ユーザー企業における情報システムとセキュリティ #seccamp2019

Ϣʔβʔاۀʹ͓͚Δ৘ใγες
ϜͱηΩϡϦςΟ - શମ૾ฤ
2019/08/10 By @ken5scal

View Slide

ࣗݾ঺հ
- ࣗݾ঺հ: @ken5scal (ླ໦ݚޗ)
- ޷͖ͳٕज़ελοΫ: ೝূɾೝՄ
- ۚ༥ܥɾFintechܥͰେاۀɾελʔτΞοϓ྆ํͰηΩϡϦςΟΛ୲౰
- 2011: NRIηΩϡΞ
- SIer
- ূ݊ձࣾ޲͚MSS αʔϏεͷఏڙ
- 2014: Money Forward
- Ϣʔβʔاۀ
- ࢿ࢈؅ཧɾΫϥ΢υձܭܥFintechελʔτΞοϓ
- 2018: FOLIO
- Ϣʔβʔاۀ
- ূ݊ܥFintechελʔτΞοϓ

View Slide

͋Δ೔…

View Slide

օ༷ͱ໨ઢ߹Θͤ

View Slide

- Who: “ੈͷதΛࣗ෼ͨͪͷྗͰม͍͖͍͑ͯͨͱࢥ͍ͬͯΔํ”
- What: “ࠓճ͸ʮ͖ͪΜͱӡ༻͢Δʯͱ͍͏ࣄΛςʔϚ”
- Howᶃ: “ߴ౓ͳ৘ใηΩϡϦςΟٕज़ͷशಘ”
- Howᶄ: “Ϟϥϧ΍๏཯९कͷҙࣝɺηΩϡϦςΟҙࣝɺ৬ۀҙ
ࣝɺཱࣗతͳֶशҙࣝʢٕज़Ҏ֎ʹඞཁͳٕೳʣʹ͍ͭͯ΋޲্
ͷͨΊͷػձΛఏڙ”
ӡ༻ͱ։ൃτϥοΫ
IUUQTXXXJQBHPKQKJO[BJDBNQ[FOLPLV@DIBSBDUFSJTUJDIUNM
IUUQTXXXJQBHPKQKJO[BJDBNQ[FOLPLV@BCPVUIUNM

View Slide

ੈͷத͕มΘΔͱ͸ʁ

View Slide

View Slide

ͱ͍͏͜ͱͰ͸ͳ͘
ʢݸਓͷҙݟͰ͢ʣ

View Slide

৽͍͠Ձ஋Λ૑ग़͢Δ͜ͱ

View Slide

- ੈքతྲྀΕ
- ୈ4࣍࢈ۀֵ໋ٕज़
- ࠃ಺ͷྲྀΕ
- Connected Industry
- Society 5.0
৽͍͠Ձ஋ͷ૑ग़ͷྲྀΕ

View Slide

ୈ̐࣍࢈ۀֵ໋
IUUQTXXXCSJUBOOJDBDPNUPQJD5IF'PVSUI*OEVTUSJBM3FWPMVUJPO

View Slide

- ࣮ੈքʢϑΟδΧϧۭؒʣʹ͋Δଟ༷
ͳσʔλΛηϯαʔωοτϫʔΫ౳Ͱ
ऩू͠ɺαΠόʔۭؒͰେن໛σʔλ
ॲཧٕज़౳Λۦ࢖ͯ͠෼ੳʗ஌ࣝԽΛ
ߦ͍ɺͦ͜Ͱ૑ग़ͨ͠৘ใʗՁ஋
CPS
IUUQTXXXKFJUBPSKQDQTBCPVU

View Slide

- “զ͕ࠃ͸ɺ੡଄ۀΛ௒͑ͯɺϞϊͱϞ ϊɺਓͱػցɾγ
εςϜɺਓͱٕज़ɺҟͳΔ࢈ۀʹଐ͢Δاۀͱاۀɺੈ
୅Λ௒ ͑ͨਓͱਓɺ੡଄ऀͱফඅऀͳͲɺ༷ʑͳ΋ͷΛ
ͭͳ͛Δ”࢈ۀࣾձ
Connected Industries

View Slide

Connected Industries in ۚ༥
ۚ༥ிϑΟϯςοΫ͸ڞ௨Ձ஋Λ૑଄Ͱ͖Δ͔

View Slide

νϟοτ(LINE) X ূ݊ձࣾ(FOLIO)
ʲ-*/&'JOBODJBMʳ-*/&'JOBODJBMͱ'0-*0ɺʮ-*/&εϚʔτ౤ࢿʯΛຊ೔͔Βఏڙ։࢝

View Slide

IUUQTOFXTQJDLTDPNOFXT

View Slide

- ௒εϚʔτࣾձ
- ʮඞཁͳ΋ͷɾαʔϏεΛɺඞཁͳਓʹɺඞཁͳ࣌ʹɺඞཁͳ͚ͩఏڙ͠ɺࣾձͷ༷ʑ
ͳχʔζʹ͖Ίࡉ͔͘ରԠͰ͖ɺ͋ΒΏΔਓ͕࣭ͷߴ͍αʔϏεΛड͚ΒΕɺ೥ྸɺੑ
ผɺ஍Ҭɺݴޠͱ͍༷ͬͨʑͳҧ͍Λ৐Γӽ͑ɺ׆͖׆͖ͱշదʹ฻Β͢͜ͱ͕Ͱ͖
Δʯࣾձ
- ํ޲ੑ
- ʮ৽ͨͳ֗ʯͮ͘ΓͷࡏΓํͦͷ΋ͷͷݟ௚͠
- γΣΞϦϯάΤίϊϛʔͷਪਐ
- FinTechͷ׆༻ਪਐ
Society 5.0
IUUQXXXTPVNVHPKQKPIPUTVTJOUPLFJXIJUFQBQFSKBIQEGOQEG
IUUQTXXXNFUJHPKQQSFTTQEG

View Slide

- ࢈ۀͳͲطଘͷ࿮૊ΈΛ௒͑Δ࿈ܞ
- ΑΓੜ׆ʹີணͨ͠࿈ܞʹͳΓɺαΠόʔۭؒͱϑΟδΧϧۭ͕ؒ݁߹͖ͯͨ͠
- ෼໺
- ϔϧεέΞ
- Ҡಈʢ෺ྲྀɾҠಈʣ
- αϓϥΠνΣʔϯ
- ۚ༥
ʢ·ͱΊʣ৽͍͠Ձ஋͸Ͳ͜Ͱੜ·Ε͍ͯΔ͔ʁ

View Slide

৽͍͠Ձ஋ͱϦεΫ

View Slide

- ΞϝϦΧͰϑΟϯςοΫ౤ࢿͷओͨΔྖҬ͸༥ࢿͱܾࡁ
- ༥ࢿɿ68ԯυϧ
- ܾࡁ: 19ԯυϧ
৽͍͠Ձ஋ͷܦࡁن໛
IUUQTXXXDBPHPKQLFJ[BJOLO@@IUN

View Slide

ࢢ৔ΛऔΓʹߦ͘ᗐ྽ͳ૪͍

View Slide

Typical concern about platform
markets is that people will
coordinate on a “dominant”
platform.
IUUQTXFCTUBOGPSEFEVdKEMFWJO&DPO-FDUVSF&DPOPNJDTPG1MBUGPSNTQQUY

View Slide

݁Ռ

View Slide

https://piyolog.hatenadiary.jp/entry/2019/06/07/063000
IUUQTQJZPMPHIBUFOBEJBSZKQFOUSZ

View Slide

https://headlines.yahoo.co.jp/hl?a=20190716-00000136-kyodonews-bus_all
IUUQTIFBEMJOFTZBIPPDPKQIM BLZPEPOFXTCVT@BMM

View Slide

IUUQTLPOEFJIBUFCMPKQFOUSZ

View Slide

View Slide

IUUQXXXJUSFTFBSDIBSUCJ[ Q

View Slide

- ࢈ۀͳͲطଘͷ࿮૊ΈΛ௒͑Δ࿈ܞ
IUUQTXXXNFUJHPKQTIJOHJLBJNPOP@JOGP@TFSWJDFTBOHZP@DZCFSXH@TFJEPXH@CVOZBPEBOEBJOJTPQEG@@QEG

View Slide

- 2011:
- Playstation Networkʹର͢ΔSQL InjectionʹΑΔݸਓ৘ใྲྀग़
- 2012:
- ΦϯϥΠϯόϯΫʹର͢ΔϚϯΠϯβϒϥ΢βʹΑΔෆਖ਼ૹۚ
- 2014:
- ϕωοη ͷ಺෦൜ߦʹΑΔݸਓ৘ใྲྀग़
- 2015:
- ೥ۚ؅ཧγεςϜαΠόʔ߈ܸ ʹΑΔݸਓ৘ใྲྀग़
- 2018:
- Ծ૝௨՟औҾॴ͔Βͷ҉߸ࢿ࢈ྲྀग़
- 2019:
- ΩϟογϡϨεαʔϏεʹ͓͚Δෆਖ਼ߪೖ
৽͍͠Ձ஋ͱϦεΫݦࡏԽͷྫ

View Slide

- 2011:
- Playstation Networkʹର͢ΔSQL InjectionʹΑΔݸਓ৘ใྲྀग़
- 2012:
- ΦϯϥΠϯόϯΫʹର͢ΔϚϯΠϯβϒϥ΢βʹΑΔෆਖ਼ૹۚ
- 2014:
- ϕωοη ͷ಺෦൜ߦʹΑΔݸਓ৘ใྲྀग़
- 2015:
- ೥ۚ؅ཧγεςϜαΠόʔ߈ܸ ʹΑΔݸਓ৘ใྲྀग़
- 2018:
- Ծ૝௨՟औҾॴ͔Βͷ҉߸ࢿ࢈ྲྀग़
- 2019:
- ΩϟογϡϨεαʔϏεʹ͓͚Δෆਖ਼ߪೖ
৽͍͠Ձ஋ͱϦεΫݦࡏԽͷྫ
ݦࡏԽ·Ͱͷεϐʔυ૿Ճ

