Enterprise DNS Security is at Risk

Enterprise domain and DNS management is flawed and risk-exposed in almost all large organizations. Stakeholders in IT, marketing, infrastructure, legal, and digital operations recognize that lack of control, visibility, and automation in legacy practices creates exposure. Private and public cyber-security authorities warn of known DNS network security risks. Domain and DNS hijacking, certificate compromises, appropriation of DNS controls, DNS cache poisoning, and other forms of DNS tampering are on the rise.

The Problem is Process

Domain, DNS, and certificate management problems are a direct result of manual processes throughout the end-to-end domain journey. Beginning with an initial corporate domain request, multiple processes are launched that are manual, error-prone, and costly in staff resource effort. Approval steps, DNS network and certificate provisioning, change management, governance and security maintenance typically rely on outmoded manual processes. Multiple stakeholders in the organization must execute scores of process steps on each domain and DNS zone file over its lifecycle. With corporate portfolios of hundreds to thousands of domains, errors and omissions over the domain management lifecycle make security vulnerabilities a certainty.

Security Exposure Evidence

Domain and DNS security exposure is not a theoretical idea. Hard evidence in the form of DNS network audits conducted by the authors of this article, bolstered by independent 3rd party digital security research firms, confirms that domains and DNS networks are exposed. Forensic tests conclude that large percentages of corporate domains commonly have the following issues:

  • Lack Start of Authority (SoA), making them easy to appropriate for use
  • Orphaned resource records pointing to IPs no longer under IT control
  • TLS encryption missing on redirecting domains
  • Domains lacking correct DMARC and SPF records
  • DNSSEC showing as “signed” yet non-compliant due to expired DSKEYS
  • Domains across multiple registrars without consistent password access controls
  • Multiple DNS service vendors making change management and security compliance difficult
  • Lack of secondary DNS subjecting the organization network DDOS risk
DNS Security Exposure Evidence

Targeted industries such as finance, healthcare, insurance, telecommunications, tourism, supply-chain dependent manufacturers, and government need to be especially vigilant in managing their domain and related DNS networks. Audit evidence shows they are exposed.

Large Enterprise Domain, DNS, and Certificate Management Process

Small businesses or those with only a few domains don’t have to worry much about domain management process. Their DNS networks are uncomplicated and relatively easy to monitor. Large enterprises with strategic digital asset portfolios are entirely different:

  • The organization owns hundreds or thousands of domains
  • Acquisitions lead to multiple domain registrars and managed DNS providers being in use
  • Password management protocols differ across vendors: i.e.: 2FA or SSO
  • Digital presence creates hundreds of redirects and subdomains
  • DNS zone file resource records on the portfolio number in the thousands, managed in a constant state of change
  • DNS security settings such as DMARC, SPF, and DMARC are much harder to manage at scale with manual processes

Many stakeholders manage the corporate domain process across multiple, siloed departments. Single-point accountability for the end-to-end domain management lifecycle is often missing. New domain requests pass through many layers of approval before going to IT network operations for setup. DNS security may be another team entirely. Hundreds of domains with live DNS records renew year over year, many of which have become forgotten. These “orphaned domains” and their associated DNS records are especially vulnerable to compromise.

The Importance (and lack) of Domain Management Workflow Process

The step-by-step processes for managing even a single domain in a large organization are complex and extensive. Large domain portfolios managed by multiple stakeholders across several departments demand effective, repeatable process, change management workflow, and audit records. Without these process basics, domain portfolios and their associated DNS networks are inevitably exposed to security risks.

Primary Research Confirms the Exposure

Interviews confirm that large organizations typically lack a systematic workflow process for domains and DNS management. Organizations admit that their domain and DNS management processes are informal and manual. Without structured, systems-based, auditable records for domain change management, errors and omissions are inevitable, especially over the long lifecycle of unmanaged domains.

Organizations have rules and procedures for most IT operations, but domain and DNS change management is often handled via email communications and Excel spreadsheet lists of domains, passed between stakeholders. Some organizations partially automate workflow with centralized ticketing, or SharePoint applications. These systems can be time-consuming to create and manage. They’re often fragmented and lack change management audit capabilities. Internally created workflow systems typically lack integration between the domain registration process and DNS provisioning.

Organizations admit that their internal accountability for domains isn’t clear. Without ownership and accountability, domains and DNS are left unmanaged. Domain portfolios tend to grow, and old domains are rarely culled. Legacy domains can become unnecessary over time along with their associated DNS zone file resource records. DNS security settings for these domains ( DNSSEC, DMARC, SPF, and TLS certificates on redirections) are frequently broken or missing altogether.

The Weakest Link: The Domain and DNS Vendor Supply Chain

Internal process management for domains and the DNS is difficult. Having multiple vendors makes it worse. Many organizations have more than one domain registrar; often the result corporate acquisitions. Having dozens of active, managed DNS services is even more common. Managing effective process over a fragmented domain and DNS supply chain presents other risks:

  • Password and access controls are inconsistent: Some support 2FA & SSO – others do not
  • Not all managed DNS services support DNSSEC
  • Most registrars lack integrated controls to manage zones on preferred DNS networks
  • Security policy implementation and compliance is practically impossible
  • Human resource costs and constraints create operational inefficiencies
  • Change management controls over multiple vendors is difficult
  • Internal vendor ownership operating in silos makes oversight difficult

Audits Alone Cannot Solve the Problem

Business stakeholders and network security teams know that domain portfolios and the associated DNS network require ongoing governance and compliance controls. The solution usually implemented is a periodic audit of all domains, DNS zone files, and security settings. Audits are laborious, costly, and rarely establish compliance confidence.

  • Domain portfolios and DNS networks are dynamic, ever-changing across multiple registrars and managed DNS providers – any audit is simply a point in time snapshot, rather than a real-time, current assessment
  • Most audits are manual, lacking the IT forensic tools to accurately view HTTP status codes on thousands of zone files residing on large server networks

Audits don’t work as a standalone, point in time activity. Only real-time, ongoing processes can effectively establish and maintain control over a dynamic domain/DNS environment. Lacking system-based, automated processes, most domain and DNS audits fail to complete due to the effort required.

Domain Name Asset Manager: DNAM™

It’s an easier way to secure and manage corporate domains and the DNS Learn more

Manual Domain and DNS Processes Perpetuate Three Problems

Inefficient, manual processes for registering domains and managing the DNS network has three problems, confirmed by organizations that have evaluated their internal processes:

team
Team Performance is Lacking

Organizations in the digital age demand agility. Change management process to register and set up new domains or change DNS settings should take minutes – not hours or days. Few organizations dare accelerate manual processes for fear of making mistakes. They tolerate cumbersome, manual processes as necessary evils. Domain and DNS reports take forever to generate, tying up costly staff resources. Comprehensive, real-time analyses of domain portfolios and DNS networks typically aren’t feasible with manual processes.

graph_bar_3d
Costs are High

Manual processes for domains, DNS, and TLS certificate management are resource intensive and costly. As portfolios increase in size, the cost of manual processes is growing. Renewing a single TLS certificate on a domain requires 16 steps. Implementing and managing essential DNS security such as DNSSEC is also dependent on high-cost, manual processes. Busy network administrators lack the time and tools to manage domains and DNS settings. It’s increasingly costly as domain portfolios and DNS threats increase.

weak_security
Security is Weak

DNS networks powering today’s digital enterprise are managed by specialized DNS experts who lack the time and tools to continually monitor cumbersome legacy systems. Public DNS networks are a prime target for bad actors who are able to search out, identify, and exploit organizations’ DNS-related security holes. Best practices and standards, such as DNSSEC, SPF, DMARC, and other DNS hygiene measures can effectively mitigate DNS security risks. Managing these tasks is cost-prohibitive because processes are manual and staff resources are limited and costly. DNS security audits confirm that virtually every organization has identifiable weak points throughout their DNS networks including missing end to end encryption, expired DSKEYS, misconfigured DMARC and SPF, and orphaned DNS records.

Why does the Problem Persist?

Domain, DNS, and certificate management processes are largely unchanged since the explosive growth of domain portfolios in the 1990s. Change management requests are often initiated by email and executed via disparate, non-integrated registrar/DNS administrative portals. DNS settings and security are administered by skilled, costly, and overburdened IT staff resources, unaided by automated tools. Ongoing governance and security compliance are left to periodic audits, powered by Excel, and often incomplete. It is difficult for IT staff to get and keep control of the DNS footprint without systems to efficiently manage the network.

Business Process Paradigm: Domain, DNS, and Certificate Control Systems

Effective and efficient business processes have best practices in common:

  • Reduced process steps to eliminate redundant actions
  • Templated, controlled change management procedures, eliminating human error
  • System-enforced security policies that ensure end-to-end compliance
  • Tamper-proof, system-based, self-auditing providing ongoing governance in real time

There are three best-practice system pillars to improve domain, DNS, and certificate management:

team
Integration of Domain Registration and DNS Management

Systems that provide necessary best-practice standards must start by integrating the domain registrar, managed DNS, and TLS certificate functions under a single point of control. When domains and the associated DNS networks are manageable under a single, secure, role-based access point, process steps reduce, visibility increases, security improves, and total cost of ownership declines.

graph_bar_3d
Overlay of Workflow Process

Once disparate management functions are integrated under a unified control system, they can become error-free, repeatable steps. The domain and DNS management lifecycle involves multiple stakeholder roles and tasks. A workflow system assigns approved tasks to permission-based roles with easy-to-follow process steps. They follow the organization’s business rules and are easily templated. Workflow systems are fast, secure, and reduce error rates. They efficiently ensure uniformity of process, compliance with security policies, and retention of institutional knowledge.

weak_security
Tamper-proof Audit History and Change Alerts

People following manual processes make mistakes. Effective change management systems provide transparency and fast, easy remediation. Costly and ineffective periodic audits designed to mitigate errors are replaced by real-time, automated monitoring of all domain and DNS-related change management. An automated control system monitors the status of every domain and DNS setting, captures and reports all changes in audit records, and provides change digest alerts to help teams remediate errors.

Legacy Practice Obsolescence

The Domain, Managed DNS, and Certificate Authority service industries have been slow to provide badly needed best-practices solutions. The reason is legacy orientation. Registrars founded and grew exponentially from the 1990’s on a business model that emphasized selling more domains and, in some cases, serving enterprises with a Professional Services business model, i.e., billing their services for activity-based fees. Leading managed DNS services typically don’t offer domain registrar services. Certificate Authorities (CAs) just sell certificates.

These three related vendor categories and their respective business processes are highly interdependent. In the absence of industry-provided, integrated solutions, organizations have been obligated to manage as best they can with manual processes to control these three operational areas. Lacking packaged system offerings from the vendors, organizations have been challenged to invest the necessary time and capital to fully automate and integrate the complex processes of domain, DNS and TLS certificate management on their own.

The New Paradigm: Integration

Authentic Web Inc. is the first, and arguably the only provider to have solved the problem of integrating business critical domain, DNS, and certificate management functions together in one control system. Our vendor-agnostic approach provides a centralized control hub, integrating the key vendor management functions of domains, managed DNS, and TLS certificates. A single, unified system makes it easy for teams to address the increasing need to improve security and compliance control.

Business Process Improvement Workflow

Workflow tailored to the needs of individual stakeholder roles permits the efficient execution of tasks based on job function and level. Business (domain) originators, management, and IT staff each have assigned roles according to their job function and organizational position. Every task has an assigned owner and provides a simple, step-by-step workflow to easily execute change over the domain lifecycle. When workflow is added to the integrated, single point control of domains, DNS, and TLS certificates, management tasks become streamlined, transparent, error-free and cost-reduced.

Business Process Improvement Ease of Use

Change management functions offer ease, convenience, and secure transactions for all change management tasks. Numerous process steps are condensed under “service templates” or “one-click” functions making highly detailed and laborious processes including DNSSEC activation and TLS certificate renewals automatic and instantaneous. Simplicity and ease-of-use reduces the advanced skill levels and attendant high costs required to manage a large domain and DNS network.

Business Process Improvement Security and Compliance

With a single point of control in place over domains, DNS and TLS certificates, change management compliance gaps are addressed. IT security teams can have single pane of glass visibility over their DNS security posture. This permits the enforcement of DNS security policies that has not been practically possible without a unified control system.

Are your teams equipped

Do they have what it takes to get and keep the DNS network secure? Request a DNS Audit

Summary

Enterprise domain, DNS and certificate process management is stuck in a 1990s paradigm. It’s an obsolete model, far behind the demands of modern digital transformation. Manual processes, siloed operations and systems, lack of integration, and legacy vendor business models are perpetuating TCO increases and network security risk.

Increasing enterprise data security regulations make systems-based modernization of domain and DNS management a near-term imperative.

Authentic Web’s DNAM solution addresses this need by delivering system components: integration, workflow, ease of use, change management, security, and compliance. Leading global brands have adopted DNAM as a next generation control system to solve difficult DNS network security and compliance management problems while reducing Total Cost of Ownership by 30% to 50%.