* Multi Factor Authentication for GIT software
From: ELFORD, Richard (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT) @ 2024-06-18 12:19 UTC (permalink / raw)
To: git@vger.kernel.org
Dear Git
I am writing to enquire about multi factor authentication on cloud hosted software. As part of our ongoing efforts to enhance cybersecurity and protect sensitive data, we are seeking information related to the NHS England Multi-Factor Authentication (MFA) Policy with regards to software products which we have from your company.
Could you please provide us with the following information:
• Software Name
• Name of supplier
• Account Manager name
• Account Manager email
• Account Manager Telephone number
• Name of the person completing the survey
• Job title of the person completing the survey
• Contact number of the person completing the survey
• Is the product Internet facing or HSCN facing
• What is the System host type
• What is the location of the data centre(s) used for the provision of the system
• If the solution has 3rd party elements, what are the geographic locations of the 3rd party data centre(s) used for the provision of the system
• MFA Status
• Date of last status check
• Planned date for implementation of MFA
• Actual date of MFA functionality deployment
• Do you have any alternative security mitigation functionality/plans available to address MFA gaps? (Example: Conditional access)
• Date mitigation option available
• Does this system have Admin/Privileged access available for 3rd or 4th parties?
• How is the system provided? (Directly from your Organisation / Partly provided by our Org, but has 3rd party elements / 3rd party provided)
• What is the data classification stored on the system? (Use GDPR examples)
• Does your organisation hold cyber accreditation directly relevant to the provision of the service (Examples: Cyber Essentials plus, ISO27001, SOC2, DSPT, DTAC, NIST)
• When is the contract expiry date with SCWCSU
• Number of users / accounts / licenses supplied
• When was the last time your product was part of a business continuity and disaster exercise?
We appreciate your prompt response and any relevant documentation you can share. If you have any additional insights or best practices related to MFA, we would be grateful to hear them.
Thank you for your cooperation.
Richard Elford
Business Services Manager | Digital, Data and Technology
NHS South, Central and West
Third Floor - 360 Bristol – Three Six Zero, Marlborough Street, Bristol, BS1 3NX
The information in this email may be confidential and is intended solely for the named addressee(s). If you are not the intended recipient, any disclosure, copying or distribution is prohibited and may be unlawful. Please note that the information contained in this email /attachment(s) may be subject to Public disclosure under the Freedom of Information Act 2000.
************************************************************************************** ******************************
This message may contain confidential information. If you are not the intended recipient please:
i) inform the sender that you have received the message in error before deleting it; and
ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful).
Thank you for your co-operation.
NHSmail is the secure email, collaboration and directory service available for all NHS staff in England. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services.
For more information and to find out how you can switch visit Joining NHSmail – NHSmail Support<https://support.nhs.net/article-categories/joining-nhsmail/>
* Re: Multi Factor Authentication for GIT software
From: Konstantin Ryabitsev @ 2024-06-18 13:41 UTC (permalink / raw)
To: ELFORD, Richard (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT)
Cc: git@vger.kernel.org
On Tue, Jun 18, 2024 at 12:19:19PM GMT, ELFORD, Richard (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT) wrote:
> Dear Git
>
> I am writing to enquire about multi factor authentication on cloud hosted
> software. As part of our ongoing efforts to enhance cybersecurity and
> protect sensitive data, we are seeking information related to the NHS
> England Multi-Factor Authentication (MFA) Policy with regards to software
> products which we have from your company.
There is no company, so this questionnaire is not relevant. Git is an
open-source project without any one particular entity "owning" it.
To answer your question specifically, git does not have a builtin
authentication layer -- it relies on the underlying network protocol for this
purpose. Any MFA implementation and enforcement would be dependent on the
protocol used to access git repositories.
I recommend using ssh pre-shared keys on FIDO2-capable tokens -- it's the most
robust and least user-hostile option in my experience.
-K
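Added example, not part of the original message and not code from the Git or OpenSSH projects: since enforcement lives in the transport, the administrator of an SSH-served git account can audit its `authorized_keys` file for entries that are not FIDO2-backed or that waive the token's checks. It assumes OpenSSH's `authorized_keys` format; the sample file and key blobs are constructed placeholders.

```python
import re

# OpenSSH algorithm names for keys held on a FIDO2/U2F authenticator.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
KEY_TYPE = re.compile(r"^(sk-)?(ssh|ecdsa)-[a-z0-9-]+(@openssh\.com)?$")

def split_unquoted(text, is_sep):
    """Split on separators outside double quotes (a backslash-escaped quote stays literal)."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return parts + [cur] if cur else parts

def audit(text):
    """Return (line_no, finding) for entries that weaken or bypass the token."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields, opts = split_unquoted(line, str.isspace), []
        if not KEY_TYPE.match(fields[0]):  # leading field is the options list
            opts = [o.lower() for o in split_unquoted(fields[0], lambda c: c == ",")]
            fields = fields[1:]
        if not fields:
            findings.append((n, "no key type found"))
        elif fields[0] not in SK_TYPES:
            findings.append((n, f"{fields[0]}: key is not bound to a FIDO2 token"))
        elif "no-touch-required" in opts:
            findings.append((n, "no-touch-required: user-presence check waived"))
        elif "verify-required" not in opts:
            # May still be enforced server-wide with PubkeyAuthOptions in sshd_config.
            findings.append((n, "verify-required not set on this key"))
    return findings

# Constructed sample: authorized_keys of a shared "git" account; key blobs are placeholders.
SAMPLE = '''\
# git account
ssh-ed25519 AAAAexampleblob1 alice@laptop
restrict,command="git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"" sk-ssh-ed25519@openssh.com AAAAexampleblob2 bob@token
verify-required,restrict sk-ecdsa-sha2-nistp256@openssh.com AAAAexampleblob3 carol@token
no-touch-required sk-ssh-ed25519@openssh.com AAAAexampleblob4 ci@runner
'''

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```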
* Re: Multi Factor Authentication for GIT software
From: Konstantin Khomoutov @ 2024-06-18 14:57 UTC (permalink / raw)
To: ELFORD, Richard (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT)
Cc: git@vger.kernel.org, Konstantin Ryabitsev
On Tue, Jun 18, 2024 at 09:41:05AM -0400, Konstantin Ryabitsev wrote:
> On Tue, Jun 18, 2024 at 12:19:19PM GMT, ELFORD, Richard (NHS SOUTH, CENTRAL
> AND WEST COMMISSIONING SUPPORT UNIT) wrote:
[...]
> > I am writing to enquire about multi factor authentication on cloud hosted
> > software.
> > protect sensitive data, we are seeking information related to the NHS
> > England Multi-Factor Authentication (MFA) Policy with regards to software
> > products which we have from your company.
>
> There is no company, so this questionnaire is not relevant. Git is an
> open-source project without any one particular entity "owning" it.
Richard, I'd like to make a remark. Maybe - just maybe - you're confusing
Git and GitHub or GitLab. Git is a free and open source (F/OSS) piece of
software, while GitHub and GitLab (and a plethora of others) are Git hosting
solutions which host Git repositories "in the cloud". They use Git but have
no other relation to it.
So you might want to first check with your IT personnel to make absolutely
sure what the issue to discuss really is: Git-based solutions maintained by
NHS itself or Git-based solutions provided by 3rd parties. In the latter case,
questions like yours should probably be directed to these parties.
* RE: Multi Factor Authentication for GIT software
From: ELFORD, Richard (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT) @ 2024-06-18 15:41 UTC (permalink / raw)
To: Konstantin Khomoutov; +Cc: git@vger.kernel.org, Konstantin Ryabitsev
Hi Konstantin
That is very helpful - thank you.
I will pick this up with our IT people and find out what use cases we have, and then get in touch with any third parties as you say.
I really, really appreciate your advice.
Best regards
Richard Elford
Business Services Manager | Digital, Data and Technology
NHS South, Central and West
Third Floor - 360 Bristol – Three Six Zero, Marlborough Street, Bristol, BS1 3NX
Call me on MS Teams T: 07785 601602 E: richard.elford@nhs.net