What is the support for introducing Zero Trust like?
fnifni
April 15, 2022
Technology
This is what I talked about to a team working on their graduation project at Nara Institute of Science and Technology.
The team's goal was to produce a white paper on introducing Zero Trust at existing companies.
Transcript
What is the support for introducing Zero Trust like? It's a universal story, after all. By Hirokazu Yoshida / Nara Institute of Science and Technology / 2022.4.13
Who am I!? Hirokazu Yoshida @ CloudNative Inc. Job: Security Engineer. Community: Security-JAWS. Handle name: fnifni
Today's expected audience and their issues • They know the concept of Zero Trust (whether they understand it correctly in essence is another matter) • They think Zero Trust is "something you install" • Working professionals • They want to champion Zero Trust adoption at existing companies • They want to write a white paper on an adoption process that feels achievable by themselves, but have no picture of how it actually proceeds
Attention !!! • This material was put together in a hurry, so parts of it may be a little rough • It includes parts based on personal rules of thumb • Please bear with it
Today's topic • Scope • Fundamentals • Example phases of Zero Trust introduction support
Today's topic (ratio) • Scope (1) • Fundamentals (5) • Example phases of Zero Trust introduction support (4)
What to talk about today and what not to talk about • What I will cover • The fundamental way of thinking, and the flow of introduction and rollout, for designing and deploying information systems at existing companies that weave in Zero Trust • What I won't cover • Installation procedures or use cases for individual products simply labelled "Zero Trust" • Individual, concrete operations
Today's topic • Scope • Fundamentals • Example phases of Zero Trust introduction support
Common system architectures in companies
The one that really implements Zero Trust in its product is PagerDuty. From Zero Trust Networks (Japanese edition), section 9.10, Case Study: PagerDuty's cloud-agnostic network
What I'll talk about today is Zero Trust introduction support for corporate information systems.
Today's topic • Scope • Fundamentals • Example phases of Zero Trust introduction support
Fundamental Topics • Common misconceptions about Zero Trust • Mindset for Zero Trust introduction support • Approach to starting Zero Trust introduction support
"We want to make all of our company's systems Zero Trust!"
Common Misconceptions • A complete Zero Trust architecture cannot be achieved • After all, a business itself consists of processes that trust something • BeyondCorp is what you get when the business processes and internal systems themselves are built with Zero Trust as the premise
Common Misconceptions • A complete Zero Trust architecture cannot be achieved • The information systems, devices, applications and services used in day-to-day business were not built with Zero Trust as a premise • What you can do is build a system design that weaves Zero Trust elements into it
"We bought Zero Trust! It's the latest technology!"
Common Misconceptions • The technologies that make up Zero Trust are an accumulation of universal, existing technologies • Firewalls, certificates, the principle of least privilege, device inventories, etc. • What did not exist before in the Zero Trust context still does not exist today (things resembling it are starting to appear) • The trust inference engine
"From now on it's Zero Trust! We never needed perimeter defense!"
Common Misconceptions • Zero Trust does not reject perimeter defense at all • Many of the components handled in business cannot fit a Zero Trust architecture • IoT devices, multifunction printers, surveillance camera systems, control systems, etc.
What needs doing: keep up perimeter defense while designing systems that weave in Zero Trust elements, aimed at what you want to do and what you want to become
Fundamental Topics • Common misconceptions about Zero Trust • Mindset for Zero Trust introduction support • Approach to starting Zero Trust introduction support
From what position do we provide Zero Trust introduction support?
Mindset • Encourage the independence and autonomy of the people in charge at the client company, so their information systems become something they can control themselves • Guide their way of proceeding and thinking about what they want to do, what they want to become, and their issues (consulting) • Technical support so that the people in charge get hands-on, gain experience and improve things themselves
70-80% of what the person in charge says is not correct
Examples of common incorrectness • The pattern where the means has become the goal • There is no "because"; they start straight from the method • "We want to introduce Zero Trust!" • "We want to deploy XXX as an Emotet countermeasure!"
Examples of common incorrectness • The pattern with weak grounds • "We should do this, and that, and that too, right?" (cost with no ceiling) • Because there is no "because", measures once implemented can never be removed
Examples of common incorrectness • The pattern of believing that buying a product will sort it out and someone else can be made to run it • You're just feeding the vendor • The fundamentalist pattern • "Let's ban XXX for the sake of security!" • Who does that make happy?
Even when the client asks for it, respectfully decline what would not serve them
Examples of common unhelpful things • Comparison tables are evil • A comparison table someone else made was created without any regard for whoever reads it • Is that "○" really a "○" for you? • Whether it is a "○" for you cannot be known without trying it
Examples of common unhelpful things • Comparison tables are a necessary evil • When escalating to management you may be asked "did you compare?" • The strongest comparison table is the one you sweated over and made yourself • Objective? Who is going to explain how an "objective" comparison table fits your own situation?
Examples of common unhelpful things • The illusion of best practices • A best practice is a "way of thinking", not a "do this and you're fine (How To)" • You need to work out what you need and to what degree • Who is going to explain that a How To picked up from somewhere is necessary and sufficient for you?
In short: this is about you, so take ownership of it
Fundamental Topics • Common misconceptions about Zero Trust • Mindset for Zero Trust introduction support • Approach to starting Zero Trust introduction support
Horror stories are a poor strategy
Limitations of Horror Stories • They can address clearly identified risks and issues, but nothing beyond that • The total amount of risk cannot be measured without management's involvement • Realistically, they cannot get past "does that really happen?", "is the impact really that big?", "what do other companies do?" • They cannot dispel the suspicion that every new risk will mean buying yet another new product
Limitations of Horror Stories • Whether introducing Zero Trust solves it is a separate question • Some things can be solved by doing perimeter defense properly or by enforcing separation of duties • "Let's solve it by introducing Zero Trust" (the line to avoid)
Look at the finances
It costs a lot of money to do anything. • You are doing things that weren't done before, so costs basically go up • When, and how much, cash will go out is a major concern of management (check it against cash flow) • Based on the roadmap you created, show when money will be needed • If any devices, facilities or licenses become unnecessary, factor that in
Get the stakeholders involved
Are you trying to do this with just a few people? • It won't move forward without involving management, accounting, legal, HR and the business units • Management: top-level direction, allocation of the necessary resources • Accounting: finance, payments for existing systems • Legal: follow-up on the legal aspects of the business's characteristics • HR: alignment with the identity source • Business units: a treasure trove of feedback on use cases, usability and operational efficiency
Aren't you trying to push this with just the IT and security departments?
Who gets happier, and how? Unless it is something that gets the people involved fired up, it won't last
The era of IT and security departments working shut away in their own silo is long over
Today's topic • Scope • Fundamentals • Example phases of Zero Trust introduction support
general flow
How long does it take?
What will you be able to do?
To apply a popular phrase.
So, in short, you proceed while keeping the whole picture in view.
A common anti-pattern
anti-pattern • Trying to do it with only partial elements • "We want to narrow the scope to just authentication and device control" • "We'll only do what fits in this budget"
Things outside the scope fall out of the As-Is interviews and the design
The ones that fall out • "We also use Android for work, was that OK?" • "Personal devices have crept into use" • "It actually doesn't play well with the VPN" • "Was it actually OK to do this work this way?" • "There was a gap (a mismatch) in the control points"...
If you accept a proposal to proceed partially, draw the overall design yourself and manage the consistency
analysis of current situation
What we are doing in our analysis of the current situation • Confirm the risk analysis results and the risk treatment policy • Interview about what they want to do and what they want to become • Check whether the means has become the goal; dig into the "because" • Identify the stakeholders involved in the business • Contractors, part-timers, etc.
What we are doing in our analysis of the current situation • Confirm the current system configuration and the background that led to it • What identity platform and devices are in use? • Offices, warehouses and so on: what work is done where? • How are devices kitted out? Are shared IDs in use? • What is the network configuration?
What we are doing in our analysis of the current situation • Inventory of business systems, SaaS and licenses • When was it bought, and how much is maintenance? • What role does it play? • How much do people like it? • Even better if you learn whether SSO is possible
What we are doing in our analysis of the current situation • Review the content of the current security policy • How is what it prescribes actually implemented and operated? • Identify the regulations and rules that must be complied with • Clarify who checks the design for compliance, and how
What we are doing in our analysis of the current situation • Confirm the data flow paths • How important each piece of information is to the organization, where it is placed, and who accesses it using which device over which path • Extending the data classification organized under ISMS (27002) is relatively reasonable
Formulate overall design
A grand design is just drawing a picture like this, right?
Is this what the overall design is about?
This is just a picture.
What should be included in the overall design • Risks and issues, what you want to do and what you want to become • As-Is configuration, To-Be configuration, Can-Be configuration • The design concept and an overview of what each component does and controls • Mapping to the issues
What should be included in the overall design • Points to note in proceeding • MDM switchover and user impact, switching security mechanisms • Roadmap (implementation order) and schedule • List of licenses to buy (including amounts) • Systems to retire and when
I see. I don't get it.
What should be included in the overall design
In short: aren't you just pushing technology on them?
What is the Can-Be configuration?
A practical landing place for the time being • There are many cases where you cannot jump straight to the To-Be configuration • Schedules that are too long lose accuracy dramatically • "We tried it and it turned out like this" or "this isn't what we expected" happens all the time • We call the configuration that realizes the state you want to reach in the near term, on the way to what you want to do and become, the Can-Be configuration
identity control
Why should we have ID control? • Purpose • Centrally manage identities so that, as far as possible, a single unique ID can be used across systems • Make authentication and authorization centralized • Because • It gives meaning to the logs of who did what and when (non-repudiation) • It removes per-service user management for business SaaS, preventing access by leavers and outsiders
What to do as an identity control? • Confirm a trustworthy identity source (HR database, Active Directory, etc.) • Identify shared IDs and put mitigations in place • Connect the identity source to the IdP • Configure SSO for SaaS services, and user/group (de)provisioning • Alongside that, design authorization on the SaaS side
What to do as an identity control? • Mitigations for services that cannot do SSO • Build a mechanism for periodically reviewing IDs and group memberships • Build a mechanism for managing the IDs of external stakeholders involved in the business • Depending on the case, multiple IdPs may be used for different purposes
device control
Why should we have device control? • Purpose • Identify the devices used for work and guarantee a state in which the required controls can be pushed to them • Because • Security sinks to the lowest common level, so the security settings and applications you defined as required must be reliably delivered
What to do as a device control • Enroll existing devices into MDM • Use MDM to push what was previously done in manual kitting, plus the controls and feature restrictions based on the security policy • Zero-touch deployment of new devices using Autopilot or DEP • Reference: https://www.youtube.com/watch?v=Z-7W4T-IOFk
Content Management
Why should we have Content Management? • Purpose • Migrate data on file servers to cloud storage and benefit from a higher level of auditability, access control, fault tolerance and convenience • Depending on the use case, cloud storage may not fit • Because • It reduces what must be protected at the perimeter and lightens the IT department's operational burden
What to do as a Content Management? • Design the folder structure and access permissions • Link it to group provisioning • Adjust tenant settings to the use cases • Restrict behaviour that is undesirable for the use cases • Align with the external sharing method
What to do as a Content Management? • Data migration • Map migration sources to destinations • Use of tools is recommended (data migration requires know-how) • Store e-mail attachments in cloud storage • Create user communication material; hold training and workshops
Endpoint Protection
Why should we have Endpoint Protection? • Purpose • Detect and respond to endpoint threats that antivirus cannot handle • Because • Increasingly sophisticated attacks and malware are hard to detect, and intelligence must be leveraged
What to do as an Endpoint Protection? • Tenant setup • Decide which features to use and not to use; design roles • Initial rollout • Establish onboarding procedures; verify minimum functionality and its impact • Consider how to replace the existing anti-malware
What to do as an Endpoint Protection? • Pilot rollout • Recruit pilot users from each department and deploy EDR • Check business impact and tune • Become proficient in alert handling and establish the response flow • Identify the parts that are hard to handle in-house
What to do as an Endpoint Protection? • SOC provider selection (optional) • Find a SOC provider that can cover the parts that are hard to handle in-house • Note that operations do not end with the SOC provider • SOC provider trial operation (optional) • What level of response they actually provide, and what kind of back-and-forth arises
What to do as an Endpoint Protection? • Vulnerability management (depending on the product) • Identify the organization's vulnerabilities and decide which require action • Covers vulnerabilities based on OS settings and application versions • Remediation uses the device control platform
Shadow IT Countermeasures
Why should we have Shadow IT Countermeasures? • Purpose • Visibility into, and control of, the SaaS services used for work • Restrict access to malicious content • Because • Web traffic is a key point in the flow of data
What to do as a Shadow IT Countermeasures? • Migration design and migration of settings • Enumerate the controls performed by perimeter defense and existing security mechanisms, and map them onto the CASB/SWG • Deploy the agent through the device control platform • Broadly there are agent-based, API-based and proxy-based types; considering coverage and freedom of network topology, the agent type is the first choice
What to do as a Shadow IT Countermeasures? • Tuning • Register tenant identification • Apply exclusions for SaaS and web services affected by SSL decryption • Enter the migrated settings • Category filtering, restrictions on connections to suspicious domains, etc.
What to do as a Shadow IT Countermeasures? • Review what the visibility shows • Decide the response policy from the SaaS usage picture • Coordinate and align with the departments using them • Configure controls based on the visibility results
What to do as a Shadow IT Countermeasures? • DLP • The key is whether the data the organization must protect can be defined with regular expressions • Doing this freehand is far too hard (personal information, for example) • If you understand the business's characteristics and the data flow paths well enough, it can be handled relatively simply (dictionaries, file extensions, file sizes, etc.)
Breaking away from VPN
Why are you breaking away from VPNs? • Purpose • Provide authentication-based access control to individual internal applications and on-premises systems • Because • A VPN grants access to the network, whereas an IAP grants each user access to individual applications
What does getting out of a VPN do? • Enumerate the target systems (roughly, the systems that depend on the VPN) • Confirm ports, IP addresses, FQDNs and the DNS they depend on • Place connectors where they can reach the internal systems • Verify connectivity to the target systems • Flush out URLs and the like that are accessed behind the scenes
What does getting out of a VPN do? • Role design • Define the set of applications each role uses • Based on the provisioned groups • Connector tuning • If throughput or availability need adjusting
What does getting out of a VPN do? • Consider scenarios for keeping the VPN (optional) • If there are services that require high availability, keeping the VPN as a backup line is an option • It does not reduce cost, kitting or operational load, so this is a risk-management decision
log management
Why do you do log management? • Purpose • Consolidate the logs and alerts scattered across SaaS and security products, and get an overview of systems and alerts in order to identify the incidents that need a response • Because • It reduces the effort of cross-checking each product's logs and leads to automated response
What does log management do? • Establish the story • Who must be able to explain what to whom for it to count as a win • Select which logs to collect • The targets are the logs related to the story, the services hosting important data, and the systems for which the risk assessment listed detective controls (detection through logs) as the countermeasure • Collecting everything is an anti-pattern
What does log management do? • Decide retention periods (based on regulations and laws) • Select and decide on the log collection platform • Is there one that easily integrates with the log sources? • First choice is a cloud SIEM • If possible, pick one that allows a small start
What does log management do? • Connect each service to the SIEM • In some ways the heaviest part; rushing into custom build-outs is a no-go • Role design • Logs are not something anyone should be allowed to see
What does log management do? • Create the detection logic • Build it on the stories and the risk assessment results • Automated response starts with notification • As you handle responses, automate the routine ones • Enrichment, follow-up investigation, etc.
What does log management do? • Create visualization templates • Build them on the stories and the risk assessment results • Monitoring settings • Billing status, log ingestion status, query execution status, etc.
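An added example, not the deck's own code, tying the identity control slides (logs keyed to a single ID; preventing leavers' access) to the log management slides (story-based detection logic; automated response starting with notification): two constructed log sources with different field names are normalized by UPN and checked against a constructed HR leaver list. The event formats, addresses and dates are all assumed.

```python
import json

# Constructed sample logs: an IdP sign-in log and a SaaS audit log with different
# field names. Both carry the user's UPN, which the deck notes is what almost every
# log ties back to once identity is centrally controlled.
IDP_LOG = [
    '{"ts":"2022-04-01T09:00:00Z","user":"alice@example.test","result":"SUCCESS","app":"mail"}',
    '{"ts":"2022-04-12T22:10:00Z","user":"Bob@example.test","result":"SUCCESS","app":"crm"}',
]
SAAS_AUDIT = [
    '{"time":"2022-04-12T22:11:30Z","actor":{"upn":"bob@example.test"},"action":"export","ok":true}',
    '{"time":"2022-04-13T08:00:00Z","actor":{"upn":"carol@example.test"},"action":"login","ok":false}',
]
# Leave dates from the HR system, the trusted identity source (constructed).
LEAVERS = {"bob@example.test": "2022-04-10"}


def normalize(source: str, raw: str) -> dict:
    """Map one raw event into a common schema keyed by lower-cased UPN."""
    e = json.loads(raw)
    if source == "idp":
        return {"ts": e["ts"], "upn": e["user"].lower(), "action": e["app"],
                "ok": e["result"] == "SUCCESS", "source": source}
    return {"ts": e["time"], "upn": e["actor"]["upn"].lower(),
            "action": e["action"], "ok": e["ok"], "source": source}


def build_events() -> list:
    """Consolidate both sources into one time-ordered stream."""
    events = [normalize("idp", line) for line in IDP_LOG]
    events += [normalize("saas", line) for line in SAAS_AUDIT]
    return sorted(events, key=lambda ev: ev["ts"])


def detect_leaver_access(events: list, leavers: dict) -> list:
    """Story: 'no leaver succeeded in accessing anything after their leave date'.
    ISO-8601 timestamps compare correctly as strings, so the date prefix suffices."""
    return [ev for ev in events
            if ev["upn"] in leavers and ev["ok"] and ev["ts"][:10] > leavers[ev["upn"]]]


def notify(findings: list) -> list:
    """First automation step, as the deck advises: notify, do not auto-remediate yet."""
    return [f"[{f['ts']}] {f['upn']} succeeded '{f['action']}' via {f['source']} after leaving"
            for f in findings]


if __name__ == "__main__":
    for line in notify(detect_leaver_access(build_events(), LEAVERS)):
        print(line)
```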
So that, roughly, is how "Zero Trust introduction support" proceeds.
conclusion • Starting from what you want to do and what you want to become, make the "because" explicit and weave Zero Trust elements into the design of your information systems • Implementation needs expertise, but unless you get hands-on and keep control based on your own experience and feedback, it becomes something you cannot handle • Unless there is a special reason, start with identity control, then device control
Had enough yet?
One more thing
The other side of Zero Trust adoption
As you have probably half-guessed, every kind of information starts piling up
Things that have gathered before you notice • Device inventory information (which apps are on whose phone?) • Web browsing information (who accessed which site, and when) • Text information (who posted which words) • Location information (where is whose device?)
Do you know what personal information is?
Yes. These are private information • In an identity-controlled world, almost all data (logs) are tied to a UPN or e-mail address • Monitoring the information systems used for work is recognized as a business necessity from the standpoint of information security and the employee's duty to devote themselves to their work • On the other hand, because the operator can easily match an identified ID to an individual, such data is personally identifiable and generally qualifies as personal information • Monitoring can therefore be said to fall under the Act on the Protection of Personal Information • Monitoring is also sometimes contested in damages suits over invasion of privacy or personality rights • Excerpted (partly summarized) from pp. 571-572 of the official text, 2nd edition, for the 個人情報保護士認定試験 (Personal Information Protection Specialist Certification Exam), published by 全日本情報処理学習振興協会
Yes. These are private information https://www.meti.go.jp/policy/it_policy/privacy/050805_guideline.pdf
In short: information obtained through monitoring is personal information, so define its scope of use clearly and use it within that scope
Now, the world is full of vendors shouting "Zero Trust", but
why is it that they never mention this?
I'll leave that as homework for you ☆
Thank you !