Royal Caribbean adopts Zero Trust on land and sea
The name Royal Caribbean conjures up images of luxury cruise ships, top-notch entertainment, fine dining, sandy beaches, breathtaking sunsets, tall tropical beverages.
“Our mission is to create fabulous vacations with great experiences and great memories for our crew and our guests,” says John Maya, vice president of operational excellence at Miami-based Royal Caribbean Group.
Beyond the glitz and glamour, however, Royal Caribbean has the same internal systems as any company in the travel/hospitality industry – corporate offices, sales, marketing, reservations, call centers, baggage handling, etc.
Maya describes his IT infrastructure as hybrid cloud, with some resources hosted on Amazon AWS and Microsoft Azure, but also some core systems, such as the mission critical reservations application, running on an IBM AS-400 server in an Equinix data center in Virginia.
Legacy VPN reaches the end of the road
There are three brands under the Royal Caribbean Group umbrella—Royal Caribbean International, Celebrity Cruises and Silversea Cruises—with a total of 85,000 employees, most of whom work aboard the ships that take vacationers to more than 300 destinations, everywhere from Alaska to Australia.
But there are also between 8,000-10,000 employees who work at fixed locations, including corporate headquarters, offices in Europe and Asia, and port operations scattered across the globe. There are also third-party contractors, and close to 1,000 call-center agents who work out of their homes.
On the cruise ships, guests and most crew members don’t have access to the corporate network, but Maya does have to provide secure remote access for the captain and other key employees.
They were all connected to corporate headquarters through a hub-and-spoke style Cisco AnyConnect VPN. Maya said the VPN was reaching end-of-life, and he was looking for an alternative that would provide better security, cut costs, and a deliver a better user experience.
Zero Trust
Based on discussions with colleagues and his own experiences at previous career stops, Maya entered into discussions with Zscaler, then signed up for the company’s Zero Trust Exchange, a cloud-native platform that securely connects users to workloads they need to do their jobs.
Maya says he’s been “thrilled” with the experience. “The Zscaler Zero Trust Exchange enables us to work from anywhere—office, cruise ship, hotel, airplane, Starbucks. It has become so ingrained into our environment that it has become foundational. We don’t see how we can operate without it,” he says.
For example, Maya said end users used to have the ability to power up and turn off the VPN at will. He wanted a system where end users were required to go through Zero Trust-based access controls for all connectivity. “With Zscaler, we can lock down device access to the internet and put restrictions on where people can surf. It’s always on,” he says.
In the past, Royal Caribbean loaned out end-user devices to contractors all over the world. “We didn’t do the greatest job getting that equipment back,” Maya concedes. With the new system in place, all third parties have to bring their own devices and have their own Office 365 licenses.
“We put a Zscaler agent on their device so they can access the network,” he says. Maya’s IT department works with their counterparts at contractors’ companies to make sure that agent is running in the background, enforcing Zero Trust rules for multi-factor authentication and identity and access management (IAM).
Security service edge
With the Zscaler security service edge (SSE) platform, Royal Caribbean applications sit behind a cloud-based security exchange, and users connect to applications directly. This isolates threats, improves the user experience, eliminates the opportunity for hackers to invade the network and make lateral movements, and enables the platform to apply Zero Trust security principles for access control.
The platform can also conduct sophisticated security tasks such as decryption and deep packet inspection of all traffic, blocking malware, and preventing exfiltration of sensitive data.
The service has multiple components, each providing a specific benefit to Royal Caribbean:
- Internet Access: Provides fast and secure access to the internet and SaaS applications. The service performs AI-powered phishing detection, browser isolation, and even detects malicious command-and-control traffic, which would indicate that malware has invaded the network and is communicating with the attacker.
- Private Access: Provides secure access to Royal Caribbean’s private applications, enforces least privileged access, and also conducts inline prevention, deception, and threat isolation.
- Digital Experience: Analyzes traffic from the end user point of view and is able to troubleshoot and resolve user issues. For example, Maya says that it provides enhanced visibility into the activity of call-center agents down to the level of monitoring data flows and traffic hops.
Zero Trust benefits
Maya says when he pitched his CFO on the idea of switching from the VPN to Zscaler’s Zero Trust platform the three benefits he envisioned were lower cost, better security, and a better user experience.
On the cost front, he has been able to reduce the number of appliances in the data center and reduce support costs associated with the VPN infrastructure.
Security has been improved because he has moved away from hub-and-spoke VPNs and a traditional castle-and-moat security architecture to a cloud-based Zero Trust model. Maya says the nature of the business is that Royal Caribbean collects personal information on its customers, and the Zero Trust approach helps him protect that valuable customer data.
The employee experience has improved because workers can now “fire up Zscaler” and securely connect to their productivity applications in a couple of clicks.
Beyond those benefits, Maya says he appreciates the attentiveness and responsiveness of Zscaler personnel. He maintains longstanding strategic relationships with some of the biggest players in the industry: Cisco, Microsoft, and IBM. But he says he has always felt like “a guppie in a large pond” when dealing with these behemoths.
Zscaler personnel are “always available to help solve an issue,” and that goes all the way up to the top. “I can send an email to the CEO and get a return email within 10 minutes,” Maya says.
Copyright © 2023 IDG Communications, Inc.