The American Red Cross and its massive network of workers and volunteers are the nation’s premier second responders, arriving right behind first responders when disaster strikes to help people rebuild their lives. They also collect and supply 40-50% of the nation’s blood supply.
At the same time, the American Red Cross is a natural, high-profile target for nefarious actors.
For Vikas Mahajan, the organization’s Chief Security and Information Officer, finding a way to empower his organization to do the work it does while keeping networks and data secure is a worthwhile challenge.
He joins BlueCat Chief Security Officer Andrew Wertkin on the Network Disrupted podcast to talk about his strategies for deploying solutions that don’t burden those on the front lines, and his roadmap for moving security towards a Secure Access Service Edge (SASE) model.
Remember security serves the mission, not the other way around
At the Red Cross, locking a volunteer out of a necessary application because the network they’re on “isn’t up to snuff” can mean the difference between life and death. So, Vikas and his team have implemented a number of intuitive, lightweight security mechanisms that allow the Red Cross’ volunteer base to quickly access services they need for their missions.
Last year, Mahajan’s team rolled out two-factor authentication for the Red Cross’ devices and computers. Only, Vikas didn’t want this to be the 2FA that required everyone to carry around a hardware token or to have to enter a code—he wanted this to be a smart, adaptive method.
So, now, when a user logs in, the system intelligently looks at different aspects of the user before deciding whether to trigger an extra check. Are they using a new computer? Are they on a new network? Are they in a new location? This more flexible policy for authentication has increased the acceptance of 2FA by users and allows them to move quickly when it matters most.
How does Mahajan’s team create solutions like this? By engaging a variety of stakeholders and teams, like the volunteers themselves, the legal department, and others using the technology infrastructure, to learn what they need.
It all boils down to Mahajan’s approach to security, which is done in partnership with others across the organization.
“It just goes back to the entire way we approach security. It has to be in tandem, in partnership with others. I can’t do it in a black box and I can’t just build it and say everyone follow these rules. It’s just not going to work, especially in an organization like ours where it requires us to be open.”
Flip your security model
The biggest shift Mahajan is working on right now? Moving from a data center-centric model, in which data is a protected asset in a walled garden, to one in which you must secure data wherever it happens to be—in the cloud, en route somewhere, etc. Today’s security leader is challenged not with keeping bad things outside the firewall but instead securing the “islands of data” out on the internet.
Enter: zero-trust, and the SASE security model.
“SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies.” – Gartner
Currently, Mahajan’s team is operating on a zero-trust model and working on building policies and governance around the company’s usage of the cloud, networks, and data centers. He is also looking to build out the Red Cross’ SASE strategy and roadmap, knowing there are a number of challenges with embracing it.
Manage expensive IT transitions incrementally
In certain sectors, a lot of resources and funding can be allocated towards cybersecurity. I.e., the spend can be quite high per employee in the finance industry. But for non-profits, the majority of funds go towards supporting the mission of the organization. For the Red Cross, 90 cents of every dollar goes towards the mission, prompting IT to critically evaluate every additional bit of spend against the question:
“Should we spend another dollar towards securing our organization, or towards our humanitarian services?”
This context challenges Mahajan and his team to do a number of things differently.
First, they take advantage of generous pricing offers from technology partners, who support non-profits.
Second, Mahajan focuses on an incremental process for upgrading technology and solutions. Towards the end of a refresh cycle, he takes the opportunity to evaluate a new generation of solutions—in this case, ones that support proven, common-sense controls like strong encryption, identity verification, multi-factor authentication, etc. While it means that the time horizon for technology turnover is long, it also injects an element of stability and time for deliberation into the overall technology strategy.
If you’d like to hear the full episode with the American Red Cross CISO Vikas Mahajan, you can listen to it here.
Critical conversations on critical infrastructure
Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.
Why McMaster University didn’t want another CIO
McMaster’s CTO, Gayleen Gray, highlights the importance of her unique role in a world where expectations of the CIO and CTO are colliding.
Customer situation brief on SUNBURST/Solorigate
Learn more about the attack via the SolarWinds Orion platform and how BlueCat products use DNS to help protect customers against compromises like it.
IT pros debate: Who should own DNS in the cloud?
Six networking pros dig into who should own DNS in the cloud during the third Critical Conversation on Critical Infrastructure hosted in Network VIP.
9 tech leaders’ advice on running a technology organization (part 3)
A compilation of the best insight and technical takeaways from the first season of the Network Disrupted podcast, led by BlueCat CSO Andrew Wertkin.