Global Domain Strategies to Navigate an Everchanging Ecosystem
When you own a piece of the internet, your strategies for securing your domain name portfolio can’t be in the hands of just anyone. The understanding, creation, and implementation of global domain strategies for your business are paramount to improving your cybersecurity posture in an everchanging ecosystem.
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right. Or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "Global Domain Strategies to Navigate an Everchanging Ecosystem." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today are Patrick Hauss and Justin Hartland. Patrick is the Head of Corporate Development and Strategic Alliances in EMEA, based in Paris, for CSC's Digital Brand Services Division. He's responsible for key strategic initiatives across Europe and Middle East countries. Justin is a CSC Global Director of Products for the Digital Brand Service Division as well, based out of London. Justin has spent more than 20 years in the domain name and brand protection industry and brings his wealth of knowledge to CSC clients.
And with that, let's welcome Patrick and Justin.
Patrick: Hi, everyone. Very happy to spend this time with you today to walk you through the domain strategy topic together with Justin. And actually, before jumping into the actual strategy element of this presentation, I thought that actually sharing a real-life example would be a great way for me to illustrate what we will be speaking about today.
In fact, I would say many companies have had challenges when it comes to securing their online presence. It can be forgetting to renew a domain or even a vital domain. It can be being a victim of cyberattacks. In fact, thousands of companies have been going through many different types of situations when it comes to a cyberattack infringing situation, domain hijacking, and so on and so forth.
So the example that I chose for today is probably I would say one of the most interesting because it is really highlighting how all the domain security components are basically connected to each other. So if we go in the detail and we look at what happened basically, in November 2016, the French company Vinci, their shares actually at the Paris Stock Exchange fell by nearly 20% after a fake press release was sent to the communication agency Bloomberg. Actually, the hoax said that the company had uncovered irregularities which had been hiding losses amounting to more than three billion euros.
The cause basically of this terrible situation is a deceptive domain name, which has been registered by a third party within the new gTLD space. The domain which has been registered by the third party is vinci.group, when the actual official domain name of Vinci is vinci.com. In a nutshell, what we need to understand is that this email was sent to Bloomberg with an email address ending with vinci.group. This email seemed completely official, and Bloomberg didn't do any further verification after receiving the actual email.
So how basically was this third party able to register such a domain name? I think first we need to go back to the history basically of the internet and the domain name system. And actually, none of them were originally designed for what we are doing with them today. The worldwide web was designed originally for people doing research. Academics, scientists were all using this tool to send emails and share information globally.
The rule for domain name allocation has ever been first come, first served. And with loads of new suffixes arriving on the internet, one after each other since 2012, companies still need basically to adapt their tactics as much as possible. The launch of the .group, which is an example among many others, and the registration vinci.group by a third party is really just one example out of many, many others.
Also, what I would like to say and when it comes to cybersecurity, I think we need to remember that all the stakeholders managing your online presence are basically outside your company's firewall, and the only way to control them is basically to choose your providers as carefully as possible. And when I speak about the stakeholders which are outside the firewall, I speak, of course, about your registrar, your DNS provider, your certificate provider, but I also speak about your hosting provider or even new ISP.
So I think this is exactly why every company needs to have a domain name strategy in place, and I'm going to give you some examples of what should be taken into consideration when it comes to building a domain strategy. I think, first of all, that every time a new case would be submitted to you involving a domain name, you should ask yourself two questions. I think the first question is, "Is this domain strategic for me as in is this domain needed for my business, needed for the business?" The second question is actually, "Do I already own this domain as in is this domain already in my domain portfolio?" The reason I think why you should always ask yourself these two questions is because they will ultimately help you take the right decision facing every specific case involving a domain.
So I would say let's have a look now at what the Group A that I present on this slide. So for a domain which is strategic for you, strategic for the business, and which is already in your portfolio, I think you will work mainly on consolidation as well as security since you want all your domains to be managed at the same place in a highly secured way. This is, of course, very true especially for your business critical domains, your vital domains on which you're going to, of course, apply all the different security features which are needed.
