Of all the assets that your company owns, few have a bigger value-to-cost disparity than your domain names. At a mere $15 per year, they represent a value that can be hard to measure as they form the backbone of services such as your company e-mail service, your website, parts of your infrastructure and branding. For example, a simple remote. Mycompany.com might be vital for your remote workers to connect with your website over your VPN.
A lot of companies, however, are not in control of their domain names. Instead, they chose to let a third party manage their domain names. This could be the MSP that manages their IT but it could also be the company that built their website.
Both of these companies often insist that they should be in charge of managing your domain names, because they need to setup your domain properly or need to make regular changes. If there’s something those nerds in IT don’t like it’s coordinating with other people to get something done that they could easily do themselves!
I have been on the “managing side” of this discussion and have been somewhat of a domain name hoarder myself – and have seen enough downsides to the point we lost interest in registering domain names for our clients – and I can certainly understand why these parties would like to be in control of your domain names. Especially if you, as the partner, lack the expertise to manage them yourselves. It’s easily said to “add these records” or “change these records”, but it can be a complicated affair.
Recently I’ve been on a “security” binge, and this raised a question about the managing of domain names. Is letting a third party manage your domain names a security risk for your company? I’m not talking in the sense of using parties such as Cloudflare, Name.com or other registrars / DNS providers.
However, I believe that at the very minimum companies should be registering all their domain names themselves or let a third party register domain names using an account the company has full access to, guaranteeing that they have full access to their domain names at all times. Even if they aren’t capable of managing their domain names themselves, doing this would at least guarantee that they remain full control if their relationship with whomever had access to the domains changed.
Not being in full control of their domain names could lead to a variety of problems. From outages caused by an enraged third party, to domain names being kept “hostage” to malicious actors being able to make changes that could impact the security posture of a company, whoever has control of the domain names could be disrupting the online operations of a company that might not always be visible to the naked internet eye.
I am not familiar with all domain registrars, so perhaps the following already exists, but an ideal scenario would be the reverse solution of what you see with a lot of domain resellers. A company would create an account, and grant another company permission to register domain names or would be able to give them access to specific domain names, which could easily be revoked with a few clicks or a call to the help desk of said registrar.
Of course, this would go against the best interest of companies that tend to have a tendency to keep domain names “hostage” as it can be the only leverage they have if a client refuses to pay for certain services.
However, from a security perspective I feel like it’s in a companies best interest to move to a model where they’re fully in charge of their own domains with the option to delegate. After all, online services and domain names have become more and more important and are no longer just tied to a company website with a contact form and an About Us page that nobody ever reads.
What do you think? Should companies be in full control of their domain names? And how can this be achieved if the company owning the domain name lacks the knowledge to properly manage domain names themselves?