Resolving Key Post-Merger
IT Integration Challenges
with a Digital Twin

According to Bain & Company, 2023 M&A activity will be on par with or exceed the level of activity in 2022. Even in the face of an uncertain economic outlook, savvy executives will continue to use M&A activity to bolster their companies. As the report stated, companies that made at least one merger or acquisition during the 2008-2009 downturn earned 120 basis points more in total shareholder returns than companies that were inactive in M&A. Downturns also present a substantial opportunity for industry re-defining deals.

IT is the underpinning of successful mergers. When IT acquisition integration is incomplete, workers suffer from a lack of access to information and reduced collaboration. There’s no shortage of consulting firms offering extensive integration team services to integrate IT organizations and ensure business continuity. They exist because the IT integration process is complex; if done incorrectly, it can strain a merger’s successful integration.

Network Complexity

On-premises enterprise networks have grown organically over the decades; they can comprise tens of thousands of devices from dozens of vendors running billions of lines of code. According to a 451 Group Pathfinder Report (See It, Fix It, Manage It), cloud complexity is also growing. 59% of enterprises said they are moving toward an integrated multi-cloud IT architecture, while another 20% are moving entirely to the cloud.

Even if the task at hand is integrating a relatively small network into an enterprise environment, It’s still a gargantuan task. Almost every enterprise has documented its on-premises and cloud architecture, but only at a high level. Very few have current documentation of their global topology down to a single device or instance. According to a report on cybersecurity in mergers and acquisitions, over half (53%) of technology leaders say they find unaccounted-for devices after completing the integration of a new acquisition.

Unless you accurately understand the devices on the networks and how those devices are configured, it is impossible to understand the ramifications of connecting them.

Security Risks

According to the above-referenced study, 62% of respondents believe their company faces significant cybersecurity risk when acquiring new companies. The IT team protects the company’s digital assets, manages risk, and ensures regulatory compliance. During an M&A event, this requires assessing the vulnerabilities and ensuring the newly acquired network adheres to the parent company’s security policies.

The lack of accurate data is the common thread that ties all network-related M&A challenges together. Forward Enterprise, the most sophisticated network digital twin available, provides engineers with the current and detailed information they need to quickly and safely merge networks.

STEP 1: Understanding network inventory

Before contemplating joining networks, knowing what devices are in use and their configuration is critical. Unfortunately, most IT departments don’t have a dynamic network inventory; instead, they work from high-level architecture diagrams or out-of-date spreadsheets. 

Companies using Forward Enterprise can easily address this challenge using the Network Query Engine (NQE) dynamic inventory tool (see figure 1). NQE’s dynamic inventory enables users to see the network’s granular details (e.g., configurations, state, interfaces, power supply serial number, module firmware rev, etc.). One of the many benefits of NQE is that data collected from multiple vendor devices is normalized so that anyone can interpret it – no need for vendor-specific expertise. 

The data collected by Forward effectively creates “Google for your network”; a simple search can locate an IP address, circuit ID, or piece of equipment in seconds.

STEP 2: Understanding network topology

Enterprise topology is rarely understood at a granular level. Most NetOps teams have current architecture diagrams and have a high-level understanding of physical and logical network topology. Details often reside in the organizational wisdom (AKA inside the heads of people who’ve been with the organization for some time). 

The notion of interconnecting networks with only high-level topological knowledge is disconcerting. Out of an abundance of caution, the networks are often maintained separately rather than integrated as a security mechanism. This can lead to inefficiency and higher operating costs.

Forward Enterprise provides a visualization of your organization’s entire (L2-L4) hybrid, multi-cloud estate in a single normalized view (see figures 2-4). We collect config and state data from all your on-premises devices, such as routers, switches, load balancers, firewalls, SD-WAN, and virtualization platforms (e.g., VMware NSX and Cisco ACI). And we use publicly available APIs to gather similar read-only information for your various cloud accounts to create a network digital twin.

STEP 3: Understand all possible paths in the network

Connectivity is the cornerstone of network reliability and security. Using an advanced mathematical model, Forward Enterprise can compute all possible paths in the network within a single-pane view for on-premises, Cloud (AWS, Microsoft Azure, and Google Cloud Platform), and virtualized environments. This detailed information helps NetOps engineers ensure the network will behave as expected. Forward Enterprise is the only digital twin that can deliver insights into end-to-end paths that traverse multiple legacy networks, i.e., in situations where two networks have overlapping subnets and require NAT translation (see figure 3).

STEP 4: Validate security policies

Maintaining regulatory and security compliance is critical to NetOps and SecOps teams alike. During a merger or acquisition, they are asked to integrate networks that they cannot prove comply with their security policies or mandated regulations. Forward Enterprise can mitigate the risk during this process by enabling your team to verify that the new organization’s network behavior conforms with corporate policy. Using pre-built or custom intent checks, Forward Enterprise can evaluate the configurations of the new network and identify any non-compliant configurations. This information can be transferred into ServiceNow for immediate resolution.

STEP 5: Check for vulnerabilities

It’s essential to verify that there are no critical vulnerabilities on devices in the new network before integration. Forward Enterprise integrates with the NIST database and vendor databases to identify Common Vulnerabilities and Exposures (CVEs) and compare them against the devices, operating systems, CVE specific configurations, and features in use. This will identify any issues in the new network and provide a prioritized remediation plan. This check runs continuously across the entire network, so SecOps and NetOps teams will always know their risks (see figure 5).

Additionally, integration with vulnerability scanning tools like Rapid7 and Tenable will identify within seconds which end-hosts impacted by critical vulnerabilities can be accessed from the internet or from any user-defined exposure point like a contractor’s VPN and which compromised end-hosts can access internal critical infrastructure, adding another layer of assurance that the new network is not introducing risk (see figures 6 and 7).

STEP 6: Verify zone-to-zone security posture

Network segmentation is the backbone of a security policy. Before merging networks, engineering teams should evaluate the security posture of the new network and ensure that connectivity is as they desire. Doing this manually is time-consuming and labor-intensive. Using the Forward Enterprise platform, they can get a current view of the complex zone-to-zone interactions occurring in the on-prem or multi-cloud network presented in one easy-to-understand visualization. It only takes a glance to see which zones have full, partial, or zero connectivity with color-coded status indicators to represent flow outcomes so that teams can confirm compliance at a glance (see figure 8).

The zone-to-zone connectivity matrix uses color-coded status indicators to represent flow outcomes, enabling teams to confirm compliance at a glance.

GREEN: openly connected | ORANGE: partially connected | GREY: no routing | RED: fully isolated

A merger would never happen without due diligence on the financial side; empowering IT teams with the same level of detailed data is critical to ensure their success.