I put on this slide a couple of examples. And I think when we speak about securing your own domain portfolio, we usually speak about the different layers of security that you can apply to your own digital assets. This is what we call DiD, defense in depth, and here on this slide you're going to be able to see a few examples of what can be put in place in order to secure your own digital assets, your own domains against hijacking. For example, registry lock is a very good example, multifactor authentication, as well as IP validation for example.
So let's get back to our table and let's have a look now at the Group B. So for a domain I would say which is strategic for your business and which is not now in your portfolio, I think that's typically when you need to put some I would say strong measures in place in order to get the domain which is vital for you or strategic for you back within your portfolio. So I think domain infringement requires domain enforcement. That's the rule. And, of course, your goal is going to be to make sure that this Group B will be as small as possible, which means you've been able to deal with infringing situations and get ultimately these domains back in your Group A.
Category C is for domains which are not strategic for the business, but which are still in your portfolio. These domains, I believe they need review, and I think most importantly they need strong and accurate data in order to evaluate whether there's an opportunity to lapse potentially these domains. In some cases, you may also have an opportunity to divest domains to a third party, which could be interested in acquiring these domains from you. Again, I think this requires really solid data as well as a professional evaluation beforehand.
Last but not least, Category D will allow you to deal with a situation where you are not the owner of the domain and where third parties have been basically using your trademarks within a domain, like a new domain registration. And I think here the issue is that the internet is growing extremely fast and domain threat intelligence is a must nowadays.
So speaking about that specifically, speaking about domain threat intelligence, I think this is typically what will allow you to deal with every kind of situation, detect newly registered domains in a very fast way. I think most importantly this will also allow you to monitor the behavior of each domain that you have detected so that basically you can take decision in order to act against cases where, for example, the domain was not a threat originally when the domain was just registered, but basically, for example, which transformed itself into a critical phishing case, for example, two years after the domain was registered. So I think that's probably why domain threat intelligence is now a must and it's very important to put in place in the businesses.
So again, Category A to D will allow you to have an overall view of your domain strategy, answer as many questions as possible, and also take the appropriate decision and direction.
I'm going to leave it to Justin now. Justin, the floor is yours, and I'll let you walk everyone into how to implement a domain name strategy.
Justin: Patrick, thank you so much for that. And really what I'm going to be looking at today is some practical measures that can be used to put these strategies into place. So I'm not going to be focused on what names, what extensions, but really how as a large corporation you can put these into place.
I put this into five categories. I think I probably could make 50 categories. But I tried to narrow it down to five sort of key ones that we can look at today, and those are centralization, automation, compliance, integration, and changing landscape.
So let's start off with centralization. So when I'm talking about domain names, we quite often talk about domains, DNS, and SSLs because there's a lot of advantages in having all of those assets centralized into one space. And one of the key things that you get from this is complete control over those assets. That allows you to budget correctly. It allows you to control so you understand fully across the globe what is within your business. We've mentioned this on previous webinars and seminars, but every company has every single laptop registered with its ID number, but quite a lot of companies still don't have all of their domain names in one space and understand who owns what and where is it. So this gives you that control.
Secondly, we're looking at renewal of these assets. So we see some companies operate as CSC do, which is we have an auto-renew policy. So if you have domain names with CSC, we will always renew them unless you tell us not to. So we will only lapse a domain name if we're instructed by the appropriate person. There are companies out there, in particular sort of more retail registrars where if you don't pay your invoice, they're not going to renew your domain. So you have to watch out for things like that. And that's why if you don't have your assets centrally managed and somebody goes off and uses a small registrar and then perhaps they leave the company and you don't get the renewal notification, then your domain potentially could get lapsed, and that will cause problems within the business especially if it's live.
Third is by doing all of this you can configure how you want your domain management, your DNS management to be configured to your company needs. So an example of this is you may have various operations, you may have North America or EMEA and APAC, and you want the APAC team to operate and do DNS changes and register new names for a specific set of names. Well, you can set that up ahead of time. There may be specific templates based off different brands, so when you register a domain, you have to have a WHOIS template. And it may be that you want to keep those separate. So you can choose how to configure it and it's exactly to your business needs.
