Enterprise runs on process. Leading enterprises employ control systems to automate, measure and improve process. In any industry, thousands of processes form the basis for value delivered. Whether the timely processing of an insurance claim, the quality production of a manufactured item, or the effective delivery of internal IT services, process creates value. Processes involve multiple, predictable steps and cross-functional coordination between stakeholders over a defined lifecycle. A process can be short, such as a simple purchase-to-fulfillment process or a complex, long-term asset management process that spans years.
Corporate domain, DNS and TLS certificate management is a prime example of a complex, long-term lifecycle process in need of re-engineering. Key signs indicate to organizations that business process improvement is needed. They are:
Interviews with stakeholders in organizations with large domain portfolios reveal many of these issues. The domain lifecycle process typically starts with a business originator role that requests a new domain registration. New domains are a common requirement for new products, special marketing campaigns, or as a defensive means of protecting trademarks. Once a domain is registered, the long lifecycle of change management begins with many DNS edits and certificate management actions taken over a period of years.
Process gaps occur when the rules of conduct or business procedures fail to meet stakeholder expectations. Originators typically want speed of turnaround. Approvers, especially Legal, may insist upon more vs. less due diligence. Expectations on speed of service delivery for the new domain can conflict with approval requirements. All-too-common email ‘ping-pong’ communications exacerbate the gap in expectations and performance.
Ofttimes, too many stakeholders are involved. The originator requires approval from a line manager, who in turn reports to an executive. Domains can be strategic. The CMO may have a stake. The legal department must “OK” the IP consideration of the requested domain(s). A domain administrator weighs in on the hundreds of Top-level Domains (TLDs) that should be considered. Network operations and IT security may require pre-approval of the new domain’s planned setup and security configurations.
Running a new domain request through this stakeholders’ gauntlet is time-consuming, often relying on round-robin email threads as the originator tries to get the approvals in line with all considerations and configuration details addressed. Despite (and in many cases due to!) broad stakeholder input, errors, and omissions occur.
Audits of dozens of organizations with large domain portfolios reveal problems that trace directly to flaws in the domain originator and approval stage of the process. Long domain and DNS management lifecycles have exposed severe security flaws years after a domain is initially registered.
- Domains are inconsistently registered: differing TLDs, variable terms from one to ten years, lack of “registrar lock” to secure the domain
- Use of different domain registrars or inconsistent use of DNS services, access privileges or change management controls
- Inconsistent or missing use of DNS security parameters: SPF, DMARC, and DNSSEC
- Inconsistent application of encryption certificates including redirections
- Failure to document the intended future domain re-direct or expiry terms
The effects of these process issues are cumulative. Organizations build portfolios of hundreds, or thousands of domains over time. Originators and approvers turn over and the purpose of many domains is forgotten. For example, orphaned domains or subdomains represent a serious IT security risk that has plagued well-known global corporations. The infamous Spammy Bear attack appropriated thousands of orphaned domains for misuse from major brands in finance, travel, healthcare and other vulnerable sectors. Orphaned domains are common. They dangerously expose the organization to security risk, and yet are easily eliminated with basic process improvement steps.
Registration process problems in organizations create issues immediately and over the domain lifecycle that erode internal value and call for business process improvement. Organizations’ current processes are manual and require too many steps, often misunderstood by stakeholders, or neglected altogether. Stakeholder time is valuable and management by email thread is costly, inefficient and error prone.
Effective corporate domain management starts with an integrated change management system that incorporates permissioned stakeholder roles into a secure, auditable process with automated security compliance. A tamper-proof, collaborative change management system offers essential capabilities that improve flawed domain management processes. System controls reduce cycle times, eliminate errors and omissions, keep customer and company data safe, and reduce material cost in human resource time:
- Domain Originators and Approvers are defined as permissioned roles that initiate a repeatable workflow process
- Myriad domain setup choices (TLDs, expiry terms, WHOIS details, registrar features, DNS security settings), are easily templated to meet compliance standards
- Domain histories are automatically documented and archived for future ease-of-management by retaining institutional knowledge to mitigate security exposures
The front-end process to managing domains is critical because it sets the template for ongoing domain lifecycle management, which can be years, or decades multiplied by 100s or 1000s of domains. Domains are critical digital assets. When they are initiated and approved by email thread, and governed by Excel spreadsheet lists, they impose a lasting management burden on the organization in resource expenditure and enterprise security risk.