
Proprietary software developed by a (smallish) company is stored in the company's GitHub private repository. For work, software engineers are requested to create a company-specific GitHub account bound to their work email address.

But access to the private repository can be granted or revoked independently from the "account origin". What can be the risks of developers using a personal GitHub account (i.e. one associated with an email which is not related to the company)?

Edit: I see one potential risk: if the account is used also for other things than work, its SSH key is likely to be saved also in places where these "other things" are done. This is a potential threat to work repositories; with a dedicated account, it's easier for the developer to keep the key(s) only in work-related (maybe controlled) environments.

Are there any other specific risks?

1 Answer


The general rule of thumb is to only allow business accounts access to business assets.

If an employee is let go, there are a lot of different access rights to remove. If I were an employee and had to register for access, I would need to let someone in charge know that my personal email fluffybunny@gmail.com was me, and was allowed access. Then when I was "decruited", someone would have to look up who I was on GitHub and remove that access by hand.

By using official business email, the relationship between the email and the person is set and reliable, and then revoking access is straightforward. It could even be automated.

The other aspect is that all the commits and notifications, which can contain sensitive info, are not going to a non-business account.

"But, but, I could have access to this stuff through my personal account if I did X, Y, Z!" Yes, but that's you violating policy/intent and that's on you. The business needs to set the tone by doing things like enforcing the separation of business and personal communications and access.

schroeder
  • AFAIK, to grant/revoke repository access to/from a GitHub user, the repository owner does not need the associated email; only the account handle is needed. I do not see how this is less straightforward than with an account bound to a corporate email. The specific question is "what are the risks (for the business) in the described case". – Konstantin Shemyak Jan 07 '20 at 09:52
  • The risks are info disclosure and lingering unauthorised access after access has been revoked. – schroeder Jan 07 '20 at 10:04
  • How does one get "unauthorised access after access has been revoked" in this case? – Konstantin Shemyak Jan 07 '20 at 10:06
  • Handles are editable. It is possible to edit the handle to look like another person's account and hide. – schroeder Jan 07 '20 at 10:26
  • None of the problems described by schroeder are insurmountable. However, having a consistent, "use business accounts to access business assets" policy makes everything much simpler to manage. This reduces risk due to human error. Larger companies often go a step further and use a single identification provider (e.g., SAML), making access management even easier. – Brian Jan 09 '20 at 20:23