Mergers and acquisitions put zero trust to the ultimate test

When Jay Chaudhry launched Zscaler in 2007, he envisioned a number of use cases for the zero-trust platform, from security for a growing distributed, virtualized IT environment and a nascent cloud computing environment to improved network visibility and identity governance.

More recently, mergers, acquisitions, and divestitures have surfaced as a key use case as companies increasingly look to add to or pare down their businesses against the backdrop of a volatile global economic environment, according to Chaudhry, Zscaler’s chairman and CEO.

Speaking at the company’s recent Zenith Live 2022 event, Chaudhry said Zscaler’s cloud-based Zero Trust Exchange platform and underlying technologies have been used in about 300 acquisitions and divestitures over the past three years to reduce the complexity and time involved in merging two networks together or breaking one apart.

“I did not think of this use case when I started the company,” he told The Register. “But our customers realized that the zero-trust architecture that we bring to the table does not require companies to connect networks because we don’t connect people to the network… We use the network merely as transfer and plumbing.”

Zero trust is getting a hard look from enterprises that are pushing more workloads into the cloud and edge amid more employees working remotely, all of which are beyond the boundaries of datacenter security.

The architecture assumes that no user, device, or application on the network can be trusted. Instead, a zero-trust framework relies on identity, behavior, authentication, and policies to verify and validate everything on the network and to determine such issues as access and privileges.

It’s a fast-growing market. Gartner expects that by 2025, 60 percent of organizations will adopt zero trust as a starting point for security.

Zscaler knows a thing or two about this. Its technology connects a company’s users to applications or data based on their identity and policies put in place by the organization. If a user is authorized to access an application, the Zscaler system allows it. Central to Zscaler’s portfolio is Zscaler Internet Access (ZIA), which secures connections to software-as-a-service (SaaS) services, and Zscaler Private Access (ZPA), an alternative to VPNs for secure access to internal applications and services.

“In the Zscaler world, you don’t worry about the network,” Chaudhry said. “Each user is like an island. Each application is like an island and everything is connected to the internet. We are like a switchboard. A user comes to us and says, ‘I need to access this application in this datacenter.’ The policy rule says, ‘Are you allowed or not?’ If you are, you connect. If you’re not, you don’t connect.”

This capability is attractive to companies that are merging and want a way of bypassing an arduous integration process, Chaudhry said.

“When a company [buys another], they have to identify which applications of the acquired company they should keep and which they should eliminate,” he said. “Then, for a period of time, the acquired company will only give them limited access to applications in the acquiring company and vice-versa. To do so, traditionally they have to bring the two corporate networks together. When they integrate corporate networks, it creates problems.

“Each site has the same IP address name. They call them ‘overlapping IP addresses.’ Now they have to rename and create the stuff. It takes time, money and effort.”

With zero trust, “the integration is not about network or security. The integration means that the right users from each company can access the right applications,” the CEO said. “That’s what we do. It’s a fascinating example of how this new zero-trust architecture can make life so much easier.”

An integration process that in the past could take two or more years can now be done in weeks, he said.

Zero trust also eliminates the need for VPNs, which helps to speed up the process and reduce the costs associated with the appliances.

The use of zero-trust architectures for M&As comes as the global economy is battered by the ongoing COVID-19 pandemic, inflation, supply chain issues, regulatory pressures, and volatile stock markets.

KPMG said global M&A activity last year reached $5.1 trillion worth of transactions, almost matching the peaks seen in 2007 and 2015. Divestitures hit about $1.36 trillion, according to Forbes.

“It’s driven by overall business pressure,” Chaudhry said. “It’s driven by the fact that businesses have to become more agile and more competitive. They just can’t keep doing business the way they did. The success on every aspect of life depends on if you’re doing well in the core. In the good times, they expand into many areas, sometimes areas they shouldn’t be expanding into. In bad times, they go back into core areas.”

Careem moved to Zscaler several years ago as the company began to expand its business. Founded in 2012 and based in Dubai, the company started life as a ride-hailing company, similar to Uber and Lyft. Careem has since grown into a super app: customers can do everything from getting a ride and having food delivered to renting a car or bike, shopping, recharging a mobile device, and making payments via its digital wallet, similar to Venmo.

Careem now has 1,700 employees, 2,000 contractors and about 100 million customers in 100 cities across the Middle East, Africa and South Asia. It’s quickly become one of the largest technology platforms in the region.

The shift to a super app began before Careem, which lives on Amazon Web Services, was bought by Uber in January 2020 for $3.1 billion, but it was accelerated by the pandemic, according to Peeyush Patel, CIO and chief information security officer (CISO) at the company. Careem also has added to its platform through acquisitions, partnerships, and investments, most recently buying food delivery service Munch:On in June and money transfer company Denarii this month.

All these acquisitions and investments require various amounts of integration between Careem and the other companies, Patel told The Register. Zscaler’s ZIA, ZPA, and DLP services make such integrations much easier. Before coming to Careem in 2021, Patel was CISO at McKesson and chief product security officer at Experian, where they acquired 10 to 15 companies every year, which included an IT integration process that could take a year or two.

Those integrations also included the use of VPNs, which gave each company in the deal access to everything on the other’s network, increasing the attack surface. An attacker who compromised one network could use the VPN to infiltrate the other. Careem itself had eight VPNs and couldn’t share data across various services, even as the need for more holistic risk management grew as the platform did.

“Some of the partners we’re bringing on may not be as mature as us,” Patel said. “When we do connectivity with them, how do we manage the risk? People are coming onto our platform, so they expect us to maintain that level of trust.”

Careem has used Zscaler in several acquisitions and partner integrations.

“Now when we make acquisitions, on day one we are able to integrate,” Patel said. “After we close, our CFO and their team had access to their financial systems and vice versa. Back before Zscaler, that was impossible.

“What used to happen was the network guys and the security guys would say, ‘I will not connect the network until I’m sure that the security on both sides are level.’ But today you are able to connect between the networks knowing fully who’s connecting from the acquisition side [and that] the connection is very targeted on the other side. It’s a point-to-point connection.”