Profile Applicability:
Level 1
Description:
All new members must be invited to the organization or repositories using email addresses that are approved and controlled by the company (e.g., corporate domain emails). This restriction helps ensure that only authorized personnel with verified identities can gain access, reducing the risk of unauthorized access via personal or unverified email accounts.
Rationale:
Limiting invitations to company-approved email addresses strengthens identity assurance, improves access control, and reduces the risk of external or malicious users gaining entry. It supports compliance with corporate policies and regulatory requirements concerning user management.
Impact:
Pros:
Enhances security by restricting membership to verified corporate users.
Reduces risk of unauthorized access and insider threats.
Simplifies user management and auditing.
Cons:
May delay onboarding if external collaborators require access.
Requires coordination for exceptions or external vendor access.
Default value:
By default, some platforms may allow invitations to any email address without restriction.
Audit:
Review membership invitation logs to verify that all new users were invited via company-approved email domains. Check policies and platform settings enforcing this control.
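One way to carry out the log review described above, as an added example that is not part of the benchmark: the script below reads invitation records, normalises each invitee's address and flags any domain outside the approved set. The approved domains, the JSON-lines record layout and the field names (action, actor, email) are assumptions for the example; a real platform export has its own schema.

```python
import json

# Assumed company policy for this example: the approved corporate domains.
APPROVED_DOMAINS = {"corp.example", "corp-subsidiary.example"}

# Constructed sample invitation log (JSON lines). Field names are assumed,
# not taken from any specific platform's audit-log schema.
SAMPLE_LOG = """
{"action": "org.invite_member", "actor": "alice-admin", "email": "bob@corp.example"}
{"action": "org.invite_member", "actor": "alice-admin", "email": "Carol@CORP.EXAMPLE"}
{"action": "org.invite_member", "actor": "dave-admin", "email": "eve@notcorp.example"}
{"action": "org.invite_member", "actor": "dave-admin", "email": "mallory@corp.example.attacker.test"}
{"action": "org.invite_member", "actor": "alice-admin", "email": "frank@eng.corp.example"}
{"action": "org.invite_member", "actor": "alice-admin", "email": "not-an-email"}
{"action": "repo.create", "actor": "alice-admin"}
"""


def email_domain(email):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.strip().rsplit("@", 1)
    if not local or not domain:
        return None
    return domain.lower()


def is_approved(domain, approved, allow_subdomains=False):
    """Exact match against the approved set; subdomain matching, when enabled,
    uses a dot-anchored suffix so 'notcorp.example' never matches 'corp.example'."""
    if domain is None:
        return False
    if domain in approved:
        return True
    if allow_subdomains:
        return any(domain.endswith("." + a) for a in approved)
    return False


def audit_invitations(log_text, approved, allow_subdomains=False):
    """Return the invitation records whose invitee domain is not approved."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") != "org.invite_member":
            continue  # only invitation events matter for this control
        domain = email_domain(event.get("email"))
        if not is_approved(domain, approved, allow_subdomains):
            findings.append({"actor": event.get("actor"),
                             "email": event.get("email"), "domain": domain})
    return findings
```

Each finding names the administrator who issued the invitation, which is the record an auditor needs when following up on exceptions or external-collaborator access.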
Remediation:
Configure invitation restrictions based on email domain in platform settings. Communicate policy to administrators and team leads. Establish procedures for handling external collaborators securely.
References:
GitHub Organization Email Domain Restrictions: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/managing-organization-settings/enforcing-email-verification-for-organization-members
GitLab Group Membership Restrictions: https://docs.gitlab.com/ee/user/group/settings/#allowed-email-domains
CIS Controls v8, Control 5 - Account Management: https://www.cisecurity.org/controls/account-management/