View Slide

IUUQTXXXFOJTBFVSPQBFVQVCMJDBUJPOTFOJTBUISFBUMBOETDBQFSFQPSU
IUUQTXXXJQBHPKQTFDVSJUZWVMOUISFBUTIUNM
৽͍͠Ձ஋ͱมԽ͢ΔڴҖ

View Slide

Ձ஋͕มԽ͢ΔʹͭΕ
ϦεΫ͕৽͘͠ੜ·ΕΔɹor
ϦεΫͷେ͖͕͞มԽ͢Δ

View Slide

ੈͷதΛม͑ͳ͕Β
͖ͪΜͱӡ༻͍ͯ͘͠ͱ͸ʁ

View Slide

ᶃΠϊϕʔγϣϯΛ࠷଎Խͭͭ͠
ᶄՁ஋Λ࠷େԽͭͭ͠ɺ
ᶅϦεΫΛ࠷খԽ͢ΔࢪࡦΛ࣮ߦ͢Δ

View Slide

ࠓ೔ͷΰʔϧ

View Slide

- ʮੈͷதΛม͑Δʯͱʮ͖ͪΜͱӡ༻͢ΔʯΛཱ྆͢Δͨ
Ίͷશମ૾Λ೺Ѳ͢Δ
- ূ݊ձࣾΛέʔεελσΟͱ͢Δ
- ࣌୅എܠͱͱ΋ʹมΘΓͭͭ͋Δઃܭํ਑Λ೺Ѳ͢Δ
- BeyondCorpͷ঺հ
ࠓ೔ͷΰʔϧ

View Slide

ͱݴ͓ͬͨ࿩Λ͍͖ͤͯͨͩ͞·͢
- 2011: NRIηΩϡΞ
- SIer
- Ϣʔβʔاۀ
- 2018: FOLIO
- Ϣʔβʔاۀ

View Slide

- 2011: NRIηΩϡΞ
- SIer
- Ϣʔβʔاۀ
- 2018: FOLIO
- Ϣʔβʔاۀ
ͱݴ͓ͬͨ࿩Λ͍͖ͤͯͨͩ͞·͢
ূ݊ۀքͷཱ৔͔Βɺ
Ͳ͏ελʔτΞοϓͰʮͪΌΜͱӡ༻͢Δʯ͔
͓࿩͍͖ͤͯͨͩ͞·͢ɻ

View Slide

- 2011:
- NRIηΩϡΞ ূ݊ձࣾ޲͚MSS
- 2018: FOLIOʢݱ৬ʣ
ٕज़ॻయͳͲͰಉਓࢽग़ͯ͠·͢

View Slide

ΑΖ͓͘͠ئ͍͠·͢

View Slide

- 3ࣾʹ7೥΄Ͳ͔͍ͨ͜͠ͱ͕ͳ͍
- Fintechɾۚ༥ͷதͰ΋ɺ2छ΄Ͳ͔͠ܦݧͳ͠
- ͕ͨͬͯ͠ɺҰൠతͳ಺༰ͱ͸ݴ͍೉͍
஫ҙ

View Slide

- ʮੈͷதΛม͑Δʯͱʮ͖ͪΜͱӡ༻͢ΔʯΛཱ྆͢Δͨ
Ίͷશମ૾Λ೺Ѳ͢Δ
- ূ݊ձࣾΛέʔεελσΟͱ͢Δ
- ࣌୅എܠͱͱ΋ʹมΘΓͭͭ͋Δઃܭํ਑Λ೺Ѳ͢Δ
- BeyondCorpͷ঺հ
ࠓ೔ͷΰʔϧʢ࠶ܝʣ

View Slide

ηΩϡϦςΟཁ݅શମ૾
๏ྩɾج४ɾࢦ਑
αΠόʔηΩϡϦςΟઓུ
ηΩϡϦςΟઃܭ
αΠόʔηΩϡϦςΟઓज़ɾ࣮૷
ઓུʢػີੑʣ ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

ઓུ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

ઓུ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ
43&νʔϜ͕ओʹ୲౰͕ͪ͠

View Slide

ઓུ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢՄ༻ੑʣ ઓུʢ׬શੑʣ
ϓϩμΫτνʔϜ͕ओʹ୲౰͕ͪ͠

View Slide

ઃܭ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

ઓज़ɾ࣮૷
ηΩϡϦςΟઃܭ
ઓུʢՄ༻ੑʣ

View Slide

๏ྩɾج४

View Slide

๏ྩɾج४
๏ྩɾج४
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

- ๏ྩ:
- ٞձ੍͕ఆ͢Δ๏نൣʢ๏཯ʣ + ߦ੓ػ੍͕ؔఆ͢Δ๏نൣʢ໋ྩʣ
- ๏త߆ଋྗ͸͋Δ
- ج४:
- ࠷௿ݶຬͨ͢΂͖ϧʔϧ
- ९कΛਪ঑͞ΕΔʮΨΠυϥΠϯʯ΍ʮࢦ਑ʯ΋ؚ·ΕΔ͜ͱ͕͋Δ
- ๏త߆ଋྗ͸ͳ͍ʢ͋Δʣ
- ͜ΕΛຬͨͯ͠ͳ͍ͱ͖ʹɺى͜Γ͏Δ͜ͱ͸…
๏ྩɾΨΠυϥΠϯͱ͸
IUUQTKBXJLJQFEJBPSHXJLJ๏ྩ

View Slide

- ਉຽͷ޾෱Λ૿ਐ͢ΔͨΊ
- ެڞͷ҆ೡடংΛอ࣋͢ΔͨΊ
๏ྩɾΨΠυϥΠϯͷ໨త
IUUQTKBXJLJQFEJBPSHXJLJ๏ྩ

View Slide

- ๏ྩɾ๏཯
- ۚ༥঎඼औҾ๏
- ൜ࡑऩӹҠస๷ࢭ๏
- ݸਓ৘ใอޢ๏
- ΨΠυϥΠϯ
- ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑
- ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४
- ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ
- ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ
- ۚ༥ۀ຿ʹ͓͚Δಛఆݸਓ৘ใͷదਖ਼ͳऔѻ͍
- ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻ
- தখاۀBCPࡦఆӡ༻ํ਑
ূ݊ձࣾʹ͓͚Δ๏ྩɾ๏཯ʢҰ෦ʣ

View Slide

९क͞Εͳ͍ͱ…?

View Slide

ɹߦ੓ॲ෼

View Slide

ߦ੓ॲ෼ྫ

View Slide

- ๏ྩɾ๏཯
- ۚ༥঎඼औҾ๏ʢ಺෦౷੍ʣ
- etc
- ΨΠυϥΠϯ
- ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻʢࣄۀܧଓʣ
- தখاۀBCPࡦఆӡ༻ํ਑ʢࣄۀܧଓʣ
- etc
؂ಜࢦ਑Λओ࣠ʹਾ͑ͨ๏ྩରԠ

View Slide

- ๏ྩɾ๏཯
- ۚ༥঎඼औҾ๏ʢ಺෦౷੍ʣ
- etc
- ΨΠυϥΠϯ
- ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻʢࣄۀܧଓʣ
- தখاۀBCPࡦఆӡ༻ํ਑ʢࣄۀܧଓʣ
- etc
؂ಜࢦ਑Λओ࣠ʹਾ͑ͨ๏ྩରԠ
☓ߦ੓ॲ෼Λ͏͚ͳ͍ͨΊͷରԠ
˓ϢʔβʔͷอޢͱՁ஋ͷఏڙΛܧଓ͢ΔͨΊͷରԠ

View Slide

ۚ༥঎඼औҾۀऀ౳޲͚ͷ
૯߹తͳ؂ಜࢦ਑

View Slide

- “ۀ຿ͷ݈શ͔ͭద੾ͳӡӦΛ֬อ”
- “༗Ձূ݊ͷൃߦٴͼۚ༥঎඼౳ͷऔҾ౳Λެਖ਼”
- “༗Ձূ݊ͷྲྀ௨Λԁ׈ʹ͢Δ”
- “ۚ༥঎඼౳ͷެਖ਼ͳՁ֨ܗ੒౳ΛਤΓ”
- “ࠃຽܦࡁͷ݈શͳൃలٴͼ౤ࢿऀͷอޢʹࢿ͢Δ͜ͱ”
؂ಜࢦ਑ͷ໨త

View Slide

- ۚ༥௕ͷݕࠪ෦ہʹΑΔΦϯαΠτݕࠪ
- ͦͷใࠂॻͷ݁ՌɺώΞϦϯάɺվળɾରԠࡦͷ࣮ࢪঢ়گɺࢦఠࣄ߲ͷվળঢ়گͳ
Ͳ͔Βɺূ݊औҾ౳؂ࢹҕһձΑΓקࠂ to ۚ༥ி؂ࠪ෦ہ
- ۚ༥ிઃஔใ20্ୈ߲̍
- ؂ࠪ෦ہ͸ͦͷ಺༰Λݕ౼ͯ͠ߦ੓ॲ෼ͷݕ౼
- ۚ঎๏ୈ56৚ͷ̎ୈ߲̍
- ۚ঎๏ୈ51৚~52৚ͷ̎
- ݕ౼࣌͸ʮຊ؂ಜࢦ਑ʹܝ͛ͨධՁ߲໨౳ʹরΒͯ͠ʯݕ౼͠ɺ಺༰Λܾఆ
ߦ੓ॲ෼͸؂ಜࢦ਑ͷධՁ߲໨Λιʔεͱ͢Δ
IUUQTXXXGTBHPKQDPNNPOMBXHVJEFLJOZVTIPIJOIUNM
IUUQTXXXGTBHPKQDPNNPOMBXHVJEFLJOZVTIPIJOIUNM

View Slide

ධՁ߲໨
https://www.fsa.go.jp/common/law/guide/kinyushohin/

View Slide

αΠόʔηΩϡϦςΟͷจ຺Ͱ཈͑Δ΂͖Օॴ
https://www.fsa.go.jp/common/law/guide/kinyushohin/

View Slide

- ސ٬৘ใʹ͍ͭͯɺҎԼͷ९कΛٻΊΒΕ͍ͯΔ
- ݸਓ৘ใͷอޢʹؔ͢Δ๏཯ʹ͍ͭͯͷΨΠυϥΠϯ
- ·ͨɺΠϯαΠμʔऔҾ౳ͷෆެਖ਼ͳऔҾ๷ࢭ΋ٻΊΒ
Ε͍ͯΔ
III-2-4 ސ٬౳ʹؔ͢Δ৘ใ؅ཧ
IUUQTXXXGTBHPKQDPNNPOMBXLKIPHPQEG
IUUQTXXXGTBHPKQDPNNPOMBXLKIPHPQEG

View Slide

- γεςϜϦεΫʹର͢Δೝࣝ
- ద੾ͳϦεΫ؅ཧମ੍ͷ֬
ཱ
- γεςϜϦεΫධՁ
- ৘ใηΩϡϦςΟ؅ཧ
- αΠόʔηΩϡϦςΟ؅ཧ
- γεςϜ؂ࠪ
- ֎෦ҕୗ؅ཧ
- ίϯςΟϯδΣϯγʔϓϥϯ
- γεςϜ౷߹ϦεΫ
- ো֐ൃੜ࣌ͷରԠ
III-2-8 γεςϜϦεΫ؅ཧଶ੎
https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

