Slide 1

@ken5scal, 2022/11/20
Comrades, Fire on Zero Trust
LayerX CTO Office

Slide 2

About me
• @ken5scal
• CTO Office / Fintech Business Division
• CTO Office: under the CTO, develops and operates company-wide security systems; from policy writing, internal training and organization building through implementation and operations
• Fintech Business Division: real-estate-related financial products, making asset management more efficient
• Personal activity: "Secure旅団" (Secure Brigade)
• Supervising translator of O'Reilly's "Zero Trust Networks" (Japanese edition)
• Roughly weekly newsletter "Security Intelligence for Busy People"
• Podcast "Secure Liaison"

Slide 3

Agenda
• What is Zero Trust
• Problems we ran into in operations
• What are the important points?

Slide 4

Security training at LayerX, p.1

Slide 5

Does Zero Trust improve security?

Slide 6

We got no results!! None at all!!

Slide 7

...which would be an overstatement, but

Slide 8

The incidents are still there, as ever

Slide 9

Agenda
• The Zero Trust way of thinking
• Problems seen in general
• Problems we ran into in operations
• What are the important points?

Slide 10

What is Zero Trust
• Zero Trust does not refer to a specific implementation
• It is a way of thinking about protecting systems, adapted to an environment where work has shifted, socially and economically, from specific computers and a limited network to a distributed network
• When the environment changes, the assets, vulnerabilities, threats and risk change with it
• The design principles are universal
• 3 elements: confidentiality, integrity, availability
• Design principles: least privilege, separation of duties
https://www.process.st/history-of-saas/

Slide 11

What is Zero Trust (timeline: 2017 O'Reilly, 2020 NIST SP800-207, 2021 NCSC, 2022 Digital Agency)

Slide 12

What is Zero Trust (timeline: 2017 O'Reilly, 2020 NIST SP800-207, 2021 NCSC, 2022 Digital Agency)
O'Reilly, Zero Trust Networks:
• The network is always assumed to be hostile.
• External and internal threats exist on the network at all times.
• Network locality is not sufficient for deciding trust in a network.
• Every device, user, and network flow is authenticated and authorized.
• Policies must be dynamic and calculated from as many sources of data as possible.
NIST SP800-207:
• The entire enterprise private network is not considered an implicit trust zone.
• Devices on the network may not be owned or configurable by the enterprise.
• No resource is inherently trusted.
• Not all enterprise resources are on enterprise-owned infrastructure.
• Remote enterprise subjects and assets cannot fully trust their local network connection.
• Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.

Slide 13

What is Zero Trust (timeline: 2017 O'Reilly, 2020 NIST SP800-207, 2021 NCSC, 2022 Digital Agency)
NCSC:
• Know your architecture including users, devices, services and data
• Know your user, service, and device identities
• Assess user behavior, service and device health
• Use policies to authorize requests
• Authenticate and authorize everywhere
• Focus your monitoring on users, devices and services
• Don't trust any network, including your own
• Choose services which have been designed for zero trust
Digital Agency (Japan):
• Identify resources and keep them in a state where they can be pinpointed
• Verify the identity of subjects and authenticate them
• Protect the network
• Check the state of resources
• Evaluate against the access control policy and manage access
• Observe resources and access

Slide 16

What is Zero Trust
• Achieving "least privilege" and "separation of duties" through access control based on digital identity and policy
• We built our risk countermeasures around this way of thinking
• Risk = probability of occurrence x impact
• Probability of occurrence = threat x vulnerability
• Impact = characteristics of the asset or the business process

Slide 17

Our company's growth and a history of governance defeats
※ No risk has actually materialized... yet

Slide 18

Zero Trust at LayerX
• We have been pushing it since the 2020 stage
• We also advanced least privilege and separation of duties, focusing on digital identity as the core
• To reduce risk, asset management, vulnerability management and threats were handled as follows:
• Service infrastructure: AWS GuardDuty; internal infrastructure: Microsoft's threat detection, with device management for prevention
• Continuous inspection with AWS Security Hub and GCP Security Command Center
• Weekly review, with reminders sent to each team
• Dangerous findings notified via Slack
• Resources managed through tags
• Otherwise, SaaS went through a strict review
• Automation was kept to the necessary minimum
• However...


Slide 20

Activities to maintain and manage security, and a history of defeats
• Example: access control
• Federation of identity information through the IdP
• RBAC with groups treated as roles
• Cut by position, duties, team, information classification, and so on
• Static policies pull in the context at access time
• Is there a suspected security risk on the user or the device?
• Require MFA re-authentication only for specific accesses
[Diagram: User → Group A (Role A) → Resource; ① access; policy; ② membership check; ③ check of the access context against an external data source; ④ access decision and enforcement; ⓪ group membership management: add member]

Slide 21

The Cambrian explosion of groups that comes with organizational growth and diversification
• Positions, duties, teams and information classifications grew explosively
• A single team change or training session means close to 10 groups have to be changed
• There is always a category that is not covered, and each time we are chasing the naming convention
• Managing a group that should contain "specific position x specific team" is hard
• In the end, group-based access control has low flexibility

Slide 22

Next step ①: spreading and sustaining privilege management and policy
• Attach attributes to users, devices, services or the accessed resource, and enforce dynamic access control through policy based on them (ABAC)
• Still under discussion: who manages which attributes, and how far that responsibility extends...
[Diagram: User (attribute A, attribute B); Group A (Role A); Resource (attribute X, attribute Y); ① access that does not depend on groups; policy; members added by attribute; ③ check of the access context against an external data source; ④ access decision and enforcement]

Slide 23

Two kinds of policy management: internal-control-style policy
https://atmarkit.itmedia.co.jp/ait/articles/0204/19/news003.html
Internal-control-style policy (this is what we are talking about). CNCF-style policy generally corresponds to guidelines or procedures.
• Policy in the internal-control sense is basically documentation written in natural language
• Such a policy must not logically contradict the implementations and countermeasures (which follow the subordinate documents: standards and procedures)
• That linkage must also be kept provable and auditable so that accountability can be met
• Few would disagree with this need
• However, the current control chain from policy to implementation and countermeasures has problems in effectiveness and operation
• Several similar regulations exist, with the contradictions and management complexity that come with them
• Every control has to be updated whenever a higher-level regulation is updated
• The information systems themselves keep getting more complex
• All of this increases the paperwork effort
[Diagram labels: laws and regulations; industry standards]

Slide 24

Attach metadata about the internal-control policy to security countermeasures and implementations
• OSCAL: Open Security Controls Assessment Language
• A standardized, data-centric assessment framework for defining the security controls (Controls) of an information system and assessing against them
• A machine-readable representation, so the system no longer lives only in people's heads
• Ensures traceability between high-level requirements such as laws, regulations and frameworks, and the implementation
• Continuous inspection and assessment
https://pages.nist.gov/OSCAL/

Slide 25

[Diagram: the OSCAL layers: Control Layer, Implementation Layer, Assessment Layer]

Slide 26

"catalog": {
  "uuid": "fa8f6772-40a9-4976-b7fd-e95c5b9ee037",
  "metadata": {
    "title": "FedRAMP Rev 4 Low Baseline",
    "published": "2021-02-05T00:00:00.000-04:00",
    "last-modified": "2021-10-13T18:23:58.261729Z",
    "version": "fedramp1.1.0-oscal1.0.0",
    "oscal-version": "1.0.0",
    "links": [ { "href": "FedRAMP_rev4_LOW-baseline_profile.xml", "rel": "resolution-source" } ],
    "roles": [
      { "id": "prepared-by", "title": "Document creator" },
      { "id": "fedramp-pmo", "title": "The FedRAMP Program Management Office (PMO)", "short-name": "CSP" },
      { "id": "fedramp-jab", "title": "The FedRAMP Joint Authorization Board (JAB)", "short-name": "CSP" }
    ],
    "parties": [],
    "responsible-parties": []
  },
  "groups": [ {
    "id": "ac", "class": "family", "title": "Access Control",
    "controls": [ {
      "id": "ac-1", "class": "SP800-53", "title": "Access Control Policy and Procedures",
      "params": [
        { "id": "ac-1_prm_1", "label": "organization-defined personnel or roles" },
        { "id": "ac-1_prm_2", "label": "organization-defined frequency", "constraints": [ { "description": "at least every 3 years" } ] },
        { "id": "ac-1_prm_3", "label": "organization-defined frequency", "constraints": [ { "description": "at least annually" } ] }
      ],
      "props": [
        { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" },
        { "name": "label", "value": "AC-1" },
        { "name": "sort-id", "value": "ac-01" }
      ],
      "links": [ ... ],
      "parts": [ {
        "id": "ac-1_smt", "name": "statement", "prose": "The organization:",
        "parts": [ {
          "id": "ac-1_smt.a", "name": "item",
          "props": [ { "name": "label", "value": "a." } ],
          "prose": "Develops, documents, and disseminates ...:",
          "parts": [ {
            "id": "ac-1_smt.a.1", "name": "item",
            "props": [
              { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "..." },
              { "name": "label", "value": "1." }
            ]
            ...

Slide 27

"profile": {
  "uuid": "8742196d-86ba-4e72-a411-28867dab43bb",
  "metadata": {
    "title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",
    "last-modified": "2021-06-08T13:57:33.97549-04:00",
    "version": "Final",
    "oscal-version": "1.0.0",
    "roles": [ { "id": "creator", "title": "Document Creator" }, { "id": "contact", "title": "Contact" } ],
    "parties": [ {
      "uuid": "984e6c07-b5b6-4ab6-b22b-283609c325e6",
      "type": "organization",
      "name": "Joint Task Force, Transformation Initiative",
      "email-addresses": [ "[email protected]" ],
      "addresses": [ {
        "addr-lines": [ "National Institute of Standards and Technology", "Attn: Computer Security Division", "Information Technology Laboratory", "100 Bureau Drive (Mail Stop 8930)" ],
        "city": "Gaithersburg", "state": "MD", "postal-code": "20899-8930"
      } ]
    } ],
    "responsible-parties": [
      { "role-id": "creator", "party-uuids": [ "984e6c07-b5b6-4ab6-b22b-283609c325e6" ] },
      { "role-id": "contact", "party-uuids": [ "984e6c07-b5b6-4ab6-b22b-283609c325e6" ] }
    ]
  },
  "imports": [ {
    "href": "NIST_SP-800-53_rev5_catalog.xml",
    "include-controls": [ { "with-ids": [ "ac-1", "ac-2", "ac-3", "ac-7", "..." ] } ]
  } ],
  "merge": { "as-is": true }
}

Slide 28

{
  "component-definition": {
    "uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b",
    "metadata": {
      "title": "MongoDB Component Definition Example",
      "last-modified": "2001-08-26T23:11:47Z",
      "version": "20210826",
      "oscal-version": "1.0.0",
      "roles": [ { "id": "provider", "title": "Provider" } ],
      "parties": [ {
        "uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1", "type": "organization", "name": "MongoDB",
        "links": [ { "href": "https://www.mongodb.com", "rel": "website" } ]
      } ]
    },
    "components": [ {
      "uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217",
      "type": "software",
      "title": "MongoDB",
      "description": "MongoDB is a source-available, cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.",
      "purpose": "Provides a NoSQL database service",
      "responsible-roles": [ { "role-id": "provider", "party-uuids": [ "ef7c799a-c50e-49ab-83e0-515e989e6df1" ] } ],
      "protocols": [
        { "uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54", "name": "mongodb", "title": "Primary daemon process for the MongoDB system.", "port-ranges": [ { "start": 27017, "end": 27017, "transport": "TCP" } ] },
        { "uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61", "name": "mongodb-shardsrv", "title": "MongoDB protocol for sharding with shardsrv option.", "port-ranges": [ { "start": 27018, "end": 27018, "transport": "TCP" } ] },
        { "uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5", "name": "mongodb-configsvr", "title": "MongoDB protocol for configsrv operation.", "port-ranges": [ { "start": 27019, "end": 27019, "transport": "TCP" } ] }
      ],
      "control-implementations": [ {
        "uuid": "49f0b690-ed9f-4f32-aae0-625b77aa6d27",
        "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml",
        "description": "MongoDB control implementations for NIST SP 800-53 revision 5.",
        "implemented-requirements": [
          {
            "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0",
            "control-id": "sc-8.1",
            "description": "MongoDB supports TLS 1.x to encrypt data in transit, preventing unauthorized disclosure or changes to information during transmission. To implement TLS, set the PEMKeyFile option in the configuration /etc/mongod.conf to the certificate file's path and restart the component."
          },
          {
            "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0",
            "control-id": "sa-4.9",
            "description": "Must ensure that MongoDB only listens for network connections on authorized interfaces by configuring the MongoDB configuration file to limit the services exposure to only the network interfaces on which MongoDB ...

Slide 29

{
  "system-security-plan": {
    "uuid": "d197545f-353f-407b-9166-ebf959774c5a",
    "metadata": {
      "title": "CSP IaaS System Security Plan",
      "last-modified": "2021-06-08T13:57:35.068496-04:00",
      "version": "0.1",
      "oscal-version": "1.0.0",
      "roles": [ ... ],
      "parties": [ { "uuid": "11111111-0000-4000-9000-100000000001", "type": "person" } ]
    },
    "import-profile": { "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json" },
    "system-characteristics": {
      "system-ids": [ { "id": "csp_iaas_system" } ],
      "system-name": "Leveraged IaaS System",
      "description": "An example of three customers leveraging an authorized SaaS (...)",
      "security-sensitivity-level": "low",
      "system-information": {
        "information-types": [ {
          "title": "System and Network Monitoring",
          "description": "This IaaS system handles information pertaining to audit events.",
          "categorizations": [ { "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", "information-type-ids": [ "C.3.5.8" ] } ],
          "confidentiality-impact": { "base": "fips-199-moderate", "selected": "fips-199-low", "adjustment-justification": "This impact has been adjusted to low (...)" },
          "integrity-impact": { "base": "fips-199-moderate", "selected": "fips-199-low", "adjustment-justification": "This impact has been adjusted to low ..." },
          "availability-impact": { "base": "fips-199-moderate", "selected": "fips-199-low", "adjustment-justification": "This impact has been adjusted to low. ..." }
        } ]
      },
      "security-impact-level": { "security-objective-confidentiality": "fips-199-low", "security-objective-integrity": "fips-199-low", "security-objective-availability": "fips-199-low" },
      "status": { "state": "operational" },
      "authorization-boundary": { "description": "The hardware and software supporting the virtualized infrastructure supporting the IaaS." },
      "remarks": "Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements."
    },
    "system-implementation": {
      "users": [ { "uuid": "11111111-0000-4000-9000-200000000001", "role-ids": [ "admin" ], "authorized-privileges": [ { "title": "Administrator", "functions-performed": [ "Manages the components within the IaaS." ] } ] } ],
      "components": [
        { "uuid": "cfbc1d9d-e772-47a4-aed5-1b902339eab2", "type": "this-system", "title": "This System", "description": "The system described by this SSP.\n\nThis text was auto-generated by the OSCAL M3-RC1 data upgrade converter.", "status": { "state": "operational" } },
        { "uuid": "11111111-0000-4000-9001-000000000002", "type": "software", "title": "Application", "description": "An application within the IaaS, exposed to SaaS customers ...", "props": [ { "name": "implementation-point", "value": "system" } ], "status": { "state": "operational" }, "responsible-roles": [ { "role-id": "admin", "party-uuids": [ "11111111-0000-4000-9000-100000000001" ] } ] }
      ]
    },
    "control-implementation": {
      "description": "This is a collection of control responses.",
      "implemented-requirements": [ {
        "uuid": "11111111-0000-4000-9009-002000000000",
        "control-id": "ac-2",
        "set-parameters": [ { "param-id": "ac-2_prm_1",
        ...
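The traceability the OSCAL slides argue for (catalog → profile → component-definition) can be checked mechanically. This is an added example, not code from the talk or from NIST's OSCAL tooling: the three documents are constructed, trimmed OSCAL-shaped fragments (the real FedRAMP, NIST and MongoDB files are much larger), and the control id "ac-99" is made up on purpose so the unknown-id check has something to catch.

```python
# Constructed, trimmed OSCAL-shaped fragments (not the real FedRAMP/NIST/MongoDB files); "ac-99" is bogus on purpose.
CATALOG = {"catalog": {"groups": [
    {"id": "ac", "controls": [
        {"id": "ac-1", "title": "Access Control Policy and Procedures"},
        {"id": "ac-2", "title": "Account Management"},
        {"id": "ac-3", "title": "Access Enforcement"},
        {"id": "ac-7", "title": "Unsuccessful Logon Attempts"}]},
    {"id": "sc", "controls": [
        {"id": "sc-8", "title": "Transmission Confidentiality and Integrity",
         "controls": [{"id": "sc-8.1", "title": "Cryptographic Protection"}]}]}]}}
PROFILE = {"profile": {"imports": [{"href": "catalog.json",
    "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-3", "ac-7", "sc-8.1"]}]}]}}
COMPONENT_DEF = {"component-definition": {"components": [{"title": "example-db",
    "control-implementations": [{"implemented-requirements": [
        {"control-id": "sc-8.1", "description": "TLS for data in transit"},
        {"control-id": "ac-2", "description": "Accounts provisioned via the IdP"},
        {"control-id": "ac-99", "description": "bogus id: no such control"}]}]}]}}

def catalog_controls(catalog):
    """Flatten groups and nested enhancements (e.g. sc-8.1) into {id: title}."""
    found = {}
    def walk(controls):
        for ctl in controls:
            found[ctl["id"]] = ctl.get("title", "")
            walk(ctl.get("controls", []))   # enhancements nest under their base control
    for group in catalog["catalog"].get("groups", []):
        walk(group.get("controls", []))
    walk(catalog["catalog"].get("controls", []))  # ungrouped controls, if any
    return found

def profile_control_ids(profile):
    """The baseline: ids selected by every import's include-controls/with-ids."""
    return {cid for imp in profile["profile"]["imports"]
            for sel in imp.get("include-controls", [])
            for cid in sel.get("with-ids", [])}

def implemented_control_ids(compdef):
    """Ids claimed by the implemented-requirements of every component."""
    return {req["control-id"]
            for comp in compdef["component-definition"]["components"]
            for impl in comp.get("control-implementations", [])
            for req in impl.get("implemented-requirements", [])}

def coverage(catalog, profile, compdef):
    """Baseline controls without an implementation, claims against undefined ids, and full traces."""
    known = set(catalog_controls(catalog))
    baseline = profile_control_ids(profile)
    implemented = implemented_control_ids(compdef)
    return {"missing": sorted(baseline - implemented),
            "unknown_ids": sorted((baseline | implemented) - known),
            "covered": sorted(baseline & implemented)}
```

Run against real OSCAL JSON by loading each file with json.load and passing the resulting dicts; a non-empty "missing" list is the gap between the policy baseline and what is actually claimed as implemented.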

Slide 30

Activities to maintain and manage security, and a history of defeats
• Asset management and vulnerability management
• Realized with AWS Security Hub and GCP Security Command Center
• Weekly visual review, with reminders sent to each team
• Dangerous findings notified via Slack
• Resources managed through tags
• Otherwise, SaaS went through a strict review
• The Cambrian explosion of resources that comes with organizational growth and diversification

Slide 31

Summary
• Zero Trust is not a security countermeasure; it is a guideline and a way of thinking for a specific work environment
• Each organization builds its security countermeasures around that way of thinking
• At LX we worked on Zero Trust from an early stage, and on access control
• But as the organization grew, we entered a phase of more aggressive automation
• The Zero Trust guideline is maintained
• One of the challenges for that is continuously operating and applying internal-control-style policy
• There is something of a trend, OSCAL being one example, to treat such efforts as important


Slide 33

Let's continue the conversation on Meety
https://meety.net/matches/SunJOdvBKMrT