Repository Code Security (Plan Text)

Repository Code Security (Plan Text)

[BGaudreault Brian]

Hello,

If someone downloads code to their notebook PC and leaves the company, what protection do we have against them not being able to access the local code copy anymore?

Thanks,
Brian

Re: Repository Code Security (Plan Text)

[Konstantin Khomoutov]

On Wed, 24 Jun 2015 18:18:00 +0000
BGaudreault Brian <BGaudreault@edrnet.com> wrote:

> If someone downloads code to their notebook PC and leaves the
> company, what protection do we have against them not being able to
> access the local code copy anymore?

What do you mean by "local code"?
That one which is on the notebook?
Then you can do literally nothing except for not allowing cloning your
Git repositories onto random computers in the first place.

If you instead mean the copy of code available in the repositories
hosted in your enterprise then all you need to do is to somehow
terminate the access of that employee who's left to those repositories.
(This assumes they're accessible from the outside; if they aren't, the
problem simply do not exist.)

RE: Repository Code Security (Plan Text)

[BGaudreault Brian]

Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?

How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?

Thanks,
Brian

-----Original Message-----
From: Konstantin Khomoutov [mailto:kostix+git@007spb.ru] 
Sent: Wednesday, June 24, 2015 2:31 PM
To: BGaudreault Brian
Cc: git@vger.kernel.org
Subject: Re: Repository Code Security (Plan Text)

On Wed, 24 Jun 2015 18:18:00 +0000
BGaudreault Brian <BGaudreault@edrnet.com> wrote:

> If someone downloads code to their notebook PC and leaves the company, 
> what protection do we have against them not being able to access the 
> local code copy anymore?

What do you mean by "local code"?
That one which is on the notebook?
Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.

If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
(This assumes they're accessible from the outside; if they aren't, the problem simply do not exist.)

RE: Repository Code Security (Plan Text)

[David Lang]

On Wed, 24 Jun 2015, BGaudreault Brian wrote:

> Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?
>
> How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?

policy, you say that it's against policy for someone to put company info on a 
personal machine.

You probably run your own repository that's only available within your network 
(or over your VPN) rather than using a cloud service like github (you may want 
to check with github to see if they can lock down a private repo to only be 
accessed from specific IP addresses)

you will also need to make sure that people don't plug personal laptops into 
your corporate network, and that they don't use personal phones to access 
company e-mail.

The bottom line is that it's no different from preventing them from having 
access to any other sensitive data in your company. What measures do you have in 
place to keep them from taking sensitive Word Docs or spreadsheets when they 
leave? do the same thing to deal with their access to code.

David Lang

> Thanks,
> Brian
>
> -----Original Message-----
>
> On Wed, 24 Jun 2015 18:18:00 +0000
> BGaudreault Brian <BGaudreault@edrnet.com> wrote:
>
>> If someone downloads code to their notebook PC and leaves the company,
>> what protection do we have against them not being able to access the
>> local code copy anymore?
>
> What do you mean by "local code"?
> That one which is on the notebook?
> Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.
>
> If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
> (This assumes they're accessible from the outside; if they aren't, the problem simply do not exist.)
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Repository Code Security (Plan Text)

[David Turner]

What most companies do is this: they issue their employees computers,
and then when the employee leaves, they take the computers away.  Of
course, someone could have copied the code before leaving the company.
The typical remedy for this is a contract saying "don't do that".  But I
guess some companies just go straight to the FBI see e.g.:
https://en.wikipedia.org/wiki/Sergey_Aleynikov

There is no technological solution that will prevent someone from
accessing something that lives on their own computer (just ask the movie
and music industries, which tried to find one for about twenty years).  

On Wed, 2015-06-24 at 18:59 +0000, BGaudreault Brian wrote:
> Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?
> 
> How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?
> 
> Thanks,
> Brian
> 
> -----Original Message-----
> From: Konstantin Khomoutov [mailto:kostix+git@007spb.ru] 
> Sent: Wednesday, June 24, 2015 2:31 PM
> To: BGaudreault Brian
> Cc: git@vger.kernel.org
> Subject: Re: Repository Code Security (Plan Text)
> 
> On Wed, 24 Jun 2015 18:18:00 +0000
> BGaudreault Brian <BGaudreault@edrnet.com> wrote:
> 
> > If someone downloads code to their notebook PC and leaves the company, 
> > what protection do we have against them not being able to access the 
> > local code copy anymore?
> 
> What do you mean by "local code"?
> That one which is on the notebook?
> Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.
> 
> If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
> (This assumes they're accessible from the outside; if they aren't, the problem simply do not exist.)
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: Repository Code Security (Plan Text)

[BGaudreault Brian]

Hi David Lang,

I'm sorry, but I'm confused by your first two responses.  Am I not contacting Git when I e-mail this e-mail address?  You sound like you don't know exactly how GitHub works.  Should I be contacting someone else for GitHub support?