View Slide

ઓུ

View Slide

ઓུ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

Cybersecurity Framework(CSF)
- NIST: ถࠃཱඪ४ٕज़ݚڀॴ
- AESͳͲ҉߸ٕज़ͷબఆͱඪ४ԽͳͲ
- ॏཁΠϯϑϥΛѻ͏اۀɾ૊৫ͷαΠόʔϦ
εΫͷ؅ཧΛࢧԉ͢ΔͨΊͷɺϦεΫϕʔ
εɾΞϓϩʔνʹجͮ͘൚༻తͳFW
- ̏ཁૉ͔Β੒Γཱͭ
- CoreɺTierɺProﬁle
IUUQTOWMQVCTOJTUHPWOJTUQVCT$481/*45$481QEG

View Slide

ͳͥϦεΫϕʔε͕ॏཁͳͷ͔
ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ɾղઆॻʢୈ൛ʣ
- ”Ϋϥ΢υαʔϏε΍FinTechاۀ౳ͱ࿈ܞͨۚ͠༥ؔ࿈αʔ
Ϗεͷར༻͕޿͕ΓΛΈͤΔͳͲɺଟ༷Խ͖͍ͯͯ͠Δ”
- “ଟ༷Խ͢ΔʢதུʣγεςϜʹ͓͍ͯ(ैདྷͷج४Ͱ͸)৽ن
։ൃ΁ͷ౤ࢿ͕཈੍͞ΕΔ౳ɺܦӦࢿݯ͕ద੾ʹ഑෼͞Εͳ
͍ͱ͍ͬͨݒ೦͕ੜ͡ɺʢதུʣϦεΫθϩΛ௥ٻ͢Δ͜ͱ
͸ඞͣ͠΋߹ཧతͰ͸ͳ͍”

View Slide

͜͜ʹςΩετΛೖΕ·͢ɻ
ͻͱͭͷεϥΠυʹ಺༰Λ٧Ί͗͢
ͳ͍Α͏ʹ͠·͠ΐ͏ɻ
ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕
εϥΠυ࡞ΓͷجຊͰ͢ɻ
Core

View Slide

Core
ͭͷػೳ

View Slide

Core
ͷΧςΰϦʔ
ʢͱαϒΧςΰϦʔʣ

View Slide

Core

View Slide

Tier

View Slide

Proﬁle

View Slide

ઓུ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

- Protecting Controlled Unclassiﬁed Information in Nonfederal Systems and
Organizations: Enhanced Security Requirements for Critical Programs and High
Value Assets
- APT͔Βॏཁͳࢿ࢈ͷػີੑɾ׬શੑΛकΔͨΊਪ঑͞ΕΔηΩϡϦςΟରࡦू
- ྫ: ϓϥΠόγʔɺ੫ɺۚ༥৘ใɺಛݖͳͲ
- ཁ݅ྫ
- ΞΫηε੍ޚɺҙࣝ෇͚ɾ܇࿅ɺ؂ࠪɺߏ੒؅ཧɺࣝผͱೝূͳͲͳͲ
- Cyber Security Frameworkͱඥ෇͚ΒΕ͍ͯΔ
NIST SP 800-171
IUUQTXXXOJTUHPWTJUFTEFGBVMUpMFTEPDVNFOUTDVJPDUDVJ@PWFSWJFXDBTFZQEG

View Slide

ઃܭ

View Slide

ઃܭ
ηΩϡϦςΟઃܭ
ઓུʢػີʣ ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

BeyondCorp/ZeroTrust

View Slide

ઓज़

View Slide

ઓज़ɾ࣮૷
ηΩϡϦςΟઃܭ
ઓུʢػີʣ ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

- Cyber Kill Chainʢྫʣ
- F35ʢεςϧεઓಆػʣΛ։ൃͨ͠ϩοΩʔυɾϚʔςΟϯʹ
ΑΔϑϨʔϜϫʔΫ
- ඪతܕ߈ܸʹ͓͚Δ߈ܸͷϑΣʔζΛ෼ྨͨ͠΋ͷ
- ఁ࡯ɺ෢ثԽɺσϦόϦʔɺΤΫεϓϩΠτɺΠϯετʔϧɺ
C&Cɺ໨తͷ࣮ߦ
ڴҖ෼ੳ

View Slide

- Adversarial Tactics, Techniques, and Common Knowledge
- CVEΛ؅ཧ͍ͯ͠ΔMITREࣾͷφϨοδϕʔεͱϑϨʔϜϫʔΫ
- ߈ܸऀɾ߈ܸάϧʔϓɺઓज़త໨ඪɺٕज़తͳߦಈɺ߈ܸπʔϧ
ΛϦετԽɾϝτϦΫεԽ
- ۩ମతͳ๷ޚࡦͷ࣮૷ʹ໾ཱͭ
- STIX/TAXIIͰͷΠϯςϦδΣϯεڞ༗
ATT&CK
IUUQTBUUBDLNJUSFPSH

View Slide

ϜͱηΩϡϦςΟ - ઃܭɾ࣮຿ฤ
2019/08/10 By @ken5scal

View Slide

Pre 2010: Perimeter Model

View Slide

1990s: Internetେരൃ

View Slide

1994: IANAʹΑΔPrivate NetworkϨϯδͷ֬อʢ RFC1597)

View Slide

ΤϯλʔϓϥΠζͷΠϯλʔωοτࢀՃ
5SVTUFE[POF
- ϝʔϧ౳Λ࢖ͬͨ֎෦ͱͷ
ίϛϡχέʔγϣϯͷൃੜ
- ࣍ͷڥքͷొ৔
- (Un)Trust Zone
- Demilitarized Zone
6OUSVUFE[POF
%.;

View Slide

- σΟϨΫτϦαʔϏε
- Ϣʔβʔ΍PCϦιʔεͷҰׅ؅ཧ
- Ϣʔβʔ΍PCͷઃఆΛۉҰԽ
- ೝূͳͲ֤ػೳͰඪ४ٕज़Λ࠾༻
2000: Active Directory
5SVTUFE
6OUSVUFE
%.

View Slide

ઓུʢ࠶ܝʣ: Active DirectoryͷΧόʔൣғ
ઓུʢػີੑʣ
ηΩϡϦςΟઃܭ
ઓུʢ׬શੑʣ
ઓུʢՄ༻ੑʣ

View Slide

1. ΞΫηε੍ޚ
2. ҙࣝ޲্ͱ܇࿅
3. ؂ࠪͱ੹೚௥ೝੑ
4. ߏ੒؅ཧ
5. ࣝผͱೝূ
6. ΠϯγσϯτରԠ
7. ϝϯςφϯε
8. ϝσΟΞอޢ
9. ਓతηΩϡϦςΟ
10. ෺ཧతอޢ
11. ϦεΫΞηεϝϯτ
12. ηΩϡϦςΟΞηεϝϯτ
13. γεςϜͱ௨৴ͷอޢ
14. γεςϜͱ৘ใͷ׬શੑ
SP800-171:ɹຽؒاۀ͕ߨ͡Δ΂͖ηΩϡϦςΟରࡦͷཁ݅

View Slide

1. ΞΫηε੍ޚ
2. ҙࣝ޲্ͱ܇࿅
3. ؂ࠪͱ੹೚௥ೝੑ
4. ߏ੒؅ཧ
5. ࣝผͱೝূ
6. ΠϯγσϯτରԠ
7. ϝϯςφϯε
8. ϝσΟΞอޢ
9. ਓతηΩϡϦςΟ
10. ෺ཧతอޢ
11. ϦεΫΞηεϝϯτ
12. ηΩϡϦςΟΞηεϝϯτ
13. γεςϜͱ௨৴ͷอޢ
14. γεςϜͱ৘ใͷ׬શੑ
SP800-171: ຽؒاۀ͕ߨ͡Δ΂͖ηΩϡϦςΟରࡦͷཁ݅

View Slide

- Ϣʔβʔೝূ
- Ϣʔβʔ౷੍
- σόΠε౷੍
- ϚεσϓϩΠ
- ετϨʔδ
- ೝূہ
- DNS
- DHCP
Active Directory͕༗͢Δػೳ

View Slide

ଞͷκʔϯʢTrustκʔϯʣ
%.;
։ൃऀ ਓࣄ
ਓࣄ޲͚κʔϯ
։ൃऀ޲͚κʔϯ
౿Έ୆
ਓࣄ%#
5SVTUκʔϯ

View Slide

Trusted Zone಺Ͱͷۀ຿
ॏཁͳσʔλ
0Oαʔόʔ
ॏཁͳσʔλ
0Oαʔόʔ
ۀ຿ΞϓϦ
ۀ຿ΞϓϦ
ۀ຿ΞϓϦ
ۀ຿ΞϓϦ
5SVTUFE[POF

View Slide

function CanWeTrust (zone string) bool {
return zone == “true”
}
γϯϓϧͳੈք

View Slide

·ͱΊ
ڥքϞσϧͱκʔϯͷग़ݱ

View Slide

Post 2010

View Slide

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ
- 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ
- 2010?: iPhoneͷϏδωε্Ͱͷ׆༻
- 2014: ୈ̐ελʔτΞοϓϒʔϜ
- 2016: ϦϞʔτϫʔΫͷ޿͕Γ
ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ

View Slide

- SalesforceͷϝΨώοτ
- 2010?: iPhoneͷϏδωε্ͷ׆༻

View Slide

ݟग़͠
5IF/FFEMFTTMZ$PNQMFY)JTUPSZPG4BB4 4JNQMJpFEIUUQTXXXQSPDFTTTUIJTUPSZPGTBBT

View Slide

- Trusted -> Untrustedͷϒϥ
΢βΞΫηεཁ݅૿Ճ
- DMZʹϦόʔεϓϩΩγΛ௥
Ճ͢Δ͜ͱͰे෼ରॲՄೳ
SaaSͷొ৔ʹΑΔ֎෦઀ଓͷ૿Ճ
5SVTUFE
6OUSVUFE
%.
Ϧόϓϩ

View Slide

<ਤղ>Ϗδωεͱ*5ͷؔ܎IUUQTCMPHFWBOHFMJTNKQFOUSZCVTJOFTTJU

View Slide

- Google Apps For YourDomain ʢݱGSuiteʣͷొ৔
- AWSͷొ৔: αʔϏεఏڙ؀ڥͷPaaSԽ
"84೥ͷาΈdԊֵdIUUQTBXTBNB[PODPNKQBXT@IJTUPSZEFUBJMT
8JLJQFEJBIUUQTFOXJLJQFEJBPSHXJLJ(@4VJUF

View Slide

- Trustedκʔϯ಺ͷγεςϜ
͕ଓʑͱSaaSԽ
৘ใγεςϜͷSaaSԽʹΑΔมԽ
5SVTUFE
6OUSVUFE
%.
Ϧόϓϩ

View Slide

Ͳ͜Ζ͔αʔϏε؀ڥͰ͑͞as a Serviceʹ
5SVTUFE
6OUSVUFE
%.
Ϧόϓϩ
։ൃऀ޲͚κʔϯ
౿Έ୆

View Slide


View Slide

- ۀ຿ͰͷεϚϗ׆༻ࣄྫ૿Ճ

View Slide

- ن੍࢈ۀʹ͓͚ΔελʔτΞοϓͷ૿Ճʢྫ: Fintechʣ
վળ͢ΔΘ͕ࠃͷελʔτΞοϓࣄۀ؀ڥIUUQTXXXKSJDPKQ.FEJB-JCSBSZpMFSFQPSUKSJSFWJFXQEGQEG

View Slide

w ن੍࢈ۀʹ଍Λ౿ΈೖΕΔϕϯνϟʔͷ૿Ճ
w lେखاۀͷΦʔϓϯΠϊϕʔγϣϯ௥ٻͱελʔτΞοϓ࿈ܞz

View Slide


View Slide

IUUQTSFDSVJUIPMEJOHTDPKQOFXT@EBUBSFMFBTF@IUNM

View Slide


View Slide

ॏཁͳσʔλ
0Oαʔόʔ
ࣾձ৘੎΍αʔϏεͷมԽʹ൐͏ۀ຿σʔλͷ෼ࢄͱܦ࿏ͷଟ༷Խ
ॏཁͳσʔλ
0Oαʔόʔ
ϙϦγʔɾϧʔϧͷఠཁ
ॏ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ

View Slide

ॏཁͳσʔλ
0Oαʔόʔ
ॏཁͳσʔλ
0Oαʔόʔ
ॏ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿
ΞϓϦ
ۀ຿
ΞϓϦ

View Slide

ॏཁͳσʔλ
0Oαʔόʔ
ॏཁͳσʔλ
0Oαʔόʔ
ॏ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
جװ
σʔλ
جװ
σʔλ
ۀ຿
ΞϓϦ
ۀ຿
ΞϓϦ

View Slide

ॏཁͳσʔλ
0Oαʔόʔ
ॏཁͳσʔλ
0Oαʔόʔ
ॏ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ۀ຿Ξ
ϓϦ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
ۀ຿
ΞϓϦ
ۀ຿
ΞϓϦ
جװ
σʔλ
جװ
σʔλ

View Slide

৴པʢTrustʣ͢ΔڥքͷมԽ

View Slide

ڥքͷมԽͱ
ڴҖɾΠϯγσϯτ

View Slide

ඪతܕ߈ܸʢڴҖʣ
- ಛఆͷ૊৫಺ͷ৘ใΛૂͬͯ
ߦΘΕΔαΠόʔ߈ܸ(2009~)
- ࠃ಺ࣄྫ
- 2011: ࡾඛॏ޻
- 2015: ೔ຊ೥ۚػߏ
- 2018: CoinCheckʁ
5IF$ZCFS,JMM$IBJOIUUQTXXXMPDLIFFENBSUJODPNFOVTDBQBCJMJUJFTDZCFSDZCFSLJMMDIBJOIUNM

View Slide

αϓϥΠνΣʔϯ
- ੡඼ʹର͢Δෆਖ਼ϓϩάϥϜͷຒΊࠐΈɺϋʔυ΢ΣΞͷෆਖ਼վ଄
ͳͲʹΑͬͯੜ͡Δ৘ใηΩϡϦςΟ্ͷϦεΫ
- ࣄྫ
- NPMͷਓؾϥΠϒϥϦ΁ͷѱੑίʔυ஫ೖ
- GEMͷ” strong_password”΁ͷѱੑίʔυ஫ೖ
- ϑΝΠϧγΣΞ֦ுػೳͷ৐ͬऔΓ
- 7Pay͕ґଘ͢Δomni7ʹ͓͚Δ੬ऑੑ
- ถࠃͷϑΝʔ΢ΣΠ੡඼ഉআ
IUUQTXXXTFDVSJUZXFFLDPNNBMJDJPVTDPEFQMBOUFETUSPOHQBTTXPSESVCZHFN
IUUQTXXXXJSFEDPNTUPSZHPPHMFDISPNFFYUFOTJPOTTFDVSJUZDIBOHFT

View Slide

಺෦൜ߦ
- ૊৫಺ͷϝϯόʔʹΑΔѱҙ͋Δߦಈ
- ࠃ಺ࣄྫ
- 2014: ϕωοηͷάϧʔϓاۀ಺ͷ೿ݣࣾһʹΑ
Δݸਓ৘ใ࿙Ӯʢ͋ΔҙຯαϓϥΠνΣʔϯͰ΋
͋Δʣ

View Slide

ڞ௨఺

View Slide

Trustκʔϯͷ৴པੑͷ௿Լ
- ඪతܕ߈ܸ
- Drive by Download΍ਫҿΈ৔߈ܸ
- ExploitޙͷC2CʹΑΔ৘ใऩूɾԣஅత৵֐
- αϓϥΠνΣʔϯϦεΫ
- ґଘઌͷOSSʹ͓͚Δ੬ऑੑ
- ಺෦൜ߦ
- ૊৫಺ͷ൜ߦ

View Slide

ωοτϫʔΫڥքΛࠜڌʹͨ͠Trustͷݶք
- σʔλɾਓɾఏܞઌ͕ඞͣ͠΋Trustڥքʹ͍ͳ
͍
- TrustڥքʹUntrustfulͳཁૉ͕૿͑ͨ

View Slide

BeyondCorp
Zero Trust Network

View Slide

- ωοτϫʔΫͷڥքʹԠͨ͡৴པྖҬͷ֓೦Λഉআ
- ϢʔβʔɾσόΠεΛ΋ͱʹೝূ͢Δ
- ͦΕΒ΁ͷೝՄʢΞΫηε੍ޚʣ͸ϙϦγʔʹ΋ͱ
͖ͮಈతʹܾఆ͢Δ
- ͲͪΒ͔ͱ͍͏ͱɺαʔϏε؀ڥ޲͚
Zero Trust Networkͱ͸
IUUQTDMPVEHPPHMFDPNCFZPOEDPSQ

View Slide

- ैۀһ͕ʮ৴པͰ͖ͳ͍ωοτϫʔΫʯΛ௨ͯ͡
ಇ͚ΔΑ͏ʹ͢ΔGoogleࣾ಺ͷΞϓϩʔν
BeyondCorpͱ͸
IUUQTDMPVEHPPHMFDPNCFZPOEDPSQ

View Slide

https://www.youtube.com/watch?v=SSUUg38lFg0
IUUQTXXXZPVUVCFDPNXBUDI W4466HM'HUT
IUUQTUDP&X+W$3(,[9 BNQ
Zero Trust/Beyond CorpͷϦιʔε
࿦จͱͯ͋͠Δͷ͕
#FZPOE$PSQ
;FSP5SVTUͷ࿦จ͋ͬͨΒ͢Έ·ͤΜ

View Slide

Ҏ߱ɺBeyondCorpΛϕʔεʹ͠·͢

View Slide

- ͢΂ͯΛUntrusted Zone͔ΒͷΞΫηεͱԾఆ͢Δ
- ΞΫηεݩͷϢʔβʔɾσόΠεΛೝূ͢Δ
- ΞΫηεݩΛσʔλʹԠͯ͡ΞΫηεՄ൱൑அ͢
Δ
- “Never Trust, Always Verify”
Basic Principals

View Slide

function CanWeTrust (
device, user interface, zone string) int {
// return value from 0~1
return someAlgorithm(device, user, zone)
}
function AuthorizationDecision(
device, user interface, score int) bool{
return AllowOrDisAllow(device, user, zone)
}
ෳ਺ͷม਺͔Β৴པ͕ܭࢉ͞ΕΔੈք

View Slide

IUUQTBJHPPHMFSFTFBSDIQVCTQVCQEG

View Slide

- Ϣʔβʔͷಛఆ
- σόΠεͷಛఆ
- ΞΫηεϓϩΩγ
- ΞΫηε੍ޚΤϯδϯʢϙϦγʔΤϯδϯʣ
- Trust Inferenceʢ৴པείΞࢉग़Τϯδϯʣ
ඞཁͳίϯϙʔωϯτ

View Slide

Ϣʔβʔͷಛఆ
ʢIdentiﬁcation)

View Slide

View Slide

- ͦͷϢʔβʔ͸ຊ౰ʹਖ਼͍͠Ϣʔβʔͳͷ͔
- ඞཁͳίϯϙʔωϯτ
- ϢʔβʔɾάϧʔϓDB
- Ϣʔβʔೝূ
Ϣʔβʔͷಛఆ

View Slide

- ຊਓ֬ೝ
- ΦϯϥΠϯ্ʹ͋ΔϦιʔε΁ͷΞΫηεΛཁ
ٻ͢Δਃ੥ऀͷొ࿥ͱ਎ݩ֬ೝ
- ೝূ
- ೝূ৘ใͷ࿈ܞ
ϢʔβʔΛηΩϡΞʹೝূ͢Δϓϩηε
IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPJOEFYKBIUNM

View Slide

- ຊਓ֬ೝ
- ೝূ
- ొ࿥ޙͷϦιʔε΁ͷΞΫηεΛཁٻ͢Δਃ੥
ऀͷΞΠσϯςΟςΟͷ͔֬͞Λূ໌͢Δ

View Slide

- ຊਓ֬ೝ
- ೝূ
- ೝূ࣌ͷ৘ใΛଞΞϓϦ΍γεςϜͱ࿈ܞ͢Δ

View Slide

- ຊਓ֬ೝ
- ೝূ

View Slide

ϢʔβʔɾάϧʔϓDB

View Slide

View Slide

ਓࣄ%#

View Slide

ϢʔβʔɾάϧʔϓDBͷ֓ཁ
- σΟϨΫτϦ
- ΦϒδΣΫτͷҰݩ؅ཧ͢ΔϢʔβʔɾάϧʔϓDB
- ωοτϫʔΫʹ઀ଓͨ͠αʔόʔͳͲͷࢿݯʢϦιʔεʣͷॴࡏɾ
ଐੑɾઃఆͳͲͷ৘ใΛޮ཰తʹऩू͠ɺه࿥ɾ؅ཧ͢ΔαʔϏε
- ར఺
- ಡΈऔΓ͕ߴ଎
- ෼ࢄܕͷ৘ใ֨ೲϞσϧ
- ߴ౓ͳݕࡧػೳΛ࣋ͭ

