
Device Identity as Yet Untold

Kengo Suzuki
January 24, 2020


As society's needs change, cross-cutting business that spans company sizes and sectors (for example, partnerships between emerging Fintech companies and banks) is increasing.

Accordingly, the growing number of use cases for Identity with the user as the entity, and the extensions to its specifications, are drawing attention, as the overview of OpenID Summit Tokyo 2020 states.

As user Identity advances, enterprises must manage the growing volume of sensitive data and the diversifying transaction paths both quickly and safely.
Enterprise security has to change together with the business.

As if in answer to these changing needs, design approaches such as "Zero Trust" have recently become a hot topic; they move the centre of security controls away from the network and onto the individual entities (and their Identities).

Device Identity cannot be ignored in that shift.
A device is certainly one kind of entity, yet
compared with user Identity, how it is managed and specified is rarely discussed, and in the enterprise context it is almost never discussed.

This session therefore covers device Identity Management in the enterprise.
It presents the available approaches to attendees, particularly those who regard Identity technology as the core of enterprise security.

Specifically, it explains device registration, authentication methods and verification methods from the viewpoint of identity management.
By presenting the ideal picture alongside real examples, it also aims to make clear how far existing products can take this management.


Transcript

  1. Device Identity Yet Untold
    Enterprise Security and Device Identity

  2. “With the changing times, (omitted) the surrounding technology and business have also changed greatly”
    https://www.openid.or.jp/summit/

  3. Agenda
    Identity For Enterprise Security
    Device Identity Management
    Challenges
    Conclusion

  4. Identity For Enterprise Security

  5. Changes in business
    Changes in enterprise security design that takes the Entity as its axis
    Changes in threats

  6. Changes in the business environment

  7. Distribution of business data
    (diagram: critical data and core data spread across business apps; labels "critical data on servers", "data on external services", "data on endpoints", "data on core systems")

  8. Optimising the boundary
    (diagram: the same four data locations, with the boundary drawn around them)

  9. Technical standards accompanying the diversification of business-data distribution

  10. Changes in threats

  11. Diversification of threat delivery methods
    (diagram: VPN tunnel between business apps and critical data on servers; data on external services, endpoints and core systems)

  12. Decline in trustworthiness with elapsed time
    (diagram: critical data on servers; data)

  13. Changes in security design

  14. Changes in implementation
    (diagram: critical data on servers; data on external services, endpoints and core systems)
    - Combine with entity verification: “Identity Centric”, “Always Verify”
    - Principle of least privilege: “Least Privilege Access”
    - Assume breach and contain it: “Breach Containment”

  15. Today's focus
    (diagram: the same four data locations)
    This side is often talked about

  16. Today's focus
    (diagram: the same four data locations)
    Device Identity In Enterprise

  17. Implementation of Device Identity Management
    Device Identity In Real Life
    Challenge in Device Identity
    Key Takeaway

  18. Who am I
    @kenscal  Kengo Suzuki
    Career: Security Vendor (MSS), Fintech Startup
    Works: Security, Info System, SRE
    Focus: Digital Identity, Blockchain
    09:44~10:00

  19. Device Identity Mgmt

  20. ISO/IEC 24760: A framework for identity management
    Which part of Device Identity Mgmt?
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  21. Lifecycle
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  22. Identity Register (Inventory)
    (diagram: a register entry holding a list of attributes)
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  23. Enrollment
    “the creation of one or more identities for the entity”
    typically comprises the collection and validation of identity information
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  24. - Registration
    - Identity Proofing
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  25. Simple Registration
    (diagram: Device Vendor → Purchase → Deliver → IT admin → enroll / registration; the register entry is filled with attributes)

  26. Better Registration Process
    (diagram: Vendor → Purchase → Deliver; on Initial Boot the device contacts a Registration Service, which notifies the IT admin and performs enroll / registration; the register entry is filled with attributes)

  27. Examples

  28. Registration in Mac (DEP)
    https://www.jamf.com/blog/apple-device-enrollment-program-apple-it-innovation/

  29. Registration in Microsoft (Autopilot)
    https://myignite.techcommunity.microsoft.com/sessions/

  30. Identity Proofing
    (diagram: the Simple Registration flow again; Proof Identity here, at the enroll / registration step)

  31. Identity Proofing Requirement
    Identity Assurance Level (IAL) in NIST SP 800-63A
    Is the entity's identity information accurate?

  32. TPM (maybe TEE)
    - International standard for a secure cryptographic processor
    - Auditing of software at boot time (platform integrity)
    - Storage of confidential data, management of cryptographic keys

  33. TPM (maybe TEE)

  34. TPM and Endorsement Key
    Endorsement Key
    - root of Trust
    - never leaves TPM
    - Identifies the unique TPM

  35. Example in Microsoft

  36. https://docs.microsoft.com/ja-jp/azure/iot-dps/concepts-tpm-attestation

  37. NIST SP 800-63A  https://pages.nist.gov/800-63-3/sp800-63a.html

  38. (diagram: device and IT admin or Provisioning Service)
    NIST SP 800-63A  https://pages.nist.gov/800-63-3/sp800-63a.html

  39. (diagram: the device presents its Endorsement Public Key to the IT admin or Provisioning Service)
    NIST SP 800-63A  https://pages.nist.gov/800-63-3/sp800-63a.html

  40. (diagram: IT admin or Provisioning Service compares the pre-registered pub key signed by the vendor; the Endorsement Public Key is validated using the pub key certificate)
    NIST SP 800-63A  https://pages.nist.gov/800-63-3/sp800-63a.html

  41. (diagram: Challenge and Response between the device's Endorsement Public Key and the IT admin or Provisioning Service)
    NIST SP 800-63A  https://pages.nist.gov/800-63-3/sp800-63a.html
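    The enrollment flow built up on slides 38-41 (vendor-signed endorsement key, comparison against the key the IT admin pre-registered, then a challenge and response), as an added example in Go that is not part of the original deck and is not Microsoft's or NIST's code. The `Device`, `Vendor` and `ProvisioningService` types and every function name are assumptions made for the illustration; the vendor "certificate" is reduced to a signature over the EK public key. A real TPM endorsement key is a decryption-only key and possession is proven through credential activation rather than by signing a nonce, so the challenge step here shows the principle, not the TPM wire protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return k
}

// Device stands in for the TPM; the endorsement private key never leaves it.
type Device struct{ ek *ecdsa.PrivateKey }

func NewDevice() *Device { return &Device{ek: newKey()} }

// EKPublicDER is the endorsement public key as presented to the provisioning service.
func (d *Device) EKPublicDER() ([]byte, error) { return x509.MarshalPKIXPublicKey(&d.ek.PublicKey) }

// Respond answers the service's challenge. Simplification: a real EK is a decryption
// key and possession is proven through credential activation, not by signing a nonce.
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.ek, h[:])
}

// VendorEKCert stands in for an EK certificate: the vendor's signature over the EK public key.
type VendorEKCert struct{ EKPub, VendorSig []byte }

// Vendor is a hypothetical device vendor that certifies endorsement keys at manufacture.
type Vendor struct{ key *ecdsa.PrivateKey }

func NewVendor() *Vendor                      { return &Vendor{key: newKey()} }
func (v *Vendor) PublicKey() *ecdsa.PublicKey { return &v.key.PublicKey }

func (v *Vendor) Certify(ekPubDER []byte) (VendorEKCert, error) {
	h := sha256.Sum256(ekPubDER)
	sig, err := ecdsa.SignASN1(rand.Reader, v.key, h[:])
	return VendorEKCert{EKPub: ekPubDER, VendorSig: sig}, err
}

// Fingerprint is the value the IT admin pre-registers from the purchase record.
func Fingerprint(ekPubDER []byte) string {
	h := sha256.Sum256(ekPubDER)
	return hex.EncodeToString(h[:])
}

// ProvisioningService trusts one vendor key and a set of pre-registered EK fingerprints.
type ProvisioningService struct {
	vendorPub     *ecdsa.PublicKey
	preRegistered map[string]bool
}

func NewProvisioningService(vendorPub *ecdsa.PublicKey) *ProvisioningService {
	return &ProvisioningService{vendorPub: vendorPub, preRegistered: map[string]bool{}}
}

func (s *ProvisioningService) PreRegister(fingerprint string) { s.preRegistered[fingerprint] = true }

// Enroll runs the slides' three checks in order: vendor signature over the EK,
// match against the pre-registered key, then challenge/response. respond is the device side.
func (s *ProvisioningService) Enroll(cert VendorEKCert, respond func([]byte) ([]byte, error)) error {
	h := sha256.Sum256(cert.EKPub)
	if !ecdsa.VerifyASN1(s.vendorPub, h[:], cert.VendorSig) {
		return fmt.Errorf("EK public key is not signed by the trusted vendor")
	}
	if !s.preRegistered[Fingerprint(cert.EKPub)] {
		return fmt.Errorf("EK is genuine but was not pre-registered for this organisation")
	}
	pub, err := x509.ParsePKIXPublicKey(cert.EKPub)
	ekPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("EK public key is not a parsable ECDSA key")
	}
	nonce := make([]byte, 32) // fresh per enrollment, so a captured response cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := respond(nonce)
	if err != nil {
		return err
	}
	nh := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(ekPub, nh[:], sig) {
		return fmt.Errorf("challenge/response failed: device does not hold the EK private key")
	}
	return nil
}

func main() {
	vendor, dev := NewVendor(), NewDevice()
	ekDER, _ := dev.EKPublicDER()
	cert, _ := vendor.Certify(ekDER) // done once at manufacture
	svc := NewProvisioningService(vendor.PublicKey())
	svc.PreRegister(Fingerprint(ekDER)) // IT admin, from the purchase record
	fmt.Println("enroll error:", svc.Enroll(cert, dev.Respond))
}
```

    The order of the checks is the point: a device whose key is genuine but unknown to the organisation, a forged vendor signature, and a device that presents someone else's key all fail at different steps, and the service learns which one without ever seeing the EK private key.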




  42. Microsoft Intune Autopilot
    (omitted)
    v="s7+hJsgnlFQ+Jf4O7WZEh9AcZcJ9EXIBGeUSkzRXDkrSt2UBJ0P1FmA8V8PTp/TbY3dmn5IG1Z2spHlrGmu1AshGHlZyIMFPUeMN91/+mM3lqWsHOrOMHjGvZrdMCJxi3sXAqs16bo5BFoNWXHXZyCwWQ3204chGlOzm309hKV+l90t7ciqzfpaA2D7UcyYy8xHm0qbuI1pNaHYkP5mmdyKn5eoHtpNTY0zjVf+ZtZIJ6N2/VydcZ5olmSG2BRe5xxZhbYILkprzyit5ayPXmUlTYm5MV6zbuZYMeU0hu4HetDAL6G0XZQz+UH/ufuvEBCe44Q/uz2UdXlgQ0cfpTQ==" />
    (omitted)
    https://www.anoopcnair.com/windows-autopilot-behind-the-scenes-secrets/

  43. Example in Apple

  44. Apple T2 Security Chip
    Not exactly TPM but shares similar functionalities
    “the hardware root of trust for secure boot”
    “the lowest level of software aren’t tampered with”
    https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

  45. Apple T2 Security Chip
    maintains the integrity of its security functions even if the macOS kernel has been compromised
    https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

  46. Apple T2 Security Chip
    Mac unique ID (UID): AES 256-bit key burned at manufacture
    https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

  47. Not quite sure how DEP uses UID
    https://www.jamf.com/blog/apple-device-enrollment-program-apple-it-innovation/

  48. Maintenance
    “an update of the information in the identity register for an entity”

  49. https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  50. Identity Register (Inventory)
    - repository of identities
    - more like inventory
    - continuously monitor and record state of the device
    (diagram: a register entry holding a list of attributes)

  51. Different characteristics from human!

  56. Two types of attributes
    - Observed attributes
    - Manually configured attributes

  57. Two types of attributes
    - Observed attributes
    - automatically collected / programmatically generated attributes
    - Manually configured attributes

  58. Examples of Observed Attributes
    - Enrolled time
    - last time checked in
    - logged-in users
    - HW info
    - OS version
    - installed SW and its version
    - Disk Encryption Recovery Key

  60. Examples of Manually Configured Attributes
    - type of device
    - personally assigned, kiosk, special-case
    - owner of the device
    - vendor/OEM
    - purchase data (asset-management related data)
    - device name

  61. Data Sources
    https://storage.googleapis.com/pub-tools-public-publication-data/pdf/

  62. Examples

  63. Observed Attributes Collection from Agent
    https://storage.googleapis.com/pub-tools-public-publication-data/pdf/

  64. Intune (HW Observed Attributes)

  65. Intune (SW Observed Attributes)

  66. Jamf (HW Observed Attributes)

  67. Jamf (SW Observed Attributes)

  68. Manually Configured Attributes (Jamf)

  69. Attributes From EDR
    https://storage.googleapis.com/pub-tools-public-publication-data/pdf/

  70. Attributes from Asset Mgmt
    https://storage.googleapis.com/pub-tools-public-publication-data/pdf/

  71. Identity Adjustment
    “an update of the information in the identity register for an entity, where the new information gives rise to the modification of activation information”

  72. https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  73. Is the Device Still Trustful?
    (diagram: critical data on a server)
    Trust over elapsed time / Trust physical location
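    An added example, not part of the original deck and not taken from Intune, Jamf or any other product, of the maintenance and identity-adjustment steps from slides 50-73 in Go: a small identity register that merges constructed reports from an MDM, an EDR and an asset-management source, records each attribute with its source and kind (observed versus manually configured) so that an agent can never overwrite a manual value, and derives an activation state from elapsed time since the last observation plus a policy baseline. The JSON report shape, attribute names, serial number, build numbers and policy thresholds are all assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

type Kind string

const (
	Observed Kind = "observed" // collected automatically by an agent or API
	Manual   Kind = "manual"   // configured by IT or asset management
)

// Attribute carries provenance so that conflicting sources can be resolved and audited.
type Attribute struct {
	Value  string
	Source string
	Kind   Kind
	Seen   time.Time
}

// Record is one identity-register (inventory) entry, keyed by serial number.
type Record struct {
	Serial       string
	LastObserved time.Time // newest observed report; drives trust decay over elapsed time
	Attrs        map[string]Attribute
}

// sourceReport is the constructed export shape used for every source here (hypothetical schema).
type sourceReport struct {
	Source string            `json:"source"`
	Kind   Kind              `json:"kind"`
	Serial string            `json:"serial"`
	Seen   time.Time         `json:"seen"`
	Attrs  map[string]string `json:"attrs"`
}

// Merge folds one report into the register. Within a kind the newer report wins;
// a manually configured attribute is never overwritten by an observed one.
func Merge(register map[string]*Record, raw []byte) error {
	var r sourceReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return err
	}
	rec := register[r.Serial]
	if rec == nil {
		rec = &Record{Serial: r.Serial, Attrs: map[string]Attribute{}}
		register[r.Serial] = rec
	}
	if r.Kind == Observed && r.Seen.After(rec.LastObserved) {
		rec.LastObserved = r.Seen
	}
	for k, v := range r.Attrs {
		if cur, ok := rec.Attrs[k]; ok {
			if cur.Kind == Manual && r.Kind == Observed {
				continue // agents do not get to change what IT decided
			}
			if cur.Kind == r.Kind && cur.Seen.After(r.Seen) {
				continue // stale report arriving late
			}
		}
		rec.Attrs[k] = Attribute{Value: v, Source: r.Source, Kind: r.Kind, Seen: r.Seen}
	}
	return nil
}

// Policy is the baseline against which identity adjustment is decided.
type Policy struct {
	MaxCheckInAge time.Duration
	MinOSBuild    int
	RequireEDR    bool
}

// Adjust derives the activation state ("active", "restricted" or "quarantined") and the
// reasons from the register entry; this is the identity-adjustment step of the lifecycle.
func Adjust(rec *Record, p Policy, now time.Time) (string, []string) {
	if rec.LastObserved.IsZero() || now.Sub(rec.LastObserved) > p.MaxCheckInAge {
		return "quarantined", []string{"no recent observation: trust has decayed with elapsed time"}
	}
	var reasons []string
	if b, ok := rec.Attrs["os_build"]; !ok {
		reasons = append(reasons, "os_build unknown")
	} else if n, err := strconv.Atoi(b.Value); err != nil || n < p.MinOSBuild {
		reasons = append(reasons, "os_build below baseline")
	}
	if edr, ok := rec.Attrs["edr_healthy"]; p.RequireEDR && (!ok || edr.Value != "true") {
		reasons = append(reasons, "EDR agent not reporting healthy")
	}
	if len(reasons) > 0 {
		return "restricted", reasons
	}
	return "active", nil
}

// SampleReports are constructed inputs: MDM and EDR observe, asset management is manual.
var SampleReports = []string{
	`{"source":"mdm","kind":"observed","serial":"C02XYZ","seen":"2020-01-20T09:00:00Z","attrs":{"os_build":"18363","owner":"unknown-from-agent"}}`,
	`{"source":"edr","kind":"observed","serial":"C02XYZ","seen":"2020-01-20T09:05:00Z","attrs":{"edr_healthy":"true"}}`,
	`{"source":"asset-mgmt","kind":"manual","serial":"C02XYZ","seen":"2019-12-01T00:00:00Z","attrs":{"owner":"alice","device_type":"personally assigned"}}`,
}

func main() {
	register := map[string]*Record{}
	for _, r := range SampleReports {
		if err := Merge(register, []byte(r)); err != nil {
			panic(err)
		}
	}
	p := Policy{MaxCheckInAge: 72 * time.Hour, MinOSBuild: 18362, RequireEDR: true}
	state, why := Adjust(register["C02XYZ"], p, time.Date(2020, 1, 21, 0, 0, 0, 0, time.UTC))
	fmt.Println(state, why, register["C02XYZ"].Attrs["owner"])
}
```

    Keeping the source and kind on every attribute is what makes the register auditable: when an observed value and a manual value disagree, the rule that resolves them is explicit, and the quarantine branch turns "trust over elapsed time" from a slogan into a check that fires by itself when the agent stops reporting.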

  74. Device Health Checking
    - Verified Boot
    - Measured Boot
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

  75. Verified Boot
    - Secure Boot
    - Trusted Boot
    - ELAM
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

  76. Verified Boot
    - Secure Boot
      - Check integrity of OS Bootloader
      - Check certificate signed to Bootloader
    - Trusted Boot
    - ELAM
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

  77. Verified Boot
    - Secure Boot
    - Trusted Boot
      - a series of signature checks
    - ELAM
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

  78. Verified Boot
    - Secure Boot
    - Trusted Boot
    - ELAM
      - Early Launch Anti-Malware
      - examine every boot driver
      - “determine it is on the list of trusted drivers”
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

  79. Verified Boot
    - Secure Boot
    - Trusted Boot
    - ELAM
    Chain of Trust (each stage verifies the next)
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

  80. Measured Boot
    - Generates “measurable” artifacts while booting
    - Can be remotely verified
    https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices

  81. Measured Boot
    - Each boot component takes the hash of the next component
    - stores the hash in Platform Configuration Registers (PCRs)
    - this “measurement” is recorded in the Trusted Computing Group (TCG) log
    - Send PCR and TCG logs to the verification component (remote health attestation)
    https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices

  84. Measured Boot
    - Each boot component takes the hash of the next component
    - stores the hash in Platform Configuration Registers (PCRs)
    - this “measurement” is recorded in the Trusted Computing Group (TCG) log
    - Send PCR and TCG logs to the verification component (remote health attestation)
    - PCR is digitally signed (PCR Quote)
    https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices

  85. Examples

  86. Microsoft (TPM and Intune)
    - Secure Boot (Verified Boot)
      - Just like normal secure boot
    - Measured Boot
      - integrates with Windows 10 Device Guard
      - Uses the AIK (Attestation Identity Key) / AK (Attestation Key) certificate to form the PCR quote
      - certificate is issued by Microsoft Cloud
      - Intune (UEM/MDM) has its own remote health attestation service
      - Parses the properties of the TCG logs and compares them to the signed PCR values
    https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
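    The measured-boot verification described on slides 81-84 and in the Intune example above, as an added example in Go that is not part of the original deck and is not Microsoft's code. The simulated TPM side hashes each boot stage, extends a PCR with it and signs a quote with an attestation key; the attestation-service side checks the nonce and signature, replays the TCG-style log to reproduce the PCR, and only then compares each measurement with an allowlist. The stage names, image bytes, `Event` and `Quote` types and all function names are constructed assumptions, and the log and quote formats are simplified relative to the real TCG event log and TPM2 quote structures.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Event is one TCG-log-style entry: which component was measured and its digest.
type Event struct {
	Component string
	Digest    [32]byte
}

// Quote is a simplified PCR quote: PCR value and verifier nonce, signed by the attestation key.
type Quote struct {
	PCR   [32]byte
	Nonce []byte
	Sig   []byte
}

// ExtendPCR applies the TPM extend rule PCR' = H(PCR || digest); the order of extends matters.
func ExtendPCR(pcr, digest [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasuredBoot simulates the boot chain: each stage's image is hashed, the digest is
// appended to the log and extended into the PCR before that stage would run.
func MeasuredBoot(stages []string, images map[string][]byte) ([]Event, [32]byte) {
	var pcr [32]byte // PCRs are all-zero at reset
	var log []Event
	for _, s := range stages {
		d := sha256.Sum256(images[s])
		log = append(log, Event{Component: s, Digest: d})
		pcr = ExtendPCR(pcr, d)
	}
	return log, pcr
}

func quoteDigest(pcr [32]byte, nonce []byte) [32]byte {
	return sha256.Sum256(append(pcr[:], nonce...))
}

// SignQuote is the TPM side: sign (PCR || nonce) with the Attestation Key (AK).
func SignQuote(ak *ecdsa.PrivateKey, pcr [32]byte, nonce []byte) (Quote, error) {
	d := quoteDigest(pcr, nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, ak, d[:])
	return Quote{PCR: pcr, Nonce: nonce, Sig: sig}, err
}

// VerifyHealth is the remote health attestation service. akPub is the AK public key taken
// from the AK certificate; allowed maps each component name to its expected digest.
func VerifyHealth(akPub *ecdsa.PublicKey, nonce []byte, q Quote, log []Event, allowed map[string][32]byte) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return fmt.Errorf("quote nonce mismatch: stale or replayed quote")
	}
	d := quoteDigest(q.PCR, q.Nonce)
	if !ecdsa.VerifyASN1(akPub, d[:], q.Sig) {
		return fmt.Errorf("quote signature does not verify under the AK")
	}
	var replay [32]byte // replay the log from the reset value
	for _, e := range log {
		replay = ExtendPCR(replay, e.Digest)
	}
	if replay != q.PCR {
		return fmt.Errorf("TCG log does not reproduce the signed PCR: log tampered or truncated")
	}
	for _, e := range log { // the log is now trustworthy; judge what it says
		if want, ok := allowed[e.Component]; !ok || want != e.Digest {
			return fmt.Errorf("component %q has an unexpected measurement", e.Component)
		}
	}
	return nil
}

func main() {
	images := map[string][]byte{ // constructed stand-ins for real boot images
		"bootloader": []byte("bootmgr v1"), "kernel": []byte("ntoskrnl v1"), "elam": []byte("elam driver v1"),
	}
	stages := []string{"bootloader", "kernel", "elam"}
	allowed := map[string][32]byte{}
	for s, b := range images {
		allowed[s] = sha256.Sum256(b)
	}
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	log, pcr := MeasuredBoot(stages, images)
	nonce := []byte("constructed-nonce-0001")
	q, _ := SignQuote(ak, pcr, nonce)
	fmt.Println("healthy boot:", VerifyHealth(&ak.PublicKey, nonce, q, log, allowed))
}
```

    The two failure modes the verifier has to tell apart are different: a modified boot component produces a log that is internally consistent with the signed PCR but contains a digest that is not on the allowlist, while a log edited after the fact fails the replay against the quote before its contents are even looked at. The signed PCR is what makes the unsigned log usable as evidence.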

  87. Apple T2 chip
    Verifies the integrity of the next booting components
    more like trusted boot
    so far no sign of measured boot
    https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

  88. Summary
    Device Identity Management using ISO/IEC 24760
    - Enrollment
      - Registration services
      - TPM for identity proofing
    - Maintenance
      - Attributes for maintenance
      - Identity Adjustment
        - Secure Boot
        - Measured Boot

  89. Challenges

  90. Challenges
    - Lack of standard guidelines
    - Lack of API connecting data from sources and inventory
    - Unmatched Software Lifecycle and Hardware Lifecycle
    - Managing freelancers' devices belonging to multiple orgs/communities

  95. Conclusion

  96. Conclusion
    - The Change demands us to focus on Identity, including the Device
    - device identity in enterprise security needs to be managed thoroughly and frequently, especially during enrollment and maintenance
    - Developing standards is the next step. Let me know

  97. Thank you