ISO/IEC 27001 Control 8.4: Access to source code

Control

Read and write access to source code, development tools and software libraries should be appropriately managed.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint can manage access control setting of source code management systems, CI/CD and testing platforms and other software development systems.

Implementation Details

Strong provisioning capabilities of midPoint, together with appropriate ConnId connectors, can be used to manage access control in numerous software development systems and platforms. MidPoint can control access of individual developers to specific source code repositories in source code management systems, pipelines in continuous integration and delivery (CI/CD) platforms, testing environments and all other systems related to software development. Access to the software development tooling can be controlled in an automated way, using policy-driven role-based access control (PD-RBAC), based on each personnel's role. Developers can gain access to individual repositories, pipelines and environments based on their membership in teams or projects, their access level (read/write) determined by their position or role in the project. Fine-grained access control for setting up access levels can be implemented using relation parameter, together with parametric inducements in archetypes corresponding to source code repositories. Access that is automatically granted using PD-RBAC mechanism is automatically adjusted or revoked when the membership, position or role of the developer changes. Access to source code repositories can be seamlessly integrated with project management, automatically creating source code repositories and granting permissions for project members, revoking permissions when members leave the project. Similarly, access to source code can be managed for suppliers, contractors and consultants, granting access as they join a project and revoking it when they leave. Automation provided by PD-RBAC mechanisms makes sure that the access will be reliably revoked, keeping risks manageable. Access request and approval processes can be used to manage exceptions to the rules, access certification process can be used to remove unnecessary access. When needed, special-purpose personas can be created for "testing identities", identities of quality assurance engineers that group testing accounts (as opposed to their ordinary user accounts). MidPoint audit trail records all changes in permissions, including source code access right changes.

Implementation Notes

  • Process known as "pull request", described as "authorization procedure" by the control, is implemented by source code management platforms. MidPoint does not take part in this process directly. However midPoint can control permissions to allow certain team members to review and merge pull requests, "authorizing" source code changes.

  • MidPoint can be especially helpful for controlling access to testing environments, especially of there are copies of production data. Testing environments are notorious for lax management of assess rights and poor cleanup of access permissions after test. MidPoint can manage access permissions of quality assurance staff and scan the systems for testing accounts that are not accounted for.

Rationale

MidPoint is necessary to manage access control to source code and other software development tools and platforms at scale. While access to a small set of source code repositories can be managed manually, manual management becomes infeasible as the organization grows. Large number of organizational units, team, activities and projects present various needs for source code management and permissions. Excessive access rights for source code repositories may remain unnoticed for years, yet they pose a serious security risk. Management of source code repository access has to be automated - especially revocation of access rights. This problem is especially emphasized in large software development companies or IT consultancies that conduct large number of projects, many of them are relatively short-lived. Frequent change of staff assignments, moving people between projects, engagement of suppliers/contractor/consultants and similar dynamic business behavior requires strong identity governance platform to operate in a secure manner.

Was this page helpful?
YES NO
Thanks for your feedback