View Slide

ϢʔβʔɾάϧʔϓDBؔ܎ͷϓϩτίϧ
- LDAP
- SCIM

View Slide

LDAP
- Lightweight Directory Access Protocol
- σΟϨΫτϦαʔϏεʹΞΫηε͢Δϓϩτίϧ
- ػೳ
- ݕࡧ: ldapsearch, ߋ৽: ldapmodify, ௥Ճ: ldapadd
- Active Directory͕༗໊͕ͩɺ࠷ۙ͸GSuite΋࣮૷ͨ͠
- ঎༻Ͱ΋OSSͰ΋࢖ΘΕ๛෋ͳ࣮੷͕͋Δ
- Ϋϥ΢υɾWebΞϓϦͰ͸ϝδϟʔΑΓͷϚΠφʔ

View Slide

LDAP
$
-
*
&
/
5
4
&
3
7
&
3
IUUQTISPVIBOJPSHMEBQTFSWFSPQFOMEBQDFOUPT

View Slide

LDAPྫ: ݕࡧ
$
-
*
&
/
5
4
&
3
7
&
3
CJOE
DODMJFOU PVTFSWFST EDFYBNQMF EDDPNF
1BTTXPSE\QBTTXPSE^
SFTVMUTVDDFTT
TFBSDIPCKFDUDMBTT
BMM-%"10CKFDU
ˈldapsearch -D “cn=admin” -w {password} -b “dc=example,dc=com” "(objectclass=*)"

View Slide

SCIMɹʢ͖͢Ήʣ
- System for Cross-domain Identity Management
- “Ϋϥ΢υϕʔεͷΞϓϦέʔγϣϯ͓ΑͼαʔϏεʹ͓͚Δ
ϢʔβʔIDͷ؅ཧΛ༰қʹ͢ΔΑ͏ʹઃܭ”
- Ұݩ؅ཧ͞ΕͨσΟϨΫτϦ͔Βɺར༻͢ΔαʔϏε΁ͷϓϩ
Ϗδϣχϯά
- JSON/XMLܗࣜ
- REST APIʹΑΔϞσϧૢ࡞
- LDAPΑΓϚΠφʔ
IUUQXXXTJNQMFDMPVEJOGP

View Slide

SCIMϞσϧ

View Slide

{
"schemas":
["urn:ietf:params:scim:schemas:core:
2.0:User"],
"id":"2819c223-7f76-453a-919d-413861904646",
"externalId":"bjensen",
"meta":{
"resourceType": "User",
"created":"2011-08-01T18:29:49.793Z",
"lastModified":"2011-08-01T18:29:49.793Z",
"location":"https://example.com/v2/Users/
2819c223...",
"version":"W\/\"f250dd84f0671c3\""
},
"name":{
"formatted": "Ms. Barbara J Jensen, III",
"familyName": "Jensen",
"givenName": "Barbara",
"middleName": "Jane",
"honorificPrefix": "Ms.",
"honorificSuffix": "III"
},
"userName":"bjensen",
"phoneNumbers":[
{
"value":"555-555-8377",
"type":"work"
}
],
"emails":[
{
"value":"[email protected]",
"type":"work",
"primary": true
}
]
}

View Slide

SCIM Protocols
- ࡞੒ɿ POST /{version}/{resource}
- ಡऔɿ GET /{v}/{resource}/{id}
- ஔ׵ɿ PUT /{v}/{resource}/{id}
- ࡟আɿ DELETE /{v}/{resource}/{id}
- ෦෼ஔ׵ɿ PATCH /{v}/{resource}/{id}
- ݕࡧ: GET /{v}/{resource}?ϑΟϧλʔ= {ଐੑ} {ΦϖϨʔλ} {஋}ˍ
SORTBY = {attributeName}ˍsortOrder={ঢॱ|߱ॱ}
- Ұׅ࡞੒ɿ POST /{v}/Bulk

View Slide

Ϣʔβʔೝূ

View Slide

View Slide

Ϣʔβʔೝূ
- 2ஈ֊ೝূͱSingle Sign On͕େલఏ
- ೝূ͕௨ͬͨ৔߹ɺ୹࣌ؒͷτʔΫϯΛൃߦ͢Δ
- τʔΫϯͷதʹ͸ೝՄϓϩηεʹඞཁͳ৘ใؚ͕
·Ε͍ͯΔ͜ͱ͕ଟ͍

View Slide

ೝূͱγϯάϧɾαΠϯΦϯͷҧ͍
- ೝূ
- ϢʔβͷΞΠσϯςΟςΟ͕͔֬ͳ΋ͷͰ͋Δ͜ͱΛΫϨ
σϯγϟϧΛఏࣔͯ͠ূ໌͢Δϓϩηε
- ୅දతͳϓϩτίϧ: FIDO (WebAuthn + CTAP)
- Single Sign On
- γεςϜΛލ͍ͰΞΠσϯςΟςΟ΍ೝূ৘ใΛ఻ൖ͢Δ
ͨΊͷϓϩηε
- ୅දతͳϓϩτίϧ: Kerberos, SAML, OIDC
IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPTQCKBIUNMTFD

View Slide

ೝূ

View Slide

- γεςϜϦιʔε΁ͷΞΫηεΛਃ੥͢ΔϢʔ
βʔɾϓϩηεɾσόΠεͱ͍ͬͨΤϯςΟςΟ
ͷΞΠσϯςΟςΟΛཱূʢVerifyʣ
- ௨ৗɺΫϨσϯγϟϧͷఏࣔΛ൐͏
ೝূͱ͸
IUUQTQBHFTOJTUHPWTQIUNM

View Slide

- 1961: ύεϫʔυͷొ৔ at MIT
- 1983: ICΧʔυϚΠίϯ
- ????: ΫϨδοτΧʔυ with ICνοϓ
- 2000~:
- SMS΍ϝʔϧʹΑΔ௥Ճೝূίʔυͷૹ৴
- TOTPΛ࢖ͬͨ௥Ճೝূ
- εϚʔτΧʔυΛ࢖ͬͨActive Directoryೝূ
- ੜମೝূΛ࢖ͬͨ௥Ճೝূ
- Yubicoࣾઃཱ
- 2018:
- FIDO2
ೝূํࣜͷભҠ
IUUQTFOXJLJQFEJBPSHXJLJ1BTTXPSE

View Slide

8FC"VUIO
CFDPNFT
XDQSPQPTFE
SFDDFPNFOEBUJPO
HNTpEPpEP
'FC 'FC
+BO
8FC"VUIO
CFDPNFT
XDQSPQPTFE
SFDDFPNFOEBUJPO
.BSDI .BZ
8FC"VUIO
XDDBOEJEBUF
SFDDFPNFOEBUJPO
8FC"VUIO
XDQSPQPTFE
SFDDFPNFOEBUJPO
+VOF .BS
8FC"VUI
XD
TUBOEBSJ[FE

View Slide

"VUIFOUJDBUPS
$MJFOU
3FMZJOH
1BSUZ
3FMZJOH
1BSUZ
$SFEFOUJBM,FZ
,FZ1BJS

,FZ1BJS
$SFEFOUJBM
,FZ1BJS

FIDO

View Slide

Platform
5&& 51.

View Slide

SSOʢϑΣσϨʔγϣϯʣ
ೝূ৘ใͷ࿈ܞ

View Slide

- SSO
- 1౓ͷೝূͰෳ਺ͷγεςϜ͕ར༻ՄೳʹͳΔ͜ͱ
- Kerberosೝূɺσδλϧॺ໊ೝূ
- ϑΣσϨʔγϣϯ
- ωοτϫʔΫυϝΠϯΛ·͍ͨͰೝূ৘ใΛ࿈ܞ͢Δ͜ͱ
- SAML, OIDC
SSOɾϑΣσϨʔγϣϯͱ͸

View Slide

xxxx-xxxx

xxxx-xxxx/AttributeValue>

Kengo Suzuki

https://sts.windows.net/xxxx-xxxx/
AttributeValue>

http://schemas.microsoft.com/ws/2008/06/
identity/authenticationmethod/password
http://schemas.microsoft.com/claims/
multipleauthn

arn:aws:iam::1111:role/xxx-role,arn:aws:iam::
1111:saml-provider/Azure
arn:aws:iam::1111:role/xxx-role,arn:aws:iam::
1111:saml-provider/Azure

3

Suzuki

[email protected]

[email protected]

[email protected]

arn:aws:iam::xxxxxxxx:role/xxx-
role,arn:aws:iam::1111:saml-provider/Azure
AttributeValue>
arn:aws:iam::xxxx:role/
yyy-role,arn:aws:iam::1111:saml-provider/
Azure

14400

৬ೳ৘ใͷ࿈ܞ
ྫϑϩϯτΤϯυ
4".- "TTFSUJPO

View Slide

{
"ver": "2.0",
"iss": “https://login.microsoftonline.com/
xxxxxx-xxxxx-xxxxx-xxxx/v2.0",
"sub": "Axxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"aud": "xxxxxx-xxxxx-xxxxx-xxxx",
"exp": 1536361411,
"iat": 1536274711,
"nbf": 1536274711,
"name": “Kengo Suzuki",
"preferred_username": “[email protected]“,
"oid": "xxxxxx-xxxxx-xxxxx-xxxx",
"tid": "xxxxxx-xxxxx-xxxxx-xxxx",
"nonce": "111111",
"aio": “!eGbIDakyp5mnOrcdqHeYSnltepQmRp6AIZ8jY”
“roles": "frontend",
}

৬ೳ৘ใͷ࿈ܞ
ྫϑϩϯτΤϯυ
0*%$ *%5PLFO

View Slide

BeyondCorpʹ͓͚ΔʮϢʔ
βʔͷೝূʯͷཁ݅Λຬͨ͢
੡඼ = IDaaS
IUUQTXXXQJOHJEFOUJUZDPNFOSFTPVSDFTDMJFOUMJCSBSZBSUJDMFTJEFOUJUZBTBTFSWJDFJEBBTIUNM

View Slide

AzureAD: σΟϨΫτϦ (LDAPϢʔβʔ૬౰)

View Slide

AzureAD: σΟϨΫτϦ (LDAPάϧʔϓ૬౰)

View Slide

AzureAD: ϓϩϏδϣχϯά(SCIM)