Having it all in one space you're going to be able to make simpler decision-making. So within domain management, there are always new domains coming online, and so by having everything there, by understanding what you have and what you don't have, you can make those simple and quick decisions.
It's a rather boring one but invoicing. There's a lot of time and effort spent, and I think a lot of people will understand this, on just dealing with invoices. Well, by having your assets in one place, then you're receiving one invoice or maybe a couple of invoices, but you're receiving it from one vendor. So that's going to obviously improve your own efficiencies within your company. It's going to improve the approval times and how quickly you can do those things. So that is a sort of hidden benefit of doing that.
What we're seeing in particular with our customer base is that a lot of companies want to do security audits. And so if you've got one vendor that you just need to do one security audit on then, that obviously makes life a lot easier again. So it's absolutely essential that you make sure you're using a company that meets certain criteria. And depending on your industry, it may be absolutely necessary, and in other industries it's really recommended. So you can actually make sure that all of those vendors or that vendor you've chosen meets that criteria.
And then the upshot is look you're going to save time on internal processes, and it's going to make your life more efficient and quicker to do things. And with the right vendor as well, they can almost act as an arm of your department in dealing with these things. So they're going to know, for example, if you need to register a domain, what is that default template that you need to register it to, and if it's in this country, it's this, if it's in this country, it's this. So you get a lot smoother processing, and it just really works together a lot easier for you and your teams.
So if we move from centralization and we start looking at automation, so what do we mean by automation? So in particular here I'm talking about APIs, so application programming interfaces. What these allow is software components to interact with each other. They can exist between various types of software. And they're used to connect different web systems. And so this is a really good way of improving those efficiencies. So we talked about using one provider. Well, if you use one provider and you then set up APIs to make your life easier, then obviously things are going to run a lot smoother for your company, and you're going to be able to extract the data that you really want.
And just moving on, just looking at the advantages of automation, and some of you may be looking at this and going, "What are you talking about? I don't understand this." There will be somebody within your business who does and probably understands the benefits of this. But obviously, the first thing here is security. So it reduces or eliminates credentials required for various vendors and allows you to have better control of who's accessing accounts because it'll be through your own systems.
The process makes your data part of a bigger workflow. So for instance, rather than requesting through a customer service person to send you information, you're able just to download that information as and when you want.
By having all of that data consolidated, it's in one view for you. And then you've got the flexibility of utilization with other third-party enterprise solutions, like ServiceNow, which again you'll see benefits.
So automation, whilst it's not for everyone, it's certainly worth investigating within your organization if this is something that should be looked at and can we get some advantages in doing that.
Okay, moving on to compliance. So this is an area where I think everybody really needs to pay a lot more attention to now, and there's a number of reasons for this. What we are seeing as a registrar is far more emphasis from the registries, who control the actual domain extensions, on ensuring that the data that they hold is correct and is valid.
Now in the European Union, there is a directive called NIS2, which is being implemented right now across all of the member states. And various registries are bringing in different tools, different systems to verify the owners of domain names. And so this is all about KYC, know your client. And so there is going to be this big change in trying to ensure that the owners of a domain are really who they are. We saw recently in Italy the registry there has launched a system where they're looking at the VAT numbers, do they match the company that's registered, and making sure that data is in line.
But they're going to be looking at company name. So if you bought a company many moons ago but you never changed the WHOIS information on that company and it's now part of your company's name, then there's a chance that that might flash up as like, oh, you need to rectify this WHOIS record and this ownership. So that's going to be a lot more especially across the European Union. But what we're seeing is across the globe each registry seems to be taking this extremely seriously and looking to implement similar changes to what we're seeing in the European Union.
