Flexibility and security can co-exist for the Red Cross

American Red Cross CISO Vikas Mahajan discusses flexible security strategies for front-line operations and his roadmap for moving toward a SASE model.

The American Red Cross and its massive network of workers and volunteers are the nation’s premier second responders, arriving right behind first responders when disaster strikes to help people rebuild their lives. They also collect and supply 40-50% of the nation’s blood supply.

At the same time, the American Red Cross is a natural, high-profile target for nefarious actors.

For Vikas Mahajan, the organization’s Chief Security and Information Officer, finding a way to empower his organization to do the work it does while keeping networks and data secure is a worthwhile challenge.

He joins BlueCat Chief Security Officer Andrew Wertkin on the Network Disrupted podcast to talk about his strategies for deploying solutions that don’t burden those on the front lines, and his roadmap for moving security towards a Secure Access Service Edge (SASE) model.

Remember security serves the mission, not the other way around

At the Red Cross, locking a volunteer out of a necessary application because the network they’re on “isn’t up to snuff” can mean the difference between life and death. So, Vikas and his team have implemented a number of intuitive, lightweight security mechanisms that allow the Red Cross’ volunteer base to quickly access services they need for their missions.

Last year, Mahajan’s team rolled out two-factor authentication for the Red Cross’ devices and computers. Only, Vikas didn’t want this to be the 2FA that required everyone to carry around a hardware token or to have to enter a code—he wanted this to be a smart, adaptive method.

So, now, when a user logs in, the system intelligently looks at different aspects of the user before deciding whether to trigger an extra check. Are they using a new computer? Are they on a new network? Are they in a new location? This more flexible policy for authentication has increased the acceptance of 2FA by users and allows them to move quickly when it matters most.

How does Mahajan’s team create solutions like this? By engaging a variety of stakeholders and teams, like the volunteers themselves, the legal department, and others using the technology infrastructure, to learn what they need.

It all boils down to Mahajan’s approach to security, which is done in partnership with others across the organization.

It just goes back to the entire way we approach security. It has to be in tandem, in partnership with others. I can’t do it in a black box and I can’t just build it and say everyone follow these rules. It’s just not going to work, especially in an organization like ours where it requires us to be open.

Flip your security model

The biggest shift Mahajan is working on right now? Moving from a data center-centric model, in which data is a protected asset in a walled garden, to one in which you must secure data wherever it happens to be—in the cloud, en route somewhere, etc. Today’s security leader is challenged not with keeping bad things outside the firewall but instead securing the “islands of data” out on the internet.

Enter: zero-trust, and the SASE security model.

According to Gartner, “SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies.

Currently, Mahajan’s team is operating on a zero-trust model and working on building policies and governance around the company’s usage of the cloud, networks, and data centers. He is also looking to build out the Red Cross’ SASE strategy and roadmap, knowing there are a number of challenges with embracing it.

Manage expensive IT transitions incrementally

In certain sectors, a lot of resources and funding can be allocated towards cybersecurity. I.e., the spend can be quite high per employee in the finance industry. But for non-profits, the majority of funds go towards supporting the mission of the organization. For the Red Cross, 90 cents of every dollar goes towards the mission, prompting IT to critically evaluate every additional bit of spend against the question:

“Should we spend another dollar towards securing our organization, or towards our humanitarian services?”

This context challenges Mahajan and his team to do a number of things differently.

First, they take advantage of generous pricing offers from technology partners, who support non-profits.

Second, Mahajan focuses on an incremental process for upgrading technology and solutions. Towards the end of a refresh cycle, he takes the opportunity to evaluate a new generation of solutions—in this case, ones that support proven, common-sense controls like strong encryption, identity verification, multi-factor authentication, etc. While it means that the time horizon for technology turnover is long, it also injects an element of stability and time for deliberation into the overall technology strategy.

If you’d like to hear the full episode with the American Red Cross CISO Vikas Mahajan, you can listen to it below.

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more