December 15, 2015

Stay Secure for Success with Git in the Enterprise


Introduction

Throughout this series of posts, we are examining some of the challenges faced when adopting Git in the enterprise space, and presenting tips and best practices for successfully managing the task. Today we’ll explore authentication, authorization and keeping your intellectual property secure.

Security

Raw Git has a limited approach to security, providing solid authentication while ignoring authorization altogether. That is, it cares about who you are but leaves what you do to the file system. This approach is great if all you want to do is ensure each commit author is who he or she claims to be because identity is verified through the use of public-key cryptography signatures.
 
But what if you want to restrict access to a particular repository? A particular branch? How about a single file full of proprietary secrets? Git offers nothing to deal with these needs, which is a key reason so many Git management solutions exist. But not all Git management solutions are created equal when it comes to security.
 
Git management solutions for the enterprise typically make it easy to create users and groups and to restrict project (read: repo) access using those tools. In addition, there are typically a small set of roles that have varying permissions that you can assign. Some (e.g., GitLab) extend the notion of permissions to branches as well, making it possible to restrict access to some users but not others.
 
If your needs extend beyond that (e.g., finely grained permissions at the folder/file level), a solution is much harder to find. The best solutions will offer various levels of monitoring and track patterns of use.

Consider also your needs for audit trails and logging. In a secure or regulated environment, you may be required to keep immutable logs of who changed what, when, and why. Standard Git allows a lot of flexibility when it comes to rewriting history or even hiding changes completely. If audit trails are important, look for a version management tool that provides reliable, secure logging.
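To make the branch, folder and audit-trail requirements above concrete, here is an added example (not code from this post or from GitSwarm) of the kind of server-side check a management solution performs: a pre-receive hook that limits release branches to a named group, limits a secrets/ folder to another group, and rejects history rewrites on release branches so their log stays append-only. The group lists, the `secrets/` and `refs/heads/release/` names, and the `$GIT_PUSHER` variable supplied by the hosting layer are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the post or from GitSwarm): a pre-receive hook
# enforcing rules the post says raw Git lacks: only RELEASE_MANAGERS may update
# refs/heads/release/*, only CRYPTO_TEAM may touch secrets/, and history rewrites
# (non-fast-forward pushes) to release branches are rejected, so their audit
# trail stays append-only. Assumed: the hosting layer exports $GIT_PUSHER.
RELEASE_MANAGERS="alice bob"
CRYPTO_TEAM="carol"
PROTECTED_PREFIX="refs/heads/release/"
RESTRICTED_PATH="secrets/"
ZERO=0000000000000000000000000000000000000000
# in_group <user> "<space-separated members>"
in_group() {
  for m in $2; do [ "$m" = "$1" ] && return 0; done
  return 1
}
# policy_check <user> <refname> <fast-forward: yes|no> "<changed paths>"
# Pure decision function (needs no repository): prints the reason and returns 1 to reject.
policy_check() {
  user=$1 ref=$2 ff=$3 paths=$4
  case "$ref" in
    "$PROTECTED_PREFIX"*)
      in_group "$user" "$RELEASE_MANAGERS" || { echo "deny: $user may not update $ref"; return 1; }
      [ "$ff" = yes ] || { echo "deny: history rewrite on protected branch $ref"; return 1; }
      ;;
  esac
  for p in $paths; do
    case "$p" in
      "$RESTRICTED_PATH"*)
        in_group "$user" "$CRYPTO_TEAM" || { echo "deny: $user may not modify $p"; return 1; }
        ;;
    esac
  done
  return 0
}
# Hook entry point: git feeds "<old-sha> <new-sha> <refname>" lines on stdin.
run_hook() {
  while read -r old new ref; do
    ff=no; changed=""                     # a deletion keeps ff=no, i.e. counts as a rewrite
    if [ "$old" = "$ZERO" ]; then         # new branch: inspect only commits new to the repo
      ff=yes; changed=$(git rev-list "$new" --not --all | git diff-tree --stdin -r --name-only --no-commit-id)
    elif [ "$new" != "$ZERO" ]; then
      git merge-base --is-ancestor "$old" "$new" && ff=yes
      changed=$(git diff --name-only "$old" "$new")
    fi
    policy_check "${GIT_PUSHER:-unknown}" "$ref" "$ff" "$changed" || exit 1
  done
}
case "$0" in */pre-receive|pre-receive) run_hook ;; esac   # act as a hook only under that name
```

Installed as `hooks/pre-receive` on the server, the file runs `run_hook`; sourced under any other name it only defines the functions, so `policy_check` can be exercised without a repository.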

Security Best Practices

  • Be sure the branching structure you choose not only matches your workflow but also carves up your content according to security needs.
  • Select a Git management solution that supplies access control to the maximum necessary granularity for your security needs.
  • When branches aren’t enough, organize your content ahead of time so that critical files are together to simplify restricted access.
  • Choose a Git management solution with active and timely monitoring of user actions to flag and report questionable behavior before you lose IP.

Keep Reading

The previous posts in this series are GitSwarm: Your Questions Answered, Narrow Cloning with GitSwarm, GitSwarm + Helix: Unity through Diversity, and Reliability for Git in the Enterprise. In our next installment, we’ll tackle the issue of repository management and avoiding Git sprawl. For the complete series of Git in the Enterprise tips and best practices, download our free eBook.