Season 2, Episode 1: "Can security & flexibility co-exist?" with Vikas Mahajan, CISO at the American Red Cross
Today, I’m speaking with Vikas Mahajan, who you might know as the CISO at the American Red Cross. For this episode, we’re going to focus on the collision of the traditional worlds of networking and network security, the rise and merits of what Gartner has coined as "SASE", and how Vikas approaches leading security in light of the Red Cross’ volunteer-based, highly critical, highly complex context.
What's great about this interview is we talk both tactics and strategy, and I expect many of you will be pocketing much of Vikas' advice.
Let me know what you thought of today’s discussion! You can tweet me at @netwkdisrupted + @awertkin, leave a review on Spotify or Apple Podcasts, or email me at email@example.com.
Read more about Vikas on our blog.
Hey, it's Andrew and welcome back to season 2 of Network Disrupted, where technology leaders trade notes on navigating disruption in our space. Today I'm speaking with Vikas Mahajan, who you might know as the CISO of the American Red Cross. For this episode we're going to focus on the collision of the traditional worlds of networking and network security, the rise and merits of what Gartner has coined as SASE, and how Vikas approaches leading security in light of the Red Cross's volunteer-based, highly critical and highly complex context. What's great about this interview is that we talk both tactics and strategy, and I expect many of you will be pocketing much of Vikas' advice. Speaking of advice, this episode is brought to you by... No, I'm kidding. I'm not taking sponsors at the moment, but I did want to call out a technology community that I've been so impressed by recently, in case it's helpful for those listening or their colleagues. I'm part of the Network VIP community, which is an open, vendor-agnostic group on Slack that looks to help IT practitioners, especially those who touch network infrastructure, learn from one another, share best practices and generally connect. If you know someone who would benefit from that, send them to bit.ly/NetworkVIP to sign up. Let me know what you thought of the discussion. You can tweet me at Network Disrupted, leave a review on Spotify or Apple Podcasts (actually, please do that, it would mean a lot to me), or email me.
So thank you for joining, Vikas. Maybe you can give me a sense of the complexity at the American Red Cross.

Sure, the American Red Cross is a very interesting organization because it's actually like several businesses under one roof. The largest part of our business is actually the blood processing and manufacturing. We provide somewhere between 40 and 50% of the nation's blood supply, which is a very, very important role and it's something that the Red Cross takes very seriously in terms of making sure that the blood is safe. If there's a fire at someone's home, the Red Cross is there. We're what we call a second responder. The first responders are your fire and emergency rescue folks; we come in and help the people rebuild their lives, get back on their feet, figure out what to do next. And so that compassionate and empathetic serving of people I think is really what drives that mission. So, we use technologies in a number of ways, being able to stand up - I remember one story during a hurricane in Puerto Rico where we actually had a volunteer fly into Puerto Rico prior to the hurricane. He then waited it out. We didn't hear from him for three or four days and then suddenly, boom, there's a ping on the screen. This person's here. And they basically said, I was working very diligently just to get our communications up and running. I didn't have time to check in in a good way, I just had to get it working. Those are the types of people we have and that's what's amazing to me.
Right. And then on top of that, if you look at the average amount spent per employee across different industries, as you may know or certainly assume, you get into finance and other industries and it's pretty high per employee. And you get down into other industries and it's quite low per employee from a spend on cybersecurity, defensive or other measures. You're a nonprofit.
It's very true. Most nonprofits will face this challenge. Of course, you want to serve the mission. You want as much money to go towards the mission as possible. And so we count - we very much penny-pinch. We very much count every dollar out and say, "Is this a good use of the money? Is this a good investment of our donor dollars?" If we're going to put a dollar towards IT versus a dollar towards humanitarian services or other services... And so we have to be very, very diligent about that and spend every dollar wisely. That means I don't necessarily go out and buy the most cutting-edge solutions that are available today or tomorrow like a banquet. We have to be very diligent about those dollars and maximize those investments. I think at the Red Cross somewhere around 90 cents of every dollar goes towards serving the mission. So that leaves very little overhead for running IT and finance and HR and all the other back-end functions that a business needs.
