A Complete Business Process Guide to Improving Domain and DNS Management
Visibility, Control, and Automation over Domains, DNS, and TLS Certificates
Enterprise DNS Security is at Risk
Enterprise domain and DNS management is flawed and risk-exposed in almost all large organizations. Stakeholders in IT, marketing, infrastructure, legal, and digital operations recognize that lack of control, visibility, and automation in legacy practices creates exposure. Private and public cyber-security authorities warn of known DNS network security risks. Domain and DNS hijacking, certificate compromises, appropriation of DNS controls, DNS cache poisoning, and other forms of DNS tampering are on the rise.
The Problem is Process
Domain, DNS, and certificate management problems are a direct result of manual processes throughout the end-to-end domain journey. Beginning with an initial corporate domain request, multiple processes are launched that are manual, error-prone, and costly in staff resource effort. Approval steps, DNS network and certificate provisioning, change management, governance and security maintenance typically rely on outmoded manual processes. Multiple stakeholders in the organization must execute scores of process steps on each domain and DNS zone file over its lifecycle. With corporate portfolios of hundreds to thousands of domains, errors and omissions over the domain management lifecycle make security vulnerabilities a certainty.
Security Exposure Evidence
Domain and DNS security exposure is not a theoretical idea. Hard evidence in the form of DNS network audits conducted by the authors of this article, bolstered by independent 3rd party digital security research firms, confirms that domains and DNS networks are exposed. Forensic tests conclude that large percentages of corporate domains commonly have the following issues:
- Lack Start of Authority (SoA), making them easy to appropriate for use
- Orphaned resource records pointing to IPs no longer under IT control
- TLS encryption missing on redirecting domains
- Domains lacking correct DMARC and SPF records
- DNSSEC showing as “signed” yet non-compliant due to expired DSKEYS
- Domains across multiple registrars without consistent password access controls
- Multiple DNS service vendors making change management and security compliance difficult
- Lack of secondary DNS subjecting the organization network DDOS risk.
Targeted industries such as finance, healthcare, insurance, telecommunications, tourism, supply-chain dependent manufacturers, and government need to be especially vigilant in managing their domain and related DNS networks. Audit evidence shows they are exposed.
Large Enterprise Domain, DNS, and Certificate Management Process
Small businesses or those with only a few domains don’t have to worry much about domain management process. Their DNS networks are uncomplicated and relatively easy to monitor. Large enterprises with strategic digital asset portfolios are entirely different:
- The organization owns hundreds or thousands of domains
- Acquisitions lead to multiple domain registrars and managed DNS providers being in use
- Password management protocols differ across vendors: i.e.: 2FA or SSO
- Digital presence creates hundreds of redirects and subdomains
- DNS zone file resource records on the portfolio number in the thousands, managed in a constant state of change
- DNS security settings such as DMARC, SPF, and DMARC are much harder to manage at scale with manual processes
Many stakeholders manage the corporate domain process across multiple, siloed departments. Single-point accountability for the end-to-end domain management lifecycle is often missing. New domain requests pass through many layers of approval before going to IT network operations for setup. DNS security may be another team entirely. Hundreds of domains with live DNS records renew year over year, many of which have become forgotten. These “orphaned domains” and their associated DNS records are especially vulnerable to compromise.
The Importance (and lack) of Domain Management Workflow Process
The step-by-step processes for managing even a single domain in a large organization are complex and extensive. Large domain portfolios managed by multiple stakeholders across several departments demand effective, repeatable process, change management workflow, and audit records. Without these process basics, domain portfolios and their associated DNS networks are inevitably exposed to security risks.
Primary Research Confirms the Exposure
Interviews confirm that large organizations typically lack a systematic workflow process for domains and DNS management. Organizations admit that their domain and DNS management processes are informal and manual. Without structured, systems-based, auditable records for domain change management, errors and omissions are inevitable, especially over the long lifecycle of unmanaged domains.
Organizations have rules and procedures for most IT operations, but domain and DNS change management is often handled via email communications and Excel spreadsheet lists of domains, passed between stakeholders. Some organizations partially automate workflow with centralized ticketing, or SharePoint applications. These systems can be time-consuming to create and manage. They’re often fragmented and lack change management audit capabilities. Internally created workflow systems typically lack integration between the domain registration process and DNS provisioning.
Three simple questions can test your organization’s DNS infrastructure controls.
Organizations admit that their internal accountability for domains isn’t clear. Without ownership and accountability, domains and DNS are left unmanaged. Domain portfolios tend to grow, and old domains are rarely culled. Legacy domains can become unnecessary over time along with their associated DNS zone file resource records. DNS security settings for these domains ( DNSSEC, DMARC, SPF, and TLS certificates on redirections) are frequently broken or missing altogether.
