$30 off During Our Annual Pro Sale. View Details »

同志諸君よ、ゼロトラストを撃て_CloudNativeDays2022

Kengo Suzuki
November 22, 2022

 同志諸君よ、ゼロトラストを撃て_CloudNativeDays2022

O’Reilly Japanから翻訳されたゼロトラスト・ネットワークが発刊され3年が経過しました。当初は、まさしく本カンファレンスのHPが言及するように、「物理的・時間的な距離を超えた」環境を想定したセキュリティ上の考え方でした。しかし、皆様も3年間のインシデントなどからお気づきの通り、ゼロトラストの適用は従来のセキュリティ・レベルを単純に強化するものではありません。昨今の事例を振り返りつつ、充足させていかねばならないポイントを技術事例も含めお話いたします

Kengo Suzuki

November 22, 2022
Tweet

More Decks by Kengo Suzuki

Other Decks in Technology

Transcript

  1. @ken5scal, 2022/11/20
    ಉࢤॾ܅ΑɺθϩτϥετΛܸͯ
    LayerX CTOࣨ

    View Slide

  2. ࣗݾ঺հ
    • @ken5scal

    • CTOࣨ / Fintechࣄۀ෦

    • CTOࣨ: CTO഑ԼͰશࣾԣஅతͳηΩϡϦςΟɾγεςϜͷ։ൃɾӡ༻
    • ϙϦγʔ࡞੒ɺࣾ಺ڭҭɺମ੍ߏஙɺ࣮૷ʙӡ༻·Ͱ

    • Fintechࣄۀ෦: ෆಈ࢈ؔ࿈ͷۚ༥঎඼ɺࢿ࢈ӡ༻ͷޮ཰Խ

    • ݸਓ׆ಈʮSecureཱྀஂʯ

    • O’Reilly ʮθϩτϥετωοτϫʔΫʯ؂༁
    • ΄΅िץʮ๩͍͠ਓͷͨΊͷηΩϡϦςΟɾΠϯςϦδΣϯεʯ

    • PodCastʮSecure Liaisonʯ

    View Slide

  3. ΞδΣϯμ
    • θϩτϥετͱ͸

    • ӡ༻্ͷͿͪ౰ͨͬͨ՝୊

    • ॏཁͳ఺ͱ͸ʁ

    View Slide

  4. LayerXʹ͓͚ΔηΩϡϦςΟݚम p.1

    View Slide

  5. θϩτϥετ͸
    ηΩϡϦςΟΛߴΊΔ΋ͷ͔

    View Slide

  6. Կͷ੒Ռ΋!!
    ಘΒΕ·ͤΜͰͨ͠!!

    View Slide

  7. ͱ͍͏ͷ͸ݴ͍ա͕͗ͩ

    View Slide

  8. มΘΒͣͦ͜ʹ͍ΔΠϯγσϯτ

    View Slide

  9. ΞδΣϯμ
    • θϩτϥετͱ͍͏ߟ͑ํ͸
    • ੈؒҰൠͷ՝୊

    • ӡ༻্ͷͿͪ౰ͨͬͨ՝୊

    • ॏཁͳ఺ͱ͸ʁ

    View Slide

  10. θϩτϥετͱ͸
    • θϩτϥετ͸ɺಛఆͷ࣮૷Λࢦ͢΋ͷͰ͸ͳ͍

    • ۀ຿؀ڥ͕ಛఆͷίϯϐϡʔλɺͦͯ͠ݶఆ͞Εͨωοτ
    ϫʔΫ͔Βɺ෼ࢄԽ͞ΕͨωοτϫʔΫʹࣾձతɾܦࡁత
    ʹγϑτͨ͠؀ڥʹదԠͨ͠γεςϜอޢͷߟ͑ํ

    • ؀ڥ͕มΘΕ͹ɺࢿ࢈ɾ੬ऑੑɾڴҖɺϦεΫ΋มΘΔ

    • ઃܭݪཧ͸ීว

    • 3ཁૉ: ػີੑɺ׬શੑɺՄ༻ੑ

    • ઃܭݪଇ: ࠷খݖݶɺ৬຿෼ঠ
    https://www.process.st/history-of-saas/

    View Slide

  11. θϩτϥετͱ͸
    2017 2020 2021 2022
    O’Reilly NIST SP800-207 NCSC σδλϧி

    View Slide

  12. θϩτϥετͱ͸
    2017 2020 2021 2022
    O’Reilly NIST SP800-207 NCSC σδλϧி
    • The Network is always assumed to be hostile.


    • External and internal threats exists on the network at all times


    • Network locality is not suf
    fi
    cient for decagon trust in a network


    • Every device, user, and network
    fl
    ow is authenticated and authorized


    • Policies must be dynamic and calculated from as many sources of data as
    possible
    • The entire enterprise private network is not considered an
    implicit trust zone


    • Devices on the network may not be owned of con
    fi
    gurable by the
    enterprise.


    • No resource is inherently trusted.


    • Not all enterprise resources are on enterprise-owned infrastructure


    • Remote enterprise subjects and assets cannot fully trust their local network
    connection


    • Assets and work
    fl
    ows moving between enterprise and non enterprise
    infrastructure should have a consistent security and posture

    View Slide

  13. θϩτϥετͱ͸
    2017 2020 2021 2022
    O’Reilly NIST SP800-207 NCSC σδλϧி
    • Know your architecture including users, devices, services and data


    • Know your user, service, and device identities


    • Assess user behavior, service and device health


    • Use policies to authorize requests


    • Authenticate and authorize everywhere


    • Focus your monitoring on users, devices and services


    • Don’t trust any network, including your own


    • Choose services which have been designed for zero trust
    • ϦιʔεΛ
    ࣝผ͠ɺಛఆͰ͖Δঢ়ଶʹ͢Δ


    • ओମͷ
    ਎ݩ֬ೝɾ౰ਓೝূΛ࣮ࢪ͢Δ


    • ωοτϫʔΫΛอޢ͢Δ


    • Ϧιʔεͷঢ়ଶΛ
    ֬ೝ͢Δ


    • ΞΫηε੍ޚϙϦγʔͰධՁ͠ɺΞΫηε؅ཧΛ͢Δ


    • ϦιʔεͱΞΫηεΛ
    ؍ଌ͢Δ

    View Slide

  14. θϩτϥετͱ͸
    2017 2020 2021 2022
    O’Reilly NIST SP800-207 NCSC σδλϧி
    • The Network is always assumed to be hostile.


    • External and internal threats exists on the network at all times


    • Network locality is not suf
    fi
    cient for decagon trust in a network


    • Every device, user, and network
    fl
    ow is authenticated and
    authorized
    • Policies must be dynamic and calculated from as many sources of data
    as possible
    • The entire enterprise private network is not considered an implicit trust zone


    • Devices on the network may not be owned of con
    fi
    gurable by the enterprise.


    • No resource is inherently trusted.


    • Not all enterprise resources are on enterprise-owned infrastructure


    • Remote enterprise subjects and assets cannot fully trust their local network
    connection


    • Assets and work
    fl
    ows moving between enterprise and non enterprise
    infrastructure should have a consistent security and
    posture

    View Slide

  15. θϩτϥετͱ͸
    2017 2020 2021 2022
    O’Reilly NIST SP800-207 NCSC σδλϧி
    • Know your architecture including users, devices, services and data


    • Know your user, service, and device identities


    • Assess user behavior, service and device health


    • Use policies to authorize requests


    • Authenticate and authorize everywhere


    • Focus your monitoring on users, devices and services


    • Don’t trust any network, including your own


    • Choose services which have been designed for zero trust
    • ϦιʔεΛ
    ࣝผ͠ɺಛఆͰ͖Δঢ়ଶʹ͢Δ


    • ओମͷ
    ਎ݩ֬ೝɾ౰ਓೝূΛ࣮ࢪ͢Δ


    • ωοτϫʔΫΛอޢ͢Δ


    • Ϧιʔεͷঢ়ଶΛ
    ֬ೝ͢Δ


    • ΞΫηε੍ޚϙϦγʔͰධՁ͠ɺΞΫηε؅ཧΛ͢Δ


    • ϦιʔεͱΞΫηεΛ
    ؍ଌ͢Δ

    View Slide

  16. θϩτϥετͱ͸
    • σδλϧΞΠσϯςΟςΟͱϙϦγʔʹΑΔΞΫηε੍ޚʹΑΔʮ࠷খݖ
    ݶʯͱʮ৬຿෼ঠʯͷ࣮ݱ

    • ͜ͷߟ͑ํΛ࣠ʹɺϦεΫରࡦΛ͍ͯͨ͠

    • ϦεΫ = ൃੜ֬཰ x Өڹ౓

    • ൃੜ֬཰ = ڴҖ x ੬ऑੑ

    • Өڹ౓ = ࢿ࢈΍ۀ຿ͷಛੑ

    View Slide

  17. ౰ࣾͷ੒௕ͱ
    Ψόφϯεഊ๺ͷྺ࢙
    ※ಛʹϦεΫ͸ݦࡏԽ͍ͯ͠·ͤΜ…yet

    View Slide

  18. LayerXʹ͓͚Δθϩτϥετ
    • 2020೥ஈ֊͔Βਪਐ͍ͯͨ͠

    • ֩ͱͳΔσδλϧɾΞΠσϯςΟςΟʹண໨ͨ͠࠷খݖݶͷ๏ଇɺ৬຿෼ঠ΋ਐΊ͍ͯͨ

    • ϦεΫΛ௿ݮ͢ΔͨΊͷɺࢿ࢈؅ཧɺ੬ऑੑ؅ཧɺڴҖʹ͍ͭͯ΋ԼهͷΑ͏ʹ

    • αʔϏεج൫͸AWS GuardDutyɺࣾ಺ج൫͸Microsoftͷෆਖ਼ݕ஌ɺ୺຤؅ཧͰ༧๷

    • AWSͷSecurityHub΍GCPͷSecurity Command CenterʹΑΔܧଓతݕࠪ

    • ि࣍ͷ֬ೝʹΑΓɺ֤νʔϜ΁ͷ஫ҙשى

    • ةݥͳ΋ͷ͸SlackʹΑΔ௨஌

    • λάʹΑΔϦιʔεͷ؅ཧ

    • ͦͷଞɺSaaS͸৹ࠪΛ͖ͬͪΓ

    • ࣗಈԽ΋ඞཁे෼ʹ཈͍͑ͯͨ

    • ͕…

    View Slide

  19. View Slide

  20. ηΩϡϦςΟΛҡ࣋ɾ؅ཧ͢ΔͨΊͷ׆ಈͱഊ๺ͷྺ࢙
    • ྫɿΞΫηε੍ޚ

    • IdPʹΑΔID৘ใͷϑΣσϨʔγϣϯ

    • άϧʔϓΛ໾ׂͱݟཱͯͨRBAC

    • ໾৬ɺ৬຿ɺνʔϜɺ৘ใ۠෼౳Ͱ੾Δ

    • ੩తͳϙϦγʔʹΑΔΞΫηε࣌ͷίϯςΫε
    τΛऔΓࠐΉ

    • Ϣʔβʔ΍σόΠε্ʹηΩϡϦςΟϦεΫ
    ͕ٙΘΕ͍ͯͳ͍͔

    • ಛఆͷΞΫηεͷΈʹMFA࠶ೝূΛཁٻ͢Δ
    Ϣʔβʔ
    άϧʔϓ


    A


    ʢRole A)
    Ϧιʔε
    ᶃΞΫηε
    ϙϦγʔ
    ᶄॴଐ֬ೝ
    ᶆΞΫηεՄ൱ɾద༻
    ֎෦


    σʔλιʔε
    ᶅΞΫηείϯςΫετͷ


    ֬ೝ
    0άϧʔϓϝϯόʔ؅ཧ
    ϝϯόʔ௥Ճ

    View Slide

  21. ૊৫֦େɾଟ༷Խʹ൐͏άϧʔϓͷΧϯϒϦΞେരൃ
    • ໾৬ɺ৬຿ɺνʔϜɺ৘ใ۠෼͕രൃతʹ૿Ճ

    • νʔϜมߋɺݚम࣮ࢪΛ͢Δ͚ͩͰมߋର৅ͷάϧʔ
    ϓ͕̍̌ۙ͋͘Δ

    • ඞͣΧόʔ͖͠Ε͍͍ͯͳ͍ΧςΰϦ͕Ͱ͖ɺͦͷͨͼ
    ʹ໋໊نଇͷରԠʹ௥ΘΕΔ

    • ಛఆͷ໾৬ x ಛఆͷνʔϜͷ৔߹ʹ͍Ε͍ͨάϧʔϓͷ
    ؅ཧ͕ࠔ೉

    • άϧʔϓʹΑΔΞΫηε੍ޚ͸݁ہɺॊೈੑ͕௿͍

    View Slide

  22. ࠓޙͷऔ૊ᶃɿݖݶ؅ཧͱϙϦγʔͷਁಁɾܧଓ
    • ϢʔβʔɺσόΠεɺαʔϏε͋Δ͍͸ΞΫηεઌ৐ΓιʔεʹଐੑΛ෇༩
    ͠ɺͦΕΛ΋ͱʹϙϦγʔͰಈతͳΞΫηε੍ޚΛ࣮ࢪ͢ΔʢABACʣ

    • ୭͕ɺͲ͜·ͰଐੑΛ؅ཧ͢Δ͔ɺͱ͍͏੹೚ൣғʹ͍ͭͯٞ࿦த…
    Ϣʔβʔ


    - ଐੑA


    - ଐੑB
    άϧʔϓ


    A


    ʢRole A)
    Ϧιʔε


    -ଐੑX


    -ଐੑY
    ᶃάϧʔϓʹґଘ͠ͳ͍


    ΞΫηε
    ϙϦγʔ
    ଐੑʹΑͬͯ
    ϝϯόʔ௥Ճ
    ᶆΞΫηεՄ൱ɾద༻
    ֎෦


    σʔλιʔε
    ᶅΞΫηείϯςΫετͷ


    ֬ೝ

    View Slide

  23. ̎ͭͷϙϦγʔ؅ཧ - ಺෦౷੍తͳϙϦγʔ
    https://atmarkit.itmedia.co.jp/ait/articles/0204/19/news003.html
    ಺෦౷੍తͳϙϦγʔ
    ʢͬͪ͜ͷ࿩ʣ
    CNCFతͳϙϦγʔ͸


    Ұൠతʹ͸ΨΠυϥΠ
    ϯ΍ϓϩγʔδϟ


    • ಺෦త౷੍తͳҙຯͰͷϙϦγʔ͸جຊతʹɺࣗવݴޠʹΑΔυ
    ΩϡϝϯςʔγϣϯͰ͋Δ

    • ͦͷϙϦγʔ͸ʢԼҐจॻͰ͋Δελϯμʔυ΍ϓϩγʔδϟʹ
    Ԋͬͨʣ࣮૷΍ରࡦͱ࿦ཧతʹໃ६͍ͯͯ͠͸ͳΒͳ͍

    • ·ͨɺͦͷܨ͕ΓΛূ໌Մೳɾ؂ࠪՄೳͳঢ়ଶʹͯ͠આ໌੹೚Λ
    Ռͨ͞Ͷ͹ͳΒͳ͍

    • ͜ͷඞཁੑʹ͸ҟ࿦͸গͳ͍Ͱ͋Ζ͏

    • ͨͩɺݱࡏͷϙϦγʔɺ࣮૷ɾରࡦ·Ͱͷ౷੍ʹ͸࣮ޮੑ΍ӡ༻
    ʹ͓͍ͯ՝୊͕͋Δ

    • ྨࣅ͢Δෳ਺ͷن੍ͷଘࡏͱɺͦΕʹ൐͏ໃ६΍؅ཧͷෳࡶ͞

    • ্Ґن੍ͷߋ৽ʹ͋Θ֤ͤͨछ౷੍ͷߋ৽

    • ৘ใγεςϜࣗମͷෳࡶੑͷ૿Ճ

    • ͜ΕΒʹ൐͏ϖʔύʔϫʔΫͷ޻਺૿େ
    ๏ྩ
    ۀքඪ४

    View Slide

  24. ηΩϡϦςΟରࡦɾ࣮૷ʹ಺෦౷੍ϙϦγʔʹؔ͢ΔϝλσʔλΛ͚ͭΔ
    • OSCAL: Open Security Controls Assessment Language

    • ৘ใγεςϜͷηΩϡϦςΟରࡦʢControlʣΛఆٛ͠ɺͦΕʹج͍ͮͯධՁ
    ͢ΔͨΊͷඪ४Խ͞Εͨσʔλத৺ͷධՁϑϨʔϜϫʔΫ

    w .BDIJOFSFBEBCMFͳදݱʹΑΔ୤ϝλೝ஌γεςϜ
    w ๏ن੍ɾϑϨʔϜϫʔΫͳͲϋΠϨϕϧͳཁ݅ͱ࣮૷ͷτϨʔαϏϦςΟΛ
    ֬อ
    w ܧଓతͳݕࠪɾධՁ
    https://pages.nist.gov/OSCAL/

    View Slide

  25. $POUSPM-BZFS
    $POUSPM-BZFS
    *NQMFNFOUBUJPO-BZFS "TTFTTNFOU-BZFS

    View Slide



  26. "
    catalog": {


    "uuid": "fa8f6772-40a9-4976-b7fd-e95c5b9ee037",


    "metadata": {


    "title": "
    FedRAMP Rev 4 Low Baseline",


    "published": "2021-02-05T00:00:00.000-04:00",


    "last-modified": "2021-10-13T18:23:58.261729Z",


    "version": "fedramp1.1.0-oscal1.0.0",


    "oscal-version": "1.0.0",


    "links": [


    {


    "href": "FedRAMP_rev4_LOW-baseline_profile.xml",


    "rel": "resolution-source"


    }


    ],


    "roles": [


    {


    "id": "prepared-by",


    "title": "Document creator"


    },


    {


    "id": "fedramp-pmo",


    "title": "The FedRAMP Program Management Office (PMO)",


    "short-name": "CSP"


    },


    {


    "id": "fedramp-jab",


    "title": "The FedRAMP Joint Authorization Board (JAB)",


    "short-name": "CSP"


    }


    ],


    "parties": [],


    "responsible-parties": []


    },


    "
    groups": [


    {


    "id": "ac",


    "class": "family",


    "title": "
    Access Control",


    "controls": [


    {


    "id": "ac-1",


    "class": "
    SP800-53",


    "title": "Access Control Policy and Procedures",


    "params": [


    {


    "id": "ac-1_prm_1",


    "label": "organization-defined personnel or roles"


    },


    {


    "id": "ac-1_prm_2",


    "label": "organization-defined frequency",


    "constraints": [


    {


    "description": "at least every 3 years"


    }


    ]


    },


    {


    "id": "ac-1_prm_3",


    "label": "organization-defined frequency",


    "constraints": [


    {


    "description": "at least annually"


    }


    ]


    }


    ],


    "props": [


    {


    "name": "CORE",


    "ns": "https://fedramp.gov/ns/oscal",


    "value": "true"


    },


    { "name": “label", "value": "AC-1"},


    { "name": “sort-id", "value": "ac-01"}


    ],


    "links": [ུ],


    "parts": [


    {


    "id": "ac-1_smt",


    "name": "statement",


    "prose": "The organization:",


    "parts": [


    {


    "id": "ac-1_smt.a",


    "name": "item",


    "props": [


    {


    "name": "label",


    "value": "a."


    }


    ],


    "prose": "Develops, documents, and disseminates ུ:",


    "parts": [


    {


    "id": "ac-1_smt.a.1",


    "name": "item",


    "props": [


    {


    "name": "response-point",


    "ns": "https://fedramp.gov/ns/oscal",


    "value": "ུ"


    },


    {


    "name": “label”, "value": "1."


    }


    26

    View Slide



  27. "
    profile": {


    "uuid": "8742196d-86ba-4e72-a411-28867dab43bb",


    "metadata": {


    "title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",


    "last-modified": "2021-06-08T13:57:33.97549-04:00",


    "version": "Final",


    "oscal-version": "1.0.0",


    "roles": [


    {


    "id": "creator",


    "title": "Document Creator"


    },


    {


    "id": "contact",


    "title": "Contact"


    }


    ],


    "parties": [


    {


    "uuid": "984e6c07-b5b6-4ab6-b22b-283609c325e6",


    "type": "organization",


    "name": "Joint Task Force, Transformation Initiative",


    "email-addresses": [


    "[email protected]"


    ],


    "addresses": [


    {


    "addr-lines": [


    "National Institute of Standards and Technology",


    "Attn: Computer Security Division",


    "Information Technology Laboratory",


    "100 Bureau Drive (Mail Stop 8930)"


    ],


    "city": "Gaithersburg",


    "state": "MD",


    "postal-code": "20899-8930"


    }


    ]


    }


    ],


    "responsible-parties": [


    {


    "role-id": "creator",


    "party-uuids": [


    "984e6c07-b5b6-4ab6-b22b-283609c325e6"


    ]


    },


    {


    "role-id": "contact",


    "party-uuids": [


    "984e6c07-b5b6-4ab6-b22b-283609c325e6"


    ]


    }


    ]


    },


    "
    imports": [


    {


    "
    href": "NIST_SP-800-53_rev5_catalog.xml",


    "include-controls": [


    {


    "with-ids": [


    "
    ac-1",


    "
    ac-2",


    "
    ac-3",


    "
    ac-7",


    “ུ”


    ]


    }


    ]


    }


    ],


    "merge": {


    "as-is": true


    }


    }


    }


    27

    View Slide

  28. {


    "
    component-definition": {


    "uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b",


    "metadata": {


    "title": "MongoDB Component Definition
    Example",


    "last-modified": "2001-08-26T23:11:47Z",


    "version": "20210826",


    "oscal-version": "1.0.0",


    "roles": [{"id": "provider","title": "Provider"}],


    "parties": [


    {


    "uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1",


    "type": "organization",


    "name": "MongoDB",


    "links": [


    {


    "href": "https://www.mongodb.com",


    "rel": "website"


    }]}]


    },


    "
    components": [


    {


    "uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217",


    "type": "software",


    "title": "MongoDB",


    "description": "MongoDB is a source-available, cross-platform document-
    oriented database program. Classified as a NoSQL database program, MongoDB uses
    JSON-like documents with optional schemas.",


    "purpose": "Provides a NoSQL database service",


    "responsible-roles": [


    {


    "role-id": "provider",


    "party-uuids": [


    "ef7c799a-c50e-49ab-83e0-515e989e6df1"


    ]


    }


    ],


    "protocols": [


    {


    "uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54",


    "name": "mongodb",


    "title": "Primary daemon process for the MongoDB system.",


    "port-ranges": [


    {


    "start": 27017,


    "end": 27017,


    "transport": "TCP"


    }


    ]


    },


    {


    "uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61",


    "name": "mongodb-shardsrv",


    "title": "MongoDB protocol for sharding with shardsrv option.",


    "port-ranges": [


    {


    "start": 27018,


    "end": 27018,


    "transport": "TCP"


    }


    ]


    },


    {


    "uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5",


    "name": "mongodb-configsvr",


    "title": "MongoDB protocol for configsrv operation.",


    "port-ranges": [


    {


    "start": 27019,


    "end": 27019,


    "transport": "TCP"


    }]}


    ],


    "control-implementations": [


    {


    "uuid": "49f0b690-ed9f-4f32-aae0-625b77aa6d27",


    "source": "https://github.com/usnistgov/oscal-content/blob/master/
    nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-
    baseline_profile.xml",


    "description": "MongoDB control implementations for NIST SP 800-53
    revision 5.",


    "implemented-requirements": [


    {


    "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0",


    "control-id": "sc-8.1",


    "description": "MongoDB supports TLS 1.x to encrypt data in
    transit, preventing unauthorized disclosure or changes to information during
    transmission. To implement TLS, set the PEMKeyFile option in the configuration /etc/
    mongod.conf to the certificate file's path and restart the the component."


    },


    {


    "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0",


    "control-id": "sa-4.9",


    "description": "Must ensure that MongoDB only listens for network
    connections on authorized interfaces by configuring the MongoDB configuration file
    to limit the services exposure to only the network interfaces on which MongoDB
    28

    View Slide

  29. {


    "
    system-security-plan": {


    "uuid": "d197545f-353f-407b-9166-ebf959774c5a",


    "metadata": {


    "title": "CSP IaaS System Security Plan",


    "last-modified": "2021-06-08T13:57:35.068496-04:00",


    "version": "0.1",


    "oscal-version": "1.0.0",


    "roles": [ུ],


    "parties": [


    {


    "uuid": "11111111-0000-4000-9000-100000000001",


    "type": "person"


    }


    ]


    },


    "
    import-profile": {


    "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json"


    },


    "system-characteristics": {


    "system-ids": [


    {


    "id": "csp_iaas_system"


    }


    ],


    "system-name": "Leveraged IaaS System",


    "description": "An example of three customers leveraging an authorized SaaS (ུ)“,


    "security-sensitivity-level": "low",


    "
    system-information": {


    "information-types": [


    {


    "title": "System and Network Monitoring",


    "description": "This IaaS system handles information pertaining to audit events.",


    "categorizations": [


    {


    "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1",


    "information-type-ids": ["C.3.5.8"]


    }


    ],


    "confidentiality-impact": {


    "base": "fips-199-moderate",


    "selected": "fips-199-low",


    "adjustment-justification": "This impact has been adjusted to low ʢུ)”


    },


    "integrity-impact": {


    "base": "fips-199-moderate",


    "selected": "fips-199-low",


    "adjustment-justification": "This impact has been adjusted to low ུ”


    },


    "availability-impact": {


    "base": "fips-199-moderate",


    "selected": "fips-199-low",


    "adjustment-justification": "This impact has been adjusted to low.ɹུ"


    }


    }


    ]


    },


    "
    security-impact-level": {


    "security-objective-confidentiality": "fips-199-low",


    "security-objective-integrity": "fips-199-low",


    "security-objective-availability": "fips-199-low"


    },


    "status": {


    "state": "operational"


    },


    "authorization-boundary": {


    "description": "The hardware and software supporting the virtualized infrastructure
    supporting the IaaS."


    },


    "remarks": "Most system-characteristics content does not support the example, and is included
    to meet the minimum SSP syntax requirements."


    },


    "
    system-implementation": {


    "users": [


    {


    "uuid": "11111111-0000-4000-9000-200000000001",


    "role-ids": [


    "admin"


    ],


    "authorized-privileges": [


    {


    "title": "Administrator",


    "functions-performed": ["Manages the components within the IaaS."]


    }]}


    ],


    "components": [


    {


    "uuid": "cfbc1d9d-e772-47a4-aed5-1b902339eab2",


    "type": "this-system",


    "title": "This System",


    "description": "The system described by this SSP.\n\nThis text was auto-generated by the
    OSCAL M3-RC1 data upgrade converter.",


    "status": {


    "state": "operational"


    }},


    {


    "uuid": "11111111-0000-4000-9001-000000000002",


    "type": "software",


    "title": "Application",


    "description": "An application within the IaaS, exposed to SaaS customersུ",


    "props": [{"name": “implementation-point”, "value": "system"}],


    "status": {"state": "operational"},


    "responsible-roles": [


    {


    "role-id": "admin",


    "party-uuids": ["11111111-0000-4000-9000-100000000001" ]


    }]}]


    },


    "
    control-implementation": {


    "description": "This is a collection of control responses.",


    "implemented-requirements": [


    {


    "uuid": "11111111-0000-4000-9009-002000000000",


    "control-id": "ac-2",


    "set-parameters": [


    {


    "param-id": "ac-2_prm_1",


    29

    View Slide

  30. ηΩϡϦςΟΛҡ࣋ɾ؅ཧ͢ΔͨΊͷ׆ಈͱഊ๺ͷྺ࢙
    • ࢿ࢈؅ཧ͓Αͼ੬ऑੑ؅ཧ

    • AWSͷSecurityHub΍GCPͷSecurity Command CenterʹΑΔ࣮ݱ

    • ि࣍Ͱ໨ݟ֬ೝʹΑΓɺ֤νʔϜ΁ͷ஫ҙשى

    • ةݥͳ΋ͷ͸SlackʹΑΔ௨஌

    • λάʹΑΔϦιʔεͷ؅ཧ

    • ͦͷଞɺSaaS͸৹ࠪΛ͖ͬͪΓ

    • ૊৫֦େɾଟ༷Խʹ൐͏ϦιʔεͷΧϯϒϦΞେരൃ


    View Slide

  31. ·ͱΊ
    • θϩτϥετ͸ηΩϡϦςΟରࡦͰ͸ͳ͘ɺಛఆͷۀ຿؀ڥʹ͓͚Δࢦ਑Ͱ͋Γߟ͑
    ํͰ͋Δ

    • ֤૊৫͸ɺͦͷߟ͑ํΛ࣠ʹηΩϡϦςΟରࡦΛ͢Δ

    • LXͰ͸θϩτϥετʹૣ͍ஈ֊͔ΒऔΓ૊ΈɺΞΫηε੍ޚΛ

    • ͔͠͠ɺ૊৫֦େͱͱ΋ʹΑΓੵۃతͳࣗಈԽͷϑΣʔζʹೖ͖ͬͯͨ

    • θϩτϥετͷࢦ਑͸ҡ࣋

    • ͦͷͨΊͷ՝୊ͷҰͭʹ಺෦౷੍తͳϙϦγʔͷܧଓతͳӡ༻ɾద༻͕͋Δ

    • OSCALͷΑ͏ʹͦ͏͍ͬͨऔΓ૊ΈΛॏཁࢹ͢Δைྲྀ͕΍΍͋Δ

    View Slide

  32. View Slide

  33. ੋඇɺMeetyͰ


    ଓ͖Λ


    https://meety.net/matches/
    SunJOdvBKMrT

    View Slide