Secure Access for GitHub


GitHub has become an essential tool for developers and organizations worldwide, providing a platform for collaboration, code sharing, and project management. Given its critical role, securing access to your GitHub repositories is paramount. This article explores various methods to enhance the security of your GitHub environment, emphasizing Single Sign-On (SSO), Multi-Factor Authentication (MFA), and other best practices to safeguard your code and data.

Introduction to GitHub Security

Securing your GitHub application involves implementing several layers of protection. These include managing user access, configuring network security, enabling logging and monitoring, and integrating with security tools. Let's delve into these strategies to enhance the security of your GitHub environment.

1. Managing User Access

a. Use Strong Password Policies

Implementing strong password policies is the first step in securing user accounts. Ensure all users follow best practices for password creation:

  • Use a mix of upper and lower case letters, numbers, and special characters.
  • Avoid common passwords and patterns.
  • Change passwords regularly and avoid reuse.

b. Enable Two-Factor Authentication (2FA)

Two-Factor Authentication adds an additional layer of security by requiring users to provide a second form of verification. GitHub supports 2FA through various methods such as SMS, authenticator apps, and hardware tokens.

c. Implement Role-Based Access Control (RBAC)

GitHub's RBAC allows you to assign roles to users based on their responsibilities. By limiting access to certain functionalities, you can minimize the risk of unauthorized actions:

  • Read: Can view the repository.
  • Write: Can push to the repository.
  • Admin: Can manage repository settings and user permissions.

2. Configuring SAML single sign-on for your enterprise

Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After SAML SSO is enabled for the enterprise account, it is enforced for all organizations owned by that account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing the enterprise account.

To access each organization's resources on GitHub Enterprise Cloud, the member must have an active SAML session in their browser. To access each organization's protected resources using the API and Git, the member must use a personal access token or SSH key that the member has authorized for use with the organization. Enterprise owners can view and revoke a member's linked identity, active sessions, or authorized credentials at any time.

For detailed configuration, please refer to this LINK

Prerequisites

  • A GitHub administrator account is required to configure and set up SAML Single Sign-On (SSO).
  • A GitHub Enterprise Gold plan is required. Other GitHub plans such as Developer or Team do not support SAML Single Sign-On (SSO).
  • Note - Do not enable SSO for all users before testing the configuration and obtaining the Single Sign-On (SSO) recovery codes from GitHub.

GitHub Enterprise Edition

GitHub Enterprise Edition offers enhanced security with advanced vulnerability scanning and compliance tools, including the exclusive option of single sign-on (SSO). It supports large-scale operations with robust infrastructure and customizable workflows. Enterprises benefit from dedicated support and guaranteed service-level agreements (SLAs). Collaboration is improved through advanced code review and project management tools, and flexible deployment options include cloud-hosted, self-hosted, and hybrid setups.


GitHub Single Sign-On (SSO)

GitHub SAML Single Sign-On (SSO) for GitHub Enterprise Cloud by InstaSafe provides secure single sign-on access to GitHub and to multiple on-premise and cloud applications using a single set of login credentials. With the InstaSafe IdP service you can log in to multiple applications via SSO using a single GitHub username and password. GitHub SSO can also be enabled when your users are held in a third-party identity provider: if you want them to log in to GitHub with their existing IdP credentials, you can allow them to SSO into GitHub in a secure manner.

With InstaSafe GitHub SSO, you can

  • Enable your users to automatically log in to GitHub
  • Have centralized and easy access control over users
  • Connect easily with any external identity source such as Azure AD or LDAP.

Supported SSO features

The InstaSafe GitHub SAML integration supports the following features:

  • SP Initiated SSO Login: Users access their GitHub account via a URL or bookmark. They are automatically redirected to the InstaSafe portal for login; once they have signed on, they are redirected back and logged into GitHub.
  • IdP Initiated SSO Login: Users log in to InstaSafe first, then click the GitHub icon on the applications dashboard to access GitHub.

A step-by-step guide for configuring GitHub SAML Single Sign-On (SSO) for your organization is given below.

Configure GitHub in InstaSafe:

  • Log in to the InstaSafe Admin Console.
  • Go to the IDP section under Identity Management.
  • In Choose IDP, select the application type SAML.
  • Enter the IDP Name as GitHub.
  • Enter the SP Entity ID or Issuer: https://github.com/enterprises/<custom_domain_name>
  • Enter the ACS URL: https://github.com/enterprises/<custom_domain_name>/saml/consume
  • Enter the IDP Entity ID.
  • Click Next to proceed.
  • In the Attribute Mapping tab, configure the required attributes as shown in the image below.

Application setup in the InstaSafe console

  • In the InstaSafe Admin Console, go to Applications under Perimeter Management.
  • Create the GitHub application and add a logo if needed.

Set up the access policy for application access

  • Under Access Policy, create a policy for GitHub access.
  • Enter the policy name.
  • Choose the expiry date as required.
  • Click Next.
  • Click Add and add the user or user group that should have access to the GitHub application.
  • Add the GitHub application.
  • Save the access policy.


Configure SSO in GitHub Enterprise

  • In the top right corner of GitHub, click your profile photo, then click Your enterprises.
  • In the enterprise account sidebar, click Settings >> Authentication security.
  • Under SAML single sign-on, select the Require SAML authentication checkbox.
  • Enter the required details:

Sign on URL

Enter the SAML login URL to which single sign-on requests are sent.

Issuer

Enter the IdP Entity ID or Issuer. GitHub uses this value to verify that SAML messages come from the expected IdP.

Public certificate

Paste the X.509 certificate used to verify the signatures on SAML responses.

  • Under Public certificate, to the right of the current signature and digest methods, click Edit.
  • Open the Signature Method and Digest Method dropdowns and select the hashing algorithm used by your SAML issuer.
  • Before saving SAML SSO for your enterprise, click Test SAML configuration to confirm that the information you entered is correct.
  • Click Save SAML settings.
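The values entered above are not independent: the SP Entity ID configured on the InstaSafe side must appear as the Audience of the assertion GitHub receives, the ACS URL must match the Destination of the response, the IdP Entity ID must match the Issuer GitHub was given, and the signature and digest methods chosen in GitHub must match what the IdP actually signs with. The script below is an added example, not InstaSafe's or GitHub's own code, that checks those relationships on a constructed SAML response; the enterprise slug "example-enterprise" stands in for <custom_domain_name>, the IdP entity ID is assumed, and the sample response is signed with SHA-1 so that the algorithm check has something to flag. It does not verify the XML signature cryptographically; that step needs an XMLDSig library.

```python
"""Field-level checks on a SAML response against the SP Entity ID, ACS URL,
IdP Entity ID and signature/digest methods configured during SSO setup.
Added example; the IdP entity ID and enterprise slug are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SHA-2 algorithm URIs; anything else (notably the SHA-1 URIs) is reported as weak.
STRONG_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
STRONG_DIGEST_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}

# Values as they would be entered in the InstaSafe IdP form and GitHub's SAML
# settings. "example-enterprise" replaces <custom_domain_name>; the IdP entity
# ID is an assumption for this example.
EXPECTED = {
    "sp_entity_id": "https://github.com/enterprises/example-enterprise",
    "acs_url": "https://github.com/enterprises/example-enterprise/saml/consume",
    "idp_entity_id": "https://idp.example.com/saml/metadata",
}


def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, expected=EXPECTED, now=None):
    """Return a list of findings; an empty list means every checked field matched.
    The XML signature itself is NOT verified here (use an XMLDSig library)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []

    # Destination must be the ACS URL registered with the IdP.
    destination = root.get("Destination")
    if destination != expected["acs_url"]:
        findings.append(f"Destination mismatch: {destination!r}")

    # Issuer must be the IdP Entity ID entered in GitHub.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        findings.append(f"Issuer mismatch: {issuer!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion element in response")
        return findings

    # Audience must contain the SP Entity ID given to the IdP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        findings.append(f"Audience mismatch: {audiences!r}")

    # Assertions carry a validity window; a missing or passed NotOnOrAfter is rejected.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        findings.append("assertion has no NotOnOrAfter condition")
    elif parse_saml_time(conditions.get("NotOnOrAfter")) <= now:
        findings.append("assertion expired")

    # Signature and digest algorithms must be the ones selected in GitHub's settings.
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        findings.append("assertion is unsigned")
        return findings
    sig_method = signature.find("ds:SignedInfo/ds:SignatureMethod", NS)
    digest_method = signature.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    sig_alg = sig_method.get("Algorithm") if sig_method is not None else None
    digest_alg = digest_method.get("Algorithm") if digest_method is not None else None
    if sig_alg not in STRONG_SIGNATURE_METHODS:
        findings.append(f"weak SignatureMethod: {sig_alg}")
    if digest_alg not in STRONG_DIGEST_METHODS:
        findings.append(f"weak DigestMethod: {digest_alg}")
    return findings


# Constructed sample response: correct Destination/Issuer/Audience, SHA-1 signed.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://github.com/enterprises/example-enterprise/saml/consume">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://github.com/enterprises/example-enterprise</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Fixed "now" inside the sample assertion's validity window.
SAMPLE_NOW = parse_saml_time("2024-01-01T00:02:00Z")

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, now=SAMPLE_NOW):
        print("finding:", finding)
```

Run against the sample, the only findings are the two SHA-1 algorithms, which is exactly the case where the Signature Method and Digest Method dropdowns in GitHub need to agree with the IdP and should both be moved to a SHA-2 option. Pointing the same check at a response whose Destination is another enterprise's ACS URL, or whose NotOnOrAfter has passed, adds the corresponding finding.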

3. Enabling Logging and Monitoring

a. Enable Auditing

Audit logs are crucial for tracking and investigating security incidents. GitHub provides an audit log that records important events such as login attempts, changes to user permissions, and modifications to critical settings.

b. Monitor User Activity

Monitoring user activity helps identify unusual or unauthorized actions. Implement monitoring tools that provide insight into user behavior and alert you to potential security threats.
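The two subsections above, enabling the audit log and monitoring it, come together when someone actually reads the export. The script below is an added example (not a GitHub or InstaSafe tool) that triages a constructed audit log export: it flags the event types the article calls out (permission changes, changes to critical settings) and raises a separate alert when one actor performs several of them in a short window. Action names follow GitHub's category.operation naming and the field layout (@timestamp in epoch milliseconds, action, actor, org/repo) is an assumption modelled on the JSON export; confirm both against the audit log documentation for your plan before relying on them.

```python
"""Triage of a GitHub audit log export for sensitive actions and bursts of them.
Added example; the export layout and action names are assumptions to confirm
against GitHub's audit log documentation."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Events worth an alert on their own, with the reason shown to the analyst.
HIGH_RISK_ACTIONS = {
    "org.disable_two_factor_requirement": "2FA requirement disabled",
    "org.remove_member": "member removed from organization",
    "org.update_member": "member role changed",
    "repo.access": "repository visibility changed",
    "repo.destroy": "repository deleted",
    "protected_branch.destroy": "branch protection removed",
}

# Constructed sample export in newline-delimited JSON (one event per line).
SAMPLE_EXPORT = """\
{"@timestamp": 1704067200000, "action": "repo.create", "actor": "alice", "org": "example-org", "repo": "example-org/web"}
{"@timestamp": 1704067210000, "action": "org.add_member", "actor": "alice", "org": "example-org", "user": "dave"}
{"@timestamp": 1704067260000, "action": "org.disable_two_factor_requirement", "actor": "bob", "org": "example-org"}
{"@timestamp": 1704067290000, "action": "repo.access", "actor": "bob", "org": "example-org", "repo": "example-org/web", "visibility": "public"}
{"@timestamp": 1704067320000, "action": "protected_branch.destroy", "actor": "bob", "org": "example-org", "repo": "example-org/web"}
{"@timestamp": 1704070800000, "action": "repo.destroy", "actor": "carol", "org": "example-org", "repo": "example-org/old-service"}
"""


def load_events(text):
    """Accept either a JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, burst_window_s=300, burst_threshold=3):
    """Return alerts: one 'high' per sensitive event, plus one 'critical' per actor
    who performs burst_threshold sensitive actions within burst_window_s seconds."""
    alerts = []
    sensitive_by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        action = ev.get("action")
        if action not in HIGH_RISK_ACTIONS:
            continue
        when = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        alerts.append({
            "severity": "high",
            "actor": ev.get("actor"),
            "action": action,
            "target": ev.get("repo") or ev.get("org"),
            "reason": HIGH_RISK_ACTIONS[action],
            "time": when.isoformat(),
        })
        sensitive_by_actor[ev.get("actor")].append(ev["@timestamp"])

    # Burst rule over the sorted timestamps of each actor's sensitive events.
    for actor, stamps in sensitive_by_actor.items():
        for i in range(len(stamps) - burst_threshold + 1):
            if stamps[i + burst_threshold - 1] - stamps[i] <= burst_window_s * 1000:
                first = datetime.fromtimestamp(stamps[i] / 1000, tz=timezone.utc)
                alerts.append({
                    "severity": "critical",
                    "actor": actor,
                    "action": "burst",
                    "target": None,
                    "reason": f"{burst_threshold} sensitive actions within {burst_window_s}s",
                    "time": first.isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in triage(load_events(SAMPLE_EXPORT)):
        print(alert["severity"], alert["time"], alert["actor"], alert["action"], "-", alert["reason"])
```

On the sample, alice's repository creation and member addition pass silently, carol's single deletion gets one high alert, and bob's three changes within a minute get three high alerts plus one critical burst alert. The burst rule is the part to tune: a platform team doing a planned migration will trip it, so the window and threshold should reflect how often legitimate administrators make such changes.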

4. Integrating with InstaSafe for Enhanced Security

a. Single Sign-On (SSO)

InstaSafe Secure Access enables seamless and one-click access to GitHub applications using Single Sign-On. With SSO, users authenticate once and gain access to multiple applications without needing to sign in repeatedly. This not only enhances user convenience but also improves security by reducing the risk of password fatigue.

b. Multi-Factor Authentication (MFA)

MFA provides an additional layer of security by requiring users to verify their identity through multiple methods such as OTP, TOTP, push notifications, biometric verification, or hardware tokens. This reduces the risk of unauthorized access due to compromised passwords.

c. Device Authentication

InstaSafe ensures that only authorized and compliant devices can access your GitHub instance. By enforcing device authentication, you significantly reduce the chances of data breaches and ensure that only the right users with the right devices are accessing your application.

Benefits of InstaSafe Secure Access for GitHub

1. Granular Access Controls

InstaSafe allows you to provision users or user groups based on their roles, determining who can access specific applications. This granular control enhances security by ensuring that only authorized personnel can access sensitive information.

2. Complete Visibility

Gain complete visibility of user activity with InstaSafe’s detailed insights. This visibility helps in monitoring user behavior, detecting anomalies, and improving overall security posture.

3. Enhanced Security with Seamless User Experience

By integrating MFA and SSO, InstaSafe provides an enhanced security layer while maintaining a seamless user experience. Users enjoy easy access without compromising on security.

4. Easy to Deploy

InstaSafe Secure Access can be set up in minutes, making it easy to get started. The straightforward deployment process ensures that your GitHub instance is quickly secured without extensive configuration.

Conclusion

Securing your GitHub application is crucial to protecting your code and sensitive information. By implementing strong user access controls, network security measures, and leveraging InstaSafe’s Secure Access solution with SSO and MFA, you can ensure that your GitHub instance remains secure, user-friendly, and protected from potential threats.