The domain management lifecycle moves quickly from the business originator who registered the domain to IT staff that set it up and configure the initial DNS settings, but it doesn’t stop there. For most organizations, a domain is forever and entails years – even decades of ongoing governance. Large portfolios with years of accumulated legacy domains and DNS configurations create governance and compliance management pain for the organization that grows exponentially over time.
Domain portfolio governance is a necessary process of continually examining every domain registered by the organization to determine whether it should be renewed or expired upon its registration anniversary date. When hundreds or thousands of domains are involved, expiring monthly on contract terms ranging between one and ten years, it can become a painful and costly area to manage. In the absence of an end-to-end change management system with tamper-proof historical data and audit reports, domain stakeholders have a difficult time knowing which domains are necessary vs. those that can be discarded. The default position becomes “keep everything.” This is problematic in two ways:
- Bloated domain portfolios with accumulated legacy domains add unnecessary cost to the organization – not just for the domain renewal fees but also for ongoing DNS maintenance and security compliance by IT staff. Old legacy domains no longer actively used and managed by the business are rich targets for malicious parties who can hijack orphaned DNS settings for phishing, identity theft, and other purposes that can damage a brand. The best practice approach is simple, “If you own it, you must to manage it.” Bloated portfolios add significantly to vendor costs and internal security and compliance work effort.
- Domains that had a clear and discrete purpose when originally registered can become unclear over time as they spawn subdomains, redirects and various DNS configurations that become orphaned over time. Organizations often fail to ensure that security policy compliance is maintained over each domain’s lifecycle, such as SPF, DMARC, DNSSEC, and TLS/SSL certificates. Failure to maintain good DNS hygiene by removing old settings on these legacy domains creates hidden security exposures and compliance gaps.
Recognizing the security risks of large legacy domain portfolios, organizations often mandate periodic audits to review the details behind each domain and their respective DNS zone files and security settings. Audits are typically manual processes, involving significant IT resource expenditure. Manual audits are an ineffective use of valuable resources. Audits rarely complete with all questions effectively answered. Few enterprises employ automated tools to comprehensively examine and report the status of each domain, subdomain, domain redirect, and their associated DNS zone files. To properly assess compliance with security policies domain portfolio owners minimally need to know:
- Does every domain in the portfolio have SoA (start of authority) to mitigate hijacking?
- Is SPF, DMARC and DNNSSEC correctly configured on every domain?
- Is there a valid TLS certificate on every domain and redirect?
- Is the portfolio free from HTTP 400-series response codes such as “no name server or response found?”
- Are all resource records checked for orphaned settings that point to unmanaged servers?
- Is there a tamper-proof record of change activity for each domain and DNS setting?
The absolute necessity of knowing the real-time status of every domain, DNS record and security setting in an organization’s portfolio reveals another painful issue for domain managers: Total Cost of Ownership. Businesses are tempted to define domain portfolio management costs as registration and renewal fees only. This thinking dramatically understates the true cost of operating these strategic digital assets. Accurate domain management costing must reflect the total annual staff labor inputs to domain, DNS and security management. Companies that fail to conduct periodic audits are understating the true cost of maintaining a secure domain portfolio and DNS footprint. Those that do run audits are burdened with costly resource deployments that often fail to accurately assess the portfolio’s condition in real time. The result is that the Total Cost of Ownership to manage domain portfolios and DNS infrastructure has grown substantially over the past two decades.
Organizations that take the time to fully and accurately tally the total cost of owning and operating a large domain portfolio often conclude that the biggest drain on their operating line is manual labor expended through the domain lifecycle. As enterprise digital footprints continue to expand, the allocation of human resource costs to ensure a secure digital footprint can only be mitigated with integrated domain/DNS management or automated software tools to reduce manual labor.
In summary, ongoing governance and compliance for large domain portfolios and the related DNS infrastructure is a painful exercise, rife with unmeasured costs in resource expenditure. The flipside of high costs of management, i.e. failure to execute essential tasks such as domain/DNS audits, saves apparent costs while putting the organization at unacceptable security risk.