Domain monitoring for policy compliance
By Ken Linscott, product director, Domains and Security
In our three previous posts, we’ve discussed how brand owners can defend their domains by using defensive registrations, blocks, and monitoring, with a focus on brand protection and third-party infringements.
Domain monitoring is a known and commonly used tool for focusing on how others are misusing a brand in new domain name registrations. But this is only half the value provided by domain name monitoring. It also serves as a valuable cyber security tool that can help enforce centralized domain name policy so that brands remain compliant, both internally and externally, with initiatives like the General Data Protection Regulation (GDPR).
WHOIS, RDAP, and ownership data
If you’ve been following the developments in the world of WHOIS records for domains following the implementation of GDPR, you’ll know there’s been a lot of change.
The WHOIS, a protocol that lists contact information for anyone requesting it, has increasingly been unable to meet the accuracy, accessibility, compliance, privacy, and other needs of domain name registrants, law enforcement agents, intellectual property and trademark owners, and individual users. This is hardly surprising given its birth in 1982 and the unimaginable way in which the internet and domain names have scaled up.
With the implementation of GDPR in May 2018, the WHOIS needed to be replaced. GDPR is the most extensive privacy act globally, as it gives EU and European Economic Area (EEA) individuals control over their personal data, with the aim of protecting their privacy. Its implementation led to companies scrambling to make their internal processes and systems compliant and to place more significance on information security departments, since violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, 4% of their annual worldwide earnings of the preceding financial year, whichever is greater. This has affected not only European companies, but all companies globally that engage with EU or EEA individuals.
Unfortunately, the WHOIS simply did not meet these requirements. We needed a more secure and standardized format, with different access to data to ensure compliance with GDPR and protect the privacy of individual registrants, while still serving its original intent of providing clear ownership data to relevant organizations and authorities where warranted. In August 2019, the Registration Data Access Protocol (RDAP), which does just this, replaced the WHOIS as we knew it for some 30-plus years.
With this change, now is the time to review your domain monitoring needs, and increase your investment in this vital data feed for security and compliance.
And here lies the first really important point from a compliance perspective: You need to police your centralized domain name management policy. Policy without controls is worthless. Your control is domain name monitoring. Within the identified domains, you’ll find those registered in good faith (however misguided) by your employees and perhaps even outside agencies. You need these under your centralized management not only to be compliant with your policy but for a host of security reasons.
Monitoring digital assets for domain security
Digital assets including domains, domain name systems (DNS), and digital certificates, are fundamental building blocks for your business. They’re the means with which you communicate with clients, each other, and your internal networks. Sadly, digital assets are vulnerable to the risks of poor management and are increasingly targeted by cyber criminals who hijack online presence and web traffic, and impersonate businesses, duping clients and staff into sharing valuable and confidential information.
The generally accepted security approach is to consolidate under as few enterprise-class providers as possible for easy, more secure management. This should be done by surveying your organization (including marketing, legal, and IT) to understand their business needs from these assets, what they already own, and who has access. You will also need to ask your providers and registrars to undertake external audits for you.
These security reasons become clear when you realize that an important aspect of auditing and consolidating your portfolio—which is often overlooked—is understanding your company’s business critical domains. That is, domains that underpin the successful operation of your business via the web, email, voice-over IP, virtual private network access, and more—as well as the specific DNS and digital certificates those critical domains use.
Without an appreciation for these vital assets:
- You cannot effectively apply advanced security features such as locks, domain name system security extensions (DNSSEC), domain-based message authentication, reporting and conformance (DMARC), digital certificates, or certificate authority authorization (CAA) records to those domains. In other words, you can’t ensure that you’re doing everything to prevent your domains from being compromised in a cyber attack.
- You’ll also be unable to ensure that the quality of the DNS and digital certificate providers you’re using is sufficient for your needs.
- You risk accidentally lapsing, abandoning, or divesting a domain you didn’t realize was mission critical to your business.
If you know your vital domains, you can put policies and controls in place that will significantly reduce the threat from cyber attacks against these assets. However, deciding on policy is one thing and enforcing this policy and ensuring it acts as the control is another. For this to happen, you not only need a provider who can monitor and identify new vital domains within your portfolio, and who can notify you if any vital domain is not adhering to those controls, but you need to be able to identify domains outside of that centralized management to ensure they are considered from a security perspective in exactly the same way as those managed centrally.
This is domain monitoring. It should be central to your approach to securing your digital assets and ensuring policy compliance.
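As an added illustration (not code from the original post or from any provider), the control described above can be expressed as a check run over each monitored domain's RDAP object, DMARC TXT record, and CAA records. The approved registrar, approved CA, required locks, and the sample record are all hypothetical values chosen for the example.

```python
# Added example. Policy values and the sample record are constructed assumptions.
APPROVED_REGISTRAR = "Example Corporate Registrar"  # hypothetical provider name
APPROVED_CAS = {"ca.example"}                       # hypothetical CA domain
REQUIRED_LOCKS = {"client transfer prohibited", "client update prohibited"}

def registrar_name(rdap):
    """Return the registrar's vCard 'fn' from an RDAP domain object."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def dmarc_policy(txt_records):
    """Return the p= tag of the first DMARC1 record at _dmarc.<domain>, or None."""
    for txt in txt_records:
        pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if tags.get("v") == "DMARC1":
            return tags.get("p", "").lower()
    return None

def caa_issuers(caa_records):
    """Collect CA domains from issue/issuewild tags ('' means no CA may issue)."""
    issuers = set()
    for rec in caa_records:
        _flags, tag, value = rec.split(None, 2)
        if tag.lower() in ("issue", "issuewild"):
            issuers.add(value.strip('"').split(";")[0].strip())
    return issuers

def check_domain(rec):
    """Return the policy findings for one inventory record."""
    rdap, issuers = rec["rdap"], caa_issuers(rec["caa"])
    missing = REQUIRED_LOCKS - set(rdap.get("status", []))
    checks = [
        (registrar_name(rdap) != APPROVED_REGISTRAR, "outside centralized management"),
        (bool(missing), "missing locks: " + ", ".join(sorted(missing))),
        (not rdap.get("secureDNS", {}).get("delegationSigned"), "DNSSEC not signed"),
        (dmarc_policy(rec["dmarc_txt"]) not in ("quarantine", "reject"), "DMARC not enforcing"),
        (not issuers, "no CAA record"),
        (bool(issuers - APPROVED_CAS - {""}), "CAA allows unapproved CA"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed record: a domain registered outside the central portfolio.
SAMPLE = {"rdap": {"status": ["client transfer prohibited"], "secureDNS": {"delegationSigned": False},
    "entities": [{"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Other Registrar"]]]}]},
    "dmarc_txt": ["v=DMARC1; p=none"], "caa": []}
```

Calling `check_domain(SAMPLE)` returns one finding per control the domain fails; an empty list means the domain meets the policy.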
As brands enter a new decade, new challenges and risks will spring from the same landscape as opportunities. Brand owners must prioritize having these tools as part of their overall domain strategy, as it will set apart those who are prepared and have the ability to respond swiftly to infringements.