GitHub/GHE Project

From MozillaWiki
Jump to: navigation, search

IT GitHub Project Overview

Purpose

IT will be managing and supporting GitHub (GH) Organizations (Orgs) in order to better provide consistent support, security posture, and grow the capabilities.  (e.g. SAML)

This is primarily accomplished via an IT team (ghe-admins@mozilla.com) having ownership rites in the org. 

IT Involvement in KTLO (Keeping The Lights On)

IT admins will be involved in the following, plus other things, as needed:

  • Membership maintenance (on-boarding and off-boarding.)
  • Private repository creation/recording
    • Private repositories are a cost concern, a privacy/security concern, and due to their being hidden, often go orphaned, so we record them so SOMEONE knows about them.
  • Interfacing with GitHub support if needed
  • Working with Incident Response and CPG around issues that concern them

Managing Org Ownership permissions

One of the known security changes we're working to implement is to limit the number of people with org owner permissions wherever possible.  As part of induction, we'll be reaching out to the people with owner permissions and asking if they need this (at all, and in light of the duties that IT is now taking on)

  • There are auth0, and duo and GHE costs related to keeping them, and various bits of upkeep - so we would like to remove them where feasible. 
  • Any remaining org owners will be required to have a "root" account, separate from their "daily driver" or "mortal" account.

Ways to Reach IT

Unifying Secops Posture

Secops has been involved in the day to day maintenance in several orgs, but with IT admins taking that over they are able to focus on policy and procedure and trying to make sure that while there may be several policies to follow, they're documented and standardized (or as similar as is reasonable) and documented in some form.

GHE/SAML

One of the goals of this is to make on-boarding/off-boarding more consistent.  In that vein, we're migrating organizations to GitHub Enterprise (GHE) and working to enable SAML linkages to help us identify and communicate with them

More information on the specific GHE/SAML process, and questions around it can be found here.