Integration Creates the Breach the Target Did Not Have

A target can be uncompromised before close and exposed by the integration itself. New trust, data movement and administrators create a different attack surface.

The answer

The target may pass security diligence and still be breached by the integration. New network links are opened. Identities are federated. Data is copied. Administrators receive unfamiliar access.

The target may pass security diligence and still be breached by the integration. New network links are opened. Identities are federated. Data is copied. Administrators receive unfamiliar access. Temporary tools move information. Vendors coordinate under compressed deadlines. The transaction creates a threat state that did not exist in either company alone. Integration is not the movement from risk to control. It is a period of deliberate trust expansion.

Change multiplies uncertainty

Teams understand their own systems imperfectly. Integration combines two partial models while changing both. Attackers benefit from:

  • Temporary privileges and shared credentials.
  • Monitoring gaps across new connections.
  • Confusion about which team owns an alert.
  • Data exports outside normal controls.
  • Employees accepting unusual requests as deal-related.
  • Delayed patching and change freezes.
  • Providers receiving conflicting authority.

Value object — The Integration Trust Gate

Before each material connection or migration, record:

  • Business outcome and deadline.
  • New trust created between identities, networks, data and administrators.
  • Evidence that both sides meet the minimum control state.
  • Monitoring and incident ownership after connection.
  • Containment method if the new trust is abused.
  • Rollback plan and maximum exposure window.
  • Named authority accepting residual risk.

The gate is a decision record, not a generic security checklist.

Federation can import weakness

Single sign-on feels like control because access becomes central. If dormant accounts, weak recovery or excessive privilege are federated, the buyer centralises exposure. Reconcile people, machine identities, administrators and recovery before federation. Start with constrained groups and observe.

Data migration changes audience

Moving data into the buyer’s platform may give new teams, analytics and AI tools access. Legal transfer does not automatically establish operational need. Map the new audience, permissions, retention and inference risk. Validate that source restrictions survive transformation.

Temporary access is the permanent risk

Integration accounts and consultants are created to meet a date. Expiry is omitted because dependencies are uncertain. Require owners, short lifetimes and automatic review for every integration privilege. Search for residual access after the phase completes.

Unify incident command before infrastructure

Before connecting systems, define who declares an incident, preserves evidence, isolates the link and communicates across both organisations. A technically reversible connection is not safe if nobody has authority to reverse it.

Measure change-created exposure

Track new privileged relationships, data movements, exceptions, failed controls and time to remove temporary access. Review incidents and near misses by integration wave. The integration plan creates the future enterprise. It can also create the first event the future enterprise must survive.

Sources

  1. NIST SP 800-207: Zero Trust ArchitectureNIST SP 800-207: Zero Trust Architecture

    Primary authority

  2. NIST: Cybersecurity Framework 2.0NIST: Cybersecurity Framework 2.0

    Primary authority

  3. Swiss NCSC: Current threats affecting companiesSwiss NCSC: Current threats affecting companies

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry