同志諸君よ、ゼロトラストを撃て_CloudNativeDays2022

@ken5scal, 2022/11/20
ಉࢤॾ܅ΑɺθϩτϥετΛܸͯ
LayerX CTOࣨ

View Slide

ࣗݾ঺հ
• @ken5scal

• CTOࣨ / Fintechࣄۀ෦

• CTOࣨ: CTO഑ԼͰશࣾԣஅతͳηΩϡϦςΟɾγεςϜͷ։ൃɾӡ༻
• ϙϦγʔ࡞੒ɺࣾ಺ڭҭɺମ੍ߏஙɺ࣮૷ʙӡ༻·Ͱ

• Fintechࣄۀ෦: ෆಈ࢈ؔ࿈ͷۚ༥঎඼ɺࢿ࢈ӡ༻ͷޮ཰Խ

• ݸਓ׆ಈʮSecureཱྀஂʯ

• O’Reilly ʮθϩτϥετωοτϫʔΫʯ؂༁
• ΄΅िץʮ๩͍͠ਓͷͨΊͷηΩϡϦςΟɾΠϯςϦδΣϯεʯ

• PodCastʮSecure Liaisonʯ

View Slide

ΞδΣϯμ
• θϩτϥετͱ͸

• ӡ༻্ͷͿͪ౰ͨͬͨ՝୊

• ॏཁͳ఺ͱ͸ʁ

View Slide

LayerXʹ͓͚ΔηΩϡϦςΟݚम p.1

View Slide

θϩτϥετ͸
ηΩϡϦςΟΛߴΊΔ΋ͷ͔

View Slide

Կͷ੒Ռ΋!!
ಘΒΕ·ͤΜͰͨ͠!!

View Slide

ͱ͍͏ͷ͸ݴ͍ա͕͗ͩ

View Slide

มΘΒͣͦ͜ʹ͍ΔΠϯγσϯτ

View Slide

ΞδΣϯμ
• θϩτϥετͱ͍͏ߟ͑ํ͸
• ੈؒҰൠͷ՝୊

• ӡ༻্ͷͿͪ౰ͨͬͨ՝୊

• ॏཁͳ఺ͱ͸ʁ

View Slide

θϩτϥετͱ͸
• θϩτϥετ͸ɺಛఆͷ࣮૷Λࢦ͢΋ͷͰ͸ͳ͍

• ۀ຿؀ڥ͕ಛఆͷίϯϐϡʔλɺͦͯ͠ݶఆ͞Εͨωοτ
ϫʔΫ͔Βɺ෼ࢄԽ͞ΕͨωοτϫʔΫʹࣾձతɾܦࡁత
ʹγϑτͨ͠؀ڥʹదԠͨ͠γεςϜอޢͷߟ͑ํ

• ؀ڥ͕มΘΕ͹ɺࢿ࢈ɾ੬ऑੑɾڴҖɺϦεΫ΋มΘΔ

• ઃܭݪཧ͸ීว

• 3ཁૉ: ػີੑɺ׬શੑɺՄ༻ੑ

• ઃܭݪଇ: ࠷খݖݶɺ৬຿෼ঠ
https://www.process.st/history-of-saas/

View Slide

θϩτϥετͱ͸
2017 2020 2021 2022
O’Reilly NIST SP800-207 NCSC σδλϧி

View Slide

θϩτϥετͱ͸
2017 2020 2021 2022
• The Network is always assumed to be hostile.

• External and internal threats exists on the network at all times

• Network locality is not suf
fi
cient for decagon trust in a network

• Every device, user, and network
fl
ow is authenticated and authorized

• Policies must be dynamic and calculated from as many sources of data as
possible
• The entire enterprise private network is not considered an
implicit trust zone

• Devices on the network may not be owned of con
fi
gurable by the
enterprise.

• No resource is inherently trusted.

