Corporate domain management broadly covers end-to-end activity concerning an organization’s domains. For individual domain owners and small businesses, there isn’t much to manage. You order a domain from a registrar, configure the DNS settings, and auto-renew the domain by credit card. Simple, right? In larger organizations with hundreds, even thousands of domains, it isn’t simple at all. In fact, it’s extremely complex and quite painful for your teams.

Corporate domain portfolios are increasingly the source of cyber security breaches that have seriously damaged prominent brands and their customers. Attackers employ clever multi-step campaigns to compromise domains and DNS networks. DNS hijacking and man-in-the-middle schemes expose enterprise brands and customers to credential and data theft.

Managing domains securely has become a costly endeavor, involving multiple stakeholders in the organization. The massive shift to digital transformation and cloud-based networks has propelled the global domain name system (DNS) to unprecedented usage and ubiquity. Cloud adoption has changed the game. The legacy approach of securing the enterprise network perimeter is dead. Domains, the DNS and associated services like PKI-based encryption certificates are growing massively. With this growth come new challenges and management pain for organizations.

The Pain of Corporate Domain Management

The vendor landscape for corporate domains and related services such as DNS, SSL certificates and DNS security products is fragmented and complex. Many organizations use multiple domain registrars for their portfolio. The few that have consolidated on one or two registrars invariably have dozens of DNS services from years of legacy activity, corporate acquisitions and siloed operations across the enterprise. Rarely are these multiple vendors functionally integrated with change management controls. Operations teams are obligated to manage domains, the DNS and SSL certificates on separate, unconnected platforms. Each vendor/provider has its own proprietary administration portal with unique password requirements. Some offer 2FA or single sign-on; many don’t. Multiple vendors and platforms, multiple logins, multiple password regimes and siloed operations all add up to multiple pain points, security risk and compliance gaps for corporate domain owners.


The internal landscape isn’t much better. Domains and the supporting DNS are everywhere, seemingly touched by everyone yet owned by no one. Domains originate from corporate users in sales, marketing, product management, customer service and elsewhere. Any individual or group sponsoring a digital initiative, no matter how small, very likely requires a domain or domains. Brand teams, including intellectual property lawyers, frequently order domains for brand protection purposes. Domain portfolios are growing from multiple internal sources. And it doesn’t stop there. Over time, individual domains typically spawn many sub-domains and redirect domains, all of which require setup, tracking and management. These “third-level” sub-domains are a notorious source of security vulnerabilities.

IT teams in network infrastructure and cyber-security are obligated to set up, configure, monitor and manage domains, the DNS, associated SSL certificates and the myriad security measures necessary for a secure operation. It’s a huge task for an organization with even just a few hundred domains. Network operators, more so perhaps than marketing folks, understand that domains are the tip of the digital iceberg. Underneath is a vast, sprawling network of endpoints, DNS zone files, and SSL certificates (which expire annually). An increasingly dangerous global DNS environment demands that organizations deploy counter-measures such as DMARC, SPF and DNSSEC. All require internal expertise and work effort to manage properly. DNSSEC can be very tricky to manage at scale, as each signed zone requires an annually rolled digital signing key and a multi-party chain of trust extending to domain registrars, registries and DNS providers. Budget- and resource-constrained IT teams are not equipped with tools to manage DNSSEC efficiently, so they either ignore it or employ half measures.
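The controls named above (SPF, DMARC, DNSSEC signing, certificate expiry) are exactly what a portfolio audit should report on, domain by domain. The following script is an added example, not code from the original article or from any vendor it describes: it runs an offline audit over a constructed inventory. The domain names, TXT records, DNSSEC flags and certificate dates are all hypothetical sample data embedded in the script (in practice they would come from a registrar or DNS provider export), so nothing is looked up on the network.

```python
"""Offline audit of a constructed domain inventory for SPF, DMARC,
DNSSEC signing and certificate expiry. All data below is constructed
for this example; no DNS queries are made."""
from datetime import date

# Constructed TXT records keyed by owner name, shaped like a DNS provider
# export. DMARC policy lives at the _dmarc.<domain> owner name.
TXT_RECORDS = {
    "shop.example-brand.test": ["v=spf1 include:_spf.mailer.test -all"],
    "_dmarc.shop.example-brand.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-brand.test"],
    # Two SPF records on one name: RFC 7208 treats this as a permanent error.
    "legacy.example-brand.test": ["v=spf1 a mx ?all", "v=spf1 include:old.test ~all"],
    "_dmarc.legacy.example-brand.test": ["v=DMARC1; p=none"],
    # A marketing domain with a verification TXT but no mail controls at all.
    "promo.example-brand.test": ["site-verification=constructed-token"],
}

# Constructed portfolio metadata (hypothetical domains, dates and flags).
PORTFOLIO = {
    "shop.example-brand.test": {"dnssec": True, "cert_not_after": date(2025, 9, 1)},
    "legacy.example-brand.test": {"dnssec": False, "cert_not_after": date(2025, 3, 10)},
    "promo.example-brand.test": {"dnssec": False, "cert_not_after": date(2025, 2, 1)},
}


def check_spf(txt_strings):
    """Flag a missing, duplicated, or permissive SPF record."""
    spf = [t for t in txt_strings if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 makes this a permanent error)"]
    terms = spf[0].split()
    if terms[-1].lower() in ("+all", "all", "?all"):
        return [f"permissive SPF terminator '{terms[-1]}'"]
    return []


def check_dmarc(txt_strings):
    """Flag a missing DMARC record or a monitor-only/invalid policy."""
    dmarc = [t for t in txt_strings if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy == "none":
        return ["DMARC policy p=none (monitor only)"]
    if policy not in ("quarantine", "reject"):
        return ["DMARC policy tag missing or invalid"]
    return []


def check_cert(not_after, today, warn_days=30):
    """Flag an expired certificate or one inside the renewal window."""
    days = (not_after - today).days
    if days < 0:
        return [f"certificate expired {-days} days ago"]
    if days <= warn_days:
        return [f"certificate expires in {days} days"]
    return []


def audit(portfolio, txt_records, today):
    """Return {domain: [findings]} for every domain in the portfolio."""
    report = {}
    for domain, meta in portfolio.items():
        findings = []
        findings += check_spf(txt_records.get(domain, []))
        findings += check_dmarc(txt_records.get(f"_dmarc.{domain}", []))
        if not meta["dnssec"]:
            findings.append("zone not DNSSEC signed")
        findings += check_cert(meta["cert_not_after"], today)
        report[domain] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit(PORTFOLIO, TXT_RECORDS, date(2025, 2, 15)).items():
        print(domain, "->", findings or ["no findings"])
```

With the constructed data and an audit date of 2025-02-15, the shop domain comes back clean, while the legacy and promo domains each produce four findings; the same functions work unchanged on a real export once the two dictionaries are loaded from a registrar or DNS provider report.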

Domain management has changed vastly since the first corporate URLs surfaced in the 1990s. The chaotic growth of domains, TLDs and DNS services has outpaced the tools an organization needs to manage this complex environment. Domain registrar administration portals and DNS management tools are little different today than they were in 2003. Surprisingly, organizations operate domain networks largely with manual processes lacking end-to-end change management controls. Email threads, Excel spreadsheets, internal ticketing systems and perhaps a SharePoint front-end are cobbled together as an “end-to-end management approach.” They don’t succeed. They’re high-effort, low-control methods that are non-compliant and easily compromised. Real-life examples abound.

If this painful picture seems familiar, it isn’t unique. Most large organizations, when pressed, admit that domain management is a costly, inefficient and insecure operation in need of pain relief. Their challenge is that solutions are elusive when overall ownership is unclear, internal stakeholders abound and the external vendor ecosystem is fragmented.

The good news is that domain management pain can be drastically reduced with a straightforward set of best practices. Security policies coupled with modern digital control systems provide visibility, effective change management and automation. IT teams and all enterprise stakeholders can enjoy pain-free domain and DNS management in an expanding digital world.


Our next article in this 5-part series discusses the addressable pain points at the front-end of the corporate domain management journey: originators and domain registrars.