Business Process Management and Improvement (BPM/I) can easily deliver organizations efficiency gains and operational cost savings between 15% and 50%. The measure of improvement depends on the degree to which existing business processes need an overhaul. In addition to cost benefits there are several reasons why BPM/I is required.
IT processes for corporate domain and DNS management are an opportunity-rich environment for improvement. IT is the most burdened of all stakeholder groups in the long domain management lifecycle. Every domain in an organization’s portfolio of digital assets ends up with network operations and IT security to be managed in perpetuity. Domain and DNS management processes have become increasingly complex and painful over the years. Three factors are making the IT domain management job more difficult:
Managing this daunting environment and establishing and maintaining security relies on a myriad of IT procedures and processes. Individual steps number in the hundreds, made more complicated by systems that don’t integrate, teams that operate in silos, and multiple external vendors whose protocols often don’t comply with best practices. Examples of suboptimal, if not entirely broken, manual processes abound.
Errors and omissions leave most organizations with scores of forgotten legacy domains, subdomains and stale CNAME records. These are catnip for malicious parties, who easily detect and appropriate orphaned records for abuse. Microsoft, Starbucks, Mastercard, Hilton International, and hundreds of other global brands have fallen victim to the results of this process failure.
Encrypted online transactions are essential to enterprise and customer security. Audits reveal that significant numbers of enterprise domains and redirect domains are not encrypted end to end. It’s understandable given that a single TLS certificate renewal requires 16 exacting process steps, most of which are executed manually.
DNSSEC is an essential measure to prevent DNS data interception and forgery such as cache poisoning. The process challenge is that DNSSEC requires a chain of trust involving multiple parties, any of which can fail. DNS signing keys, the cryptographic backbone of DNS security, are rolled over annually and are frequently forgotten or misconfigured by organizations. Process errors typically leave large percentages of corporate domains failing DNSSEC coverage checks, despite IT believing them to be fine.
Domain and DNS management requires large teams of individuals to coordinate process actions. Organizations typically have hundreds to thousands of domains, each with a few to a few hundred unique zone file settings (resource records), overlapped by several, complex security protocols including DNSSEC, DMARC, SPF, and HTTPS encryption (TLS certificates).
The myriad processes required to manage this are not a one-time endeavor. Domains and the DNS are a dynamic, ever-changing environment, made more troublesome by external vendors such as domain registrars and managed DNS providers. It is truly the devil’s playground, both for internal errors and external exploits. Malicious parties who can’t easily breach corporate networks instead target their domain registrars as a back door. They often succeed. Security agencies agree that the DNS is a leading global source of security threats to governments, organizations and service providers.
When dozens of staff members in siloed departments repeat operations with scores of discretionary steps – all manually done and lacking audit trails – bad things are bound to happen. Audits of enterprise domain operations confirm this to be the case.
Basic process improvements can transform domain management.
It’s much easier to manage a process with fewer players. Selecting a single registrar and DNS provider with an automated secondary DNS network unifies security on a consistent compliance standard, including 2FA or SSO. Orphaned domains and stale DNS settings are easier to spot and rectify.
It’s shocking to see how much access many individuals can have in an operation, unrecorded, unchecked, and undetected. Domain and DNS administration should be strictly limited, monitored, and logged. This is difficult to do manually. Ideally, an automated change management system with managed, secure access should enforce the business rules and process steps an organization decides to implement.
Domain and DNS management presents so much scope and latitude for error (with extreme potential downside) that change management should be monitored in real time. Processes, or better yet systems, need to log all network actions, alert a second-tier operating authority via email digest alerts or other means, and self-audit configurations and settings. It’s unfair to burden individual staff members with this responsibility when tamper-proof systems can manage the process automatically.
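As an added example (not code from the original article), here is a minimal self-audit of the kind just described, run over constructed zone records: it flags CNAME records whose target no longer resolves, the orphaned records discussed earlier, and RRSIG signatures that have expired or are about to expire, the usual symptom of a forgotten re-signing or key rollover. The resolver is a stand-in lookup table, and every name, date and record is constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone data for this example; not from any real organization.
SAMPLE_ZONE = """\
www.example.com.    3600 IN CNAME example.com.
promo.example.com.  3600 IN CNAME promo-2019.hosting-provider.example.
shop.example.com.   3600 IN CNAME shop.example.com.edge-cdn.example.
example.com.        3600 IN RRSIG A 13 2 3600 20240115000000 20240101000000 12345 example.com. c2lnbmF0dXJl
example.com.        3600 IN RRSIG MX 13 2 3600 20250101000000 20240101000000 12345 example.com. c2lnbmF0dXJl
"""

# Stand-in for a resolver (assumption): the set of names that still resolve.
# A real audit would query DNS and treat NXDOMAIN targets as dangling.
RESOLVABLE = {"example.com.", "shop.example.com.edge-cdn.example."}

RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG expiration/inception timestamp format (UTC)

def parse_records(zone_text):
    """Yield (owner, rtype, rdata_fields) for each record line in the zone."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        yield fields[0], fields[3], fields[4:]

def find_dangling_cnames(zone_text, resolves):
    """Return (owner, target) for CNAMEs whose target no longer resolves."""
    return [(owner, rdata[0]) for owner, rtype, rdata in parse_records(zone_text)
            if rtype == "CNAME" and not resolves(rdata[0])]

def find_expiring_rrsigs(zone_text, now, warn_days=30):
    """Return (owner, type_covered, already_expired) for RRSIGs expiring soon."""
    horizon = now + timedelta(days=warn_days)
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype != "RRSIG":
            continue
        expires = datetime.strptime(rdata[4], RRSIG_TIME).replace(tzinfo=timezone.utc)
        if expires <= horizon:
            findings.append((owner, rdata[0], expires <= now))
    return findings

def run_sample_audit():
    """Audit the constructed zone with a fixed clock so results are reproducible."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    return {"dangling_cnames": find_dangling_cnames(SAMPLE_ZONE, RESOLVABLE.__contains__),
            "rrsig_warnings": find_expiring_rrsigs(SAMPLE_ZONE, now)}

if __name__ == "__main__":
    for kind, items in run_sample_audit().items():
        print(kind, items)
```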
A typical, large digital asset portfolio has a massive cost when management, maintenance, security and compliance are correctly valued and applied. Repetitive, redundant, error-prone, human-operated processes are inefficient, ineffective, and cost too much.
Simple process improvement examples can easily reduce the total cost of domain and DNS ownership by 30% to 50%:
The main challenge to executing these process improvements is an almost universal lack of systems specifically designed to automate and monitor the repetitive, error-prone and effort-burdened steps of managing the domain lifecycle. “Systems” for most organizations means chain email threads, intranet forms, central ticketing, SharePoint, and Excel spreadsheets. The problem is that domain and DNS lifecycle management is a long-term, complex, end-to-end series of processes demanding a single, unified, and integrated view.