We built a cohesive security framework with Microsoft’s integrated solutions: IndiGo’s Ambuj Bhalla

headshot of man

“Traditionally, regulators in the aviation industry have focused on human safety and physical security. But over the last few years, with rapid digital transformation, cybersecurity has become crucial to the evolving needs of the sector,” says Ambuj Bhalla, the director of cybersecurity – CISO at InterGlobe Aviation, the parent company of IndiGo.

With a fleet of 278 airplanes flying to 71 domestic and 24 international destinations, IndiGo is India’s largest domestic airline. Given the scale of its operations, the company processes data of millions of customers across multiple countries every year while keeping its digital infrastructure secured from bad actors.

“We built a cohesive security framework with the integrated solutions that Microsoft offers,” says Bhalla, who has over two decades experience in securing critical infrastructure across different critical sectors like aviation, power, and telecom.

The cybersecurity leader recently spoke to Microsoft Stories India about navigating the pandemic, prioritizing assets to secure, and the human angle of security and risk management.

Edited excerpts from our conversation follow:

Let’s talk about the current cybersecurity landscape in the Indian aviation industry.

Aviation is a critical infrastructure, and there is still a lot to explore in this area. Traditionally, regulators in the aviation industry have focused on human safety and physical security. But over the last few years, with rapid digital transformation, cybersecurity has become crucial to the evolving needs of the sector.

Now, there is a lot more focus on conducting cybersecurity training sessions, including red teaming, and phishing simulations, which also help to ingrain security as a culture across the aviation industry.

As the country’s largest domestic carrier, how has IndiGo’s cybersecurity journey evolved over the years?

Security professionals need to understand the minutest details of how the business works to strategize and make risk-based security investments.

We had to understand user behavior and how customers interact with our website and app interface while booking their tickets. Their experience during the booking process has a direct impact on the brand. So, we needed to make sure that we are protecting their data without making it too complex.

Our industry has additional complexity because we have several partners who also need access to our networks. We countered that by data segregation and classification.

Finally, we can deploy the most complicated and secure technologies, but it’s entirely possible that they may get bypassed. Technology can only take us so far. We depend on people who use these solutions. So, we looked at cybersecurity with a new perspective and treated it as a process, rather than just implementing technologies.

The biggest challenge for us was to embed a cybersecurity culture within the organization. We engaged with employees and top management to understand their needs, keeping in mind that implementing new security infrastructure is not an isolated task.

Over the last three years, we’ve implemented many programs at IndiGo to create cyber hygiene awareness among employees.

What role does Microsoft’s security solutions play in your approach to secure IndiGo’s data and infrastructure?

Microsoft allows us to have a single security solution for all our needs, which gives us complete visibility over our assets. We built a cohesive security framework with the integrated solutions that Microsoft offers.

Indigo was an early adopter of Office 365, which transformed the way we collaborate and communicate. This also really helped us when we moved our functions online because of the pandemic. Had we not adopted Office 365 earlier, it’d have been very difficult for us to implement features like Azure Active Directory Conditional Access, which became our baseline during the pandemic, when we had to manage thousands of endpoints that were not secured by the perimeter.

We also use Azure Active Directory for Single Sign-On and passwordless authentication, and Microsoft Intune for mobile device management (MDM). Our next step will be to explore risk-based, artificial intelligence and machine learning enabled sign-in mechanism.

The biggest complexity in the aviation industry is data security of our customers and employees, given that we must comply with several local laws around data protection. Regulations differ according to the region, and we need to classify our data to adhere to the standards mandated by different countries. Microsoft simplifies the process through tools that allow data segregation and classification.

Microsoft’s application threat modeling for secure software development, which makes it possible to identify and mitigate potential security issues at an early stage when it is relatively easier and most-cost effective.

The open architecture of Azure Sentinel makes it easier for us to conduct risk management. It allows ingest of any data to it–from multiple cloud service providers or even on-premises solutions. It runs analytics and AI at cloud scale to understand and counter the risks that threaten an organization.

With the perimeter no longer applicable in hybrid workplaces for most organizations, what advice would you give security professionals to help them adapt to the changing threat landscape?

It is important to have a vision while implementing cybersecurity. No organization can secure all their assets all the time. Security professionals need to determine what their high value assets are and then invest in the right solutions.