Which is, for those of us who donate to the Red Cross, very much appreciated, that stewardship of the dollar. So then how do you do it? How do you think about a security architecture, maybe give a couple of examples, so that you are flexible enough to secure against these emerging threats and this workforce that comes and ebbs and flows and, in many cases, volunteers? Lots of different problems to solve, and I'm curious how you look at it from an overall security architecture standpoint.
It's definitely a complex environment. It's challenging because of the different needs. We have to keep our doors open at the end of the day. It's the Red Cross. People should feel comfortable coming into our facilities, working, volunteering, being able to have the flexibility to come into a place and connect. And as you said, a lot of those folks are going to be bringing their own equipment and things like that. So we had to think through the network to be flexible enough to allow for a variety of use cases, but at the same time protecting the corporate network. And so, we have been spending a lot of time on looking at how to segment those types of things: keep the sensitive data, the PII, and things that we deal with on a separate network that our employees have access to, and select users who are involved in those areas of the business, versus the networks that are going to be used for resources used by everyone else, including our volunteers, our contractors, etc., who need access to other things. And so we spent a good bit of time there. We spent a good bit of our time and energy around education, training and awareness. Everybody who comes in as a new volunteer, everyone who's a new employee, we have to take them through this process to understand: you are handling sensitive information because of the nature of the work about people. When you're doing a blood donation, it's very detailed information you provide to the Red Cross, and we have to be good stewards of that. And I think that message has certainly been getting more attention because of the hacks that take place, because of the data breaches that have taken place the last few years; everyone becomes sensitive to this. I would say ten years ago people probably were less worried about these types of things. "Hang on, we're the Red Cross - no one's going to target us."
And now everyone's like, well, we have to be really careful about this because, look, someone else got hacked, this other organization got hacked, and so it's brought a lot more attention to information security, which has been good for my team. We've really been able to present our facts and our information and the risks to the leadership. I present regularly to the Board of Governors at the Red Cross as well about our security and risk posture, and I'm seeing more attention and more investment being put in to make sure that we can keep up. I'd say the biggest change right now is most networks have been built on a datacenter-centric model - your traditional internet is this bad, evil cloud up in the sky and then there's this firewall-
The Red Cross is moving along towards the cloud as well. We've been heavily investing in the cloud for some time. And now we have to basically flip our security model and say, okay, these secure assets may no longer be inside of this walled garden we called the datacenter. They're now going to exist in these cloud environments out there in this hostile environment called the internet. And now what we need to do is figure out how we secure those islands of data out in the internet. How do we enable these users, who could be anywhere, connecting to data that could be located in any number of these islands in the internet, flowing through this hostile environment? How do we protect this now? How do we flip this whole model around? And that's what we're working on today. And I think this is where the industry as well is trying to solve this problem. We're learning more about the latest around these concepts. I think the first one is the model around zero trust, which is basically saying any device that comes in or any user who comes in we treat as unknown until they prove otherwise, and then we allow them access based on their demonstrated ability to be trustworthy. Is the asset trusted? Is the user coming in from a trusted location? What are the risk factors? And looking at various conditions. And so it becomes much more of a real-time decision saying, okay, based on these factors and who this person is, I'm going to allow them access to this resource.
And also, I mean, you talk about network segmentation, which is what you must do. People on your network that shouldn't access those networks, great, lock them out. But I think from a zero trust standpoint, you also get to that abstraction layer, as you said, of identity, device and application, and now you're sort of divorcing that physical or virtual network from that as well. You want to map it at that higher level. I think that's a good tenet of zero trust.
Correct. And then you take zero trust and now what Gartner has coined secure access service edge, SASE. You suddenly take this security model, you converge it with your network security, and you have this new convergence, what they call SASE, which is really looking at that entire user experience from: okay, I'm sitting in an airport at a kiosk trying to access this resource, what are all the elements of security? What are the elements of network security that I need to tie in to make this user experience occur? And to give this user the right access to the right resources at the right time, taking in all of these factors. So we have to ensure now the user could be anywhere on any network. How do we give them the security they need, that network security layer as well as the identity layer as well as the data layer, all wrapped into one form of access, real time, occurring when they try to access resources? I think that's really where things are going.
