What does Zero Trust adoption support actually involve?
fnifni
April 15, 2022
Technology
This is what I talked about with a team working on their graduation project at the Nara Institute of Science and Technology.
The team said their goal was to produce a white paper on introducing Zero Trust into existing companies.
Transcript
What is the support for introducing Zero Trust like? It's a universal story, after all.
By Hirokazu Yoshida / At NARA INSTITUTE of SCIENCE and TECHNOLOGY / 2022.4.13
Who am I!?
Hirokazu Yoshida @ CloudNative Inc.
Job: Security Engineer
Community: Security-JAWS
Handle name: fnifni
Today's expected audience and their issues
Attention!!!
Today's topic
What to talk about today and what not to talk about
Common system architectures in companies
Example of a product that seriously implements Zero Trust: PagerDuty (from Zero Trust Networks, section 9.10, case study: PagerDuty's cloud-independent network)
Fundamental Topics
Common Misconceptions
Mindset
Examples of common incorrectness
Examples of common unhelpful things
Limitations of Horror Stories
It costs a lot of money to do anything.
Are you trying to do this with just a few people?
general flow
How long does it take?
What will you be able to do?
To apply a popular phrase.
anti-pattern
The ones that fall out
analysis of current situation
What we are doing in our analysis of the current situation
Formulate overall design
Is this what the overall design is about?
What should be included in the overall design
• AsIs, ToBe and CanBe
CanBe?
A practical landing place for the time being
identity control
Why should we have ID control?
What to do as an identity control?
device control
Why should we have device control?
What to do as a device control
Reference: https://www.youtube.com/watch?v=Z-7W4T-IOFk
Content Management
Why should we have Content Management?
What to do as a Content Management?
Endpoint Protection
Why should we have Endpoint Protection?
What to do as an Endpoint Protection?
Shadow IT Countermeasures
Why should we have Shadow IT Countermeasures?
What to do as Shadow IT Countermeasures?
Breaking away from VPN
Why are you breaking away from VPNs?
What does getting out of a VPN do?
log management
Why do you do log management?
What does log management do?
conclusion
One more thing
Things that have gathered when you notice them
Yes. These are private information
https://www.meti.go.jp/policy/it_policy/privacy/050805_guideline.pdf
Thank you!