Thanks,
Brian

-----Original Message-----
From: David Lang [mailto:david@lang.hm] 
Sent: Wednesday, June 24, 2015 3:20 PM
To: BGaudreault Brian
Cc: Konstantin Khomoutov; git@vger.kernel.org
Subject: RE: Repository Code Security (Plan Text)

On Wed, 24 Jun 2015, BGaudreault Brian wrote:

> Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?
>
> How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?

policy, you say that it's against policy for someone to put company info on a personal machine.

You probably run your own repository that's only available within your network (or over your VPN) rather than using a cloud service like github (you may want to check with github to see if they can lock down a private repo to only be accessed from specific IP addresses)

you will also need to make sure that people don't plug personal laptops into your corporate network, and that they don't use personal phones to access company e-mail.

The bottom line is that it's no different from preventing them from having access to any other sensitive data in your company. What measures do you have in place to keep them from taking sensitive Word Docs or spreadsheets when they leave? do the same thing to deal with their access to code.

David Lang

> Thanks,
> Brian
>
> -----Original Message-----
>
> On Wed, 24 Jun 2015 18:18:00 +0000
> BGaudreault Brian <BGaudreault@edrnet.com> wrote:
>
>> If someone downloads code to their notebook PC and leaves the 
>> company, what protection do we have against them not being able to 
>> access the local code copy anymore?
>
> What do you mean by "local code"?
> That one which is on the notebook?
> Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.
>
> If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
> (This assumes they're accessible from the outside; if they aren't, the 
> problem simply do not exist.)
> --
> To unsubscribe from this list: send the line "unsubscribe git" in the 
> body of a message to majordomo@vger.kernel.org More majordomo info at  
> http://vger.kernel.org/majordomo-info.html
>

Re: Repository Code Security (Plan Text)

[David Turner]

Git is not GitHub (any more than a cat is a cathouse).  Git is a piece
of software; GitHub is a hosting service for Git.  Contact GitHub for
GitHub support.


On Wed, 2015-06-24 at 19:53 +0000, BGaudreault Brian wrote:
> Hi David Lang,
> 
> I'm sorry, but I'm confused by your first two responses.  Am I not contacting Git when I e-mail this e-mail address?  You sound like you don't know exactly how GitHub works.  Should I be contacting someone else for GitHub support?
> 
> Thanks,
> Brian
> 
> -----Original Message-----
> From: David Lang [mailto:david@lang.hm] 
> Sent: Wednesday, June 24, 2015 3:20 PM
> To: BGaudreault Brian
> Cc: Konstantin Khomoutov; git@vger.kernel.org
> Subject: RE: Repository Code Security (Plan Text)
> 
> On Wed, 24 Jun 2015, BGaudreault Brian wrote:
> 
> > Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?
> >
> > How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?
> 
> policy, you say that it's against policy for someone to put company info on a personal machine.
> 
> You probably run your own repository that's only available within your network (or over your VPN) rather than using a cloud service like github (you may want to check with github to see if they can lock down a private repo to only be accessed from specific IP addresses)
> 
> you will also need to make sure that people don't plug personal laptops into your corporate network, and that they don't use personal phones to access company e-mail.
> 
> The bottom line is that it's no different from preventing them from having access to any other sensitive data in your company. What measures do you have in place to keep them from taking sensitive Word Docs or spreadsheets when they leave? do the same thing to deal with their access to code.
> 
> David Lang
> 
> > Thanks,
> > Brian
> >
> > -----Original Message-----
> >
> > On Wed, 24 Jun 2015 18:18:00 +0000
> > BGaudreault Brian <BGaudreault@edrnet.com> wrote:
> >
> >> If someone downloads code to their notebook PC and leaves the 
> >> company, what protection do we have against them not being able to 
> >> access the local code copy anymore?
> >
> > What do you mean by "local code"?
> > That one which is on the notebook?
> > Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.
> >
> > If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
> > (This assumes they're accessible from the outside; if they aren't, the 
> > problem simply do not exist.)
> > --
> > To unsubscribe from this list: send the line "unsubscribe git" in the 
> > body of a message to majordomo@vger.kernel.org More majordomo info at  
> > http://vger.kernel.org/majordomo-info.html
> >

RE: Repository Code Security (Plan Text)

[David Lang]

On Wed, 24 Jun 2015, BGaudreault Brian wrote:

> Hi David Lang,
>
> I'm sorry, but I'm confused by your first two responses.  Am I not contacting 
> Git when I e-mail this e-mail address?  You sound like you don't know exactly 
> how GitHub works.  Should I be contacting someone else for GitHub support?

git is the opensource distributed version control software that github uses as 
part of their offering. This is the mailing list used by the developers of git. 
Very few of the developers here work for github.

For github support, you will need to contact the company github.

David Lang

> Thanks,
> Brian
>
> -----Original Message-----
> From: David Lang [mailto:david@lang.hm]
> Sent: Wednesday, June 24, 2015 3:20 PM
> To: BGaudreault Brian
> Cc: Konstantin Khomoutov; git@vger.kernel.org
> Subject: RE: Repository Code Security (Plan Text)
>
> On Wed, 24 Jun 2015, BGaudreault Brian wrote:
>
>> Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?
>>
>> How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?
>
> policy, you say that it's against policy for someone to put company info on a personal machine.
>
> You probably run your own repository that's only available within your network (or over your VPN) rather than using a cloud service like github (you may want to check with github to see if they can lock down a private repo to only be accessed from specific IP addresses)
>
> you will also need to make sure that people don't plug personal laptops into your corporate network, and that they don't use personal phones to access company e-mail.
>
> The bottom line is that it's no different from preventing them from having access to any other sensitive data in your company. What measures do you have in place to keep them from taking sensitive Word Docs or spreadsheets when they leave? do the same thing to deal with their access to code.
>
> David Lang
>
>> Thanks,
>> Brian
>>
>> -----Original Message-----
>>
>> On Wed, 24 Jun 2015 18:18:00 +0000
>> BGaudreault Brian <BGaudreault@edrnet.com> wrote:
>>
>>> If someone downloads code to their notebook PC and leaves the
>>> company, what protection do we have against them not being able to
>>> access the local code copy anymore?
>>
>> What do you mean by "local code"?
>> That one which is on the notebook?
>> Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.
>>
>> If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
>> (This assumes they're accessible from the outside; if they aren't, the
>> problem simply do not exist.)
>> --
>> To unsubscribe from this list: send the line "unsubscribe git" in the
>> body of a message to majordomo@vger.kernel.org More majordomo info at
>> http://vger.kernel.org/majordomo-info.html
>>
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

RE: Repository Code Security (Plan Text)

[BGaudreault Brian]

Ok, thanks.  I didn't realize there was a difference!  I thought Git SCM ran GitHub.  I haven't yet read this clear distinction.  Of course I wasn't the one who chose GitHub in the first place.

-----Original Message-----
From: David Turner [mailto:dturner@twopensource.com] 
Sent: Wednesday, June 24, 2015 4:00 PM
To: BGaudreault Brian
Cc: David Lang; Konstantin Khomoutov; git@vger.kernel.org
Subject: Re: Repository Code Security (Plan Text)

Git is not GitHub (any more than a cat is a cathouse).  Git is a piece of software; GitHub is a hosting service for Git.  Contact GitHub for GitHub support.


On Wed, 2015-06-24 at 19:53 +0000, BGaudreault Brian wrote:
> Hi David Lang,
> 
> I'm sorry, but I'm confused by your first two responses.  Am I not contacting Git when I e-mail this e-mail address?  You sound like you don't know exactly how GitHub works.  Should I be contacting someone else for GitHub support?
> 
> Thanks,
> Brian
> 
> -----Original Message-----
> From: David Lang [mailto:david@lang.hm]
> Sent: Wednesday, June 24, 2015 3:20 PM
> To: BGaudreault Brian
> Cc: Konstantin Khomoutov; git@vger.kernel.org
> Subject: RE: Repository Code Security (Plan Text)
> 
> On Wed, 24 Jun 2015, BGaudreault Brian wrote:
> 
> > Thanks.  Yes, I meant that "local code" is code pulled down to a person's PC, so we don't want them to leave the company with access to this code.  So we can only prevent this scenario by running GitLab in our environment instead of running GitHub in the cloud?  Would removing a GitHub account from the GitHub repository prevent them from accessing the code on their PC?
> >
> > How do you prevent private GitHub repositories from being pulled down to unauthorized PCs?
> 
> policy, you say that it's against policy for someone to put company info on a personal machine.
> 
> You probably run your own repository that's only available within your 
> network (or over your VPN) rather than using a cloud service like 
> github (you may want to check with github to see if they can lock down 
> a private repo to only be accessed from specific IP addresses)
> 
> you will also need to make sure that people don't plug personal laptops into your corporate network, and that they don't use personal phones to access company e-mail.
> 
> The bottom line is that it's no different from preventing them from having access to any other sensitive data in your company. What measures do you have in place to keep them from taking sensitive Word Docs or spreadsheets when they leave? do the same thing to deal with their access to code.
> 
> David Lang
> 
> > Thanks,
> > Brian
> >
> > -----Original Message-----
> >
> > On Wed, 24 Jun 2015 18:18:00 +0000
> > BGaudreault Brian <BGaudreault@edrnet.com> wrote:
> >
> >> If someone downloads code to their notebook PC and leaves the 
> >> company, what protection do we have against them not being able to 
> >> access the local code copy anymore?
> >
> > What do you mean by "local code"?
> > That one which is on the notebook?
> > Then you can do literally nothing except for not allowing cloning your Git repositories onto random computers in the first place.
> >
> > If you instead mean the copy of code available in the repositories hosted in your enterprise then all you need to do is to somehow terminate the access of that employee who's left to those repositories.
> > (This assumes they're accessible from the outside; if they aren't, 
> > the problem simply do not exist.)
> > --
> > To unsubscribe from this list: send the line "unsubscribe git" in 
> > the body of a message to majordomo@vger.kernel.org More majordomo 
> > info at http://vger.kernel.org/majordomo-info.html
> >