What is best practice to secure code bases by IP / Instance on AWS but enable remote development like Nuclide?

Question

Hi I am setting up a new development environment for my employees.

How can i restrict access to the Github repos / codebase to particular AWS EC2 Instances, which my employees will use as remote development environment instead of developing on their local machines.

Like Nuclide in Facebook, you remote SSH on to your virtual machine and work locally, but with Github you can export code via gitub.com or simply clone to another PC? I need some sort of restrictions.

I am prepared to change to a private git provider but unsure which supports these features.

Many Thanks in advance

Answer 1

Github Enterprise provides IP restrictions by SSH keys

Whenever you add an SSH key to GitHub Enterprise via the Management Console, you can also specify which IP addresses to allow or deny connections from.

I would allocate a set of elastic IP#s for the number of the instances (developers) you are needing, then allow access only from that set of IPs for each of the developer keys. For example if you have 4 developers, allocate 4 EIPs e.g 52.44.1.1,52.44.1.2,52.44.1.3,52.44.1.4. Then in the Github management console, the from would look like this:

from="52.44.1.1,52.44.1.2,52.44.1.3,52.44.1.4" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYk7k1RM49DPq8UrWhO8bIgheqAZfjqXczCjRSHshq2/qt8tWBHeiLpgAUVYFoY5Hv3+JXvMkuFE4h7HZYUWp+xXVg63L0wosrq+cVo1od2ddwiyYsnUypguSqjNxRPQ4PGQoWCTGfTLLPh2Su1nHmAf/Z0fdZo3ojunLb42ErbvJ2cIWbM/PMzdEDpUMZyLrG1JL4tGVnSRweWoaFgK6EkfE+gkyytKPuOIZREVNrO4+awTXpLDqdC0h/FFmkQCrwEFqdsm6JPARfJKVnHm7RgedLN1cpFi9Jo7ZFu5dJPTbYBKnpwsmTQkJSahNVGGDO4fQUBdC9tcKUW0gvNkRR== GitHub Enterprise Admin User

In this way a given instance can by spun up with a known IP# and the developers key would work for any given instance.

Answer 2

If you are under compliance restrictions, you should consult your legal team, development team, and auditors on suitable implementation methods. It will be difficult to completely prevent data exfiltration by developers that have access to your source code and, while a very good question, is not suited for stack overflow.

Ultimately this is about two distinct issues:

1. controlling what developers can do with the source code and
2. hosting a secure Git server.

Note there are a range of options from detecting to preventing actions.

Developer Restrictions

TLDR A user with access to a machine with Git source code will most likely have access to SSH keys or passwords that allow them to connect with GitHub and move data between a local computer and remote environment. A good read on preventing data exfiltration

• Do you have internal policies surrounding each developer's responsibilities to encrypt laptops, use approved software/tools, and proper handling of data.
• Can you identify and restrict network protocols in the development environment (VM) to prevent copying files
• Can you use automated processes to move code between machines (ChatOps)
• Can you use continuous deployment (CI/CD) to automatically configure environments used for testing to limit the number of developers that need access to source code?
• Are you prepared to customize the development environment to restrict the commands and configure monitoring tools to identify undesired behaviors.
• Considered creating an air gapped network environment along with physical security controls. This prevents any data from leaving your network at the cost of preventing access to the internet.

Github Repos Controls

• Use GPG signing to verify who is committing code.
• Use SAML on github.com or SAML, LDAP, CAS if running GitHub Enterprise to onboard/offboard users.
• Is Github.com sufficient for protecting your source code. If not, you can install Github Enterprise (or similar Git solution) on
  • your local network that requires VPN
  • a private AWS network as you describe.
• Use audit logs and log forwarding with GitHub Enteprise to detect the behavior rather than prevent it.

Security and Legal

• Are there other compensating controls that are less restrictive that satisfy your company regulations?
• Are the company regulations put in place internally (through security) or externally via compliance? Are they flexible?
• Can you modify the company regulations or limit which developers/projects are subject to these restrictions?

Please consult with your internal legal/security teams on defining the process and restrictions. You can also reach out to Git providers that can offer best practices on compliance and SDLC in general.