For sure, in marrying network security and the network in general, especially as it relates to those that are not inside physical locations, there's a lot of promise there. When I talk about my own feelings about it, and also when I talk to prospects and customers about it, I always also get the other side of that, which is: but that's a lot of eggs to put in one basket.
Exactly, and so trying to separate the reality from the hype is becoming the challenge. And as you said, you go back to when the market is new, everyone wants to be in that market and so suddenly everyone says I have the whole solution. But I think over time what you realize is there isn't a one-size-fits-all solution to this. And so the key now becomes the standards and the companies' willingness to work together and to solve the problem by allowing you to put the best pieces together. I hope it doesn't take too long. My biggest concern is it will come way too late for the companies and industries of old to figure out how to work together in this space, because it does sound so daunting. As you said, there's a lot of complexity here underneath this. It sounds great in concept, but underneath the hood there are dozens of technologies we're talking about trying to work together as one to make it all happen. I think that the reality of making that happen is definitely still several years away.
For sure. It's an acronym soup of all of the promises and all the different areas. But conceptually, if those capabilities that are part of a SASE cloud can be brought together with vendor interoperability, even better. I think in general the markets will decide these things based on appetite for buying. It's critical in network and network security, though, that there's interoperability, and in my day job on the DNS side, that's critical. I mean, you're not a closed system, you're communicating with billions of other clients and other DNS servers, and interoperability is not an optional thing. But I think for sure SASE will be part of a security architecture, without a doubt. The question just comes to what vendors you are working with to fulfill those, because from a requirements and capability perspective, what this thing is supposed to bring to the market, I think it makes a lot of sense. And you touched on something else as well, which is that it sounds wonderful if we were starting today. But we're not starting today. We have decades, in many cases, of solutions that we've put out and things that do this already effectively, or things that do this in other ways. So the idea of SASE, the idea of cloud-based network security or bringing this together with the network, the idea of zero trust: how do you break that apart to look at? Where do you start? What can you implement today? What are you thinking about tomorrow? How do you take where you want to go and plot that along some sort of roadmap or some sort of iterative architecture?
So, great question, because that is exactly what I'm working on right now. I'm trying to find a way to explain this. At the end of the day, I have to sell this to my peers, I have to sell this to my bosses, I have to explain to them this is where we're going. This is the information security strategy and roadmap. I need my peers. I can't do this alone. I have to bring the network teams along, our server teams along, everyone along to say we're all going to agree to play together as we make this happen. And so I'm currently working on the messaging. How do I wrap that up? And how do I figure out the steps we take to get there? It's not going to happen overnight, but I have to lay the foundations out now. And the way I have it laid out at the moment, and this is by no means final, I'm trying to break it up into three fundamental areas. One is what I call zero trust, which would include addressing our identity management areas so that we're focusing more on risk and access and user behavior. And then I'm breaking that down also into the way we provision access into systems outside of our traditional corporate data center. Now we're looking at provisioning into cloud applications and other areas and really driving that whole user lifecycle process. And then I've also got a category I call the secure network, the secure access service edge, which also needs its own efforts. This old model of the MPLS network and your data coming back to a central data center where everything's secure and inspected and everything else - that model is gone. So we have to figure that out. I have a separate workstream, if you will, focused on that. And then we have this area around cloud and cloud governance. That's the other key thing. The overarching theme around this is we have to have good policy and governance around it to make it all work and work together. At the end of the day, that is the glue that binds it all together.
You've got security in a number of areas, you've got the cloud, you've got the network, you've got your data centers, you've got everything else, but you need a uniform policy and security approach to that, and a governance model to apply. And that's what we're figuring out. So looking at where we make investments, for example, in a cloud access security broker technology solution, which would be part of this larger SASE infrastructure as well. What does that look like? How do we define the policies that will apply to our AWS instances, our Amazon instances, our Azure instances... all these different environments, because, guess what? They're all getting spun up. Whether we like it or not, the business has been readily expanding into these and we need to be able to keep up, and if we don't get good governance around that I think it's all going to end up being the Wild Wild West, which is what we're trying to avoid.
Sounds like one process that you might have or you can speak to, but two, sometimes there's just... other things become so important that this sort of roadmap to gain this vision loses some gas. So how do you maintain that, or how do you think about that?