So having a clean portfolio is super important. Now this isn't something that I think needs to be looked at on a daily basis. I think this is something that you should look at once, maybe twice a year. It depends on the activity around your account. But really you need to be looking at sort of key things like who is the legal owner of the domain; what are the email addresses associated with the domain, and just making sure things like company addresses are all correct. It's not a fun task. It's a very boring task. But it should be a task that's done at least once a year.
But also you can prevent these things from having to be reviewed in the future as well by creating standard templates. So if you know that every domain you want this template, then work with a provider that always ensures that they have the clean and best template and they always use that. And it might be different for different countries because of requirements. But at least you're using the same approved template. So that's super important just making sure you don't have to do too much cleanup work in the future.
So for me, compliance is huge and you really need to be on top of that. And obviously, if you've got that data in one place and you understand the domains that you own, then you'll be able to do this a lot quicker and easier.
Okay, so one of the other things when you've implemented a domain strategy is you'll then be able to see the benefits of all of that information in one space and what are the things that you can now do with it. So I'm just going to go through a few of these points.
And the first point is CAA records. Now some of you may not know what that is. A CAA record is a text file in the zone of DNS, and effectively it's a way of implementing an SSL policy. So if you choose an SSL provider and across the company you like, "No, no, we've chosen these guys, this is the only company we should ever be using to register SSLs," then you can put that company in the CAA record. And whenever a request for a digital certificate comes through, it gets checked against that record, and if that company is on there, then yes, the certificate can be released and ordered. But if it's not, then it will decline the digital certificate being ordered. So it's a good way of creating that SSL policy around your domain names. And obviously, that's just set on your DNS, and it's a record that's very easily updated. So it's a really good way of implementing policy.
If you've got your DNS and domains in the same place, there's a real advantage here. Setting up DNS prior to registration is still required by certain domains. So for example, with .de, you need to set up the name servers before you register the name. Now if you're using two different providers, then you're going to require that provider to set up the DNS, and depending on your internal systems and processes, that may take a little while. Now if you need to register a domain quickly, then you can't wait a little while. So there is an advantage of having that centralization there.
Patrick talked about this earlier. He talked about how I think it was in B and D in the policy, but he talked about domains that are getting registered by third parties. Now one of the important things with that and when you have a monitoring program in place is that you actually understand what you already have. And so again, by having them centralized, by having a proper list of domains, then you understand your approved list of names. And therefore, when you see a name that sits out of that, there could be a number of reasons. It could be yes, it's a third party and they're trying to misuse your brand. Or it could just be one of your business divisions have gone out and registered it. It could be a franchise that have gone out and registered it, and you need to go and have a word with them about moving the name under your management. So it gives you a lot of benefits by having that in one place.
And then you've got budget. Budget forecasting, it's a job that we have to do every year. We have to understand what is our spend for next year. Domain names generally are registered for one year. Some are two years. Some are even longer. So you need to understand what's going to be your budget for the following year. Really simple if you've got that data in one place.
And then, should things go wrong, which from a CSC perspective I don't think it does happen very often, then you are able to call somebody, and you know your domains, you know your DNS and whatever other services are under one roof. So you'll then be able to get to the crux of the problem, if there is a problem, and resolve it as quickly as possible. So it really helps with simplifying things. So simplified processes equals time savings. So you know what domains you've got, you've got them in one place, and you're making your life easier.
And this really needs to feed into that domain strategy because this is where you can make decisions before you fall foul of third-party registrations, enforcement work, monitoring. So the landscape of domain names, it's constantly changing. And you've also got to understand the risks that are out there.
So I put here a couple of TLDs have either become popular or launched over the last year or so. So last year we saw a huge number of .AI registrations, both from ourselves, both through the registry numbers, but also third parties and people were like really sort of hopping on the bandwagon. And so this is definitely something that we went to our customers and told them about.
And then Australia launched its top level of .AU, which obviously an awful lot of our customers went out and protected their brands, which they historically had on a .com.AU or .org.AU, and they got the corresponding .AU. That was predominantly less for a commercial use as far as I'm aware, but more from a protection use. But it eliminated the risk immediately. And Australia gave people who already had those domains a priority period where they could register them. So that was very useful for brand holders.
