The IT Director is the one who receives the stress-inducing, “Critical”, “Urgent”, “ASAP”, “Priority 1”, “Production Critical”, “Revenue Impacting”, or “Brand Damaging” emails at all hours from the NOC because of a domain-related issue.
Then the Director wakes up the team and forces them to fix an issue that should never have happened. Then they all sit on the emergency call while trying to figure out how to access the domain or DNS to resolve the problem.
Something is wrong here; we have known it for years but never acted. Our manual processes for managing domains, DNS, and certificates in Excel, combined with management by committee, are not working. It is more than not working; it impacts the business and drives employee fatigue. The pain symptoms are clear:
1 → Loss of a Domain
We often fail at the simplest of tasks, renewing a domain name, because:
- We had no visibility into the domain’s use,
- We thought it was not part of our production services infrastructure,
- A team member failed to click a button,
- An email warning was missed in the noise of other registrar emails,
- Or no one updated an expired credit card.
2 → DNS Hijack Risk
We are exposed to this hijack risk:
- Many domains reside in registrar and DNS services with no change monitor.
- We have little visibility into our live zones.
- We do not have visibility into orphaned IPs or dangling CNAMEs.
- We do not enforce DNSSEC as a security policy.
- We use various registrars without any change controls.
3 → No Change Management
We have no idea WHO changed WHAT, WHEN on most of our domains. Our team members make edits to the DNS constantly. Any of those edits can expose the business to risk through errors and omissions, either today or down the road when the DNS record no longer maps to live web resources we control.
4 → No Access Controls
We do not even know who might have access to many of our domains and DNS systems. With personnel turnover and outsourced IT management, it is a black hole. With multiple siloed registrar and DNS systems in use, we have simply lost control of who has access and cannot restrict access permissions to read-only, edit DNS, or edit WHOIS. Combined with no change management history, we are asking for trouble.
5 → Certificates Expire Randomly
Due to our siloed operations and systems, with many people (who turn over) and many Certificate Authorities, we miss some renewals. It is painful and embarrassing, as it exposes our team.
We catch most because our people are diligent, but this reliance on humans to pay attention inevitably results in periodic certificate expirations.
6 → Multiple Siloed Systems
We have domains at various registrars and even more DNS providers. While we tightly control the handful of core domains, we have hundreds of domains registered by multiple groups across the company.
Without a single pane of glass control system, it is impossible to know that we are not exposed, or to manage our assets effectively.
7 → Wasted IT Resource Time
We are constantly chasing down domain issues. The first question is always, "Who has access to this one?" Then it goes on: what is live, and should it be live? Doing an inventory audit is anything but simple. Changing a WHOIS record, or some other five-minute task, is always a pain that creates work and wastes valuable IT resource time.
8 → No DNS Security Policy
A DNS security policy defines the records and configuration of every DNS zone file. A policy would include specifications related to SPF, DMARC, DNSSEC and HTTPS-only redirects, as well as our WHOIS information. We do not have to worry about enforcing a DNS security policy because we do not have a DNS security policy.
9 → A defined DNS Security Policy would not matter
Even if we had a DNS security policy, we do not have a control or vulnerability audit system that automates discovery to ensure compliance. Without a single pane of glass system, we would have to add headcount to keep us compliant, and you know there is no budget for more IT headcount.
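To make the idea of an automated policy audit concrete, here is an added example (not Authentic Web's code or product) that checks zone records against a small policy covering SPF, DMARC, DNSSEC and dangling CNAMEs. The zone data, the `LIVE_TARGETS` inventory, the finding names and the policy thresholds are all constructed assumptions; a real audit would pull records from each registrar and DNS provider.

```python
# Added example: audit zone records against a minimal DNS security policy.
# Assumed policy: one SPF record ending in -all/~all, DMARC p=quarantine|reject,
# a DNSKEY in the zone (simplified proxy for DNSSEC), no CNAME to unowned targets.

ZONES = {  # constructed sample data using reserved example domains
    "example.com": [
        ("@", "TXT", "v=spf1 include:_spf.example.net -all"),
        ("_dmarc", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        ("@", "DNSKEY", "257 3 13 <constructed-key>"),
        ("www", "CNAME", "app.cdn.example.net."),
    ],
    "example.org": [
        ("@", "TXT", "v=spf1 +all"),
        ("_dmarc", "TXT", "v=DMARC1; p=none"),
        ("promo", "CNAME", "old-campaign.hosting.example.net."),
    ],
}
LIVE_TARGETS = {"app.cdn.example.net."}  # assumed inventory of targets we control

def dmarc_policy(value):
    """Return the p= tag of a DMARC record, or None if absent."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip().lower()
    return tags.get("p")

def audit_zone(records, live_targets):
    """Return a list of policy findings for one zone (empty list = compliant)."""
    findings = []
    spf = [v for n, t, v in records
           if (n, t) == ("@", "TXT") and v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("spf-missing-or-duplicate")
    elif spf[0].split()[-1].lower() not in ("-all", "~all"):
        findings.append("spf-permissive")
    dmarc = [v for n, t, v in records
             if (n, t) == ("_dmarc", "TXT") and v.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    elif dmarc_policy(dmarc[0]) not in ("quarantine", "reject"):
        findings.append("dmarc-not-enforced")
    if not any(t == "DNSKEY" for _, t, _ in records):
        findings.append("dnssec-unsigned")
    for n, t, v in records:
        if t == "CNAME" and v.lower() not in live_targets:
            findings.append(f"dangling-cname:{n}")
    return findings

if __name__ == "__main__":
    for zone, recs in ZONES.items():
        print(zone, audit_zone(recs, LIVE_TARGETS) or "compliant")
```
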
10 → Excel is our Technology to Manage Domains
We manage domains in Excel and cross our fingers. Enough said!
We know this is very 1999, but we have never implemented a modernization program or even found a technology platform that brings everything together, with the functions we need to manage domains, related DNS zone files and certificates in a single pane of glass view.
The root of the problem?
There is no centralized single pane of glass system and internal ownership to manage this area.
We have teams that manage different parts of our DNS ecosystem. Stakeholders include IT, Infrastructure, InfoSec, DevOps, and of course, shadow IT across several business units.
On the business side, stakeholders include the product, digital and IP teams. Everyone needs domains, but no one owns them to ensure they’re managed using best practices.
If these symptoms and conditions of dated business processes for managing domains, DNS and certificates are familiar to you, then your foundation is built on hope. You will experience an outage; you have likely already had incidents that show the need to rethink and modernize. We keep talking about fixing it, but nothing ever happens. Now, with the DNS threat landscape expanding and the digital surface area on the DNS growing, it is time to act.
2023 will be the year you finally address the chronic pain.
Authentic Web offers a single pane of glass system designed to empower teams and make it painless. Contact us to learn how easy consolidating your domains, DNS, and certificates is. Make it a priority to get and keep control.