Royal Caribbean Charts a New Course with CrowdStrike ASPM

Royal Caribbean, a global leader in cruise vacations, has always prioritized the safety and security of its guests and operations. Rated "best overall cruise line" for 22 years running, the company thrives on operational excellence, which recently centered on its IT service management processes.

For Alice McElroy, Director of IT Service Management and Operations, the primary goal wasn’t security, but achieving operational visibility into the company’s vast portfolio of applications. With over 80 critical business applications interfacing with sensitive data, McElroy’s team faced persistent challenges in application discovery, dependency mapping, and maintaining an accurate configuration management database (CMDB). 

McElroy’s goal was clear: “I need to understand what’s running on our systems and how everything connects. If I don’t know where everything is, I can’t manage it effectively.”

Prior to adopting CrowdStrike, Royal Caribbean's operations team struggled to maintain an accurate inventory of applications and infrastructure. The company’s CMDB, populated through ServiceNow's Discovery and Service Mapping tools, was often inaccurate and time-consuming.

“The traditional approach fell short,” McElroy explained. “Mapping business applications to their underlying infrastructure — especially in cloud environments — was resource-intensive. We faced ongoing issues with outdated data and incomplete application maps, stemming from a lack of comprehensive understanding of the architecture.”

To address these challenges, Royal Caribbean hired a third-party consulting firm. The cost was significant to generate just 60 application maps. Despite this investment, the results were limited, and the maps quickly became outdated with new application deployments.

In 2023, Royal Caribbean turned to CrowdStrike Falcon® Application Security Posture Management (previously Bionic) for a proof of value. The POV focused on two key applications that had previously lacked visibility. Within just four hours of deploying Falcon ASPM, the solution generated a detailed application map for those applications, uncovering hidden connections and dependencies that had previously gone unnoticed.

“The accuracy of application and infrastructure mapping is impressive,” McElroy noted. “By leveraging actual code, Falcon ASPM identifies real-time dependencies and provides insights that were previously obscured. This bridges the gap in architectural knowledge, reducing reliance on tribal knowledge. Now, our application maps reflect what the code is truly doing, ensuring they are both comprehensive and accurate.”

After licensing Falcon ASPM, Royal Caribbean was able to automate the mapping of applications across its infrastructure, drastically reducing both the time and cost associated with traditional methods. Falcon ASPM’s code-based discovery capabilities scan the code itself, yielding more accurate data than assumptions made by developers.

The solution not only helped McElroy’s team uncover hidden connections between applications, but IT also enabled seamless integration with ServiceNow, enriching the company’s CMDB with more reliable and accurate data.

In just six months, Falcon ASPM enabled Royal Caribbean to generate over 200 application architecture maps, covering both production and non-production environments. These maps were created in a fraction of the time compared to the weeks or months it would have taken with traditional ServiceNow service mapping.

The results were undeniable. Before deploying Falcon ASPM, Royal Caribbean had 295 business applications and 223 application service maps. After implementation, the company added 119 new business applications and generated an impressive 913 new application service maps, bringing the total to 414 business applications and 1,136 application service maps.

“Falcon ASPM has saved us time and money. The cost savings are significant, and we can produce far more application maps in significantly less time,” said McElroy. “This capability enhances our understanding of application dependencies and allows us to identify application drift effectively.”

This newfound visibility not only enabled Royal Caribbean to optimize its IT operations and improve CMDB accuracy, but also provided critical insights into how technology supports essential business capabilities. By understanding application dependencies and configurations, the organization can better align its IT resources with business objectives, enhance operational efficiency, and drive innovation.

While Falcon ASPM’s core value proposition is typically security-focused, Royal Caribbean’s use case highlights its immense potential as an operational tool for enterprises struggling with application discovery and dependency mapping.

“We bought Falcon ASPM to improve our visibility and mapping of applications,” McElroy noted.

The solution has proven particularly valuable for organizations dealing with the complexities of large-scale IT environments. “We’re not the only company facing these challenges. Many large enterprises are grappling with similar struggles to maintain an accurate CMDB and map their business applications,” McElroy concluded. “This is the operational pain point Falcon ASPM is solving, and it’s a real unmet need in the market.”