How can IAM (Identity & Access Management) help enable a smooth post M&A integration

Are you going through M&A (mergers and acquisitions)? Has your company been acquired? Are you acquiring another company? If you answered yes to any of these, you’ll have your own questions that need answering: how will both companies’ digital service users continue to access both companies’ systems? How will you manage the digital identities (IAM) of those users?

This is a particularly important question for external users, such as customers, given that they will not tolerate friction in the user experience as workflows are updated. Internal users will understand the situation and be trained on new systems resulting from M&A. For customers, you need minimum disruption to service access or risk losing their business to your competitors.

To achieve this, Customer Identity and Access Management (CIAM) solutions in particular will need to be consolidated, and/or upgraded. Let’s look at how CIAM plays a critical role in mergers and acquisitions, and the options that are available to you in this process.

 

The benefits of CIAM solutions consolidation post M&A

The business case of many M&A transactions lies in improved efficiency, i.e. reduced costs by integrating systems and processes across the combined organisation. IT (including CIAM) is a great area to realise these benefits. By migrating from one CIAM system to the other and shutting down the unused system, you save maintenance, management and license costs.

For example, by decommissioning one of the CIAM services, the skills of that team can be repurposed towards the ongoing support and management of the other IT or related security initiatives. Alternatively, reduction of IT head count may be one of the M&A goals – i.e. downsizing the combined team once the integration is complete. Either way, there are economic benefits to CIAM solution consolidation.

Further, the reduction in the number of CIAM solution providers also drives efficiency. Essentially you may be halving communication channels, vendor contacts, contracts, meetings etc.

Moving licenses from two CIAM solution providers to one may also result in unlocking significant volume discounts. As the number of users and volume of transactions increases, typically the cost per user or transaction also decreases.

 

Tips for efficient CIAM consolidation in M&A

When you decide to consolidate the two CIAM systems, there are certain things you must consider.

M&A Due diligence

During due diligence, the CIAM system holds important information about active customers, user behaviour (frequency of visits, service stickiness) and data quality. Examine how many accounts are dormant or rarely used. The processes used until now for user account creation (onboarding) and credential management can be analysed to determine a level of assurance on the data contained within the legacy system.

Moving quickly

Complete process re-engineering of CRM or ERP migration is a large task to attempt in a short period, but clean and consistent user registration, account management, password recovery and login processes in a consistent new brand across both parties is an achievable goal.

M&A success is often graded on how soon the synergies of the two parties in the transactions are realised. Just like when a head of state changes, a typical goalpost is the achievements made within the first 100 days. IT has to move fast to fit this timeline.

To aid in the complex transition and buy time for your IT team, the planning can begin on paper already during due diligence. This involves scoping the CIAM capabilities of the organisation to be acquired and already then mapping a path to integration. For more information, download this white paper on migrating your organisation’s CIAM system.

Brand transitioning or rebranding

Sometimes M&As can be almost invisible to the end user. This is often the case when two established brands in separate fields are involved. In other cases, brands are combined, or a new brand is created to represent the organisation.

Check that your chosen CIAM provider supports branding functions to ensure that the new system looks familiar for old users, while both established brands are continually supported.

Regulatory requirements

Your CIAM system is a continual touch point with your external users. It can be used to explain upcoming changes, then to collect and record necessary user consents for changes in data processing. Rather than making changes to individual services or applications, this time-consuming communication can be done once, in a central service, as part of the login process to the new central CIAM platform.

During an M&A process, customer, supplier and other third-party data should be handled carefully, according to relevant data protection legislation. Cross-border acquisitions may introduce newer, stricter requirements for user consent and data processing transparency.

In some cases, combinations of data between the entities may be limited by legislation. Being fair and open with users about the reason for data collection, and how it will be used, is also a great way to earn trust from the partners and customers being acquired through the merger.

CIAM systems can provide tools for reading user data from various data sources in different physical locations, collecting organisation and user consent about changes, giving customers the ability to review and download their data.

Merging accounts: User Driven Federation and Directory User Mapping

If the user base of the acquired company overlaps with that of the acquirer, a smooth way to merge accounts is essential. Again, check what your CIAM provider offers to facilitate this.

For example, User Driven Federation is a Ubisecure CIAM product feature that enables users to choose how they log in to a target service (for example, using an identity provider/IdP) and, if the login credential has never been used before, to link it to an existing account.

