
Comrades, Fire at Zero Trust_CloudNativeDays2022

Kengo Suzuki
November 22, 2022


Three years have passed since O’Reilly Japan published its translation of Zero Trust Networks. At the time it was, exactly as this conference’s website puts it, a security approach that assumed an environment “beyond physical and temporal distance”. But as the incidents of the past three years will have made clear to you, applying zero trust does not simply raise the conventional security level. Looking back at recent cases, I will talk about the points that still have to be satisfied, including technical examples.


Transcript

  1. About me
    • @ken5scal
    • CTO Office / Fintech Business Division
    • CTO Office: development and operation of company-wide security and systems under the CTO
    • From policy writing, internal training and organization building to implementation and operation
    • Fintech Business Division: real-estate-related financial products, making asset management more efficient
    • Personal activities: “Secure旅団”
    • Supervising translator of the O’Reilly book “Zero Trust Networks” (Japanese edition)
    • Roughly weekly newsletter “Security Intelligence for Busy People”
    • Podcast “Secure Liaison”
  2. What is zero trust? (timeline on the slide: 2017 O’Reilly, 2020 NIST SP800-207, 2021 NCSC, 2022 Digital Agency)
    • The network is always assumed to be hostile.
    • External and internal threats exist on the network at all times.
    • Network locality is not sufficient for deciding trust in a network.
    • Every device, user, and network flow is authenticated and authorized.
    • Policies must be dynamic and calculated from as many sources of data as possible.
    • The entire enterprise private network is not considered an implicit trust zone.
    • Devices on the network may not be owned or configurable by the enterprise.
    • No resource is inherently trusted.
    • Not all enterprise resources are on enterprise-owned infrastructure.
    • Remote enterprise subjects and assets cannot fully trust their local network connection.
    • Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
  3. What is zero trust? (timeline on the slide: 2017 O’Reilly, 2020 NIST SP800-207, 2021 NCSC, 2022 Digital Agency)
    • Know your architecture including users, devices, services and data
    • Know your user, service, and device identities
    • Assess user behaviour, service and device health
    • Use policies to authorize requests
    • Authenticate and authorize everywhere
    • Focus your monitoring on users, devices and services
    • Don’t trust any network, including your own
    • Choose services which have been designed for zero trust
    • Identify resources and keep them in an identifiable state
    • Perform identity proofing and authentication of subjects
    • Protect the network
    • Check the state of resources
    • Evaluate against access control policies and manage access
    • Observe resources and access
  6. Zero trust at LayerX
    • Pushed forward from around 2020
    • Also advancing the principle of least privilege and separation of duties, with digital identity as the core
    • Asset management, vulnerability management and threats were handled as below to reduce risk
    • Service infrastructure: AWS GuardDuty; internal infrastructure: Microsoft’s threat detection, plus endpoint management for prevention
    • Continuous inspection with AWS Security Hub and GCP Security Command Center
    • Weekly review, with findings raised to each team
    • Dangerous findings notified via Slack
    • Resources managed by tags
    • Beyond that, SaaS is vetted rigorously
    • Automation kept to what was necessary and sufficient
    • But…
  7. Activities for maintaining and managing security, and a history of defeats
    • Example: access control
    • Federation of identity information through the IdP
    • RBAC that treats groups as roles
    • Cut by title, duties, team, information classification, and so on
    • Incorporate access-time context into the static policies
    • Is a security risk suspected on the user or the device?
    • Require MFA re-authentication only for specific accesses
    Diagram: User → Group A (Role A) → Resource; ① access; policy; ② membership check; ③ check of access context against an external data source; ④ access decision and enforcement; ⓪ group member management (add member)
  8. Next steps ①: permission management, and making policy pervasive and continuous
    • Assign attributes to users, devices, services and the target resources, and perform dynamic access control with policies based on those attributes (ABAC)
    • Still under discussion: who manages which attributes, and how far that responsibility extends…
    Diagram: User (attribute A, attribute B); Group A (Role A); Resource (attribute X, attribute Y); ① access that does not depend on groups; policy; members added according to attributes; ③ check of access context against an external data source; ④ access decision and enforcement
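The move from “group = role” checks to attribute-based, context-aware decisions on slides 7 and 8 can be made concrete in a few dozen lines. The following is an added example, not code from the talk or from LayerX: a policy function that matches subject and resource attributes, consults access-time signals from an external data source (device posture, time since the last MFA), and answers allow, deny or step-up MFA. The attribute names, the 15-minute MFA threshold and the rule order are constructed for illustration.

```python
"""Attribute-based access decision that also consumes access-time context.

Added example (not code from the talk or from LayerX). The attribute names,
thresholds and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP_MFA = "step-up-mfa"  # grant only after a fresh MFA challenge


@dataclass
class Subject:
    user: str
    attributes: dict  # e.g. {"department": "fintech"}; maintained by the identity owner


@dataclass
class Resource:
    name: str
    attributes: dict  # e.g. {"classification": "confidential", "owner_dept": "fintech"}


@dataclass
class Context:
    """Signals fetched at access time (the slide's 'external data source')."""
    device_managed: bool   # enrolled in endpoint management
    device_risk: str       # "low" | "medium" | "high" from the detection platform
    mfa_age_minutes: int   # minutes since the user last completed MFA
    action: str            # "read" | "write"


MFA_MAX_AGE_MINUTES = 15  # constructed threshold for step-up


def decide(subject: Subject, resource: Resource, ctx: Context) -> Decision:
    """Rules are evaluated top to bottom; the first rule that fires wins."""
    classification = resource.attributes.get("classification", "internal")
    dept = subject.attributes.get("department")
    same_dept = dept is not None and dept == resource.attributes.get("owner_dept")

    # 1. Context-based hard denials: is a risk suspected on the user or device?
    if ctx.device_risk == "high":
        return Decision.DENY
    if classification == "confidential" and not ctx.device_managed:
        return Decision.DENY

    # 2. Attribute match replaces group membership (ABAC).
    if classification == "public":
        return Decision.ALLOW
    if not same_dept:
        return Decision.DENY

    # 3. Step-up MFA only for specific accesses: confidential writes with a
    #    stale MFA or from a medium-risk device.
    if classification == "confidential" and ctx.action == "write":
        if ctx.mfa_age_minutes > MFA_MAX_AGE_MINUTES or ctx.device_risk == "medium":
            return Decision.STEP_UP_MFA
    return Decision.ALLOW


def demo() -> dict:
    """Constructed scenarios; returns {scenario: decision value}."""
    alice = Subject("alice", {"department": "fintech"})
    ledger = Resource("ledger-db", {"classification": "confidential", "owner_dept": "fintech"})
    wiki = Resource("public-wiki", {"classification": "public"})
    cases = {
        "managed low-risk read": (alice, ledger, Context(True, "low", 5, "read")),
        "stale-MFA write": (alice, ledger, Context(True, "low", 60, "write")),
        "high-risk device": (alice, ledger, Context(True, "high", 1, "read")),
        "unmanaged device, confidential": (alice, ledger, Context(False, "low", 1, "read")),
        "public resource, any device": (alice, wiki, Context(False, "low", 999, "read")),
    }
    return {name: decide(*args).value for name, args in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32s} -> {outcome}")
```

The point the slides make about responsibility shows up directly in the code: the decision quality depends on who keeps `Subject.attributes` and `Resource.attributes` correct, and on how fresh the `Context` signals are, so those ownership questions have to be settled before the policy can be trusted.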
  9. Two kinds of policy management: internal-control policies
    https://atmarkit.itmedia.co.jp/ait/articles/0204/19/news003.html
    Internal-control policies (the kind discussed here); what CNCF calls policy is generally a guideline or a procedure
    • In the internal-control sense, a policy is basically documentation written in natural language
    • That policy must not logically contradict the implementations and countermeasures (which follow the subordinate standards and procedures)
    • That linkage must also be made provable and auditable so that accountability can be met
    • Few would dispute that this is necessary
    • However, today’s control from policy down to implementation and countermeasures has problems of effectiveness and operation
    • Several similar regulations exist, with the contradictions and management complexity that brings
    • Every kind of control has to be updated whenever an upstream regulation is updated
    • The information systems themselves keep getting more complex
    • All of this increases the paperwork effort
    Diagram labels: laws and regulations; industry standards
  10. Attach metadata about internal-control policies to security countermeasures and implementations
    • OSCAL: Open Security Controls Assessment Language
    • A standardized, data-centric assessment framework for defining the security controls of an information system and assessing against them
    • Machine-readable representation, moving away from a system that relies on meta-cognition
    • Ensures traceability between high-level requirements such as laws, regulations and frameworks, and the implementation
    • Continuous inspection and assessment
    https://pages.nist.gov/OSCAL/
  11. OSCAL catalog (excerpt, truncated on the slide)
    {
      "catalog": {
        "uuid": "fa8f6772-40a9-4976-b7fd-e95c5b9ee037",
        "metadata": {
          "title": "FedRAMP Rev 4 Low Baseline",
          "published": "2021-02-05T00:00:00.000-04:00",
          "last-modified": "2021-10-13T18:23:58.261729Z",
          "version": "fedramp1.1.0-oscal1.0.0",
          "oscal-version": "1.0.0",
          "links": [ { "href": "FedRAMP_rev4_LOW-baseline_profile.xml", "rel": "resolution-source" } ],
          "roles": [
            { "id": "prepared-by", "title": "Document creator" },
            { "id": "fedramp-pmo", "title": "The FedRAMP Program Management Office (PMO)", "short-name": "CSP" },
            { "id": "fedramp-jab", "title": "The FedRAMP Joint Authorization Board (JAB)", "short-name": "CSP" }
          ],
          "parties": [],
          "responsible-parties": []
        },
        "groups": [ {
          "id": "ac", "class": "family", "title": "Access Control",
          "controls": [ {
            "id": "ac-1", "class": "SP800-53", "title": "Access Control Policy and Procedures",
            "params": [
              { "id": "ac-1_prm_1", "label": "organization-defined personnel or roles" },
              { "id": "ac-1_prm_2", "label": "organization-defined frequency", "constraints": [ { "description": "at least every 3 years" } ] },
              { "id": "ac-1_prm_3", "label": "organization-defined frequency", "constraints": [ { "description": "at least annually" } ] }
            ],
            "props": [
              { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" },
              { "name": "label", "value": "AC-1" },
              { "name": "sort-id", "value": "ac-01" }
            ],
            "links": [ … ],
            "parts": [ {
              "id": "ac-1_smt", "name": "statement", "prose": "The organization:",
              "parts": [ {
                "id": "ac-1_smt.a", "name": "item",
                "props": [ { "name": "label", "value": "a." } ],
                "prose": "Develops, documents, and disseminates …:",
                "parts": [ {
                  "id": "ac-1_smt.a.1", "name": "item",
                  "props": [
                    { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "…" },
                    { "name": "label", "value": "1." }
  12. OSCAL profile
    {
      "profile": {
        "uuid": "8742196d-86ba-4e72-a411-28867dab43bb",
        "metadata": {
          "title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",
          "last-modified": "2021-06-08T13:57:33.97549-04:00",
          "version": "Final",
          "oscal-version": "1.0.0",
          "roles": [ { "id": "creator", "title": "Document Creator" }, { "id": "contact", "title": "Contact" } ],
          "parties": [ {
            "uuid": "984e6c07-b5b6-4ab6-b22b-283609c325e6",
            "type": "organization",
            "name": "Joint Task Force, Transformation Initiative",
            "email-addresses": [ "[email protected]" ],
            "addresses": [ {
              "addr-lines": [ "National Institute of Standards and Technology", "Attn: Computer Security Division", "Information Technology Laboratory", "100 Bureau Drive (Mail Stop 8930)" ],
              "city": "Gaithersburg", "state": "MD", "postal-code": "20899-8930"
            } ]
          } ],
          "responsible-parties": [
            { "role-id": "creator", "party-uuids": [ "984e6c07-b5b6-4ab6-b22b-283609c325e6" ] },
            { "role-id": "contact", "party-uuids": [ "984e6c07-b5b6-4ab6-b22b-283609c325e6" ] }
          ]
        },
        "imports": [ {
          "href": "NIST_SP-800-53_rev5_catalog.xml",
          "include-controls": [ { "with-ids": [ "ac-1", "ac-2", "ac-3", "ac-7", … ] } ]
        } ],
        "merge": { "as-is": true }
      }
    }
  13. OSCAL component definition (excerpt, truncated on the slide)
    {
      "component-definition": {
        "uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b",
        "metadata": {
          "title": "MongoDB Component Definition Example",
          "last-modified": "2001-08-26T23:11:47Z",
          "version": "20210826",
          "oscal-version": "1.0.0",
          "roles": [ { "id": "provider", "title": "Provider" } ],
          "parties": [ { "uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1", "type": "organization", "name": "MongoDB", "links": [ { "href": "https://www.mongodb.com", "rel": "website" } ] } ]
        },
        "components": [ {
          "uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217",
          "type": "software",
          "title": "MongoDB",
          "description": "MongoDB is a source-available, cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.",
          "purpose": "Provides a NoSQL database service",
          "responsible-roles": [ { "role-id": "provider", "party-uuids": [ "ef7c799a-c50e-49ab-83e0-515e989e6df1" ] } ],
          "protocols": [
            { "uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54", "name": "mongodb", "title": "Primary daemon process for the MongoDB system.", "port-ranges": [ { "start": 27017, "end": 27017, "transport": "TCP" } ] },
            { "uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61", "name": "mongodb-shardsrv", "title": "MongoDB protocol for sharding with shardsrv option.", "port-ranges": [ { "start": 27018, "end": 27018, "transport": "TCP" } ] },
            { "uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5", "name": "mongodb-configsvr", "title": "MongoDB protocol for configsrv operation.", "port-ranges": [ { "start": 27019, "end": 27019, "transport": "TCP" } ] }
          ],
          "control-implementations": [ {
            "uuid": "49f0b690-ed9f-4f32-aae0-625b77aa6d27",
            "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml",
            "description": "MongoDB control implementations for NIST SP 800-53 revision 5.",
            "implemented-requirements": [
              { "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0", "control-id": "sc-8.1", "description": "MongoDB supports TLS 1.x to encrypt data in transit, preventing unauthorized disclosure or changes to information during transmission. To implement TLS, set the PEMKeyFile option in the configuration /etc/mongod.conf to the certificate file's path and restart the component." },
              { "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0", "control-id": "sa-4.9", "description": "Must ensure that MongoDB only listens for network connections on authorized interfaces by configuring the MongoDB configuration file to limit the services exposure to only the network interfaces on which MongoDB
  14. OSCAL system security plan (excerpt, truncated on the slide)
    {
      "system-security-plan": {
        "uuid": "d197545f-353f-407b-9166-ebf959774c5a",
        "metadata": {
          "title": "CSP IaaS System Security Plan",
          "last-modified": "2021-06-08T13:57:35.068496-04:00",
          "version": "0.1",
          "oscal-version": "1.0.0",
          "roles": [ … ],
          "parties": [ { "uuid": "11111111-0000-4000-9000-100000000001", "type": "person" } ]
        },
        "import-profile": { "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json" },
        "system-characteristics": {
          "system-ids": [ { "id": "csp_iaas_system" } ],
          "system-name": "Leveraged IaaS System",
          "description": "An example of three customers leveraging an authorized SaaS (…)",
          "security-sensitivity-level": "low",
          "system-information": {
            "information-types": [ {
              "title": "System and Network Monitoring",
              "description": "This IaaS system handles information pertaining to audit events.",
              "categorizations": [ { "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", "information-type-ids": [ "C.3.5.8" ] } ],
              "confidentiality-impact": { "base": "fips-199-moderate", "selected": "fips-199-low", "adjustment-justification": "This impact has been adjusted to low (…)" },
              "integrity-impact": { "base": "fips-199-moderate", "selected": "fips-199-low", "adjustment-justification": "This impact has been adjusted to low …" },
              "availability-impact": { "base": "fips-199-moderate", "selected": "fips-199-low", "adjustment-justification": "This impact has been adjusted to low. …" }
            } ]
          },
          "security-impact-level": { "security-objective-confidentiality": "fips-199-low", "security-objective-integrity": "fips-199-low", "security-objective-availability": "fips-199-low" },
          "status": { "state": "operational" },
          "authorization-boundary": { "description": "The hardware and software supporting the virtualized infrastructure supporting the IaaS." },
          "remarks": "Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements."
        },
        "system-implementation": {
          "users": [ { "uuid": "11111111-0000-4000-9000-200000000001", "role-ids": [ "admin" ], "authorized-privileges": [ { "title": "Administrator", "functions-performed": [ "Manages the components within the IaaS." ] } ] } ],
          "components": [
            { "uuid": "cfbc1d9d-e772-47a4-aed5-1b902339eab2", "type": "this-system", "title": "This System", "description": "The system described by this SSP.\n\nThis text was auto-generated by the OSCAL M3-RC1 data upgrade converter.", "status": { "state": "operational" } },
            { "uuid": "11111111-0000-4000-9001-000000000002", "type": "software", "title": "Application", "description": "An application within the IaaS, exposed to SaaS customers…", "props": [ { "name": "implementation-point", "value": "system" } ], "status": { "state": "operational" }, "responsible-roles": [ { "role-id": "admin", "party-uuids": [ "11111111-0000-4000-9000-100000000001" ] } ] }
          ]
        },
        "control-implementation": {
          "description": "This is a collection of control responses.",
          "implemented-requirements": [ {
            "uuid": "11111111-0000-4000-9009-002000000000",
            "control-id": "ac-2",
            "set-parameters": [ { "param-id": "ac-2_prm_1",
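Slides 10 through 14 describe OSCAL’s purpose (traceability from a baseline down to the implementation, with continuous checking) and show the catalog, profile, component-definition and SSP documents that carry it. The following is an added example, not code from the talk and not NIST’s own tooling: three constructed, minimal OSCAL-shaped JSON documents whose field names follow the layout of the excerpts above, and a checker that resolves which controls the profile selects from the catalog, which of those the component definition claims to implement, which are left uncovered, and which implementation claims point at a control id that does not exist. The UUIDs, control descriptions and the deliberate “ac-99” typo are constructed.

```python
"""Traceability check over OSCAL documents: profile -> catalog -> implementation.

Added example (not the talk's code, not NIST tooling). The three documents are
constructed and minimal; only the field names follow the OSCAL JSON layout.
"""
import json

CATALOG_JSON = """{"catalog": {"uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Constructed catalog", "oscal-version": "1.0.0"},
  "groups": [
    {"id": "ac", "class": "family", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Access Control Policy and Procedures"},
      {"id": "ac-2", "title": "Account Management"}]},
    {"id": "sc", "class": "family", "title": "System and Communications Protection", "controls": [
      {"id": "sc-8", "title": "Transmission Confidentiality and Integrity",
       "controls": [{"id": "sc-8.1", "title": "Cryptographic Protection"}]}]}]}}"""

PROFILE_JSON = """{"profile": {"uuid": "00000000-0000-4000-8000-000000000002",
  "metadata": {"title": "Constructed low baseline", "oscal-version": "1.0.0"},
  "imports": [{"href": "catalog.json",
               "include-controls": [{"with-ids": ["ac-1", "ac-2", "sc-8.1"]}]}],
  "merge": {"as-is": true}}}"""

COMPONENT_JSON = """{"component-definition": {"uuid": "00000000-0000-4000-8000-000000000003",
  "metadata": {"title": "Constructed component definition", "oscal-version": "1.0.0"},
  "components": [{"uuid": "00000000-0000-4000-8000-000000000004", "type": "software",
    "title": "example-db",
    "control-implementations": [{"uuid": "00000000-0000-4000-8000-000000000005",
      "source": "profile.json",
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-000000000006", "control-id": "ac-1",
         "description": "Access control policy documented and reviewed annually."},
        {"uuid": "00000000-0000-4000-8000-000000000007", "control-id": "sc-8.1",
         "description": "TLS required for every client connection."},
        {"uuid": "00000000-0000-4000-8000-000000000008", "control-id": "ac-99",
         "description": "Constructed typo: this control id is not in the catalog."}]}]}]}}"""


def parse(text: str) -> dict:
    """Load an OSCAL JSON document (a file's contents) into a dict."""
    return json.loads(text)


def catalog_control_ids(catalog_doc: dict) -> dict:
    """{control-id: title} for every control, walking nested groups and control
    enhancements (enhancements are nested "controls", e.g. sc-8.1 under sc-8)."""
    found = {}

    def walk_controls(controls):
        for ctl in controls:
            found[ctl["id"]] = ctl.get("title", "")
            walk_controls(ctl.get("controls", []))

    def walk_groups(groups):
        for grp in groups:
            walk_controls(grp.get("controls", []))
            walk_groups(grp.get("groups", []))

    cat = catalog_doc["catalog"]
    walk_groups(cat.get("groups", []))
    walk_controls(cat.get("controls", []))
    return found


def profile_selected_ids(profile_doc: dict) -> list:
    """Control ids a profile pulls in via imports[].include-controls[].with-ids."""
    ids = []
    for imp in profile_doc["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            ids.extend(inc.get("with-ids", []))
    return ids


def implemented_ids(compdef_doc: dict) -> dict:
    """{control-id: [component titles]} from every implemented-requirements entry."""
    out = {}
    for comp in compdef_doc["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                out.setdefault(req["control-id"], []).append(comp["title"])
    return out


def coverage_report(catalog_doc: dict, profile_doc: dict, compdef_doc: dict) -> dict:
    """Cross-check the three documents and report gaps in both directions."""
    catalog = catalog_control_ids(catalog_doc)
    selected = profile_selected_ids(profile_doc)
    implemented = implemented_ids(compdef_doc)
    return {
        "not_in_catalog": sorted(i for i in selected if i not in catalog),
        "covered": sorted(i for i in selected if i in catalog and i in implemented),
        "missing": sorted(i for i in selected if i in catalog and i not in implemented),
        "unknown_implementations": sorted(i for i in implemented if i not in catalog),
    }


def demo() -> dict:
    return coverage_report(parse(CATALOG_JSON), parse(PROFILE_JSON), parse(COMPONENT_JSON))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against real OSCAL files the same functions apply unchanged, since the walk follows the schema’s nesting rather than any fixed depth; “missing” is the list a weekly review would raise to the owning team, and “unknown_implementations” catches the paperwork drift the talk describes, where an implementation statement no longer lines up with any control in the current baseline.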
  15. Activities for maintaining and managing security, and a history of defeats
    • Asset management and vulnerability management
    • Realized with AWS Security Hub and GCP Security Command Center
    • Weekly manual review, with findings raised to each team
    • Dangerous findings notified via Slack
    • Resources managed by tags
    • Beyond that, SaaS is vetted rigorously
    • A Cambrian explosion of resources as the organization grew and diversified