Ϣʔβʔاۀʹ͓͚Δ৘ใγες ϜͱηΩϡϦςΟ - શମ૾ฤ 2019/08/10 By @ken5scal

ࣗݾ঺հ - ࣗݾ঺հ: @ken5scal (ླ໦ݚޗ) - ޷͖ͳٕज़ελοΫ: ೝূɾೝՄ - ۚ༥ܥɾFintechܥͰେاۀɾελʔτΞοϓ྆ํͰηΩϡϦςΟΛ୲౰ - 2011: NRIηΩϡΞ - SIer - ূ݊ձࣾ޲͚MSS αʔϏεͷఏڙ - 2014: Money Forward - Ϣʔβʔاۀ - ࢿ࢈؅ཧɾΫϥ΢υձܭܥFintechελʔτΞοϓ - 2018: FOLIO - Ϣʔβʔاۀ - ূ݊ܥFintechελʔτΞοϓ

͋Δ೔…

օ༷ͱ໨ઢ߹Θͤ

- Who: “ੈͷதΛࣗ෼ͨͪͷྗͰม͍͖͍͑ͯͨͱࢥ͍ͬͯΔํ” - What: “ࠓճ͸ʮ͖ͪΜͱӡ༻͢Δʯͱ͍͏ࣄΛςʔϚ” - Howᶃ: “ߴ౓ͳ৘ใηΩϡϦςΟٕज़ͷशಘ” - Howᶄ: “Ϟϥϧ΍๏཯९कͷҙࣝɺηΩϡϦςΟҙࣝɺ৬ۀҙ ࣝɺཱࣗతͳֶशҙࣝʢٕज़Ҏ֎ʹඞཁͳٕೳʣʹ͍ͭͯ΋޲্ ͷͨΊͷػձΛఏڙ” ӡ༻ͱ։ൃτϥοΫ IUUQTXXXJQBHPKQKJO[BJDBNQ[FOLPLV@DIBSBDUFSJTUJDIUNM IUUQTXXXJQBHPKQKJO[BJDBNQ[FOLPLV@BCPVUIUNM

- Who: “ੈͷதΛࣗ෼ͨͪͷྗͰม͍͖͍͑ͯͨͱࢥ͍ͬͯΔํ” - What: “ࠓճ͸ʮ͖ͪΜͱӡ༻͢Δʯͱ͍͏ࣄΛςʔϚ” - Howᶃ: “ߴ౓ͳ৘ใηΩϡϦςΟٕज़ͷशಘ” - Howᶄ: “Ϟϥϧ΍๏཯९कͷҙࣝɺηΩϡϦςΟҙࣝɺ৬ۀҙ ࣝɺཱࣗతͳֶशҙࣝʢٕज़Ҏ֎ʹඞཁͳٕೳʣʹ͍ͭͯ΋޲্ ͷͨΊͷػձΛఏڙ” ӡ༻ͱ։ൃτϥοΫ IUUQTXXXJQBHPKQKJO[BJDBNQ[FOLPLV@DIBSBDUFSJTUJDIUNM IUUQTXXXJQBHPKQKJO[BJDBNQ[FOLPLV@BCPVUIUNM

ੈͷத͕มΘΔͱ͸ʁ

No content

ͱ͍͏͜ͱͰ͸ͳ͘ ʢݸਓͷҙݟͰ͢ʣ

৽͍͠Ձ஋Λ૑ग़͢Δ͜ͱ

- ੈքతྲྀΕ - ୈ4࣍࢈ۀֵ໋ٕज़ - ࠃ಺ͷྲྀΕ - Connected Industry - Society 5.0 ৽͍͠Ձ஋ͷ૑ग़ͷྲྀΕ

ୈ̐࣍࢈ۀֵ໋ IUUQTXXXCSJUBOOJDBDPNUPQJD5IF'PVSUI*OEVTUSJBM3FWPMVUJPO

- ࣮ੈքʢϑΟδΧϧۭؒʣʹ͋Δଟ༷ ͳσʔλΛηϯαʔωοτϫʔΫ౳Ͱ ऩू͠ɺαΠόʔۭؒͰେن໛σʔλ ॲཧٕज़౳Λۦ࢖ͯ͠෼ੳʗ஌ࣝԽΛ ߦ͍ɺͦ͜Ͱ૑ग़ͨ͠৘ใʗՁ஋ CPS IUUQTXXXKFJUBPSKQDQTBCPVU

