Managing the domain lifecycle is painful for organizations.
Domains are touched by numerous internal stakeholders yet few, if any, owners. Originators request and register domains – by the hundreds – that accumulate in over-sized portfolios. Subdomains and redirection domains expand the corporate digital footprint to the point where the original domain purpose is often forgotten.
IT staff are burdened with managing every domain, its DNS zone file, its TLS certificates and a necessary array of security measures including DMARC, SPF and DNSSEC. This is a labor-intensive task, unsupported by automated tools, and it must be maintained over a period of years. Most organizations fail domain/DNS security audits miserably. HTTP error codes, missing TLS certificates on redirects and the absence of DNSSEC, SPF and DMARC are common issues.
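The audit failures listed above are the kind that can be checked mechanically. The following is an added example, not code from the original article or from any vendor it describes: a small posture checker for SPF and DMARC records that flags the weak settings an audit would report (no record at all, more than one SPF record, more than 10 DNS-lookup mechanisms, a permissive `+all`, a monitor-only `p=none`, no aggregate-report address). It runs offline against a constructed table of TXT records for fictional names; in practice the same functions would be fed the results of a real TXT query for each domain in the portfolio.

```python
"""Constructed SPF/DMARC posture checks (added example, not the article's own tooling)."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed sample data: maps a DNS name to its TXT values. None of these are real domains.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    # A deliberately weak record: 11 include lookups (over the RFC 7208 limit) and "+all".
    "weak.example": ["v=spf1 " + " ".join(f"include:mail{i}.example" for i in range(11)) + " +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # A neglected domain with no email-authentication records at all.
    "orphan.example": [],
}

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    domain: str
    severity: str  # "high" | "medium" | "low"
    message: str


def lookup_txt(name: str, txt_table: dict[str, list[str]]) -> list[str]:
    """Stand-in for a DNS TXT query; reads from the constructed table."""
    return txt_table.get(name, [])


def _mechanism(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism/modifier name."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]


def audit_spf(domain: str, txt_table: dict[str, list[str]]) -> list[Finding]:
    findings: list[Finding] = []
    records = [r for r in lookup_txt(domain, txt_table) if r.lower().startswith("v=spf1")]
    if not records:
        return [Finding(domain, "high", "no SPF record published")]
    if len(records) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error for receivers.
        findings.append(Finding(domain, "high", "multiple SPF records (permerror for receivers)"))
    terms = records[0].split()[1:]
    lookups = sum(1 for t in terms if _mechanism(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        # RFC 7208 section 4.6.4: evaluation must fail after 10 DNS-querying mechanisms.
        findings.append(Finding(domain, "high", f"{lookups} lookup mechanisms exceeds the limit of 10"))
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append(Finding(domain, "medium", "no 'all' mechanism; unmatched senders are neutral"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(Finding(domain, "high", f"'{all_term}' lets any host send as this domain"))
        elif qualifier == "~":
            findings.append(Finding(domain, "low", "'~all' softfail; consider '-all' once sources are known"))
    return findings


def audit_dmarc(domain: str, txt_table: dict[str, list[str]]) -> list[Finding]:
    findings: list[Finding] = []
    records = [r for r in lookup_txt(f"_dmarc.{domain}", txt_table) if r.lower().startswith("v=dmarc1")]
    if not records:
        return [Finding(domain, "high", "no DMARC record published")]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding(domain, "high", "DMARC record lacks the required p= tag"))
    elif policy.lower() == "none":
        findings.append(Finding(domain, "medium", "p=none is monitor-only; spoofed mail is still delivered"))
    if "rua" not in tags:
        findings.append(Finding(domain, "low", "no rua= address; aggregate reports are not collected"))
    if tags.get("pct", "100") != "100":
        findings.append(Finding(domain, "low", f"policy applied to only pct={tags['pct']} of mail"))
    return findings


def audit_domain(domain: str, txt_table: dict[str, list[str]]) -> list[Finding]:
    return audit_spf(domain, txt_table) + audit_dmarc(domain, txt_table)


def worst_severity(findings: list[Finding]) -> str:
    """Summarise a finding list as its highest severity, or 'ok' when there are none."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="ok")


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "orphan.example"):
        results = audit_domain(name, SAMPLE_TXT)
        print(f"{name}: {worst_severity(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

The checker only reads records, so it is safe to run continuously against the whole portfolio; the useful design choice is that each rule maps to a specific RFC 7208 or DMARC requirement, which makes the resulting report defensible in an audit and gives the remediation step directly.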
Overhanging the pain of internal domain management is a highly fragmented and non-integrated vendor landscape, exacerbated by redundant, multi-vendor choices made by organizations. Companies routinely use more than one domain registrar, each with its own password security regime. Some offer MFA and SSO support. All too many still operate via email and call-center access, which is easily spoofed by unauthorized parties. These same organizations often use multiple managed DNS service providers. Because vendors’ domain and DNS administration systems are not integrated, malicious actors find it easy to identify orphaned domains or neglected DNS settings and appropriate them for misuse, unbeknownst to enterprise IT or InfoSec teams. They will even activate a fraudulent TLS certificate on a hijacked domain using the domain owner’s organization-validated name for credibility.
Managing the domain lifecycle in these circumstances is inefficient and labor-intensive, which drives an unnecessarily high Total Cost of Ownership for domain portfolios. With so many parties in the stakeholder mix (digital marketing, executive management, brand protection attorneys, IT, network security and others) often operating in silos, governance and ongoing compliance are lacking.
To address the situation, many organizations adopt a variety of process initiatives, such as a documented procedure for registering and managing domains. Some partially automate the process with a SharePoint front-end or intranet application for domain ordering, or a unified ticketing application for submitting change requests to IT. Others simply outsource domain management to a professional services firm.
These measures fall far short of what is needed to run a domain and DNS operation that is secure, compliant and low in cost of ownership. The domain management lifecycle spans multiple stakeholder roles over years of domain ownership. Only an end-to-end automated change management system can reliably establish visibility and control over every domain an organization has, plus the associated DNS configurations (that is, zone files), TLS certificates and DNS security settings.
An automated change management system should anchor to a single, enterprise-grade domain registrar. The registrar will offer no consumer, retail or small business services, and especially no easily compromised call-center support. Access to change management must be hierarchically permissioned by approved role and secured with MFA or SSO. The system must keep a tamper-proof audit log of every change by user. Changes should automatically be communicated to designated management via alerts. Most importantly, the change management system must provide a fully integrated “single pane of glass” view of not only the domain portfolio, but all ancillary services: DNS values, TLS certificates, and all DNS security settings.
With visibility and change management over all domain-related operations under a single control hub, domain lifecycle management becomes pain-free. Compliance is automatically enforced via a rules-based system, eliminating human error. Error detection and automatic remediation reduce labor while ensuring flawless domain and DNS operations. System-generated reports such as DNS traffic by domain can help management identify unnecessary domains and reduce overall portfolio size.
The domain lifecycle is a complex business management process involving multiple, siloed stakeholders and a fragmented, non-integrated vendor ecosystem. It is surrounded by actively hostile players adept at hijacking domains and DNS settings, causing immeasurable harm to global brands and their customers. Relying upon manual processes to manage the domain lifecycle is not only painful for staff; it is costly, non-compliant and open to security risks. Only a modern change management system, purpose-built for the complex and evolving domain and DNS environment, can deliver what the digital organization needs to be efficient, secure and pain-free.