This is very useful when there is no common trusted attribute between the authentication methods. Once the linking has been performed once, it is remembered for all subsequent visits. More than one login method can be linked to an account too. This is what lets users link another account, such as Google Workspace or LinkedIn, to their account, even if the accounts do not share the same email address.

When there is a common trusted attribute, such as a verified email address or social security number, Ubisecure’s Directory User Mapping feature allows automated lookup and login without interruption. For example, logging in via BankID often works based on matching the social security number. In federation networks and third-party IdP services, such as Azure AD, Directory User Mapping can be configured to trust the email address sent by the partner and use it to lookup the new account.

For cases where no matching account is found, the user can be redirected to an account registration process. In most cases, the account registration can be completed online and an active user session is established to enable the user to continue to the desired target application and start using it – without the need to log in again.

An opportunity to move to the cloud

If both organisations are at a turning point, running older IAM solutions on premises, M&A may be a perfect time to consolidate to a cloud-based Identity-as-a-Service (IDaaS) solution. During the transition period, a hybrid approach could be used to ensure continuity. Again, check what options are available to you with your IAM solution provider.

In this hybrid approach, Ubisecure IDaaS can be configured to trust both organisations’ existing authentication services, allowing new applications and backends to be configured using modern techniques such as OAuth2 and OpenID Connect. Ultimately, after migration is completed, the older, legacy, on premises CIAM solutions can be decommissioned and switched off. This brings all those benefits of consolidation we spoke about earlier – such as saving license, management and support costs – but also savings hardware costs.

 

Divestitures – CIAM makes a business easier to sell

A side-effect of M&A is often the sell-off or spin out of part of the organisation – divestiture. This is either to raise capital for the coming acquisition or to sharpen the focus of the new organisation after a shift in direction caused by a recent acquisition. Sometimes the M&A does not result in the desired benefits and part or all of the target organisation is sold off again.

In these situations, CIAM can create an increased level of readiness for splitting the user management into two and providing a smooth transition, preserving business value and revenue – while collecting consent for the process as the Data Controller and Data Processor changes as part of the divestiture process.

 

Ubisecure IAM supports efficient M&A

Ubisecure provides a feature-rich IAM platform with powerful capabilities to support efficient M&A, including:

  • Rapidly integrate each organisation’s existing CIAM system.
  • Use identity federation to attract customers of the acquired company to existing services.
  • Connect multiple user repositories to the single CIAM system.
  • Wide password hash algorithm support to eliminate the need for setting new passwords.
  • Allow users to find and link their existing accounts themselves, using User Driven Federation, as part of the uninterrupted login process.
  • Flexible UI/UX branding support, allowing many different brands in many different languages and layouts.
  • Option for rapid Identity-as-a-Service (IDaaS) deployment – get started quickly without the need for on-premises infrastructure deployment and installation.
  • Option for on-premises deployment – for local hosting in your secure facilities.
  • Easy integration of applications due to support for open identity standards.
  • Cost savings of vendor consolidation by standardising on one platform.
  • Improved security to protect valuable user assets.
  • Faster integration of two businesses through a wide range of open standards patterns and flexible, timesaving “compatibility flags” to support strange third-party protocol implementation.
  • Support for various modern IT architecture patterns in complex environments.
  • Provides a single integration point for identity federation.
  • Offers federation standards and capabilities, such as OAuth2 and OpenID Connect.
  • Enables federation exceptions, via CIBA Core, for non-standard, but existing high value applications.

Give value back to your new customers

Customers especially will appreciate the benefits that the new CIAM system brings, such as your ability to:

  • Streamline user experiences alongside sufficient security measures.
  • Enable consistent multi-factor authentication (MFA) across services for more convenient, secure login and transaction confirmation.
  • Introduce a single portal for delegated user management and access right reviews.
  • Introduce a single view of account information, authentication methods and roles for end-users.

 

Summary

CIAM is a great enabler in accelerating the integration of two or more IT systems during M&A. Smoothly transitioning users to securely integrated applications is possible using various software product features such as identity system federation, User Driven Federation and Directory User Mapping.

Ubisecure software additionally supports migration tools, enabling users to keep their old usernames and passwords, transition to a new system smoothly and, if necessary, upgrade to stronger authentication methods.

Retaining a strong relationship with the customer, enabling them to consume all of the wider products and services of the combined entity is key to sales growth. The successful management and retention of the external users, such as customers, partners and suppliers is key to the success of a M&A.

Find out how Ubisecure CIAM can help facilitate your M&A strategy. Get in touch.