- “զ͕ࠃ͸ɺ੡଄ۀΛ௒͑ͯɺϞϊͱϞ ϊɺਓͱػցɾγ εςϜɺਓͱٕज़ɺҟͳΔ࢈ۀʹଐ͢Δاۀͱاۀɺੈ ୅Λ௒ ͑ͨਓͱਓɺ੡଄ऀͱফඅऀͳͲɺ༷ʑͳ΋ͷΛ ͭͳ͛Δ”࢈ۀࣾձ Connected Industries

Connected Industries in ۚ༥ ۚ༥ிϑΟϯςοΫ͸ڞ௨Ձ஋Λ૑଄Ͱ͖Δ͔

νϟοτ(LINE) X ূ݊ձࣾ(FOLIO) ʲ-*/&'JOBODJBMʳ-*/&'JOBODJBMͱ'0-*0ɺʮ-*/&εϚʔτ౤ࢿʯΛຊ೔͔Βఏڙ։࢝

IUUQTOFXTQJDLTDPNOFXT

- ௒εϚʔτࣾձ - ʮඞཁͳ΋ͷɾαʔϏεΛɺඞཁͳਓʹɺඞཁͳ࣌ʹɺඞཁͳ͚ͩఏڙ͠ɺࣾձͷ༷ʑ ͳχʔζʹ͖Ίࡉ͔͘ରԠͰ͖ɺ͋ΒΏΔਓ͕࣭ͷߴ͍αʔϏεΛड͚ΒΕɺ೥ྸɺੑ ผɺ஍Ҭɺݴޠͱ͍༷ͬͨʑͳҧ͍Λ৐Γӽ͑ɺ׆͖׆͖ͱշదʹ฻Β͢͜ͱ͕Ͱ͖ Δʯࣾձ - ํ޲ੑ - ʮ৽ͨͳ֗ʯͮ͘ΓͷࡏΓํͦͷ΋ͷͷݟ௚͠ - γΣΞϦϯάΤίϊϛʔͷਪਐ - FinTechͷ׆༻ਪਐ Society 5.0 IUUQXXXTPVNVHPKQKPIPUTVTJOUPLFJXIJUFQBQFSKBIQEGOQEG IUUQTXXXNFUJHPKQQSFTTQEG

- ࢈ۀͳͲطଘͷ࿮૊ΈΛ௒͑Δ࿈ܞ - ΑΓੜ׆ʹີணͨ͠࿈ܞʹͳΓɺαΠόʔۭؒͱϑΟδΧϧۭ͕ؒ݁߹͖ͯͨ͠ - ෼໺ - ϔϧεέΞ - Ҡಈʢ෺ྲྀɾҠಈʣ - αϓϥΠνΣʔϯ - ۚ༥ ʢ·ͱΊʣ৽͍͠Ձ஋͸Ͳ͜Ͱੜ·Ε͍ͯΔ͔ʁ

৽͍͠Ձ஋ͱϦεΫ

- ΞϝϦΧͰϑΟϯςοΫ౤ࢿͷओͨΔྖҬ͸༥ࢿͱܾࡁ - ༥ࢿɿ68ԯυϧ - ܾࡁ: 19ԯυϧ ৽͍͠Ձ஋ͷܦࡁن໛ IUUQTXXXDBPHPKQLFJ[BJOLO@@IUN

ࢢ৔ΛऔΓʹߦ͘ᗐ྽ͳ૪͍

Typical concern about platform markets is that people will coordinate on a “dominant” platform. IUUQTXFCTUBOGPSEFEVdKEMFWJO&DPO-FDUVSF&DPOPNJDTPG1MBUGPSNTQQUY

݁Ռ

https://piyolog.hatenadiary.jp/entry/2019/06/07/063000 IUUQTQJZPMPHIBUFOBEJBSZKQFOUSZ

https://headlines.yahoo.co.jp/hl?a=20190716-00000136-kyodonews-bus_all IUUQTIFBEMJOFTZBIPPDPKQIM BLZPEPOFXTCVT@BMM

IUUQTLPOEFJIBUFCMPKQFOUSZ

No content

IUUQXXXJUSFTFBSDIBSUCJ[ Q

- ࢈ۀͳͲطଘͷ࿮૊ΈΛ௒͑Δ࿈ܞ IUUQTXXXNFUJHPKQTIJOHJLBJNPOP@JOGP@TFSWJDFTBOHZP@DZCFSXH@TFJEPXH@CVOZBPEBOEBJOJTPQEG@@QEG

- 2011: - Playstation Networkʹର͢ΔSQL InjectionʹΑΔݸਓ৘ใྲྀग़ - 2012: - ΦϯϥΠϯόϯΫʹର͢ΔϚϯΠϯβϒϥ΢βʹΑΔෆਖ਼ૹۚ - 2014: - ϕωοη ͷ಺෦൜ߦʹΑΔݸਓ৘ใྲྀग़ - 2015: - ೥ۚ؅ཧγεςϜαΠόʔ߈ܸ ʹΑΔݸਓ৘ใྲྀग़ - 2018: - Ծ૝௨՟औҾॴ͔Βͷ҉߸ࢿ࢈ྲྀग़ - 2019: - ΩϟογϡϨεαʔϏεʹ͓͚Δෆਖ਼ߪೖ ৽͍͠Ձ஋ͱϦεΫݦࡏԽͷྫ

- 2011: - Playstation Networkʹର͢ΔSQL InjectionʹΑΔݸਓ৘ใྲྀग़ - 2012: - ΦϯϥΠϯόϯΫʹର͢ΔϚϯΠϯβϒϥ΢βʹΑΔෆਖ਼ૹۚ - 2014: - ϕωοη ͷ಺෦൜ߦʹΑΔݸਓ৘ใྲྀग़ - 2015: - ೥ۚ؅ཧγεςϜαΠόʔ߈ܸ ʹΑΔݸਓ৘ใྲྀग़ - 2018: - Ծ૝௨՟औҾॴ͔Βͷ҉߸ࢿ࢈ྲྀग़ - 2019: - ΩϟογϡϨεαʔϏεʹ͓͚Δෆਖ਼ߪೖ ৽͍͠Ձ஋ͱϦεΫݦࡏԽͷྫ ݦࡏԽ·Ͱͷεϐʔυ૿Ճ

IUUQTXXXFOJTBFVSPQBFVQVCMJDBUJPOTFOJTBUISFBUMBOETDBQFSFQPSU IUUQTXXXJQBHPKQTFDVSJUZWVMOUISFBUTIUNM ৽͍͠Ձ஋ͱมԽ͢ΔڴҖ

Ձ஋͕มԽ͢ΔʹͭΕ ϦεΫ͕৽͘͠ੜ·ΕΔɹor ϦεΫͷେ͖͕͞มԽ͢Δ

ੈͷதΛม͑ͳ͕Β ͖ͪΜͱӡ༻͍ͯ͘͠ͱ͸ʁ

ᶃΠϊϕʔγϣϯΛ࠷଎Խͭͭ͠ ᶄՁ஋Λ࠷େԽͭͭ͠ɺ ᶅϦεΫΛ࠷খԽ͢ΔࢪࡦΛ࣮ߦ͢Δ

ࠓ೔ͷΰʔϧ

- ʮੈͷதΛม͑Δʯͱʮ͖ͪΜͱӡ༻͢ΔʯΛཱ྆͢Δͨ Ίͷશମ૾Λ೺Ѳ͢Δ - ূ݊ձࣾΛέʔεελσΟͱ͢Δ - ