SIW Q&A: Keyfactor CSO Chris Hickman discusses identity management in an M&A world

April 11, 2022
Identity Management Day reminds security professionals the importance of effectively managing and securing digital credentials

According to the Identity Defined Security Alliance, more than 79% of organizations have experienced an identity-related security breach in the last two years and another 61% of all security breaches were a result of stolen credentials. In today’s cybersecurity landscape, there is no overestimating the importance of identity management and securing credentials. Recognizing the public and private risk issues, the Identity Defined Security Alliance and National Cybersecurity Alliance launched Identity Management Day in 2021 which aims to inform about the dangers of casually or improperly managing and securing digital identities by raising awareness and sharing best practices across the industry. 

Identity Management Day held on the second Tuesday of April, is a global day of awareness to educate business leaders, IT decision-makers, and the general public about the importance of managing and securing digital identities. The Identity Defined Security Alliance is a non-profit organization focused on providing free, vendor-neutral education and resources, combining identity and security strategies to reduce the rampant breaches of technical organizations.

Many organizations are particularly vulnerable to identity management security breaches during the merger and acquisitions process. As global business consolidation continues to grow, protecting corporate information assets has emerged as a critical business operations consideration during these M&A processes. SecurityInfoWatch.com’s (SIW) editorial director, Steve Lasky, recently discussed the landscape of identity management in real-world applications with Chris Hickman, the CSO of Keyfactor. As a member of the senior management team, Hickman is responsible for establishing and maintaining Keyfactor’s leadership position as a world-class, technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set.

Prior to joining Keyfactor, he worked on PKI projects for organizations and firms including NATO, both the U.S. and Canadian Departments of Defense, Fortune 100 banks and financial institutions, manufacturers, insurance companies, telecommunication providers and retailers.

SecurityInfoWatch: What are the most common identity security issues that companies face during an M&A? How can they be proactive?

Chris Hickman: There are a handful of identity security issues a company faces during an M&A. The process of integrating two enterprises, their employees, software, servers and applications can take up to a year. Data is the most vulnerable during this time as teams migrate data from parallel systems in the two companies into one. At the same time, these data migrations are occurring, and application access and digital identities from both organizations must somehow be integrated. Integrated servers and applications may have a lack of visibility, which puts sensitive data at risk of being forgotten, abandoned or infiltrated. Having the right identity management tools in place that can track changes and detect issues can provide security teams with the visibility to assess and respond to security issues in real-time. Without these tools, teams risk finding out about issues long after the integration is completed through an audit.

In addition, many applications will need to be moved or re-platformed, which requires re-installation. This process is often left to be completed manually by IT teams, which slows down the integration tasks and presents opportunities for human error. This can lead to reusing compromised keys or misconfiguration which allows an escalation of privileges, a major threat to identity security. To prevent these identity security threats from happening, enterprises can automate this process by implementing a certificate lifecycle automation tool, which deploys digital certificates to the appropriate location through the click of a button.

SIW: What challenges do companies face streamlining multiple PKI environments? 

Hickman: One of the challenges that companies face when streamlining organizations is integrating multiple sources of certificates and having a complete inventory and visibility of those certificates. To ensure that all certificates can be trusted, systems are required to trust new root of trust. Otherwise, the integrated company could face outages or critical errors, such as failures in application whitelisting on security devices, failure or inconsistency between SSL connections to enterprise applications and traffic blocks from untrusted entities issued through SSL interception technologies.

Furthermore, if there is a change in corporate naming, this can have a significant impact on the certificate and the PKI as naming is cryptographically embedded in the certificate and can not be changed without invalidation of the certificate or the PKI issuing them.  Knowing what certificates are deployed across both enterprises, knowing where they reside and by what CA they were issued is the only way to effectively prioritize and migrate certificates and PKIs

SIW: What areas of the business do companies need to focus on to secure their identities during an integration?

Hickman: During the integration process of an M&A, the company should focus on its tools and its people for optimal identity security. The right tools will make digital identity management more efficient, while the right people will ensure the organization is adequately staffed to address any issues that come up as they work on executing the integration strategy. If needed, organizations may want to consider bringing in consultants or additional staff during the M&A, who can help ensure that the organization’s data is secure. Additionally adding automation of certificate deployment will significantly reduce the human effort and involvement thus smoothing the transition.

In today’s world, digital identities are a common part of any modern enterprise organization. As such, digital identities should be a key piece of an organization’s overall security strategy. The integration process during an M&A provides companies with the opportunity to improve, rebuild and redesign their security so that digital identity is top of mind. As a rule of thumb, an organization’s environment should always be more secure after an M&A than it was before.

One way to improve digital identity security is to implement tools that can audit and report certificate use. Tools like these greatly improve an organization’s visibility for how certificates are being issued and deployed. In turn, this will greatly increase the organization’s ability to detect and respond to incidents quickly. As part of this, organizations might want to consider using automation to manage and deploy their certificates. Certificates contain data associated with a device and are used to ensure that it is legitimate. All certificates have an expiration date – and each is different. It is common for an enterprise to have 500,000 or more certificates in use, meaning a certificate can in theory expire every single day within one company. Automated tools can minimize outages by tracking expiration dates, automating enrollment, and sending teams automatic renewal alerts. Finally, signing internally developed code and scripts can greatly increase an organization’s security posture, as it ensures that the software has not been maliciously tampered with by a third-party distributor or download site.

SIW: During the start of the integration process, what are some key questions for the identity management team to ask both companies?

Hickman: When starting a merger or acquisition, the first step is always to assess what you really need to merge as a part of the project. This is true for all IT infrastructure – servers, networks, data and digital identities. In addition to identifying the servers that need migrating and what applications are in scope, identity management teams need to inventory certificates from all devices and CAs in both companies. This includes asking: How many and what certificate authorities are in use? How does each company issue certificates? Is there an approval process in place? Where are the certificates installed? 

This helps the team obtain a clear understanding of the overarching digital identity infrastructure, which is essential to maintaining the longer-term security of an organization.

SIW: What kind of complexities has the pandemic added to securing identities following an M&A deal?

Hickman: In today’s modern environment, M&As are much more complex. The shift to remote work has led to an exponential increase in the number of identities within one organization, making enterprise-wide visibility essential to secure identities quickly and at scale during the merging process. While securing identities, some applications or devices require in-person attention, with the need to access the “front panel” to make changes, this was difficult in the initial stages of the pandemic. Additionally in personal attention is required when Root CAs are offline, a team of people is needed to power them up for ongoing maintenance.

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]