• Not all enterprise resources are on enterprise-owned infrastructure

• Remote enterprise subjects and assets cannot fully trust their local network
connection

• Assets and work
fl
ows moving between enterprise and non enterprise
infrastructure should have a consistent security and posture

View Slide

θϩτϥετͱ͸
2017 2020 2021 2022
• Know your architecture including users, devices, services and data

• Know your user, service, and device identities

• Assess user behavior, service and device health

• Use policies to authorize requests

• Authenticate and authorize everywhere

• Focus your monitoring on users, devices and services

• Don’t trust any network, including your own

• Choose services which have been designed for zero trust
• ϦιʔεΛ
ࣝผ͠ɺಛఆͰ͖Δঢ়ଶʹ͢Δ

• ओମͷ
਎ݩ֬ೝɾ౰ਓೝূΛ࣮ࢪ͢Δ

• ωοτϫʔΫΛอޢ͢Δ

• Ϧιʔεͷঢ়ଶΛ
֬ೝ͢Δ

• ΞΫηε੍ޚϙϦγʔͰධՁ͠ɺΞΫηε؅ཧΛ͢Δ

• ϦιʔεͱΞΫηεΛ
؍ଌ͢Δ

View Slide

θϩτϥετͱ͸
2017 2020 2021 2022
• The Network is always assumed to be hostile.

• External and internal threats exists on the network at all times

• Network locality is not suf
fi
cient for decagon trust in a network

• Every device, user, and network
fl
ow is authenticated and
authorized
• Policies must be dynamic and calculated from as many sources of data
as possible
• The entire enterprise private network is not considered an implicit trust zone

• Devices on the network may not be owned of con
fi
gurable by the enterprise.

• No resource is inherently trusted.

• Not all enterprise resources are on enterprise-owned infrastructure

• Remote enterprise subjects and assets cannot fully trust their local network
connection

• Assets and work
fl
ows moving between enterprise and non enterprise
infrastructure should have a consistent security and
posture

View Slide

θϩτϥετͱ͸
2017 2020 2021 2022
• Know your architecture including users, devices, services and data

• Know your user, service, and device identities

• Assess user behavior, service and device health

• Use policies to authorize requests

• Authenticate and authorize everywhere

• Focus your monitoring on users, devices and services

• Don’t trust any network, including your own

• Choose services which have been designed for zero trust
• ϦιʔεΛ
ࣝผ͠ɺಛఆͰ͖Δঢ়ଶʹ͢Δ

• ओମͷ
਎ݩ֬ೝɾ౰ਓೝূΛ࣮ࢪ͢Δ

• ωοτϫʔΫΛอޢ͢Δ

• Ϧιʔεͷঢ়ଶΛ
֬ೝ͢Δ

• ΞΫηε੍ޚϙϦγʔͰධՁ͠ɺΞΫηε؅ཧΛ͢Δ

• ϦιʔεͱΞΫηεΛ
؍ଌ͢Δ

View Slide

θϩτϥετͱ͸
• σδλϧΞΠσϯςΟςΟͱϙϦγʔʹΑΔΞΫηε੍ޚʹΑΔʮ࠷খݖ
ݶʯͱʮ৬຿෼ঠʯͷ࣮ݱ

• ͜ͷߟ͑ํΛ࣠ʹɺϦεΫରࡦΛ͍ͯͨ͠

• ϦεΫ = ൃੜ֬཰ x Өڹ౓

• ൃੜ֬཰ = ڴҖ x ੬ऑੑ

• Өڹ౓ = ࢿ࢈΍ۀ຿ͷಛੑ

View Slide

౰ࣾͷ੒௕ͱ
Ψόφϯεഊ๺ͷྺ࢙
※ಛʹϦεΫ͸ݦࡏԽ͍ͯ͠·ͤΜ…yet

View Slide

LayerXʹ͓͚Δθϩτϥετ
• 2020೥ஈ֊͔Βਪਐ͍ͯͨ͠

• ֩ͱͳΔσδλϧɾΞΠσϯςΟςΟʹண໨ͨ͠࠷খݖݶͷ๏ଇɺ৬຿෼ঠ΋ਐΊ͍ͯͨ

• ϦεΫΛ௿ݮ͢ΔͨΊͷɺࢿ࢈؅ཧɺ੬ऑੑ؅ཧɺڴҖʹ͍ͭͯ΋ԼهͷΑ͏ʹ

• αʔϏεج൫͸AWS GuardDutyɺࣾ಺ج൫͸Microsoftͷෆਖ਼ݕ஌ɺ୺຤؅ཧͰ༧๷

• AWSͷSecurityHub΍GCPͷSecurity Command CenterʹΑΔܧଓతݕࠪ

• ि࣍ͷ֬ೝʹΑΓɺ֤νʔϜ΁ͷ஫ҙשى

• ةݥͳ΋ͷ͸SlackʹΑΔ௨஌

• λάʹΑΔϦιʔεͷ؅ཧ

• ͦͷଞɺSaaS͸৹ࠪΛ͖ͬͪΓ

• ࣗಈԽ΋ඞཁे෼ʹ཈͍͑ͯͨ

• ͕…

View Slide

View Slide

ηΩϡϦςΟΛҡ࣋ɾ؅ཧ͢ΔͨΊͷ׆ಈͱഊ๺ͷྺ࢙
• ྫɿΞΫηε੍ޚ

• IdPʹΑΔID৘ใͷϑΣσϨʔγϣϯ

• άϧʔϓΛ໾ׂͱݟཱͯͨRBAC

• ໾৬ɺ৬຿ɺνʔϜɺ৘ใ۠෼౳Ͱ੾Δ

• ੩తͳϙϦγʔʹΑΔΞΫηε࣌ͷίϯςΫε
τΛऔΓࠐΉ

• Ϣʔβʔ΍σόΠε্ʹηΩϡϦςΟϦεΫ
͕ٙΘΕ͍ͯͳ͍͔

• ಛఆͷΞΫηεͷΈʹMFA࠶ೝূΛཁٻ͢Δ
Ϣʔβʔ
άϧʔϓ

A

ʢRole A)
Ϧιʔε
ᶃΞΫηε
ϙϦγʔ
ᶄॴଐ֬ೝ
ᶆΞΫηεՄ൱ɾద༻
֎෦

σʔλιʔε
ᶅΞΫηείϯςΫετͷ

֬ೝ
0άϧʔϓϝϯόʔ؅ཧ
ϝϯόʔ௥Ճ

View Slide

૊৫֦େɾଟ༷Խʹ൐͏άϧʔϓͷΧϯϒϦΞେരൃ
• ໾৬ɺ৬຿ɺνʔϜɺ৘ใ۠෼͕രൃతʹ૿Ճ

• νʔϜมߋɺݚम࣮ࢪΛ͢Δ͚ͩͰมߋର৅ͷάϧʔ
ϓ͕̍̌ۙ͋͘Δ

• ඞͣΧόʔ͖͠Ε͍͍ͯͳ͍ΧςΰϦ͕Ͱ͖ɺͦͷͨͼ
ʹ໋໊نଇͷରԠʹ௥ΘΕΔ

• ಛఆͷ໾৬ x ಛఆͷνʔϜͷ৔߹ʹ͍Ε͍ͨάϧʔϓͷ
؅ཧ͕ࠔ೉

• άϧʔϓʹΑΔΞΫηε੍ޚ͸݁ہɺॊೈੑ͕௿͍

View Slide

ࠓޙͷऔ૊ᶃɿݖݶ؅ཧͱϙϦγʔͷਁಁɾܧଓ
• ϢʔβʔɺσόΠεɺαʔϏε͋Δ͍͸ΞΫηεઌ৐ΓιʔεʹଐੑΛ෇༩
͠ɺͦΕΛ΋ͱʹϙϦγʔͰಈతͳΞΫηε੍ޚΛ࣮ࢪ͢ΔʢABACʣ

• ୭͕ɺͲ͜·ͰଐੑΛ؅ཧ͢Δ͔ɺͱ͍͏੹೚ൣғʹ͍ͭͯٞ࿦த…
Ϣʔβʔ

- ଐੑA

- ଐੑB
άϧʔϓ

A

ʢRole A)
Ϧιʔε

-ଐੑX

-ଐੑY
ᶃάϧʔϓʹґଘ͠ͳ͍

ΞΫηε
ϙϦγʔ
ଐੑʹΑͬͯ
ϝϯόʔ௥Ճ
ᶆΞΫηεՄ൱ɾద༻
֎෦

σʔλιʔε
ᶅΞΫηείϯςΫετͷ

֬ೝ

View Slide

̎ͭͷϙϦγʔ؅ཧ - ಺෦౷੍తͳϙϦγʔ
https://atmarkit.itmedia.co.jp/ait/articles/0204/19/news003.html
಺෦౷੍తͳϙϦγʔ
ʢͬͪ͜ͷ࿩ʣ
CNCFతͳϙϦγʔ͸

Ұൠతʹ͸ΨΠυϥΠ
ϯ΍ϓϩγʔδϟ

• ಺෦త౷੍తͳҙຯͰͷϙϦγʔ͸جຊతʹɺࣗવݴޠʹΑΔυ
ΩϡϝϯςʔγϣϯͰ͋Δ

• ͦͷϙϦγʔ͸ʢԼҐจॻͰ͋Δελϯμʔυ΍ϓϩγʔδϟʹ
Ԋͬͨʣ࣮૷΍ରࡦͱ࿦ཧతʹໃ६͍ͯͯ͠͸ͳΒͳ͍

• ·ͨɺͦͷܨ͕ΓΛূ໌Մೳɾ؂ࠪՄೳͳঢ়ଶʹͯ͠આ໌੹೚Λ
Ռͨ͞Ͷ͹ͳΒͳ͍

• ͜ͷඞཁੑʹ͸ҟ࿦͸গͳ͍Ͱ͋Ζ͏

• ͨͩɺݱࡏͷϙϦγʔɺ࣮૷ɾରࡦ·Ͱͷ౷੍ʹ͸࣮ޮੑ΍ӡ༻
ʹ͓͍ͯ՝୊͕͋Δ

• ྨࣅ͢Δෳ਺ͷن੍ͷଘࡏͱɺͦΕʹ൐͏ໃ६΍؅ཧͷෳࡶ͞

• ্Ґن੍ͷߋ৽ʹ͋Θ֤ͤͨछ౷੍ͷߋ৽

• ৘ใγεςϜࣗମͷෳࡶੑͷ૿Ճ

• ͜ΕΒʹ൐͏ϖʔύʔϫʔΫͷ޻਺૿େ
๏ྩ
ۀքඪ४

View Slide

ηΩϡϦςΟରࡦɾ࣮૷ʹ಺෦౷੍ϙϦγʔʹؔ͢ΔϝλσʔλΛ͚ͭΔ
• OSCAL: Open Security Controls Assessment Language

• ৘ใγεςϜͷηΩϡϦςΟରࡦʢControlʣΛఆٛ͠ɺͦΕʹج͍ͮͯධՁ
͢ΔͨΊͷඪ४Խ͞Εͨσʔλத৺ͷධՁϑϨʔϜϫʔΫ

w .BDIJOFSFBEBCMFͳදݱʹΑΔ୤ϝλೝ஌γεςϜ
w ๏ن੍ɾϑϨʔϜϫʔΫͳͲϋΠϨϕϧͳཁ݅ͱ࣮૷ͷτϨʔαϏϦςΟΛ
֬อ
w ܧଓతͳݕࠪɾධՁ
https://pages.nist.gov/OSCAL/

View Slide

$POUSPM-BZFS
$POUSPM-BZFS
*NQMFNFOUBUJPO-BZFS "TTFTTNFOU-BZFS

View Slide

"
catalog": {

"uuid": "fa8f6772-40a9-4976-b7fd-e95c5b9ee037",

"metadata": {

"title": "
FedRAMP Rev 4 Low Baseline",

"published": "2021-02-05T00:00:00.000-04:00",

"last-modified": "2021-10-13T18:23:58.261729Z",

"version": "fedramp1.1.0-oscal1.0.0",

"oscal-version": "1.0.0",

"links": [

{

"href": "FedRAMP_rev4_LOW-baseline_profile.xml",

"rel": "resolution-source"

}

],

"roles": [

{

"id": "prepared-by",

"title": "Document creator"

},

{

"id": "fedramp-pmo",

"title": "The FedRAMP Program Management Office (PMO)",

"short-name": "CSP"

},

{

"id": "fedramp-jab",

"title": "The FedRAMP Joint Authorization Board (JAB)",

"short-name": "CSP"

}

],

"parties": [],

"responsible-parties": []

},

"
groups": [

{

"id": "ac",

"class": "family",

"title": "
Access Control",

"controls": [

{

"id": "ac-1",

"class": "
SP800-53",

"title": "Access Control Policy and Procedures",

"params": [

{

"id": "ac-1_prm_1",

"label": "organization-defined personnel or roles"

},

{

"id": "ac-1_prm_2",

"label": "organization-defined frequency",

"constraints": [

{

"description": "at least every 3 years"

}

]

},

{

"id": "ac-1_prm_3",

"label": "organization-defined frequency",

"constraints": [

{

"description": "at least annually"

}

]

}

],

"props": [

{

"name": "CORE",

"ns": "https://fedramp.gov/ns/oscal",

"value": "true"

},

{ "name": “label", "value": "AC-1"},

{ "name": “sort-id", "value": "ac-01"}

],

"links": [ུ],

"parts": [

{

"id": "ac-1_smt",

"name": "statement",

"prose": "The organization:",

"parts": [

{

"id": "ac-1_smt.a",

"name": "item",

"props": [

{

"name": "label",

"value": "a."

}

],

"prose": "Develops, documents, and disseminates ུ:",

"parts": [

{

"id": "ac-1_smt.a.1",

"name": "item",

"props": [

{

"name": "response-point",

"ns": "https://fedramp.gov/ns/oscal",

"value": "ུ"

},

{

"name": “label”, "value": "1."

}

26

View Slide

"
profile": {

"uuid": "8742196d-86ba-4e72-a411-28867dab43bb",

"metadata": {

"title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",

"last-modified": "2021-06-08T13:57:33.97549-04:00",

"version": "Final",


"roles": [

{

"id": "creator",

"title": "Document Creator"

},

{

"id": "contact",

"title": "Contact"

}

],

"parties": [

{

"uuid": "984e6c07-b5b6-4ab6-b22b-283609c325e6",

"type": "organization",

"name": "Joint Task Force, Transformation Initiative",

"email-addresses": [

"[email protected]"

],

"addresses": [

{

"addr-lines": [

"National Institute of Standards and Technology",

"Attn: Computer Security Division",

"Information Technology Laboratory",

"100 Bureau Drive (Mail Stop 8930)"

],

"city": "Gaithersburg",

"state": "MD",

"postal-code": "20899-8930"

}

]

}

],

"responsible-parties": [

{

"role-id": "creator",

"party-uuids": [

"984e6c07-b5b6-4ab6-b22b-283609c325e6"

]

},

{

"role-id": "contact",

"party-uuids": [

"984e6c07-b5b6-4ab6-b22b-283609c325e6"

]

}

]

},

"
imports": [

{

"
href": "NIST_SP-800-53_rev5_catalog.xml",

"include-controls": [

{

"with-ids": [

"
ac-1",

"
ac-2",

"
ac-3",

"
ac-7",

“ུ”

]

}

]

}

],

"merge": {

"as-is": true

}

}

}

27

View Slide

{

"
component-definition": {

"uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b",

"metadata": {

"title": "MongoDB Component Definition
Example",

"last-modified": "2001-08-26T23:11:47Z",

"version": "20210826",


"roles": [{"id": "provider","title": "Provider"}],

"parties": [

{

"uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1",

"type": "organization",

"name": "MongoDB",

"links": [

{

"href": "https://www.mongodb.com",

"rel": "website"

}]}]

},

"
components": [

{

"uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217",

"type": "software",

"title": "MongoDB",

"description": "MongoDB is a source-available, cross-platform document-
oriented database program. Classified as a NoSQL database program, MongoDB uses
JSON-like documents with optional schemas.",

"purpose": "Provides a NoSQL database service",

"responsible-roles": [

{

"role-id": "provider",

"party-uuids": [

"ef7c799a-c50e-49ab-83e0-515e989e6df1"

]

}

],

"protocols": [

{

"uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54",

"name": "mongodb",

"title": "Primary daemon process for the MongoDB system.",

"port-ranges": [

{

"start": 27017,

"end": 27017,

"transport": "TCP"

}

]

},

{

"uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61",

"name": "mongodb-shardsrv",

"title": "MongoDB protocol for sharding with shardsrv option.",

"port-ranges": [

{

"start": 27018,

"end": 27018,

"transport": "TCP"

}

]

},

{

"uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5",

"name": "mongodb-configsvr",

"title": "MongoDB protocol for configsrv operation.",

"port-ranges": [

{

"start": 27019,

"end": 27019,

"transport": "TCP"

}]}

],

"control-implementations": [

{

"uuid": "49f0b690-ed9f-4f32-aae0-625b77aa6d27",

"source": "https://github.com/usnistgov/oscal-content/blob/master/
nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-
baseline_profile.xml",

"description": "MongoDB control implementations for NIST SP 800-53
revision 5.",

"implemented-requirements": [

{

"uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0",

"control-id": "sc-8.1",

"description": "MongoDB supports TLS 1.x to encrypt data in
transit, preventing unauthorized disclosure or changes to information during
transmission. To implement TLS, set the PEMKeyFile option in the configuration /etc/
mongod.conf to the certificate file's path and restart the the component."

},

{

"uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0",

"control-id": "sa-4.9",

"description": "Must ensure that MongoDB only listens for network
connections on authorized interfaces by configuring the MongoDB configuration file
to limit the services exposure to only the network interfaces on which MongoDB
28

View Slide

{

"
system-security-plan": {

"uuid": "d197545f-353f-407b-9166-ebf959774c5a",

"metadata": {

"title": "CSP IaaS System Security Plan",

"last-modified": "2021-06-08T13:57:35.068496-04:00",

"version": "0.1",


"roles": [ུ],

"parties": [

{

"uuid": "11111111-0000-4000-9000-100000000001",

"type": "person"

}

]

},

"
import-profile": {

"href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json"

},

"system-characteristics": {

"system-ids": [

{

"id": "csp_iaas_system"

}

],

"system-name": "Leveraged IaaS System",

"description": "An example of three customers leveraging an authorized SaaS (ུ)“,

"security-sensitivity-level": "low",

"
system-information": {

"information-types": [

{

"title": "System and Network Monitoring",

"description": "This IaaS system handles information pertaining to audit events.",

"categorizations": [

{

"system": "https://doi.org/10.6028/NIST.SP.800-60v2r1",

"information-type-ids": ["C.3.5.8"]

}

],

"confidentiality-impact": {

"base": "fips-199-moderate",

"selected": "fips-199-low",

"adjustment-justification": "This impact has been adjusted to low ʢུ)”

},

"integrity-impact": {



"adjustment-justification": "This impact has been adjusted to low ུ”

},

"availability-impact": {



"adjustment-justification": "This impact has been adjusted to low.ɹུ"

}

}

]

},

"
security-impact-level": {

"security-objective-confidentiality": "fips-199-low",

"security-objective-integrity": "fips-199-low",

"security-objective-availability": "fips-199-low"

},

"status": {

"state": "operational"

},

"authorization-boundary": {

"description": "The hardware and software supporting the virtualized infrastructure
supporting the IaaS."

},

"remarks": "Most system-characteristics content does not support the example, and is included
to meet the minimum SSP syntax requirements."

},

"
system-implementation": {

"users": [

{

"uuid": "11111111-0000-4000-9000-200000000001",

"role-ids": [

"admin"

],

"authorized-privileges": [

{

"title": "Administrator",

"functions-performed": ["Manages the components within the IaaS."]

}]}

],

"components": [

{

"uuid": "cfbc1d9d-e772-47a4-aed5-1b902339eab2",

"type": "this-system",

"title": "This System",

"description": "The system described by this SSP.\n\nThis text was auto-generated by the
OSCAL M3-RC1 data upgrade converter.",

"status": {

"state": "operational"

}},

{

"uuid": "11111111-0000-4000-9001-000000000002",

"type": "software",

"title": "Application",

"description": "An application within the IaaS, exposed to SaaS customersུ",

"props": [{"name": “implementation-point”, "value": "system"}],

"status": {"state": "operational"},

"responsible-roles": [

{

"role-id": "admin",

"party-uuids": ["11111111-0000-4000-9000-100000000001" ]

}]}]

},

"
control-implementation": {

"description": "This is a collection of control responses.",

"implemented-requirements": [

{

"uuid": "11111111-0000-4000-9009-002000000000",

"control-id": "ac-2",

"set-parameters": [

{

"param-id": "ac-2_prm_1",

29

View Slide

ηΩϡϦςΟΛҡ࣋ɾ؅ཧ͢ΔͨΊͷ׆ಈͱഊ๺ͷྺ࢙
• ࢿ࢈؅ཧ͓Αͼ੬ऑੑ؅ཧ

• AWSͷSecurityHub΍GCPͷSecurity Command CenterʹΑΔ࣮ݱ

• ि࣍Ͱ໨ݟ֬ೝʹΑΓɺ֤νʔϜ΁ͷ஫ҙשى

• ةݥͳ΋ͷ͸SlackʹΑΔ௨஌

• λάʹΑΔϦιʔεͷ؅ཧ

• ͦͷଞɺSaaS͸৹ࠪΛ͖ͬͪΓ

• ૊৫֦େɾଟ༷Խʹ൐͏ϦιʔεͷΧϯϒϦΞେരൃ

•

View Slide

·ͱΊ
• θϩτϥετ͸ηΩϡϦςΟରࡦͰ͸ͳ͘ɺಛఆͷۀ຿؀ڥʹ͓͚Δࢦ਑Ͱ͋Γߟ͑
ํͰ͋Δ

• ֤૊৫͸ɺͦͷߟ͑ํΛ࣠ʹηΩϡϦςΟରࡦΛ͢Δ

• LXͰ͸θϩτϥετʹૣ͍ஈ֊͔ΒऔΓ૊ΈɺΞΫηε੍ޚΛ

• ͔͠͠ɺ૊৫֦େͱͱ΋ʹΑΓੵۃతͳࣗಈԽͷϑΣʔζʹೖ͖ͬͯͨ

• θϩτϥετͷࢦ਑͸ҡ࣋

• ͦͷͨΊͷ՝୊ͷҰͭʹ಺෦౷੍తͳϙϦγʔͷܧଓతͳӡ༻ɾద༻͕͋Δ

• OSCALͷΑ͏ʹͦ͏͍ͬͨऔΓ૊ΈΛॏཁࢹ͢Δைྲྀ͕΍΍͋Δ

View Slide

View Slide

ੋඇɺMeetyͰ

ଓ͖Λ

https://meety.net/matches/
SunJOdvBKMrT

View Slide

同志諸君よ、ゼロトラストを撃て_CloudNativeDays2022

同志諸君よ、ゼロトラストを撃て_CloudNativeDays2022

Kengo Suzuki

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript