SaaS Security After the M&A

Eliana Vuijsje, Marketing Director

Mergers and acquisitions (M&A) are exciting times for organizations. Initially, most of the attention is focused on integrating two companies into a single entity and exploring the new capabilities brought on by the merger. In this environment, amid organizational change and unresolved questions about who is responsible for what, SaaS security is often nothing more than an afterthought that falls through the cracks.

While that attitude is understandable, it exposes companies to risk. Additional applications mean a larger attack surface, and delays in reviewing and upgrading SaaS security may expose newly acquired secrets to threat actors.

While securing your new SaaS stack brings myriad benefits, here are three areas that demand your immediate attention.

Benchmark Different Instances of SaaS Apps

During M&A, companies typically find they have multiple versions of the same applications in their SaaS stack. It can take years before all the applications are seamlessly integrated into a single instance, and some applications are never reconciled.

If the two companies originated in different industries, their configurations may be set to meet different compliance standards. Now that they are under the same corporate umbrella, those standards must be aligned.

Furthermore, different companies have different policies. With the two companies under a single roof, security teams must be able to automatically compare the differences to identify best practices and align the different instances under a single policy.

Not All Redundant Assets Are Fully Deprovisioned

Employees are a common casualty in an M&A. When let go, they are removed from the Identity Provider (IdP) and automatically deprovisioned from any SaaS app connected to the company's IdP.

While this would seem to solve the problem of former employees logging into corporate SaaS applications, it is only a partial solution. Applications connected to the company’s SSO will automatically deprovision the user’s SSO account. However, users will retain their access rights to any application that is not connected to the SSO. These users must be removed manually.

App admins introduce another challenge for security teams. While their SSO access may be deprovisioned, these users typically have local access as well. The combination of admin rights and local access means that employees in this category can inflict significant damage on their former employer. This includes the ability to change settings to make data public, add new user accounts to exploit at a later date, download and expose PII or corporate secrets, and delete all assets saved within the application.

Gaining a full picture of your users and their access is essential from the moment the acquisition is complete.

Compliance Requirements Won’t Wait

Companies in different countries and industries are held to different standards by regulatory agencies. These requirements apply to all company assets, including ones that are newly purchased.

While all companies do some form of due diligence on the security standards being maintained by the target company, the first time they can actually apply their standards to purchased SaaS applications is post-merger.

Public breaches following an M&A are a PR nightmare; ones that occur because newly acquired applications are non-compliant are a disaster. Customers and partners question the entire merger, and tend to look for other providers they can trust.

Rapid SaaS Monitoring

To avoid these issues and others, it's vital that security teams rapidly review and monitor their newly acquired applications. A SaaS Security Posture Management (SSPM) platform can be connected to applications over API in minutes and begin sharing its findings quickly.

In addition to a posture score for each connected app, security teams can export app user lists for the entire SaaS stack. With that information in hand, they can run reports to identify users who must be deprovisioned, and have their SOAR automatically remove former employees' access.
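As an added illustration of the deprovisioning gap described above (local accounts and app admins that outlive SSO deprovisioning) and of the user-list reconciliation in the previous paragraph: example code, not from the original post or from Adaptive Shield. It compares constructed per-app user exports against the IdP's active-user set; the app names, user names and export field names are assumptions.

```python
# Added example: reconcile an IdP's active-user set against per-app user exports
# to find accounts that survive SSO-driven deprovisioning after an M&A.
# All app names, users and export fields below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    reason: str
    severity: str


# Constructed: users still active in the IdP after the post-merger layoffs.
IDP_ACTIVE = {"alice@acme.example", "bob@acme.example"}

# Constructed per-app exports. "sso" says whether the app is connected to the IdP;
# "auth" is how each individual account signs in; "admin" flags app admins.
APP_EXPORTS = {
    "crm": {
        "sso": True,
        "users": [
            {"user": "alice@acme.example", "auth": "sso", "admin": True},
            {"user": "erin@acme.example", "auth": "sso", "admin": False},
            {"user": "carol@acme.example", "auth": "local", "admin": True},
        ],
    },
    "wiki": {
        "sso": False,
        "users": [
            {"user": "bob@acme.example", "auth": "local", "admin": False},
            {"user": "dave@acme.example", "auth": "local", "admin": False},
        ],
    },
}


def find_orphaned_accounts(idp_active, app_exports):
    """Return accounts belonging to users who are no longer active in the IdP.

    SSO-backed accounts in SSO-connected apps are skipped, since the IdP removes
    them automatically. Local accounts are reported; local admins are rated high
    because of the damage a former employee with admin rights can do.
    """
    findings = []
    for app, export in app_exports.items():
        for acct in export["users"]:
            if acct["user"] in idp_active:
                continue
            if export["sso"] and acct["auth"] == "sso":
                continue  # deprovisioned by the IdP, nothing to do manually
            where = "SSO-connected app" if export["sso"] else "app not connected to SSO"
            severity = "high" if acct["admin"] else "medium"
            findings.append(Finding(app, acct["user"], "local account in " + where, severity))
    # High-severity (admin) accounts first, then by app and user for stable output.
    return sorted(findings, key=lambda f: (f.severity != "high", f.app, f.user))
```

The resulting list is what a SOAR playbook would consume to remove access, one ticket or API call per finding.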

SSPM-based Identity Threat Detection and Response (ITDR) tools monitor the entire SaaS stack and recognize the tactics, techniques, and procedures (TTPs) of threat actors. They can also identify anomalous user behavior and prevent application breaches from turning into data breaches.

SSPMs can also show which misconfigured settings are hurting compliance scores, and help your organization meet required regulatory standards.

As time moves on, SSPMs will enable security teams to compare security settings from different instances of the same application. App owners and security teams can create benchmarks that derive from the best practices of both organizations, as they move forward in integrating the two SaaS stacks.

The period after a merger is an interesting time in every part of the organization. For SaaS security, it's an important opportunity to secure the SaaS stack and allow business to proceed as usual.

About the writer

Eliana Vuijsje, Marketing Director

Eliana is a marketing strategist with a passion for technology and storytelling. With an MA in conflict management and negotiation and a BA in Communications, Eliana hit the ground running after moving to Israel. Eliana’s work has been featured in places like Slashdot, the RSA conference and Facebook’s PyTorch publications. Since joining Adaptive Shield, Eliana has grown into a SaaS app security lobbyist telling everyone to secure their SaaS app estate. Oh, and she loves steak.