It's very true that the risks and priorities of today may not necessarily be the same as tomorrow. I think COVID was a great example that came out of nowhere and everyone had to adapt very quickly. And whatever plans you had, you had to completely switch around and start addressing this need. And we just have to be prepared for that as IT professionals, unfortunately. That's just the nature of the beast. The biggest thing I can do in my mind is put this vision together and make sure I get the buy-in from my counterparts, and then figure out this layered roadmap of how to get there. As I said, we're not an organization where we can invest millions of dollars all at once. I can't just go rip and replace what we have. So what I'm trying to do is sell this as an incremental process: as we refresh technology, as we refresh our devices, let's start including the necessary pieces underneath those to build this foundation. So for example, one of the first things I want to do is work with our end user support team to say, once you buy and refresh our computers - we do them in a rolling three-year period, but in certain segments of the business during those various degrees of time - the next round of devices you buy, let's buy devices that have some type of strong authenticator on them: fingerprint reader, facial camera, etc., so that I can move towards getting rid of passwords, which I know is a pain for many of our users, and we can move toward stronger forms of authentication or trust with our users. And I suddenly have more risk factors. So that's one way we can make investments. The same thing has to happen on the network. The network equipment all has end-of-life dates on it. Every piece of it has to change. So when I go to that team I say, okay, you're planning to now refresh your network edge devices. Let's look at that, let's understand what that vendor's model is around SASE and how we can plug this all together. What are they saying?
And how do we make that work so that we make the right investments? And I don't have to do it all at once. So it's definitely going to be three, four, five years, right? Especially for a non-profit. We're never going to be able to afford to do it all at once. But I think that's actually a good thing, because it also gives time for the market to mature. It also gives time for this whole thing to start coming together. This soup really does have to converge still.
Is there an example of a decision you've made, whether it's a product you bought, a change to your architecture or something concrete, where you proved that value and you got that feedback from the business?
Yes, I think we have that. When we enabled two-factor authentication, we did that that year. We're certainly not the first to market to get into that technology. And I think for many years it was viewed as getting in the way. Why do I need to log in again? I'm just trying to log in to get my email, I'm trying to do this or that, and the second factor is just going to be a pain. And so I think that perception has died down, partially because, again, what's happening in the industry is people are getting hacked, accounts are getting compromised, data is getting stolen. And I think once our leadership also started to see that in the headlines, and they heard it from our board - some of our board members worked at companies where those types of things happened - they came back to, what are you doing about this? And I said, oh, absolutely, we would love to do something about this, and we want to enable it in such a way that it isn't in the way all the time. So instead of going with a constant "you need this hardware token next to you, and every time you log in you have to put this in a machine or type in a code," we went with an adaptive approach. We said what we're going to do is make it smart, so that when the user logs in, it looks at what they're doing and, based on their machine, where they are and what they're doing, we're going to challenge them only when needed. So it's going to learn. So it's going to say, okay, the first time you log in I'm challenging you, I'm fingerprinting your device, I understand where you're coming from. If you then come back to me with that same machine, no problem. Go back in, I'm not going to challenge you again. But if you then come to me with a new machine, yes, we're going to challenge you again. Or if you're coming from a new location. So we made it smarter, and I think that helped a lot with the acceptance. It became, oh, this is not going to get in my way all the time.
It's just going to prompt me once, and if I'm using the same machine, I don't have to worry about it again for a long time. And the risk factors, the risk analysis we're doing now is far more intelligent than the old days. It isn't just black and white. It's all those different factors: your IP address and your geolocation and all these other things that we can now weigh into the transaction before we enable access. I think that really speaks volumes to where the technology has come as well, because it gives us far more insight into the posture, the security posture. And I think that's really critical to us making decisions. I don't want to get in your way all the time. There's just no need for it. If every time you're coming in from the same computer on the same device from the same location, why do we have to keep challenging you? And bringing that approach makes it a lot friendlier conversation with our users as well as the leadership, saying we're not going to get in your way.
