Business Process Improvements Can Solve the Problem

IT Processes for Domain & DNS Management are Broken

Business Process Management and Improvement (BPM/I) can easily deliver organizations efficiency gains and operational cost savings between 15% and 50%. The measure of improvement depends on the degree to which existing business processes need an overhaul. In addition to cost benefits there are several reasons why BPM/I is required.

IT processes for corporate domain and DNS management are definitely an opportunity rich environment for improvement. IT is the most burdened of all stakeholder groups in the long, domain management lifecycle. Every domain in an organization’s portfolio of digital assets ends up with network operations and IT security to be managed in perpetuity. Domain and DNS management processes have become increasingly complex and painful over the years. Three factors are making the IT domain management job more difficult:

  1. Decades of enterprise shift to digital operations and cloudification have greatly expanded the number of domains and the complexity of the digital services that DNS resource records support. IT manages it all.
  2. The domain landscape is vastly more complex: The Internet started with a handful of Top-Level Domains: .com, .org,. .net…Today, there are more than 1,000 TLDs, not including Brand TLDs.
  3. The globally available DNS is under unprecedented attack. Woefully under-engineered for security, the DNS has become a leading enterprise security risk.

Managing this daunting environment and establishing/maintaining security relies on a myriad of IT procedures and processes. Individual steps number in the hundreds, made more complicated by systems that don’t integrate, teams that operate in silos, and multiple external vendors whose protocols often don’t comply with best practices. Examples of suboptimal, if not entirely broken manual processes abound.

Orphaned Domains and DNS Zone File Records

Orphaned Domains and DNS Zone File Records

Errors and omissions account for most organizations having scores of forgotten legacy domains, subdomains and expired CNAME records. These are catnip for malicious parties who easily detect and appropriate orphaned records for abuse. Microsoft, Starbucks, Mastercard, Hilton International, and hundreds of other global brands have fallen victim to the results of the process failure.

TLS Certificate Failures

TLS Certificate Failures

Encrypted online transactions are essential to enterprise and customer security. Audits reveal that significant numbers of enterprise domains and re-direct domains are not encrypted end to end. It’s understandable given that a single TLS certificate renewal requires 16 exacting process steps, most of which are executed manually.

Domain Name Security Extensions (DNSSEC)

Domain Name Security Extensions (DNSSEC)

DNSSEC is an essential measure to prevent DNS data interception and forgery such as cache poisoning. The process challenge is that DNSSEC requires a Chain of Trust involving multiple parties, any of which can fail. DNS signing keys, the cryptographic backbone of DNS security, roll-over annually and are frequently forgotten or misconfigured by organizations. Process errors typically result in large percentages of corporate domains failing in DNSSEC coverage, despite IT believing them to be fine.

Why Process Improvement is Essential to Corporate Domain Management

Domain and DNS management requires large teams of individuals to coordinate process actions. Organizations typically have hundreds to thousands of domains, each with a few to a few hundred unique zone file settings (resource records), overlapped by several, complex security protocols including DNSSEC, DMARC, SPF, and HTTPS encryption (TLS certificates).

The myriad processes required to manage this are not a one-time endeavor.

The myriad processes required to manage this are not a one-time endeavor. Domains and the DNS are a dynamic, ever-changing environment, made more troublesome by external vendors such as domain registrars and managed DNS providers. It is truly the devil’s playground both for internal errors and external exploits. Malicious parties who can’t easily breach corporate networks try their domain registrars instead to back-door in. They often succeed. Security agencies agree that the DNS is a leading global source of security threat to governments, organizations and service providers.

How to Improve IT Process in Domain and DNS Management

When dozens of staff members in siloed departments repeat operations with scores of discretionary steps – all manually done and lacking audit trails – bad things are bound to happen. Audits of enterprise domain operations confirm this to be the case.

Basic process improvements can transform domain management.

1. Consolidate Domain Registrars and Managed DNS Services

It’s much easier to manage process with fewer players. Selecting a single registrar and DNS provider with an automated, secondary DNS network unifies security on a consistent compliance standard including 2FA or SSO. Orphaned domains and unexpired DNS settings are easier to spot and rectify.

2. Establish Role-based, Permissioned Access to Change Management

It’s shocking to see how much access many individuals can have in an operation, unrecorded, unchecked, and undetected. Domain and DNS administration should be strictly limited, monitored, and logged. This can be difficult if managed manually. Ideally, an automated change management system with managed, secure access, should facilitate the business rules and process steps an organization decides to implement.

3. Audits, Logs, and Digest Alerts

Audits, Logs, and Digest Alerts

Domain and DNS management presents so much scope and latitude for error (with extreme potential downside) it makes perfect sense that change management should be monitored in real-time. Processes, or better yet, systems, need to log all network actions, alert a second-tier operating authority via email digest alerts or other means, and self-audit configurations and settings. It’s unfair to burden individual staff members with this responsibility when tamper-proof systems can manage the process automatically.

4. Process Efficiency Reduces Total Cost of Ownership

Process Efficiency Reduces Total Cost of Ownership

A typical, large digital asset portfolio has a massive cost when management, maintenance, security and compliance is correctly valued and applied. Repetitive, redundant, error-prone, human-operated processes are inefficient, ineffective, and cost too much. 

Simple process improvement examples can easily reduce the total cost of domain and DNS ownership by 30% to 50%:

  • Create “service templates” for repeat DNS configuration examples. Defaulting to pre-set zone file and security settings eliminates effort and errors
  • Automate security settings such as DNSSEC, TLS certificates, DMARC and SPF. Forced compliance reduces errors of omission and non-compliant domains
  • Have tamper-proof logs of network changes, with alerts to a 2nd-tier authority. Standardize a DNS audit process such that all zone files can be seen in real-time, anytime, with flags on non-compliant domains and DNS settings

The main challenge to executing these process improvements is an almost universal lack of systems specifically designed to automate and monitor the repetitive, error-prone and effort-burdened steps to managing the domain lifecycle. “Systems” for most organization means chain email threads, Intranet forms, central ticketing, SharePoint, and Excel spreadsheets. The problem is, domain and DNS lifecycle management is a long-term, complex, end-to-end series of processes demanding a single, unified, and integrated view.

Our 4th and final article posting in January explores new ways to automate inefficient domain management processes with a systems-based approach. Have a safe and enjoyable holiday!