Securing Identity: Carnival’s Quest for AD & Entra ID Cybersecurity

[MUSIC PLAYING] My name is Ed Moore, and I have responsibility to help all of the nine Carnival brands on their identity and access management solutions. We deal with the architecture and engineering side of things. And then operationally, they're broken up, and they have their own team. And I support the operations side of North America. The security risk for us would definitely be the protection of Active Directory, making sure that we're not phished, things like that. So we're watching for threats, like every other company that is out there today. We're worried about our threats. What we're trying to do is just build the best mousetrap that we can and be able to harden our overall environment. Azure Entra and Active Directory are very critical to our business in the sense that we probably use that a little bit more than everybody else. And the way that we go about it is we have subdomains on each of the ships so that they can perform autonomously outside of any internet connectivity to the satellites or anything like that. And so Active Directory is very key to our business drivers and our business purpose to be able to deliver a good response or a good experience to our customers as well as those that are in the back office, either in reservations or anywhere else, from finance all the way through the revenue cycle chain. I think for us to look, for third-party Active Directory solution, we were looking for to fill that gap between what Microsoft was offering us versus what we needed. And what we needed is a better way to back up and recover should we have a possible issue. So we were looking for another third-party solution out there that can help us back up Active Directory Entra and anything else that we have and be able to put that immutable backup to use, as well as being able to recover quickly from bare metal. For us on the Quest On Demand solution, that provides us a single pane of glass into everything that's kind of going on from most of the IAM solution or from the Active Directory Azure point of view. So we're pulling in data from all of our Active Directory instances and domain, subdomains for us, as well as everything from Azure and then from some of the other products as well. So we're using GPO admin. We're pulling in data from anything there. We're pulling in everything from change auditor and some of the other Quest products into single pane of glass. So what does ARS, or Active Role Server, actually do for us? We are actually a big customer, a big proponent, I should say, in the way that we use it. Our ITOs, our IT Officers, on board each of our ships are the ones that are actually clamoring for this and was making the business case not to let that one go. They really needed that in their business. That provides them with the ability to do things much quicker than they can from a command line or any other interfaces that they had previously. They like to be able to click through and do changes. So for us, ARS was a productivity gain on the IT officer side of things. So with the emergent threat of ransomware, that's how I was able to sell the business case to be able to bring in DRE. We wanted that additional security blanket, again, for the ability to recover from bare metal. That's what we sold to our CIO. We didn't have that solution, and that's why we were also looking for something better, a better way in which to bring up Active Directory again, should we have that situation, also the ability to have the immutable backup and actually store something offline, which we weren't doing previously. And so to take multiple copies instead of one single copy, that's what we started doing as we changed our overall backup architecture. And that's how we provided that business case to go forward in order to make us a little bit more secure. We justify a DRE tool at Carnival just simply because I think everybody understands the importance of Active Directory in a recovery scenario. So we drill all the time on things that we need in order to go through that situation, should that be called upon. And I think everybody sees the importance of having that as the first layer of things that you have to bring up. And so for us, to be able to do that quickly, under two hours from bare metal, possibly depending upon some other farms and stuff like that, I think that was a definite win for us to be able to have that assurance. The time saved for us between doing something with DRE versus manually, we thought that it would take us well over 72 hours to try to do something manually. And so for us to do this, going from 72 or more hours manually to something that's less than two hours, is a big time save for the overall recovery of the company. [MUSIC PLAYING]