Flexibility and security can co-exist for the Red Cross
American Red Cross CISO Vikas Mahajan discusses flexible security strategies for front-line operations and his roadmap for moving toward a SASE model.
The American Red Cross and its massive network of workers and volunteers are the nation’s premier second responders, arriving right behind first responders when disaster strikes to help people rebuild their lives. They also collect and supply 40-50% of the nation’s blood supply.
At the same time, the American Red Cross is a natural, high-profile target for nefarious actors.
For Vikas Mahajan, the organization’s Chief Information Security Officer, finding a way to empower the organization to do its work while keeping networks and data secure is a worthwhile challenge.
He joins BlueCat Chief Security Officer Andrew Wertkin on the Network Disrupted podcast to talk about his strategies for deploying solutions that don’t burden those on the front lines, and his roadmap for moving security towards a Secure Access Service Edge (SASE) model.
Remember security serves the mission, not the other way around
At the Red Cross, locking a volunteer out of a necessary application because the network they’re on “isn’t up to snuff” can mean the difference between life and death. So, Vikas and his team have implemented a number of intuitive, lightweight security mechanisms that allow the Red Cross’ volunteer base to quickly access services they need for their missions.
Last year, Mahajan’s team rolled out two-factor authentication for the Red Cross’ devices and computers. But Vikas didn’t want the kind of 2FA that requires everyone to carry around a hardware token or enter a code; he wanted a smart, adaptive method.
So now, when a user logs in, the system looks at several attributes of the login before deciding whether to trigger an extra check. Are they using a new computer? Are they on a new network? Are they in a new location? This more flexible authentication policy has increased user acceptance of 2FA and lets users move quickly when it matters most.
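The adaptive policy described above, as an added example that is not the Red Cross’ own implementation: each unfamiliar signal (device, network, location) adds to a risk score, the second factor is requested only when the score reaches a threshold, and a successful login enrols the device and network so the same volunteer is not challenged again. The weights, the threshold and the /24 network granularity are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical weights and threshold (an assumption, not the Red Cross's policy):
# an unknown device alone triggers the second factor, a familiar device on a new
# network does not, and a new network plus a new location does.
WEIGHTS = {"new device": 2, "new network": 1, "new location": 1}
THRESHOLD = 2

@dataclass
class LoginContext:
    user: str
    device_id: str  # e.g. device certificate or enrolment cookie identifier
    source_ip: str
    country: str    # from a GeoIP lookup of source_ip

@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_networks: list = field(default_factory=list)  # CIDR strings
    known_countries: set = field(default_factory=set)

def unfamiliar_signals(ctx: LoginContext, hist: UserHistory) -> list:
    """Name each login attribute that does not match the user's history."""
    signals = []
    if ctx.device_id not in hist.known_devices:
        signals.append("new device")
    ip = ip_address(ctx.source_ip)
    if not any(ip in ip_network(net) for net in hist.known_networks):
        signals.append("new network")
    if ctx.country not in hist.known_countries:
        signals.append("new location")
    return signals

def step_up_required(ctx: LoginContext, hist: UserHistory) -> tuple:
    """Return (challenge, reasons): password alone is accepted while the weighted
    risk score is below THRESHOLD; the reasons are kept for the audit log."""
    reasons = unfamiliar_signals(ctx, hist)
    return sum(WEIGHTS[r] for r in reasons) >= THRESHOLD, reasons

def remember_login(ctx: LoginContext, hist: UserHistory) -> None:
    """After a successful login (second factor passed if asked), enrol the device,
    the /24 the user came from and the country so the next login is not challenged."""
    hist.known_devices.add(ctx.device_id)
    net = str(ip_network(f"{ctx.source_ip}/24", strict=False))
    if net not in hist.known_networks:
        hist.known_networks.append(net)
    hist.known_countries.add(ctx.country)
```

The reasons list is worth logging on every challenge, since a sudden rise in "new location" challenges across many accounts is an early sign of credential stuffing rather than volunteers travelling.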
How does Mahajan’s team create solutions like this? By engaging a variety of stakeholders and teams, like the volunteers themselves, the legal department, and others using the technology infrastructure, to learn what they need.
It all boils down to Mahajan’s approach to security, which is done in partnership with others across the organization.
It just goes back to the entire way we approach security. It has to be in tandem, in partnership with others. I can’t do it in a black box and I can’t just build it and say everyone follow these rules. It’s just not going to work, especially in an organization like ours where it requires us to be open.
Flip your security model
The biggest shift Mahajan is working on right now? Moving from a data center-centric model, in which data is a protected asset in a walled garden, to one in which data must be secured wherever it happens to be: in the cloud, in transit, and so on. Today’s security leader is challenged not with keeping bad things outside the firewall but with securing the “islands of data” out on the internet.
Enter: zero-trust, and the SASE security model.
According to Gartner, “SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies.”
Currently, Mahajan’s team is operating on a zero-trust model and working on building policies and governance around the company’s usage of the cloud, networks, and data centers. He is also looking to build out the Red Cross’ SASE strategy and roadmap, knowing there are a number of challenges with embracing it.
Manage expensive IT transitions incrementally
In certain sectors, substantial resources and funding can be allocated to cybersecurity; in the finance industry, for example, spend per employee can be quite high. But for non-profits, the majority of funds go towards supporting the mission of the organization. For the Red Cross, 90 cents of every dollar goes towards the mission, prompting IT to critically evaluate every additional bit of spend against the question:
“Should we spend another dollar towards securing our organization, or towards our humanitarian services?”
This context challenges Mahajan and his team to do a number of things differently.
First, they take advantage of generous pricing offers from technology partners, who support non-profits.
Second, Mahajan focuses on an incremental process for upgrading technology and solutions. Towards the end of a refresh cycle, he takes the opportunity to evaluate a new generation of solutions—in this case, ones that support proven, common-sense controls like strong encryption, identity verification, multi-factor authentication, etc. While it means that the time horizon for technology turnover is long, it also injects an element of stability and time for deliberation into the overall technology strategy.
If you’d like to hear the full episode with the American Red Cross CISO Vikas Mahajan, you can listen to it below.