As primary technical lead, we designed and built the complete onboard IT platform for a privately owned sailing yacht, bringing the identity security and network segmentation normally seen in corporate headquarters to sea, and we have supported it ever since.
At a glance
Vessel: SY Shagala Bagala (privately owned sailing yacht)
Role: Primary technical lead, full IT stack
Scope: Network, WiFi, connectivity, security, M365
Status: Built from scratch · ongoing support
A network built from the ground up
We designed and built the complete onboard network, with a segmented VLAN architecture separating guest, crew, navigation and IoT / camera traffic. The whole platform runs on a full UniFi ecosystem of gateway, switches and access points, engineered for the hull and its operation.
Interior and deck WiFi was engineered for complete coverage, including an exterior access point mounted on the mast to extend connectivity across the full deck, with strong signal wherever owner, guests and crew actually are.
Full interior and deck coverage
Exterior mast access point for full-deck WiFi
Tuned for dense marina RF environments
Identity security from the corporate world
WiFi is protected by certificate-based EAP-TLS authentication, backed by an on-board RADIUS / AD / NPS / ADCS stack. This is the identity model used to protect corporate headquarters, rarely seen on a yacht, and it ensures only trusted, known devices can ever connect.
Certificate-based EAP-TLS WiFi authentication
On-board RADIUS / Active Directory / NPS / ADCS
No shared passwords; only trusted devices admitted
Isolated navigation
Radar and bridge electronics are segmented onto a dedicated navigation VLAN, so navigation traffic never competes with or interferes with the rest of the network. Cameras and IoT devices sit on their own contained segment.
Radar and bridge electronics on an isolated VLAN
Navigation kept strictly separate from guest and crew traffic
Cameras and IoT on their own contained segment
Resilient connectivity & email security
Starlink provides primary connectivity with automatic failover and outage diagnostics for uninterrupted internet. On the cloud side, we secured the yacht's Microsoft 365 tenant, and successfully responded to a business email compromise (BEC) attack, containing it and hardening the tenant against recurrence.
Starlink with automatic failover and outage diagnostics
Microsoft 365 email security and hardening
Successful response to a business email compromise (BEC) attack
The outcome
Corporate-grade reliability, security and privacy aboard a sailing yacht
A network only trusted devices can join, with each segment contained
Uninterrupted connectivity underway, with graceful failover
A Microsoft 365 tenant hardened and proven against a real-world attack
Supported after handover, with issues resolved quickly when they arise
TODO: owner / captain testimonial. Placeholder: “It is the first time the technology aboard has simply faded into the background. Everything works, and we never think about it.”
Captain · SY Shagala Bagala (pending approval)
Out of respect for owner privacy, this case study is deliberately free of sensitive detail. The vessel name can be anonymised on request.