The Weakest Link: The Domain and DNS Vendor Supply Chain
Internal process management for domains and the DNS is difficult. Having multiple vendors makes it worse. Many organizations have more than one domain registrar; often the result corporate acquisitions. Having dozens of active, managed DNS services is even more common. Managing effective process over a fragmented domain and DNS supply chain presents other risks:
- Password and access controls are inconsistent: Some support 2FA & SSO – others do not
- Not all managed DNS services support DNSSEC
- Most registrars lack integrated controls to manage zones on preferred DNS networks
- Security policy implementation and compliance is practically impossible
- Human resource costs and constraints create operational inefficiencies
- Change management controls over multiple vendors is difficult
- Internal vendor ownership operating in silos makes oversight difficult
Audits Alone Cannot Solve the Problem
Business stakeholders and network security teams know that domain portfolios and the associated DNS network require ongoing governance and compliance controls. The solution usually implemented is a periodic audit of all domains, DNS zone files, and security settings. Audits are laborious, costly, and rarely establish compliance confidence.
- Domain portfolios and DNS networks are dynamic, ever-changing across multiple registrars and managed DNS providers – any audit is simply a point in time snapshot, rather than a real-time, current assessment
- Most audits are manual, lacking the IT forensic tools to accurately view HTTP status codes on thousands of zone files residing on large server networks
Audits don’t work as a standalone, point in time activity. Only real-time, ongoing processes can effectively establish and maintain control over a dynamic domain/DNS environment. Lacking system-based, automated processes, most domain and DNS audits fail to complete due to the effort required.
Manual Domain and DNS Processes Perpetuate Three Problems
Inefficient, manual processes for registering domains and managing the DNS network has three problems, confirmed by organizations that have evaluated their internal processes:
1. Team Performance is Lacking
Organizations in the digital age demand agility. Change management process to register and set up new domains or change DNS settings should take minutes – not hours or days. Few organizations dare accelerate manual processes for fear of making mistakes. They tolerate cumbersome, manual processes as necessary evils. Domain and DNS reports take forever to generate, tying up costly staff resources. Comprehensive, real-time analyses of domain portfolios and DNS networks typically aren’t feasible with manual processes.
2. Costs are High
Manual processes for domains, DNS, and TLS certificate management are resource intensive and costly. As portfolios increase in size, the cost of manual processes is growing. Renewing a single TLS certificate on a domain requires 16 steps. Implementing and managing essential DNS security such as DNSSEC is also dependent on high-cost, manual processes. Busy network administrators lack the time and tools to manage domains and DNS settings. It’s increasingly costly as domain portfolios and DNS threats increase.
3. Security is Weak
DNS networks powering today’s digital enterprise are managed by specialized DNS experts who lack the time and tools to continually monitor cumbersome legacy systems. Public DNS networks are a prime target for bad actors who are able to search out, identify, and exploit organizations’ DNS-related security holes. Best practices and standards, such as DNSSEC, SPF, DMARC, and other DNS hygiene measures can effectively mitigate DNS security risks. Managing these tasks is cost-prohibitive because processes are manual and staff resources are limited and costly. DNS security audits confirm that virtually every organization has identifiable weak points throughout their DNS networks including missing end to end encryption, expired DSKEYS, misconfigured DMARC and SPF, and orphaned DNS records.
Why does the Problem Persist?
Domain, DNS, and certificate management processes are largely unchanged since the explosive growth of domain portfolios in the 1990s. Change management requests are often initiated by email and executed via disparate, non-integrated registrar/DNS administrative portals. DNS settings and security are administered by skilled, costly, and overburdened IT staff resources, unaided by automated tools. Ongoing governance and security compliance are left to periodic audits, powered by Excel, and often incomplete. It is difficult for IT staff to get and keep control of the DNS footprint without systems to efficiently manage the network.
Business Process Paradigm: Domain, DNS, and Certificate Control Systems
Effective and efficient business processes have best practices in common:
- Reduced process steps to eliminate redundant actions
- Templated, controlled change management procedures, eliminating human error
- System-enforced security policies that ensure end-to-end compliance
- Tamper-proof, system-based, self-auditing providing ongoing governance in real time
There are three best-practice system pillars to improve domain, DNS, and certificate management:
1. Integration of Domain Registration and DNS Management
Systems that provide necessary best-practice standards must start by integrating the domain registrar, managed DNS, and TLS certificate functions under a single point of control. When domains and the associated DNS networks are manageable under a single, secure, role-based access point, process steps reduce, visibility increases, security improves, and total cost of ownership declines.
2. Overlay of Workflow Process
Once disparate management functions are integrated under a unified control system, they can become error-free, repeatable steps. The domain and DNS management lifecycle involves multiple stakeholder roles and tasks. A workflow system assigns approved tasks to permission-based roles with easy-to-follow process steps. They follow the organization’s business rules and are easily templated. Workflow systems are fast, secure, and reduce error rates. They efficiently ensure uniformity of process, compliance with security policies, and retention of institutional knowledge.
3. Tamper-proof Audit History and Change Alerts
People following manual processes make mistakes. Effective change management systems provide transparency and fast, easy remediation. Costly and ineffective periodic audits designed to mitigate errors are replaced by real-time, automated monitoring of all domain and DNS-related change management. An automated control system monitors the status of every domain and DNS setting, captures and reports all changes in audit records, and provides change digest alerts to help teams remediate errors.
Problems Solved with a Single Pane of Glass Control System
Legacy Practice Obsolescence
The Domain, Managed DNS, and Certificate Authority service industries have been slow to provide badly needed best-practices solutions. The reason is legacy orientation. Registrars founded and grew exponentially from the 1990’s on a business model that emphasized selling more domains and, in some cases, serving enterprises with a Professional Services business model, i.e., billing their services for activity-based fees. Leading managed DNS services typically don’t offer domain registrar services. Certificate Authorities (CAs) just sell certificates.
These three related vendor categories and their respective business processes are highly interdependent. In the absence of industry-provided, integrated solutions, organizations have been obligated to manage as best they can with manual processes to control these three operational areas. Lacking packaged system offerings from the vendors, organizations have been challenged to invest the necessary time and capital to fully automate and integrate the complex processes of domain, DNS and TLS certificate management on their own.
The New Paradigm: Integration
Authentic Web Inc. is the first, and arguably the only provider to have solved the problem of integrating business critical domain, DNS, and certificate management functions together in one control system. Our vendor-agnostic approach provides a centralized control hub, integrating the key vendor management functions of domains, managed DNS, and TLS certificates. A single, unified system makes it easy for teams to address the increasing need to improve security and compliance control.
Business Process Improvement: Workflow
Workflow tailored to the needs of individual stakeholder roles permits the efficient execution of tasks based on job function and level. Business (domain) originators, management, and IT staff each have assigned roles according to their job function and organizational position. Every task has an assigned owner and provides a simple, step-by-step workflow to easily execute change over the domain lifecycle. When workflow is added to the integrated, single point control of domains, DNS, and TLS certificates, management tasks become streamlined, transparent, error-free and cost-reduced.
Business Process Improvement: Ease of Use
Change management functions offer ease, convenience, and secure transactions for all change management tasks. Numerous process steps are condensed under “service templates” or “one-click” functions making highly detailed and laborious processes including DNSSEC activation and TLS certificate renewals automatic and instantaneous. Simplicity and ease-of-use reduces the advanced skill levels and attendant high costs required to manage a large domain and DNS network.
Business Process Improvement: Security and Compliance
With a single point of control in place over domains, DNS and TLS certificates, change management compliance gaps are addressed. IT security teams can have single pane of glass visibility over their DNS security posture. This permits the enforcement of DNS security policies that has not been practically possible without a unified control system.
Enterprise domain, DNS and certificate process management is stuck in a 1990s paradigm. It’s an obsolete model, far behind the demands of modern digital transformation. Manual processes, siloed operations and systems, lack of integration, and legacy vendor business models are perpetuating TCO increases and network security risk.
Increasing enterprise data security regulations make systems-based modernization of domain and DNS management a near-term imperative.
Authentic Web’s DNAM solution addresses this need by delivering system components: integration, workflow, ease of use, change management, security, and compliance. Leading global brands have adopted DNAM as a next generation control system to solve difficult DNS network security and compliance management problems while reducing Total Cost of Ownership by 30% to 50%.
1. External Audit
Any organization recognizing the need to improve their domain, DNS, and TLS certificate management business processes should start with an external audit. It’s the fastest and easiest way to expose latent DNS network security issues. Authentic offers an APEX-level audit to bring visibility to the problem, form a baseline DNS analysis, and support a business case for modernization with zero resources required from you or your team.
2. DNAM System Demonstration
Contact us for a guided tour to see how our integration and workflow can transform your domain and DNS business processes. Ideal participants include business originators and approvers in digital operations, and their counterparts in IT network administration or IT security teams.
- You instinctively know the business has DNS management gaps and security exposures
- You are not sure where or what to do about it
- Your network and IT security teams are already maxed out and likely not equipped
- You are not alone. We help enterprise teams GET and KEEP their DNS secure. It starts with an audit.