View Slide

AzureAD: Ϣʔβʔೝূ(MFA)ͱೝূ৘ใ࿈ܞ

View Slide

- ೝূΛ௨ͯ͠ϢʔβʔΛಛఆ͠ͳ͚Ε͹ͳΒͳ͍
- Ϣʔβʔʹඥͮ͘࿦ཧతͳΦϒδΣΫτ͕ඞཁ
- ΦϒδΣΫτΛҰݩ؅ཧ͢ΔDB = σΟϨΫτϦ
- ΦϒδΣΫτΛଞαʔϏεʹ఻ൖ͢Δ͜ͱ = ϓϩϏδϣχϯά
- Ϣʔβʔͷೝূ৘ใΛ࿈ܞ͢Δ͜ͱ = SSOɾϑΣσϨʔγϣϯ
Ϣʔβʔͷಛఆɹ·ͱΊ

View Slide

σόΠεͷಛఆ
(Identiﬁcation)

View Slide

View Slide

- ਓ͕ਖ਼౰Ͱ΋ɺײછͨ͠୺຤ʹΑΓ߈ܸऀͷҙਤ͕ୡ੒
͞Εͯ͠·͏ࣄྫ͸زͭ΋͋Δ
- ΑͬͯɺσόΠεͷਖ਼౰ੑΛ֬อ͠ͳ͚Ε͹ͳΒͳ͍
- ඞཁͳίϯϙʔωϯτ
- σόΠεDBʢΠϯϕϯτϦʣ
- σόΠεೝূ
σόΠεͷಛఆ

View Slide

σόΠεDB
ʢΠϯϕϯτϦʣ

View Slide

σόΠεDBʢΠϯϕϯτϦʣͷ֓ཁ
- σόΠεͷଐੑΛอ࣋͢ΔΦϒδΣΫτΛ؅ཧ͢ΔDB
- ҎԼͷ؅ཧػೳΛ࣋ͭ΂͖
- ௐୡͨ͠σόΠεͷొ࿥
- σόΠεͷߏ੒؅ཧʢؚΉมߋͱσϓϩΠʣ
- ߏ੒৘ใͷϦΞϧλΠϜදࣔ
- ۀ຿ར༻͍ͯ͠ΔσόΠεछผͷαϙʔτ
- Windows, MacOS, iOS, Android, Linux…

View Slide

- ௐୡ͔ΒΠϯϕϯτϦొ࿥·Ͱͷஈ֊͸୹͍΄͏
͕ϕλʔ
- ࠷ۙ͸ࣗಈొ࿥Մೳ
ΠϯϕϯτϦొ࿥

View Slide

ݟग़͠
IUUQTXXXKBNGDPNCMPHBQQMFEFWJDFFOSPMMNFOUQSPHSBNBQQMFJUJOOPWBUJPO
ΠϯϕϯτϦొ࿥(Mac/iOS)

View Slide

ΠϯϕϯτϦొ࿥(Windows)
IUUQTNZJHOJUFUFDIDPNNVOJUZNJDSPTPGUDPNTFTTJPOT

View Slide

σόΠεͷߏ੒؅ཧ
- ج४ɾϙϦγʔʹैͬͯߏ੒
- ۀ຿ར༻ΞϓϦ/CAͷΠϯετʔϧ
- ݹ͍ΞϓϦͷར༻
- OSɾΞϓϦͷ࠷৽Խ
- σΟεΫ҉߸Խ
- ϩʔΧϧAdminͷύεϫʔυมߋ
- ऑ͍ύεϫʔυͷېࢭ
- ฆࣦ୺຤ͷϩοΫɾॳظԽ
- ߏ੒ঢ়گ΍୺຤ͷϝτϦΫεΛχΞɾϦΞϧλΠϜͰ
ऩू
- ࣾ಺NWʹݶఆ͞Εͣܧଓతʹద༻
ॏ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ
ॏཁͳ
σʔλ

View Slide

- ͜ΕΒͷཁ݅Λຬͨ͢঎༻੡඼͸·ͩͳ͍ʢڪΒ͘ʣ
- ϢʔβʔϞσϧΛఆٛ͢ΔSCIMεΩʔϚͷΑ͏ͳඪ४΋ະ
ొ৔
- Google͸ࣗࣾͰϝλσόΠεΠϯϕϯτϦΛߏங
- 15ͷҟͳΔσʔλιʔε
- 300ສ/೔݅ɺྦྷܭ80ςϥόΠτͷσʔλΛऩू
- ֤OS͝ͱͷઐ໳νʔϜ
σόΠεΠϯϕϯτϦͷݱ࣮

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετͷڧௐจࣈ
- Ϧετ
୺຤ΠϯϕϯτϦͷσʔλιʔε
#FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
σόΠεΠϯϕϯτϦͷσʔλιʔε
w ࢿ࢈؅ཧ
w ʮࢿ࢈ʯͱͯ͠ͷσόΠε%#
w ϋʔυ΢ΣΞ΍ͦͷதͰಈ͘ιϑτ΢ΣΞ΍ϥΠηϯε΋؅ཧ
w ͦΕΒʹՃ͑ͯϥΠϑαΠΫϧ΋؅ཧ
w ૯຿ɾܦཧ͕؅ཧͯ͠Δ͜ͱ΋͋Δ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
w σΟϨΫτϦɾαʔϏε
w Ϣʔβʔɾάϧʔϓ%#ͱಉ͡
w 8JOEPXTΛར༻͍ͯ͠ΔاۀͰ͸ɺ"DUJWF%JSFDUPSZ͕ط
ʹ͋ΔͷͰɺ͔ͦ͜ΒσʔλΛΠϯϙʔτ͢Δ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
w ωοτϫʔΫػث
w %)$1΍"31ςʔϒϧͷ࿈ܞ
w ωοτϫʔΫػث͸ελϯυΞϩϯͳঢ়ଶͰଘࡏ͢Δ͜ͱ͕
ଟ͍

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
w ੬ऑੑεΩϟφ
w /FTVT΍/NBQͳͲΛఆظతʹ࣮ࢪͯ͠ɺ੬ऑੑ͕ͳ͍͔
νΣοΫ
w ͦͷ݁Ռͷ࿈ܞ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
w $"
w ୺຤ʹຒΊࠐ·Εͨূ໌ॻͷτϥετΞ
ϯΧʔ
w ূ໌ॻ͕ਖ਼౰͔ͳͲΛ࿈ܞ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
w ߏ੒؅ཧαʔϏε
w σόΠεͷߏ੒ঢ়گΛ࿈ܞ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
w ύον؅ཧαʔϏε
w 04΍Πϯετʔϧ͞ΕͨΫϥΠΞϯτΞ
ϓϦͷύον؅ཧ
w ద༻ঢ়گͳͲͷ࿈ܞ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
୺຤ΠϯϕϯτϦͷσʔλιʔε
w ʢϝλʣΠϯϕϯτϦαʔϏε
w ͜ΕΒͷσʔλΛऔΓࠐΈɺؔ࿈෇͚ͨ
୯ҰͷΠϯϕϯτϦ

View Slide

σόΠεೝূ

View Slide

- RFC5280
- ެ։伴ূ໌ॻͷϑΥʔϚοτΛఆٛ
- CRLͷఆٛ
- ূ໌ॻνΣʔϯͷݕূํ๏Λఆٛ
- ൿີ伴ͷ৴པੑΛূ໌Ͱ͖ΔͨΊɺσόΠεೝূͱͯ͠ར༻
X.509

View Slide

ͦͷൿີ伴͸ϢχʔΫ͔

View Slide

ෆਖ਼ʹૠೖ͞Εͨ伴ϖΞ
Ͱͳ͍͔
伴ϖΞΛॻ͖׵͑ΒΕͯ
͍ͳ͍͔

View Slide

Attestation
"UUFTUBUJPO,FZTͷ
ϖΞ࡞੒
ᶅ4IJQ
޻৔ग़ՙ࣌ʹ
伴ϖΞΛ51.ʹຒΊ
ࠐΉ
ൿີ伴ͷੜ੒ɾ؅
ཧ͸51.5&&
಺ͷΈ
51.5&&
ੜ੒͞Εͨൿີ伴
ʹඥͮ͘ূ໌ॻ͸
֎ग़Մೳ

View Slide

51.ͷެ։伴
Ͱݕূ
51.5&&

View Slide

Windows TPM
IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZJOGPSNBUJPOQSPUFDUJPOUQNIPXXJOEPXTVTFTUIFUQN

View Slide

ݟग़͠
PS C:\> Get-TpmEndorsementKeyInfo -Hash "Sha256"
IsPresent : True
PublicKey :
System.Security.Cryptography.AsnEncodedData
PublicKeyHash :
70769c52b6e24ef683693c2a0208da68d77e94192e1f4080ae
7c9b97c6caa681
ManufacturerCertificates : {[Subject]
OID.2.23.133.2.3=1.2,
OID.2.23.133.2.2=C4T8SOX3.5,
OID.2.23.133.2.1=id:782F345A
[Issuer]
CN=Contoso TPM CA1, OU=Contoso
Certification Authority, O=Contoso, C=KR
[Serial Number]
77A120A
[Not Before]
6/4/2012 6:35:58 PM
[Not After]
6/4/2022 6:35:57 PM
[Thumbprint]
77378D1480AB48FEA2D4E610B2C7EEF648FEA2
}
AdditionalCertificates : {}
IUUQTHJUIVCDPN.JDSPTPGU%PDTXJOEPXTQPXFSTIFMMEPDTCMPCNBTUFSEPDTFUXJOEPXTUSVTUFEQMBUGPSNN

View Slide

BeyondCorpʹ͓͚ΔσόΠ
εɾΞΠσϯςΟςΟΛຬͨ
͢੡඼ɾαʔϏε

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
σόΠεͷΤʔδΣϯτʢUEMʣ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
macOS, iOSฤ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ূ໌ॻΠϯετʔϧ
$FOTPSFE

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ߏ੒؅ཧʢྫ: ϩʔΧϧAdminͷύεϫʔυ೔࣍มߋʣ
$FOTPSFE

View Slide

#####################################################################################
###############
# Decode API user Password
apiPass="$( decryptString "$apiEncryptedPass" "$saltAPI" "$passAPI" )"
if [ -z "$apiPass" ]; then
scriptLogging "Failed to decrypt API user's password" 2
exit 1
fi
#####################################################################################
###############
# Retrieve LAPS user password from Extent Attribute
previousEncryptedPassword="$( retrievePassword "$apiUser" "$apiPass" "$HWUUID"
"$extAttName" )"
if [ -n "$previousEncryptedPassword" ]; then
scriptLogging "Retrieved previous password is $previousEncryptedPassword
(encrypted)."
retrievedPassword="$( decryptString "$previousEncryptedPassword" "$laSalt"
"$laPass" )"
else
scriptLogging "Could not get previous password. Try initial password for $
{laUserName}."
scriptLogging "Try to use initial password for ${laUserName}:
$initialEncryptedPassForLadminUser (encrypted)."
retrievedPassword="$( decryptString "$initialEncryptedPassForLadminUser"
"$initLaSalt" "$initLaPass" )"
fi
if [ -z "$retrievedPassword" ]; then
scriptLogging "Failed to decrypt previous password of $laUserName" 2
exit 1
fi
#####################################################################################
###############
# Check current password with Retrieved password
/usr/bin/dscl /Local/Default -authonly "$laUserName" "$retrievedPassword" 2> /dev/
null
returnCode=$?
if [ "$returnCode" -eq 0 ]; then
scriptLogging "Current password has match with Retrieved password."
else
scriptLogging "Retrieved password for $laUserName is not match current password.
dserr: $returnCode" 2
exit $returnCode
fi
#####################################################################################
###############
# Change password with new one.
newpassword="$( /usr/bin/openssl rand -base64 48 | /usr/bin/tr -d OoIi1lLS | /usr/
bin/head -c 12 )"
changePassword "$laUserName" "$retrievedPassword" "$newpassword"
#####################################################################################
###############
# Encrypt New Password
encryptedPassword="$( echo "$newpassword" | /usr/bin/openssl enc -aes256 -a -A -S
"$laSalt" -k "$laPass" )"
if [ -n "$encryptedPassword" ]; then
# If you want to log new password, remove ':' at start of next line.
: scriptLogging "New password: $encryptedPassword (Encrypted)"
else
scriptLogging "Failed to encrypt new password. Why?" 2
scriptLogging "Roll back with previous one."
changePassword "$laUserName" "$newpassword" "$retrievedPassword"
exit 1
fi
#####################################################################################
###############
# Update Extent Attribute with New Password
uploadPassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" "$encryptedPassword"
returnCode=$?
if [ "$returnCode" -ne 0 ]; then
scriptLogging "Failed to upload." 2
scriptLogging "Roll back with previous one."
changePassword "$laUserName" "$newpassword" "$retrievedPassword"
exit 1
fi
try="$( retrievePassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" )"
if [ "$try" = "$encryptedPassword" ]; then
scriptLogging "Retrieve test passed."
scriptLogging "Done."
exit 0
else
scriptLogging "Retrieve test failed. Get unexpected string." 2
scriptLogging "Retrieved String: $try" 2
scriptLogging "Expected String: $encryptedPassword" 2
scriptLogging "Done in error." 2
exit 1
fi
$FOTPSFE

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ύον؅ཧʢྫ: Chromeͷ࠷৽Խʣ
$FOTPSFE

View Slide

shlogger "Mount dmg file: $dmgfile"
devfile="$( /usr/bin/hdiutil attach -nobrowse "$
{workdir}/${dmgfile}" | /usr/bin/grep Chrome | /
usr/bin/awk '{print $1}' )"
check_result="$( checkapp "$dl_chromapp"
"$developerid" )"
if [ "$check_result" = ok ]; then
shlogger "Codesign check passed."
runstate="$( /usr/bin/pgrep Chrome | /usr/bin/
wc -l )"
shlogger "Chrome run state: $runstate"
if [ "$runstate" -ne 0 ]; then
notification=yes ; fi
tmpdir="/tmp/$( /usr/bin/uuidgen )"
/bin/mkdir -m 755 "$tmpdir"
/bin/mv "$CHROME" "$tmpdir"
/bin/cp -af "$dl_chromapp" /Applications
shlogger "Install Chrome into /Applications"
/usr/bin/xattr -r -d com.apple.quarantine
"$CHROME"
shlogger "Remove com.apple.quarantine from
$CHROME"
else
shlgger "$check_result" 2
shlogger "Codesign check failed." 2
fi
/usr/bin/hdiutil detach -quiet "$devfile"
rm -rf "$workdir"
shlogger "Show notification: $notification"
if [ "$notification" = yes ]; then
show_notification "Googole Chrome has
updated!" "Restart Google Chrome now."
fi
shlogger "Done."
exit 0

w $ISPNFͷࣗಈΞοϓσʔτεΫϦϓτ

View Slide

#!/bin/bash
RESULT="Not Installed"
CHROME="/Applications/Google Chrome.app"
if [ -e "$CHROME" ]; then
installed_version="$( /usr/libexec/PlistBuddy
-c "print CFBundleShortVersionString" "$CHROME/
Contents/Info.plist" )"
current_stable_version="$( /usr/bin/curl -s
https://omahaproxy.appspot.com/all | /usr/bin/awk
-F, '/mac,stable/ {print $3}' )"
if [ "$installed_version" =
"$current_stable_version" ]; then
RESULT="UptoDate"
else
RESULT="Old"
fi
fi
echo "$RESULT"

w Πϯετʔϧ͞Ε͍ͯΔ$ISPNFͷόʔδϣϯνΣοΫͱଐੑઃఆ

View Slide

֦ுଐੑͷ෇༩
$FOTPSFE
$FOTPSFE

View Slide

χΞϦΞϧλΠϜͷߏ੒؅ཧ
$FOTPSFE

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
Windows, Androidฤ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ূ໌ॻΠϯετʔϧ

$FOTPSFE

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ߏ੒؅ཧ
$FOTPSFE

View Slide

{
"@odata.context": "https://graph.microsoft.com/
v1.0/$metadata#deviceManagement/managedDevices/$entity",
"id": "xxxxx",
"userId": "xxxxx",
"deviceName": "xxxx",
"managedDeviceOwnerType": "company",
"enrolledDateTime": "2019-07-18T12:17:53.0413033Z",
"lastSyncDateTime": "2019-08-15T02:34:53.7572148Z",
"operatingSystem": "Windows",
"complianceState": "compliant",
"jailBroken": "Unknown",
"managementAgent": "mdm",
"osVersion": "10.0.18362.295",
"easActivated": true,
"easDeviceId": "xxxxx",
"easActivationDateTime":
"2019-07-18T12:25:05.2874123Z",
"azureADRegistered": true,
"deviceEnrollmentType": "windowsCoManagement",
"activationLockBypassCode": null,
"emailAddress": “[email protected]”,
"azureADDeviceId": "xxxxx",
"deviceRegistrationState": "registered",
"deviceCategoryDisplayName": "Windows",
"isSupervised": false,
"exchangeLastSuccessfulSyncDateTime":
"0001-01-01T00:00:00Z",
"exchangeAccessState": "none",
"exchangeAccessStateReason": "none",
"remoteAssistanceSessionUrl": "",
"remoteAssistanceSessionErrorDetails": "",
"isEncrypted": true,
"userPrincipalName": “[email protected]",
"model": "xxxxx",
"manufacturer": "xxxxx",
"imei": null,
"complianceGracePeriodExpirationDateTime":
"9999-12-31T23:59:59.9999999Z",
"serialNumber": "xxxxx",
"phoneNumber": null,
"androidSecurityPatchLevel": null,
"userDisplayName": "Kengo Suzuki",
"wiFiMacAddress": "xxxxx",
"deviceHealthAttestationState": null,
"subscriberCarrier": "",
"meid": "",
"totalStorageSpaceInBytes": -1638924288,
"freeStorageSpaceInBytes": -822083584,
"managedDeviceName": "xxxx/18/2019_12:17 PM",
"partnerReportedThreatState": "secured",
"deviceActionResults": [],
"configurationManagerClientEnabledFeatures": {
"inventory": false,
"modernApps": false,
"resourceAccess": false,
"deviceConfiguration": false,
"compliancePolicy": false,
"windowsUpdateForBusiness": false
}
}

w "1*Λ͔ͭͬͯߏ੒৘ใΛऔಘ
w IUUQTHSBQINJDSPTPGUDPN
WEFWJDF.BOBHFNFOU
NBOBHFE%FWJDFTEFWJDF*%

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ύον؅ཧʢWindows Defenderʣ
$FOTPSFE

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
੬ऑੑεΩϟϯʢWindows Defenderʣ
$FOTPSFE

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
σΟϨΫτϦʢActive Directoryʣ

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
Network

View Slide

- Ϧετ
- Ϧετ
- Ϧετ
- Ϧετ
ࢿ࢈؅ཧπʔϧ

View Slide

- શσόΠεͰ࣮ࢪ͢Δඞཁ͋Γ
- ʢϝλʣΠϯϕϯτϦαʔϏε͸·ͩ঎༻ԽɾOSSԽ͞Ε
͍ͯͳ͍
- ࣗ෼Ͱ࡞Δ͔͠ͳ͍…
- σόΠεೝূ͸ TPM + x.509
σόΠεΞΠσϯςΟςΟɹ·ͱΊ

View Slide

ΞΫηε੍ޚ

View Slide

View Slide

- Access Proxy:
- શHTTP/SSHϦΫΤετͷड෇
- Access Control Engine(ACE):
- ΞΫηε੍ޚΛෳ਺ͷσʔλιʔε͔Βܾఆ͢ΔϙϦγʔΤϯδϯɻ
- Trust Inference:
- Ϣʔβʔ΍σόΠεͷ৴པείΞΛࢉग़͢ΔΤϯδϯ
- Pipleline:
- ACEʹσʔλΛfeed͢ΔύΠϓϥΠϯ
- Resource:
- ΞΫηε੍ޚͷର৅ʹͳΔΞϓϦɺαʔϏεɺΠϯϑϥ
ΞΫηε੍ޚͷ֓ཁʢొ৔ਓ෺ʣ

View Slide

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ
w શ)55144)ϦΫΤετ͸"DDFTT1SPYZʹ޲͚ΒΕΔ
w શ)55144)ϦΫΤετ͸"DDFTT1SPYZʹ޲͚ΒΕΔ

View Slide

w "DDFTT1SPYZ͔Β4JOHMF4JHO0OʹϦμΠϨΫτ

View Slide

w 4JOHMF4JHO0OͰɺೝূ৘ใΛ࿈ܞ͢Δʢ'FEFSBUJPOʣ

View Slide

w ΞΫηε੍ޚΛܾఆ͢ΔΑ͏ϦΫΤετ

View Slide

w σόΠε΍Ϣʔβʔͷ৴པ౓Λܭࢉ
w σόΠεɾϢʔβʔͷଐੑͱͯ͠อଘ
w ύΠϓϥΠϯΛ௨ͯ͠৴པείΞɺΠϯϕ
ϯτϦ৘ใΛ"$&ʹ࿈ܞ

View Slide

function userTrustInference (user, app interface) int {
// isUserVulnerable(user)
// isUserAccessingFromNewLocation(user)
// hasTakenSecurityTraining(user)
// isAppCritical(app)
return userTrustTier(userInfo, appInfo)
}
function deviceTrustInference (device, app interface) int {
// isDeviceVulnerable(device)
// isDevieLatest(device)
// isBrowserLatest(device)
// isDeviceManaged(device)
// isDeviceEncrypted(device)
// isDeviceActive(device)
return deviceTrustTier(deviceInfo, app)
}

View Slide

w "1ͱύΠϓϥΠϯ͔ΒऔಘͰ͖ΔσʔλΛ΋ͱʹΞΫηεՄ൱
Λܾఆɾద༻

View Slide

BeyondCorpʹ͓͚ΔΞΫη
ε੍ޚΛຬͨ͢੡඼ɾαʔ
Ϗε

View Slide

Access Proxy
w "[VSF"%
w ੍ݶ
w )551ʢ4ʣҎ֎ͷϓϩ
τίϧରԠ
w ύεϫʔυೝূํࣜ

View Slide

Trust Inference
w "[VSF"%*EFOUJUZ1SPUFDUJPO Ϣʔβʔ

w .JDSPTPGU%FGFOEFS"51ʢσόΠεʣ
w "[VSF"51ʢσόΠεɾϢʔβʔʣ

View Slide

- Ϣʔβʔͷ৴པ౓ΛαΠϯΠϯঢ়ଶ͔Βܭଌ
- αΠϯΠϯΠϕϯτͦͷ΋ͷͱɺαΠϯΠϯޙͷߦಈ͔Βܭଌ
- Πϕϯτྫ: TorΛ࢖ͬͨϩάΠϯࢪߦ
- ߦಈྫ: ෆՄೳͳཱྀߦ
- ৴པ౓ʢϦεΫ஋ʣ͸Low, Medium, HighͰ෼ྨ
- ୹ॴ: ϦεΫ஋ͷࢉग़ࠜڌ͕Θ͔Γʹ͍͘
Trust Inference - AzureAD Identity Protection

View Slide

{
"@odata.type": "#microsoft.graph.unfamiliarLocationRiskEvent",
"id": “xxxx-xxxx",
"riskEventStatus": "dismissedAsFixed",
"riskLevel": "medium",
"riskEventType": "UnfamiliarLocationRiskEvent",
"riskEventDateTime": "2019-xx-xxT06:30:45",
"closedDateTime": “2019-xx-xxT09:18:43",
"createdDateTime": "2019-xx-xxT09:18:43",
"userId": “xxxx-xxxx",
"userDisplayName": “Kengo Suzuki",
"userPrincipalName": “[email protected]",
"ipAddress": "18.205.93.232",
"location": {
"city": "Ashburn",
"state": "VA",
"countryOrRegion": "United States",
"geoCoordinates": {
"latitude": 39.0437,
"longitude": -77.4742
}

w 4JHO*O3JTL&WFOU

View Slide

{
"id": "xxxx-Xxxx-xxxx",
"isDeleted": null,
"isGuest": null,
"isProcessing": false,
“riskLevel": "none",
"riskState": "remediated",
"riskDetail": "userPerformedSecuredPasswordReset",
"riskLastUpdatedDateTime": "2018-xx-xxT01:33:06",
"userDisplayName": [email protected],
"userPrincipalName": null
}

w 6TFS3JTL

View Slide

- σόΠεͰൃੜͨ͠ΞϥʔτͱͦͷޙͷରԠঢ়گ
͔ΒϦεΫ஋Λࢉग़
- ৴པ౓ʢϦεΫ஋ʣ͸Low, Medium, HighͰ෼ྨ
- ୹ॴ: ϦεΫ஋ͷ൑அࠜڌ΍ಛ௃બ୒͕Θ͔Γʹ
͍͘
Trust Inference - Microsoft Defender ATP

View Slide

ɹɹɹɹɹ{
"id": "xxxxx",
"computerDnsName": “xxxxxxxxxxx”,
"firstSeen": "2019-xx-xxT09:18:43",
ɹɹɹɹɹ"lastSeen": "2019-xx-xxT09:18:43",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": “xxx.xxx.xxx.xxx”,
"lastExternalIpAddress": "xxx.xxx.xxx.xxx",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
ɹɹɹ "rbacGroupName": "The-A-Team",
"riskScore": "Low",
ɹɹɹɹ"isAadJoined": true,
"aadDeviceId": “xxxx-xxxx",
ɹɹɹɹ "machineTags": [ "test tag 1", "test tag 2" ]
},

w %FWJDF3JTL

View Slide

- υϝΠϯࢀՃͰͷATPܥ߈ܸΛݕ஌
- WDATPͱ࿈ܞ
Trust Inference - Azure ATP

View Slide

Trust Inference
w "[VSF"%৚݅෇͖ΞΫηε

View Slide

- Ϋϥ΢υαʔϏεʹର͢ΔΞΫηε੍ޚΛෳ਺ͷ৚݅ʹج͍ͮ
ܾͯఆɾద༻͢ΔαʔϏε
- ৚݅ͷྫ
- ୺຤ͷϙϦγʔ४ڌঢ়گ
- ϢʔβʔͷϦεΫ஋
- ΫϥΠΞϯτΞϓϦछผ
- ΞΫηεઌͷΫϥ΢υαʔϏε
- Ґஔ৘ใ
৚݅෇͖ΞΫηε
IUUQTEPDTNJDSPTPGUDPNFOVTB[VSFBDUJWFEJSFDUPSZDPOEJUJPOBMBDDFTTPWFSWJFX

View Slide

- MFAͷશ༗ޮԽ
৚݅෇͖ΞΫηεྫ: શΞϓϦ޲͚

View Slide

- ॏཁͳαʔϏεʹରͯ͠ɺαΠϯΠϯϦεΫ͕গ
͠Ͱ΋͋Ε͹ϩάΠϯΛڐՄ͠ͳ͍
- ॏཁαʔϏε
- AWS, ౿Έ୆, ύεϫʔυϚωʔδϟʔ,
- ސ٬৘ใ؅ཧ༻αʔϏε
৚݅෇͖ΞΫηεྫ: ॏཁΞϓϦ޲͚

View Slide

- ؅ཧ͞ΕͨσόΠεͰϙϦγʔ४ڌͨ͠΋ͷͷΈΞΫηεՄೳ
- ؅ཧ͞ΕͨσόΠε: ProﬁleΛΠϯετʔϧ͞ΕͨBYOD୺຤΋ؚΉ
- ४ڌ͞Εͨঢ়ଶ
- σΟεΫ͕Full Encryption͞Ε͍ͯΔ
- σόΠεͷϦεΫ஋͕LowҎԼͰ͋Δ
- OS͕ಛఆͷόʔδϣϯҎ্Ͱ͋Δ
- TPMΛඋ͍͑ͯΔ
- BIOSϨϕϧͷ
৚݅෇͖ΞΫηεྫ: ؅ཧσόΠεͷΈڐՄ

View Slide

- ͕͜͜BeyondCorp/ZeroTrustͷ؊
- શͯͷΞΫηε͸Access ProxyΛܦ༝͢Δ
- ωοτϫʔΫ͚ͩͰ͸ͳ͘ɺෳ਺ͷσʔλιʔε͔Β൑அ͢Δ
- ͦͷதʹ͸৴པ౓Λܾఆ͢ΔTrust Inferene΋ؚ·ΕΔ
- ACEʹσʔλ͕ू໿͞ΕɺΞΫηε੍ޚ͕ܾఆɾద༻͞ΕΔ
ΞΫηε੍ޚɹ·ͱΊ

View Slide

- BeyondCorpΛҰ൪ݱ࣮ͯ͠Δ঎༻αʔϏε͸
Microsoft
- θϩ͔Β૊Έ࢝ΊΔͷͰ͋Ε͹ɺMicrosoft365
ύοέʔδΛ࢖ͬͯɺ଍Γͳ͍෦෼Λݸผͷι
ϦϡʔγϣϯʹٻΊΔͷ͕ίεύ͕ྑ͍
ࢲݟ

View Slide

ࠓ·Ͱͷ͓͞Β͍

View Slide

ηΩϡϦςΟཁ݅શମ૾
ηΩϡϦςΟઃܭ
ઓུʢՄ༻ੑʣ

View Slide

View Slide

ηΩϡϦςΟ୲౰ͱͯ͠
΍Δ͜ͱ͸໌֬ʹͳΓ·͔ͨ͠ʁ

View Slide

ϜͱηΩϡϦςΟ - ߦಈࢦ਑ฤ
2019/08/10 By @ken5scal

View Slide

- ϛογϣϯܾఆͱܦӦਞͱͷ߹ҙ
- ༏ઌॱҐʹର͢ΔܦӦਞͱͷ߹ҙ
- ಥવ;ͬͯ͘ΔʢଞࣾΛؚΊͨʣΠϯγσϯτରԠ
- ιϦϡʔγϣϯͷͨΊͷ༧ࢉ֬อ
- ϨΨγʔͳपลγεςϜͱͷ౷߹
- ৽͍͠ϓϩμΫτ΁ͷίϛοτ
- ʢ΍ͬͱ…ʣ࣮૷ɾӡ༻
- ࠾༻ɾνʔϜϏϧσΟϯά
- Etc, etc
Զͨͪͷઓ͍͸·ͩ࢝·ͬͨ͹͔Γͩ

View Slide

- ׬શ/ඪ४తͳΧϦΩϡϥϜͳͲͳ͍
- खΛಈ͔ͦ͏ɻ࣮ફ͋ΔͷΈɻ
- ίϛϡχέʔγϣϯΛଵΒͳ͍
- ਏ͍͜ͱ΋ࣦഊ΋͋Δ
- ָ؍ऀͰ͍Α͏
- ॿ͚ΛٻΊΑ͏
- ஌ࣝΛڞ༗͠Α͏
So, you want to work in security?
ݪจ4P ZPVXBOUUPXPSLJOTFDVSJUZ
೔ຊޠ໿ηΩϡϦςΟͰ൧৯͍͍ͨਓ޲͚ͷ৺ͷ࣋

View Slide

Good Luck and Happy Hacking!

View Slide

Thank You!

View Slide

ユーザー企業における情報システムとセキュリティ #seccamp2019

ユーザー企業における情報システムとセキュリティ #seccamp2019

Kengo Suzuki

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript