Enterprise domain and DNS management is flawed and risk-exposed in almost all large organizations. Stakeholders in IT, marketing, infrastructure, legal, and digital operations recognize that lack of control, visibility, and automation in legacy practices creates exposure. Private and public cyber-security authorities warn of known DNS network security risks. Domain and DNS hijacking, certificate compromises, appropriation of DNS controls, DNS cache poisoning, and other forms of DNS tampering are on the rise.
Domain, DNS, and certificate management problems are a direct result of manual processes throughout the end-to-end domain journey. Beginning with an initial corporate domain request, multiple processes are launched that are manual, error-prone, and costly in staff resource effort. Approval steps, DNS network and certificate provisioning, change management, governance and security maintenance typically rely on outmoded manual processes. Multiple stakeholders in the organization must execute scores of process steps on each domain and DNS zone file over its lifecycle. With corporate portfolios of hundreds to thousands of domains, errors and omissions over the domain management lifecycle make security vulnerabilities a certainty.
Learn how a lack of functional ownership over domain and external DNS security, combined with a lack of visibility and of unified control systems to enforce DNS security policies, are the top factors that expose your company and customers to external DNS vulnerabilities.
Domain and DNS security exposure is not a theoretical idea. Hard evidence in the form of DNS network audits conducted by the authors of this article, bolstered by independent third-party digital security research firms, confirms that domains and DNS networks are exposed. Forensic tests conclude that large percentages of corporate domains commonly have the following issues:
Targeted industries such as finance, healthcare, insurance, telecommunications, tourism, supply-chain dependent manufacturers, and government need to be especially vigilant in managing their domain and related DNS networks. Audit evidence shows they are exposed.
Small businesses, or those with only a few domains, don’t have to worry much about domain management processes. Their DNS networks are uncomplicated and relatively easy to monitor. Large enterprises with strategic digital asset portfolios are entirely different:
Many stakeholders manage the corporate domain process across multiple, siloed departments. Single-point accountability for the end-to-end domain management lifecycle is often missing. New domain requests pass through many layers of approval before going to IT network operations for setup. DNS security may be another team entirely. Hundreds of domains with live DNS records renew year over year, many of which have become forgotten. These “orphaned domains” and their associated DNS records are especially vulnerable to compromise.
The step-by-step processes for managing even a single domain in a large organization are complex and extensive. Large domain portfolios managed by multiple stakeholders across several departments demand effective, repeatable process, change management workflow, and audit records. Without these process basics, domain portfolios and their associated DNS networks are inevitably exposed to security risks.
Interviews confirm that large organizations typically lack a systematic workflow process for domains and DNS management. Organizations admit that their domain and DNS management processes are informal and manual. Without structured, systems-based, auditable records for domain change management, errors and omissions are inevitable, especially over the long lifecycle of unmanaged domains.
Organizations have rules and procedures for most IT operations, but domain and DNS change management is often handled via email communications and Excel spreadsheet lists of domains, passed between stakeholders. Some organizations partially automate workflow with centralized ticketing, or SharePoint applications. These systems can be time-consuming to create and manage. They’re often fragmented and lack change management audit capabilities. Internally created workflow systems typically lack integration between the domain registration process and DNS provisioning.
Organizations admit that their internal accountability for domains isn’t clear. Without ownership and accountability, domains and DNS are left unmanaged. Domain portfolios tend to grow, and old domains are rarely culled. Legacy domains can become unnecessary over time, along with their associated DNS zone file resource records. DNS security settings for these domains (DNSSEC, DMARC, SPF, and TLS certificates on redirections) are frequently broken or missing altogether.
Internal process management for domains and the DNS is difficult. Having multiple vendors makes it worse. Many organizations have more than one domain registrar, often the result of corporate acquisitions. Having dozens of active managed DNS services is even more common. Managing effective process over a fragmented domain and DNS supply chain presents other risks:
Business stakeholders and network security teams know that domain portfolios and the associated DNS network require ongoing governance and compliance controls. The solution usually implemented is a periodic audit of all domains, DNS zone files, and security settings. Audits are laborious, costly, and rarely establish compliance confidence.
Audits don’t work as a standalone, point in time activity. Only real-time, ongoing processes can effectively establish and maintain control over a dynamic domain/DNS environment. Lacking system-based, automated processes, most domain and DNS audits fail to complete due to the effort required.
Inefficient, manual processes for registering domains and managing the DNS network have three problems, confirmed by organizations that have evaluated their internal processes:
Organizations in the digital age demand agility. Change management process to register and set up new domains or change DNS settings should take minutes – not hours or days. Few organizations dare accelerate manual processes for fear of making mistakes. They tolerate cumbersome, manual processes as necessary evils. Domain and DNS reports take forever to generate, tying up costly staff resources. Comprehensive, real-time analyses of domain portfolios and DNS networks typically aren’t feasible with manual processes.
Manual processes for domains, DNS, and TLS certificate management are resource intensive and costly. As portfolios increase in size, the cost of manual processes is growing. Renewing a single TLS certificate on a domain requires 16 steps. Implementing and managing essential DNS security such as DNSSEC is also dependent on high-cost, manual processes. Busy network administrators lack the time and tools to manage domains and DNS settings. It’s increasingly costly as domain portfolios and DNS threats increase.
DNS networks powering today’s digital enterprise are managed by specialized DNS experts who lack the time and tools to continually monitor cumbersome legacy systems. Public DNS networks are a prime target for bad actors who are able to search out, identify, and exploit organizations’ DNS-related security holes. Best practices and standards, such as DNSSEC, SPF, DMARC, and other DNS hygiene measures, can effectively mitigate DNS security risks. Managing these tasks is cost-prohibitive because processes are manual and staff resources are limited and costly. DNS security audits confirm that virtually every organization has identifiable weak points throughout its DNS networks, including missing end-to-end encryption, expired DSKEYS, misconfigured DMARC and SPF, and orphaned DNS records.
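As an added example (not code from the original article or from Authentic Web), the checks such an audit performs for three of the weak points named above and in the earlier paragraph on legacy domains (SPF, DMARC and DNSSEC), run over a constructed record set for a small portfolio; a live audit would fetch the same TXT and DS records through a resolver instead of reading them from the `PORTFOLIO` dictionary.

```python
"""Portfolio hygiene check for SPF, DMARC and DNSSEC (added example, constructed data)."""

# Constructed sample of what a resolver would return for each domain in a portfolio:
# TXT at the apex, TXT at _dmarc.<domain>, and DS at the apex (empty = unsigned zone).
PORTFOLIO = {
    "example.com": {
        "txt": ["v=spf1 include:_spf.example.net -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        "ds": ["12345 13 2 PLACEHOLDER-DIGEST"],
    },
    "legacy-brand.example": {  # orphaned domain: no mail policy, no signing
        "txt": [],
        "dmarc": [],
        "ds": [],
    },
    "promo.example": {  # permissive SPF and monitoring-only DMARC
        "txt": ["v=spf1 include:_spf.example.net +all"],
        "dmarc": ["v=DMARC1; p=none"],
        "ds": [],
    },
}

def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DMARC-style tag list into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(name: str, rr: dict) -> list:
    """Return the findings for one domain; an empty list means no weak point found."""
    findings = []
    spf = [t for t in rr["txt"] if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing")
    elif len(spf) > 1:
        findings.append("multiple SPF records")  # RFC 7208 treats this as a permerror
    elif "+all" in spf[0].split() or "?all" in spf[0].split():
        findings.append("SPF permissive (+all/?all)")
    dmarc = [t for t in rr["dmarc"] if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC missing")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy '{policy or 'missing'}' not enforcing")
    if not rr["ds"]:
        findings.append("DNSSEC not enabled (no DS record)")
    return findings

def audit_portfolio(portfolio: dict) -> dict:
    """Map every domain in the portfolio to its list of findings."""
    return {name: audit_domain(name, rr) for name, rr in portfolio.items()}
```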
Domain, DNS, and certificate management processes are largely unchanged since the explosive growth of domain portfolios in the 1990s. Change management requests are often initiated by email and executed via disparate, non-integrated registrar/DNS administrative portals. DNS settings and security are administered by skilled, costly, and overburdened IT staff resources, unaided by automated tools. Ongoing governance and security compliance are left to periodic audits, powered by Excel, and often incomplete. It is difficult for IT staff to get and keep control of the DNS footprint without systems to efficiently manage the network.
Effective and efficient business processes have best practices in common:
There are three best-practice system pillars to improve domain, DNS, and certificate management:
Systems that provide necessary best-practice standards must start by integrating the domain registrar, managed DNS, and TLS certificate functions under a single point of control. When domains and the associated DNS networks are manageable under a single, secure, role-based access point, process steps reduce, visibility increases, security improves, and total cost of ownership declines.
Once disparate management functions are integrated under a unified control system, they can become error-free, repeatable steps. The domain and DNS management lifecycle involves multiple stakeholder roles and tasks. A workflow system assigns approved tasks to permission-based roles with easy-to-follow process steps. They follow the organization’s business rules and are easily templated. Workflow systems are fast, secure, and reduce error rates. They efficiently ensure uniformity of process, compliance with security policies, and retention of institutional knowledge.
People following manual processes make mistakes. Effective change management systems provide transparency and fast, easy remediation. Costly and ineffective periodic audits designed to mitigate errors are replaced by real-time, automated monitoring of all domain and DNS-related change management. An automated control system monitors the status of every domain and DNS setting, captures and reports all changes in audit records, and provides change digest alerts to help teams remediate errors.
The Domain, Managed DNS, and Certificate Authority service industries have been slow to provide badly needed best-practice solutions. The reason is legacy orientation. Registrars founded and grew exponentially from the 1990s on a business model that emphasized selling more domains and, in some cases, serving enterprises with a Professional Services business model, i.e., billing their services for activity-based fees. Leading managed DNS services typically don’t offer domain registrar services. Certificate Authorities (CAs) just sell certificates.
These three related vendor categories and their respective business processes are highly interdependent. In the absence of industry-provided, integrated solutions, organizations have been obligated to manage as best they can with manual processes to control these three operational areas. Lacking packaged system offerings from the vendors, organizations have been challenged to invest the necessary time and capital to fully automate and integrate the complex processes of domain, DNS and TLS certificate management on their own.
Authentic Web Inc. is the first, and arguably the only provider to have solved the problem of integrating business critical domain, DNS, and certificate management functions together in one control system. Our vendor-agnostic approach provides a centralized control hub, integrating the key vendor management functions of domains, managed DNS, and TLS certificates. A single, unified system makes it easy for teams to address the increasing need to improve security and compliance control.
Workflow tailored to the needs of individual stakeholder roles permits the efficient execution of tasks based on job function and level. Business (domain) originators, management, and IT staff each have assigned roles according to their job function and organizational position. Every task has an assigned owner and provides a simple, step-by-step workflow to easily execute change over the domain lifecycle. When workflow is added to the integrated, single point control of domains, DNS, and TLS certificates, management tasks become streamlined, transparent, error-free and cost-reduced.
Change management functions offer ease, convenience, and secure transactions for all change management tasks. Numerous process steps are condensed under “service templates” or “one-click” functions making highly detailed and laborious processes including DNSSEC activation and TLS certificate renewals automatic and instantaneous. Simplicity and ease-of-use reduces the advanced skill levels and attendant high costs required to manage a large domain and DNS network.
With a single point of control in place over domains, DNS and TLS certificates, change management compliance gaps are addressed. IT security teams can have single-pane-of-glass visibility over their DNS security posture. This permits the enforcement of DNS security policies, which has not been practically possible without a unified control system.
Enterprise domain, DNS and certificate process management is stuck in a 1990s paradigm. It’s an obsolete model, far behind the demands of modern digital transformation. Manual processes, siloed operations and systems, lack of integration, and legacy vendor business models are perpetuating TCO increases and network security risk.
Increasing enterprise data security regulations make systems-based modernization of domain and DNS management a near-term imperative.
Authentic Web’s DNAM solution addresses this need by delivering system components: integration, workflow, ease of use, change management, security, and compliance. Leading global brands have adopted DNAM as a next generation control system to solve difficult DNS network security and compliance management problems while reducing Total Cost of Ownership by 30% to 50%.
Any organization recognizing the need to improve their domain, DNS, and TLS certificate management business processes should start with an external audit. It’s the fastest and easiest way to expose latent DNS network security issues. Authentic offers an APEX-level audit to bring visibility to the problem, form a baseline DNS analysis, and support a business case for modernization with zero resources required from you or your team.
Contact us for a guided tour to see how our integration and workflow can transform your domain and DNS business processes. Ideal participants include business originators and approvers in digital operations, and their counterparts in IT network administration or IT security teams.