I mean, on this proving-business-value side, unfortunately and ironically in some sense, the awareness of breaches and how these breaches occur in the general public now probably makes it a little easier to sell things like two-factor, and probably less resistance from the user. But that was really good insight. I would imagine you must have some strategy for securing data on devices as well, though, because your employees, volunteers, whoever might not necessarily have the rapid access they need to a cloud-based application, and therefore their devices might have PII or other information on them so they can get their job done.
This became another area of interest where we really had to think about how we enabled access. The simple fact is we cannot give assets to everybody. There are far too many thousands of volunteers, and we can't possibly provision every single one of them an asset. But we need to enable them to do their jobs and get access to the resources they need. And so we really focused on building a policy that would allow for flexibility: bring your own device, allow you to access things, and write the policies in a way that wasn't so frightening. So a lot of the standard corporate policy is: we can wipe your device at any time and you can lose all your data. Who the heck wants to turn over their personal device to us so we can say, I can just go click a button and wipe your whole thing and everything on it? The technology again has become smarter here. The technology now allows us, for example in Office 365, we switched over to Exchange ActiveSync technology and modern authentication, which together enabled us to now smartly wipe devices. I can just wipe your email. I don't have to wipe everything else, and not just your email, just your Red Cross email. Not anything else on your device. And so it becomes a far less risky proposition for the user, it's very friendly, and it gives us the protections we need just in case that device does walk away or get stolen or whatever, and I have a reason where I need to wipe a device, for example. So we carefully crafted those policies, met with legal, met with the volunteer community and our user community to say, what's going to make the most sense to protect the Red Cross and give you what you need to do your job? So that's the type of dialogue that needs to happen. I told my team recently, I said every one of our security policies, as we revamp them, I want to review them not only within IT, but with our business users who are going to be impacted, because we need their input.
Otherwise, it just feels like you're being told what to do as opposed to having some say in it. And I think it just goes back to the entire way we approach security: it has to be in tandem, in partnership with others. I can't do it in a black box, and I can't just build it and say everyone follow these rules. It's just not going to work, especially in an organization like ours where it requires us to be open; our doors have to be open 24/7. This is not a bank. I can't lock everything down. We have to have a policy that's flexible enough to adapt to the needs. And fortunately the technology is continuing to mature to allow us to offer some of those flexible options.
I can't tell you how many security policies I've seen that have forbidden any personal use of corporate devices. Okay, but then you get to reality and you've got somebody on the road, you've got somebody who just needs to do something. They're not going to carry two laptops around, so that policy isn't necessarily achievable. Maybe it is in certain industries, but in most industries it's not. So if the policy itself doesn't make sense to the end user, they're way less likely to follow it. And if people aren't following it, then that invalidates the entire policy.
Exactly. So going back to devices, for example, we again want to make it as transparent as possible: when a user gets a device from us, disk encryption is installed. They don't know anything about it, it's hidden there. It doesn't get in their way when they log in or when they turn on their computer. Behind the scenes it's all getting encrypted, it's all being protected, and they are none the wiser. Now if they happen to do something to their device and it gets screwed up, we have a way to get the key back to restore their device and whatnot. But the point is we've made it so that it's not in the way. My wife, she works at a bank. Different story. They have a much higher need for security than I do. So she has to carry around a token. She has to carry around-
She probably carries around two phones, right?
Yeah. Exactly. Everything is separate. They're not even allowed to use wifi at their work. I get it. It's a bank. It's a whole different risk posture than ours. I don't need to do that at the Red Cross. I need to have the flexibility to make it adaptable and to address the risk based on the need and the situation. And so, making the technology as transparent as possible also helps.
Perfect. So fantastic, Vikas. It was great to talk to you. One of the things I appreciated, and am personally passionate about as well, is that throughout this entire conversation, whether it was the security architecture or just talking about how you think about any specific solution, you have the business and the users and the mission of the organization in mind. And you really centered and focused on providing value as well as achieving your mission, and I think that's a fantastic focus that I don't hear enough from leaders. It really screamed through, and so I just wanted to thank you for that and thank you for joining us.
I greatly appreciate the opportunity to speak and share some of my insights and experiences with everyone. I think it's a great forum for us to be able to talk, and that's really the key: we always have to be able and willing to talk and share and learn from one another. So, thank you.