And the other area that's really key in this is understanding those brand strings. So as Patrick was showing about the strategic names, I think it's not just about your strategic brands, it's about your strategic brand strings because some companies may decide because they have two words as their brand that when they register a domain, they will always register the two words together or the word plus a hyphen and the other word. So having that list of brand strings is super important for when launches like .AU come along or things like .AI get popularized. So it's really important. It just helps make life easier for everyone.
Having internal processes. So sometimes people who manage the domain names may not make the decision on domain names. It might be the brand department do that. But if you've got a connection and you are constantly working and meeting, some of these launches, they come around really quickly. So you need to be in a position where you get the relevant information and you can get it to those people as quickly as possible, so that if you decide, yes, we do want to register .AI, then you can go ahead.
And then the final piece is just make sure you reserve budget for these. Quite often if you were to ask me what domain names are going to launch next year, there's some that I could probably tell you, but there's probably quite a few that will just happen out of the blue and we won't be able to help predict those. So it's a really tricky one. So it's always worth just having that bit of buffer budget for new registrations that come along.
And I thought I'd just sort of show you what is going on right now. At the moment, Turkey have launched their top level, which is .TR. Traditionally most companies use .com.TR or .org.TR, etc. And again, they've given a priority period. So if you already had a .com.TR, you can apply for the .TR. And that ends in August this year, and then general availability will be from September. So this is really important to look at. TR used to be quite a restrictive domain name, but those rules have been broken down. So what we see with things like this is the risk profile goes up. And so we would definitely recommend companies having a look at this, not just to protect the TR because we've got a Turkish name, but if you've never worked in Turkey or you may use franchises in Turkey or something like that, it's worth having a look at this extension because the risk profile has changed.
Similarly in Venezuela, .VE has launched. Again, you could register .co.VE, .com.VE. And so that has not given a priority period and has just sort of hit us. And so that is now available to register. And again, we would advise people to look at the domains that they already have in Venezuela and then perhaps looking at securing the corresponding .VE.
.AD, this is for Andorra. They've launched a sunrise and limited phases period, and general availability is in October. But again, this is not a new launch. It's an extension that used to have really restrictive rules, but those rules are slowly going to go away. But they are giving periods for brand holders to go and secure their relevant names before that general availability.
And then this year, we've seen GlobalBlock launch at sort of March time of this year. And so this is just another thing to contemplate whether you get into the blocking space or not. I think that companies are looking at this and whether it's got the right TLDs that they really care about, or whether it's actually there's a lot of TLDs in there that I don't care about. And it's the expense versus this. So there's a lot more to it than that, but it's definitely worth looking at. Is it something that we want to do?
So these are the things that are going on right this moment in time. And I think with that, I am going to pass over to Patrick, who's going to go through the summary with you all.
Patrick: Thank you, Justin. So yeah, quickly as a summary, I think something we tried to highlight today is really how all the different topics related to domain security are connected to each other. Centralization, allowing you to have white lists, allowing you basically to be even more efficient when it comes to domain threat intelligence, dealing with enforcement when you have infringing situations and so on. It's all about making your life easier when it comes to day-to-day domain management. So I think these are all very important and critical topics that need to be addressed.
Improving your security posture by building up your governance. We spoke about policies basically. And I do believe that indeed having the right set of rules, integrating people doing cybersecurity within your organization, like…into this discussion will definitely be a great added value to your overall domain security posture. So I think that's really critical to look at.
Centralization, I think that's probably the word we've been using the most, Justin, today. I think we do all see and believe in the value of centralized assets management with all the benefits that you're going to be able to get out of that, like automation for example. We spoke about that.
Processes that you're going to be able to put in place, streamline the workflow, get efficiency. Again integrated automation. So I think all that will really benefit for your organization. And with upcoming regulations, we spoke about NIS2. Again, I think that's really the right moment to have a look at the overall domain security posture and domain strategy for each of your organizations.