opted to retain their acquired identity infrastructure and do an analysis and cleanup of identities. Some have also added Delinea’s Identity Threat Protection (ITP) to:

  • Monitor user behavior and detect anomalies, unauthorized access across systems, and identity security misconfigurations.
  • Identify potential threats early, such as orphaned accounts or insider activity, to prevent security breaches during and after integration.
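Orphaned accounts are the most mechanical of those threats to find, and a directory sweep is a useful baseline even where a product such as Identity Threat Protection is doing the continuous monitoring. The following PowerShell is an added example, not Delinea code: it scans the acquired domain for enabled users that have gone unused, have no living owner, or have non-expiring passwords, and marks which of them sit in a privileged group. The search base, inactivity window and privileged-group name are assumptions.

```powershell
# Added example (not Delinea's code): baseline sweep of the acquired directory
# for accounts that typically go unowned after an M&A. Search base, window and
# privileged group are assumed values.
Import-Module ActiveDirectory

$SearchBase      = 'DC=acquired,DC=example'   # assumed: acquired domain
$InactiveDays    = 90                         # assumed: inactivity threshold
$PrivilegedGroup = 'Domain Admins'            # assumed: group to cross-check

function Find-OrphanedAccounts {
    param([string]$Base, [int]$Days, [string]$PrivGroup)

    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate derives from lastLogonTimestamp, which replicates with up to
    # ~14 days of lag, so the window should comfortably exceed that.
    $users = Get-ADUser -SearchBase $Base -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, Manager, PasswordNeverExpires
    $privileged = @(Get-ADGroupMember -Identity $PrivGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName)

    $report = foreach ($u in $users) {
        $reasons = @()
        # Enabled but unused within the window, or never used at all.
        if (-not $u.LastLogonDate) { $reasons += 'never logged on' }
        elseif ($u.LastLogonDate -lt $cutoff) { $reasons += "no logon since $($u.LastLogonDate.ToShortDateString())" }
        # No living owner: manager attribute empty, or pointing at a disabled or missing object.
        if (-not $u.Manager) { $reasons += 'no manager recorded' }
        else {
            $mgr = Get-ADUser -Identity $u.Manager -ErrorAction SilentlyContinue
            if (-not $mgr -or -not $mgr.Enabled) { $reasons += 'manager disabled or missing' }
        }
        if ($u.PasswordNeverExpires) { $reasons += 'password never expires' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Privileged     = ($privileged -contains $u.SamAccountName)
                Reasons        = ($reasons -join '; ')
            }
        }
    }
    return @($report | Sort-Object -Property Privileged -Descending)
}

Find-OrphanedAccounts -Base $SearchBase -Days $InactiveDays -PrivGroup $PrivilegedGroup |
    Format-Table -AutoSize
```

Privileged hits come first in the output because a stale account that is also a Domain Admin is the one to disable today; the rest can go through the normal review-and-disable cycle with the acquired organisation's HR records as the source of truth for who still exists.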

Seamless M&A identity security with Delinea

Delinea’s solutions can provide you with the flexibility to handle your M&A identity challenges to meet your integration timeline. Whether you need to manage temporary coexistence or prepare for full system transitions, Delinea solutions—including Secret Server, Privileged Remote Access, Privilege Control for Servers, and Identity Threat Protection—empower you to integrate securely and at your own pace.

If you’re preparing for an M&A, let’s talk about how we can help you overcome identity challenges and protect business operations during and after the transition.

Read part 1: Navigating identity-related risks and safeguarding business continuity
