Device Identity as Yet Untold

Kengo Suzuki
January 24, 2020

Social needs are changing, and cross-cutting business that spans company sizes and sectors (for example, partnerships between emerging fintech companies and banks) is increasing.

Along with this, the growing number of use cases for Identity with the user as the entity, and the extension of its specifications, are drawing attention, as the OpenID Summit Tokyo 2020 event overview notes.

As user Identity advances, enterprises must manage the growing volume of sensitive data and the diversifying transaction paths both quickly and safely.
As business changes, enterprise security has to change with it.

As if in answer to these changing needs, design approaches such as "Zero Trust" have recently become a hot topic; they move the centre of security controls away from the network and toward the individual entities (and their Identities).

Device Identity cannot be ignored here.
A device is certainly one kind of entity, but
compared with user Identity, how it is managed and specified is rarely discussed, and discussion aimed at the enterprise is almost non-existent.

This session therefore discusses device Identity Management in the enterprise,
so that attendees, especially those who see Identity technology becoming the core of enterprise security, learn what approaches are available.

Concretely, it covers device registration, authentication methods and verification methods from the viewpoint of identity management.
By presenting both an ideal picture and real cases, it also aims to make clear how far management is possible with existing products.


Transcript

  1. Device Identity Yet Untold
    Enterprise Security and Device Identity

  2. “With the changing times, (omitted) the surrounding technology and
    business are also changing greatly”
    https://www.openid.or.jp/summit/…

  3. Table of Contents
    Identity For Enterprise Security
    Device Identity Management
    Challenges
    Conclusion

  4. Identity For Enterprise Security

  5. [Diagram] Change in business leads to change in threats, which leads to a
    change in enterprise security design with the Entity as its main axis

  6. Changes in the Business Environment

  7. Distribution of Business Data
    [Diagram] critical data on servers; data on external services; data on
    endpoints; data on core systems; business apps in between

  8. Optimizing the Boundary
    [Diagram] the same data locations as the previous slide

  9. Technical Standards Accompanying the Diversified Distribution of Business Data

  10. Diversification of Threat Delivery Methods
    [Diagram] VPN tunnel; business apps; critical data on servers; data on
    external services; data on endpoints; data on core systems

  11. Decline of Trust over Elapsed Time
    [Diagram] critical data on servers and on endpoints

  12. Changes in Security Design

  13. Changes in Implementation
    • Combined with entity verification: "Identity Centric", "Always Verify"
    • Principle of least privilege: "Least Privilege Access"
    • Assume breach and contain it: "Breach Containment"

  14. Today's Focus
    [Diagram] data locations; one side is marked "this side is discussed often"

  15. Today's Focus
    Device Identity In Enterprise

  16. Implementation of Device Identity Management
    Device Identity In Real Life
    Challenge in Device Identity
    Key Takeaway

  17. Who am I
    @kenscal / Kengo Suzuki
    Career: Security Vendor (MSS), Fintech Startups
    Works: Security, Info System, SRE
    Focus: Digital Identity, Blockchain
    09:44~10:00

  18. Device Identity Mgmt

  19. Which part of Device Identity Mgmt?
    ISO/IEC 24760-1, A framework for identity management
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  20. Lifecycle
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  21. Identity Register (Inventory)
    [Diagram] a register entry holding a set of attributes
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  22. Enrollment
    “the creation of one or more identities for the entity”; typically comprises
    the collection and validation of identity information
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  23. • Registration
    • Identity Proofing
    https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  24. Simple Registration
    [Diagram] Device Vendor to IT admin: purchase, deliver; the IT admin then
    enrolls (registers) the device and its attributes

  25. Better Registration Process
    [Diagram] Vendor: purchase, deliver; the vendor notifies the Registration
    Service, and at Initial Boot the device is enrolled (registered) with its attributes

  26. Registration in Mac (DEP)
    https://www.jamf.com/blog/apple-device-enrollment-program-apple-it-innovation/

  27. Registration in Microsoft (Autopilot)
    https://myignite.techcommunity.microsoft.com/sessions/…

  28. Identity Proofing
    [Diagram] the same Device Vendor to IT admin flow as slide 24; identity is
    proved at the enroll/registration step

  29. Identity Proofing Requirement
    Identity Assurance Level (IAL) in NIST SP 800-63: is the entity's identity
    information accurate?

  30. TPM (maybe TEE)
    - an international standard for a secure cryptoprocessor
    - audits the software at boot time (platform integrity)
    - stores sensitive data and manages cryptographic keys

  32. TPM and Endorsement Key
    Endorsement Key: root of Trust; never leaves the TPM; identifies the unique TPM

  33. Example in Microsoft

  34. https://docs.microsoft.com/ja-jp/azure/iot-dps/concepts-tpm-attestation

  35. NIST SP 800-63A, https://pages.nist.gov/800-63-3/sp800-63a.html

  36. IT admin or Provisioning Service
    (NIST SP 800-63A, https://pages.nist.gov/800-63-3/sp800-63a.html)

  37. The device presents its Endorsement Public Key

  38. Compare it to the pre-registered public key signed by the vendor; the key
    is validated using the public-key certificate

  39. Challenge and Response between the IT admin / Provisioning Service and the device




  40. Microsoft Intune / Autopilot
    (omitted)
    v="s7+hJsgnlFQ+Jf4O7WZEh9AcZcJ9EXIBGeUSkzRXDkrSt2UBJ0P
    1FmA8V8PTp/
    TbY3dmn5IG1Z2spHlrGmu1AshGHlZyIMFPUeMN91/+mM3lqWsHOrOM
    HjGvZrdMCJxi3sXAqs16bo5BFoNWXHXZyCwWQ3204chGlOzm309hKV
    +l90t7ciqzfpaA2D7UcyYy8xHm0qbuI1pNaHYkP5mmdyKn5eoHtpNT
    Y0zjVf+ZtZIJ6N2/
    VydcZ5olmSG2BRe5xxZhbYILkprzyit5ayPXmUlTYm5MV6zbuZYMeU
    0hu4HetDAL6G0XZQz+UH/ufuvEBCe44Q/uz2UdXlgQ0cfpTQ==" />
    (omitted)
    https://www.anoopcnair.com/windows-autopilot-behind-the-scenes-secrets/

  41. Example in Apple

  42. Apple T2 Security Chip
    Not exactly a TPM, but shares similar functionalities:
    “the hardware root of trust for secure boot”
    “the lowest level of software aren't tampered with”
    https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

  43. Apple T2 Security Chip
    maintains the integrity of its security functions even if the macOS kernel
    has been compromised

  44. Apple T2 Security Chip
    Mac unique ID (UID): AES 256-bit key burned at manufacture

  45. Not quite sure how DEP uses the UID
    https://www.jamf.com/blog/apple-device-enrollment-program-apple-it-innovation/

  46. Maintenance
    “an update of the information in the identity register for an entity”

  47. https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  48. Identity Register (Inventory)
    - repository of identities
    - more like an inventory
    - continuously monitor and record the state of the device
    [Diagram] a register entry holding a set of attributes

  49. Different characteristics from human!

  54. Two types of attributes
    - Observed attributes
    - Manually configured attributes

  55. Two types of attributes
    - Observed attributes
      - automatically collected / programmatically generated attributes
    - Manually configured attributes

  56. Examples of Observed Attributes
    - enrolled time
    - last time checked in
    - logged-in users
    - HW info
    - OS version
    - installed SW and its version
    - Disk Encryption Recovery Key (escrowed by the MDM; it is a secret, so
      access to this attribute has to be restricted and audited)

  58. Examples of Manually Configured Attributes
    - type of device
      - personally assigned, kiosk, special-case
    - owner of the device
    - vendor/OEM
    - purchase data (asset-management-related data)
    - device name

  59. Data Sources
    https://storage.googleapis.com/pub-tools-public-publication-data/pdf/….pdf

  60. Observed Attributes Collection from Agent
    (same source as slide 59)

  61. Intune (HW Observed Attributes)

  62. Intune (SW Observed Attributes)

  63. Jamf (HW Observed Attributes)

  64. Jamf (SW Observed Attributes)

  65. Manually Configured Attributes (Jamf)

  66. Attributes From EDR
    (same source as slide 59)

  67. Attributes from Asset Mgmt
    (same source as slide 59)

  68. Identity Adjustment
    “an update of the information in the identity register for an entity, where
    the new information gives rise to the modification of activation information”

  69. https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (ISO/IEC 24760-1)

  70. Is the Device Still Trustful?
    Trust over elapsed time; trust by physical location
    [Diagram] critical data on an endpoint
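The identity register, its two kinds of attributes (slides 54-58), maintenance on check-in and the identity-adjustment step driven by elapsed time (slides 68-70), as one added Python example. It is not code from the deck or from any MDM product. It assumes a small policy of its own: a device whose last check-in is older than 24 hours, whose OS build is below a hypothetical baseline, whose disk is unencrypted (kiosks excepted) or whose last boot-health attestation failed is deactivated in the register; the three inventory records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy thresholds are assumptions for this example, not values from the deck.
MAX_CHECKIN_AGE = timedelta(hours=24)
MIN_OS_VERSION = (10, 0, 18363)          # hypothetical baseline build


@dataclass
class DeviceRecord:
    """One entry in the identity register (inventory)."""
    device_id: str
    # Manually configured attributes: set by the IT admin at registration.
    device_type: str                      # "personal", "kiosk" or "special-case"
    owner: str
    vendor: str
    enrolled_at: datetime
    # Observed attributes: collected by the agent/MDM at every check-in.
    last_checkin: Optional[datetime] = None
    os_version: Tuple[int, ...] = ()
    disk_encrypted: bool = False
    attested_healthy: bool = False
    # Activation information in the ISO/IEC 24760-1 sense.
    active: bool = True


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.18363' -> (10, 0, 18363); tuples compare element by element."""
    return tuple(int(part) for part in text.split("."))


def checkin(register: Dict[str, DeviceRecord], device_id: str,
            observed: Dict[str, object], now: datetime) -> None:
    """Maintenance: merge freshly observed attributes into the register."""
    dev = register[device_id]
    dev.last_checkin = now
    dev.os_version = parse_version(str(observed["os_version"]))
    dev.disk_encrypted = bool(observed["disk_encrypted"])
    dev.attested_healthy = bool(observed["attested_healthy"])


def evaluate(dev: DeviceRecord, now: datetime) -> List[str]:
    """Policy findings for one device; an empty list means it is still trusted."""
    findings: List[str] = []
    if dev.last_checkin is None or now - dev.last_checkin > MAX_CHECKIN_AGE:
        findings.append("stale-checkin")          # trust decays with elapsed time
    if dev.os_version < MIN_OS_VERSION:
        findings.append("os-below-baseline")
    if dev.device_type != "kiosk" and not dev.disk_encrypted:
        findings.append("disk-not-encrypted")     # a configured attribute shapes the rule
    if not dev.attested_healthy:
        findings.append("boot-health-failed")
    return findings


def adjust(register: Dict[str, DeviceRecord], now: datetime) -> Dict[str, List[str]]:
    """Identity adjustment: the new information modifies the activation information."""
    report: Dict[str, List[str]] = {}
    for dev in register.values():
        findings = evaluate(dev, now)
        dev.active = not findings
        report[dev.device_id] = findings
    return report


def sample_register() -> Dict[str, DeviceRecord]:
    """Constructed inventory with three devices (not real data)."""
    t0 = datetime(2020, 1, 20, tzinfo=timezone.utc)
    return {
        "LAP-001": DeviceRecord("LAP-001", "personal", "alice", "Contoso OEM", t0),
        "LAP-002": DeviceRecord("LAP-002", "personal", "bob", "Contoso OEM", t0),
        "KSK-003": DeviceRecord("KSK-003", "kiosk", "facilities", "Fabrikam OEM", t0),
    }


def run_scenario(now: Optional[datetime] = None) -> Tuple[Dict[str, List[str]], Dict[str, DeviceRecord]]:
    """Two devices check in recently, one went silent days ago; then adjust the register."""
    now = now or datetime(2020, 1, 24, 9, 44, tzinfo=timezone.utc)
    reg = sample_register()
    checkin(reg, "LAP-001", {"os_version": "10.0.18363", "disk_encrypted": True,
                             "attested_healthy": True}, now - timedelta(hours=2))
    checkin(reg, "LAP-002", {"os_version": "10.0.18362", "disk_encrypted": True,
                             "attested_healthy": True}, now - timedelta(days=3))
    checkin(reg, "KSK-003", {"os_version": "10.0.18363", "disk_encrypted": False,
                             "attested_healthy": False}, now - timedelta(minutes=5))
    return adjust(reg, now), reg
```

`run_scenario()` leaves LAP-001 active, deactivates LAP-002 for a stale check-in and an old build, and deactivates the kiosk for a failed boot-health attestation while ignoring its unencrypted disk; the configured attribute (device type) changes which observed attributes matter, which is why the register needs both kinds.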

  71. Device Health Checking
    - Verified Boot
    - Measured Boot
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-boot-process

  72. Verified Boot
    - Secure Boot
      - checks the integrity of the OS bootloader
      - checks the certificate the bootloader is signed with
    - Trusted Boot
      - a series of signature checks
    - ELAM (Early Launch Anti-Malware)
      - examines every boot driver and “determine[s] it is on the list of trusted drivers”
    - each stage extends the Chain of Trust to the next
    https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-boot-process

  77. Measured Boot
    - generates “measurable” artifacts while booting, which can be remotely verified
    - each boot component takes the hash of the next component
    - the hash is stored in Platform Configuration Registers (PCRs)
    - this “measurement” is recorded in the Trusted Computing Group (TCG) log
    - the PCRs and TCG logs are sent to a verification component (remote health attestation)
    - the PCR values are digitally signed (PCR Quote)
    https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices

  82. Microsoft (TPM and Intune)
    - Secure Boot (Verified Boot)
      - just like normal Secure Boot
    - Measured Boot
      - integrates with Windows 10 Device Guard
      - uses the AIK (Attestation Identity Key) / AK (Attestation Key) certificate to form the PCR quote
      - the certificate is issued by the Microsoft cloud
    - Intune (UEM/MDM) has its own remote health attestation service
      - parses the properties of the TCG log and compares them to the signed PCR values
    https://docs.microsoft.com/en-us/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
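The two TPM flows the deck describes, EK-based identity proofing at enrollment (slides 36-39: compare the presented EK public key to the pre-registered one, then challenge and response) and measured-boot health attestation (slides 77-82: replay the TCG log against the signed PCR quote and compare to known-good values), as one added Python example. It is not the deck's code nor Microsoft's. It assumes a simulated TPM whose EK is a toy textbook-RSA key built from known Mersenne primes (far too small for real use), that the same key signs the quote (a real TPM uses a separate Attestation Key certified via the EK), and constructed component images and a constructed vendor pre-registration list.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

E = 65537
PCR_INIT = b"\x00" * 32
TcgEvent = Tuple[int, str, bytes]   # (PCR index, component name, SHA-256 of the component)
# Known Mersenne primes; a toy key size chosen for readability, nothing like a real EK.
M89, M107, M127 = 2**89 - 1, 2**107 - 1, 2**127 - 1


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(log: List[TcgEvent]) -> Dict[int, bytes]:
    """Recompute the PCRs from the TCG event log, as the attestation service does."""
    pcrs: Dict[int, bytes] = {}
    for idx, _name, digest in log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class SimulatedTPM:
    """Toy TPM: the EK private exponent stays inside this object (the 'chip')."""

    def __init__(self, p: int, q: int) -> None:
        self._n, self._d = p * q, pow(E, -1, (p - 1) * (q - 1))
        self.pcrs: Dict[int, bytes] = {}
        self.log: List[TcgEvent] = []

    @property
    def ek_pub(self) -> Tuple[int, int]:
        return self._n, E

    def measure(self, idx: int, name: str, component: bytes) -> None:
        """Measured boot: hash the next component, extend the PCR, append to the log."""
        digest = hashlib.sha256(component).digest()
        self.pcrs[idx] = pcr_extend(self.pcrs.get(idx, PCR_INIT), digest)
        self.log.append((idx, name, digest))

    def activate_credential(self, ciphertext: int) -> bytes:
        """Recover a challenge encrypted to the EK (TPM2_ActivateCredential analogue)."""
        secret = pow(ciphertext, self._d, self._n)
        return hashlib.sha256(secret.to_bytes(32, "big")).digest()

    def quote(self, nonce: bytes, indices: List[int]) -> Tuple[bytes, int]:
        """PCR quote over nonce || selected PCRs (assumption: EK signs; a real TPM uses an AK)."""
        payload = nonce + b"".join(self.pcrs.get(i, PCR_INIT) for i in indices)
        return payload, pow(_h(payload, self._n), self._d, self._n)


def ek_fingerprint(ek_pub: Tuple[int, int]) -> str:
    n, e = ek_pub
    return hashlib.sha256(n.to_bytes(32, "big") + e.to_bytes(4, "big")).hexdigest()


def prove_identity(ek_pub: Tuple[int, int], preregistered: Dict[str, str],
                   tpm: SimulatedTPM) -> Tuple[bool, str]:
    """Enrollment: pre-registered EK check, then challenge and response (slides 36-39)."""
    fp = ek_fingerprint(ek_pub)
    if fp not in preregistered:
        return False, "EK public key was not pre-registered by the vendor"
    n, e = ek_pub
    secret = secrets.randbelow(n - 2) + 2
    expected = hashlib.sha256(secret.to_bytes(32, "big")).digest()
    if not secrets.compare_digest(tpm.activate_credential(pow(secret, e, n)), expected):
        return False, "challenge failed: device does not hold the EK private key"
    return True, preregistered[fp]


def verify_health(ek_pub: Tuple[int, int], nonce: bytes, payload: bytes, signature: int,
                  log: List[TcgEvent], golden: Dict[str, bytes], indices: List[int]) -> Tuple[bool, str]:
    """Remote health attestation: signature, freshness, log replay, then known-good values."""
    n, e = ek_pub
    if pow(signature, e, n) != _h(payload, n):
        return False, "bad quote signature"
    if payload[:len(nonce)] != nonce:
        return False, "quote is not fresh (nonce mismatch)"
    replayed = replay_log(log)
    for k, idx in enumerate(indices):
        if replayed.get(idx, PCR_INIT) != payload[len(nonce) + 32 * k:len(nonce) + 32 * (k + 1)]:
            return False, f"TCG log does not replay to the quoted PCR{idx}"
    for _idx, name, digest in log:
        if golden.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "healthy"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: genuine device, rogue device presenting a registered EK pub, tampered bootloader."""
    bootloader, kernel = b"bootmgfw.efi build 1", b"ntoskrnl.exe build 1"    # stand-in images
    golden = {"bootloader": hashlib.sha256(bootloader).digest(), "kernel": hashlib.sha256(kernel).digest()}
    good, rogue, tampered = SimulatedTPM(M127, M89), SimulatedTPM(M127, M107), SimulatedTPM(M107, M89)
    registered = {ek_fingerprint(good.ek_pub): "SN-ABC123",          # constructed vendor list
                  ek_fingerprint(tampered.ek_pub): "SN-DEF456"}
    results = {"genuine": prove_identity(good.ek_pub, registered, good),
               "rogue": prove_identity(good.ek_pub, registered, rogue)}
    good.measure(4, "bootloader", bootloader)
    good.measure(4, "kernel", kernel)
    tampered.measure(4, "bootloader", bootloader + b" (patched)")
    tampered.measure(4, "kernel", kernel)
    for label, tpm in (("healthy", good), ("tampered", tampered)):
        nonce = secrets.token_bytes(16)
        payload, sig = tpm.quote(nonce, [4])
        results[label] = verify_health(tpm.ek_pub, nonce, payload, sig, tpm.log, golden, [4])
    return results
```

In `demo()` the rogue device presents a pre-registered EK public key but cannot answer the challenge, because the challenge is encrypted to that key and only the genuine chip holds the private part; the tampered device produces a perfectly valid, fresh quote whose log replays correctly, and is still rejected because the bootloader measurement is not in the known-good set. Both checks matter: the signature proves which TPM spoke, the replay proves the log is the one the PCRs were built from, and only the comparison to known-good values says whether the boot was healthy.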

  83. Apple T2 chip
    Verifies the integrity of the next booting components: more like Trusted Boot;
    so far no sign of Measured Boot
    https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf

  84. Summary
    Device Identity Management using ISO/IEC 24760-1
    - Enrollment: registration services; TPM for identity proofing
    - Maintenance: attributes for maintenance
    - Identity Adjustment: Secure Boot; Measured Boot

  85. Challenges
    - Lack of standard guidelines
    - Lack of APIs connecting data from the sources and the inventory
    - Unmatched software lifecycle and hardware lifecycle
    - Managing freelancers' devices belonging to multiple orgs/communities

  90. Conclusion
    The change demands us to focus on Identity, including the Device.
    Device identity in enterprise security needs to be managed thoroughly and
    frequently, especially during enrollment and maintenance.
    Developing standards is the next step. Let me know!