Not just flightless birds: How EMUs secure and scale identity and access management for your GitHub Enterprise
GitHub Enterprise has evolved to support the needs of enterprise administrators, corporate security teams, and individual developers who contribute to open source.
To understand what Enterprise Managed Users (EMUs) are and the value they can bring, we have to look back at the history of GitHub.
In 2008, GitHub was created to allow developers to share their source code with the world. The primary focus was on sharing repositories quickly and easily. As the platform grew, organizations began to adopt GitHub and to build out a presence for their business. These organizations had different needs than individual developers—they wanted enterprise features, such as integration with their identity providers and clear delineation between company and public content. GitHub Enterprise was launched over 10 years ago to be the enterprise-ready version of GitHub.com at that time.
Fast forward to today. GitHub is the complete developer platform used by over 90 million developers and counting. GitHub Enterprise Cloud (GHEC), GitHub’s SaaS enterprise offering, is secured by the best-in-class security team in the industry and trusted by companies around the world. The enterprise has the responsibility to protect identity and data isolation. Security, observability, and compliance are top of mind for administrators, or “enterprise owners” as we call them at GitHub, and there is an increasing emphasis on keeping your account secure.
As we’ve evolved together, GitHub has made exciting updates to become the complete, integrated platform for developers.
GHEC has always allowed users to continue to use their single personal GitHub.com account everywhere, whether working with open source projects, personal repositories, or at work (with linked SAML identities, if an administrator sets up that connection). This “bring your own account” model means a seamless transition between work and personal contexts for developers. For administrators, it allows you as the owner to organize your users and keep track of who is in the account.
However, it can also be a challenge for administrators to track who their users are. Additionally, corporate security teams often want more guardrails against users accidentally exposing private content, through greater separation between users' open source and personal GitHub.com activities and their use of the enterprise plan.
The value of EMUs
To support these requirements, GitHub has evolved to meet those additional security needs of organizations of all sizes. In 2021, GHEC added the EMU model. EMUs allow an enterprise to provision standardized accounts for their users from their identity provider, standardizing usernames, display names, and email addresses. With this new model, the identity provider becomes the single source of truth for user access and account management. Administrators can also scale access and role management by linking groups in the identity provider to GitHub teams when using the EMU model. Increased scale, seamless management, and compliance are the focus of EMU to allow for a complete administrative platform.
The EMU model also adds more guardrails to protect your organization’s sensitive content. EMU users cannot create public repositories, write any content outside of the enterprise, or collaborate with other users and enterprises on GitHub when logged into their EMU-managed account. They may only contribute to your enterprise’s organizations and repositories, which provides extra security and separation between work and personal contexts.
Choosing the EMU model
Next, we’ll walk you through why you might choose the EMU model and whether it is right for your enterprise.
You should consider adopting the EMU user model if any of the following statements resonate for your organization’s needs:
- You want to use your identity provider as the single source of truth for managing GitHub user access.
- You want full end-to-end ownership of the accounts your users use in your enterprise.
- You want IdP-synced display names and email addresses, with usernames that are standardized to an enterprise attribute.
- You need more stringent separation between the GitHub accounts users use at work and for personal/open source.
- You need additional guardrails and policies to prevent accidental leaks of sensitive content into publicly-visible areas of GitHub.com.
The “bring your own account” model of GHEC may still be the right option for many GHEC customers, particularly those whose developers contribute consistently to open source at work and require write capability to the public parts of GitHub.com.
More details on the capabilities and caveats unique to EMUs can be found in our documentation.
For customers already using GitHub (of any implementation or plan type), moving to the EMU model does require a migration process, which should also be part of your consideration.
The EMU model simplifies managing and understanding who users are in the enterprise context, and it gives administrators and end users more peace of mind with increased security and greater separation between work and personal GitHub accounts. Talk to your GitHub account team to discuss further if you think EMUs would be a good fit for your work on GitHub.
To learn more
Read more about Enterprise Managed Users in our documentation.
Stay tuned to the blog for more information and updates on enhancements to the EMU model.