As the world becomes more wired, the need for network security grows more critical. Banks, brokerage houses, and online stores have all stepped up their game to help safeguard personal information and online assets. While it is easy to take registrar security for granted, recent industry headlines demonstrates that registrars are also a target for hackers. So how exactly is a domain investor supposed to protect their domains?
Before I proceed, I should mention that computer and network security is an area near and dear to me. In fact, before joining Epik in 2009, I spent more than half of my professional career in the area of software security. I have evangelized and marketed security technologies at both Apple and Microsoft, helped build and patented the first virtual private network (VPN) hardware devices and managed security services, and led the development of digital rights management (DRM) systems. Suffice it to say, I have a lot of expertise that is now being brought to bear to help better secure our customers domain portfolios.
Access Control is Job #1
Access Control Lists (ACLs) provides an effective, albeit blunt force, approach to security. Access control lists contain IP addresses that specify that one or more users are allowed to connect while other addresses are marked as forbidden. The security system does not take note of what resources might be at those addresses–it only cares if you are on the list and know the password. Think of the ACL like the bouncer at a nightclub.
At Epik, we have implemented optional, account-wide whitelists. As the name implies, a whitelist contains all the IP addresses (or ranges of IP addresses) from which the account holder has authorize someone to access their account. The user still must know the username and password. It is simply another layer of security. For example, you might authorize the IP address of your home, your office, and your iPhone. If a hacker has your login credentials, but is not accessing from an authorized IP, here is what they see:
For static IP addresses, simply enter the address. If you have a dynamically allocated address, then I suggest entering an address range, typically 0-255, on the last block of numbers. You can add as many addresses or ranges as you like (although in this case, the fewer, the better). Each address can have an optional label like “Home” or “Office”. You can see your current IP address in the upper right hand of the Security tab.
Some security systems also allow users to create lists of forbidden IP addresses called blacklists. Epik does maintain IP blacklists at a system-wide level. The customer-facing domain manager does not have blacklists. In my experience, managing two lists creates opportunities for gaps to appear in the wall you have put around your account. In our system, by explicitly creating a whitelist, you are also implicitly creating a blacklist as well, which is to say, every other address in the world. This help prevents inadvertent gaps in your security. For anyone who has ever used the Verisign Namestore or EPP API, whitelists are in fact the core of how Verisign controls access to their registries.
For added security, once a user has logged into Epik and started a session, all actions are logged in the background by the system. The intent of the security processes in the Epik system is to safeguard against unauthorized access to a registrant’s domain assets, but to do so without creating arbitrary inconveniences and roadblocks. For example, Epik still gives the authenticated user instant access to their EPP code for transferring and has never introduced arbitrary registrar locks on domains beyond what ICANN requires of accredited registrars such as Epik.
Epik will soon introduce additional layers of security. While any single layer could theoretically be circumvented, when deployed together, the chances of unauthorized access drops dramatically. In general, the more challenges the system can put in one’s way, the more secure the system. The trick is to make the system highly secure while not being so locked-down that legitimate users cannot navigate the system. .
Epik’s next step will be to soon introduce multi-factor security authentication, through the additional option of requiring a SMS-based session ID.
Later in the year, we will roll out a more finely-grained role-based security system that can be applied not just to a portfolio, but even to specific domains within a portfolio. As it is, users can delegate access rights for a domain to another user as well as lease domains. The new role-based security system allows the registrant to further define access rights, e.g. for use by a registrant’s employees, partners, brokers and contractors.
We invite you take advantage of these tools to better protect your domains from unauthorized access and we look forward to your feedback.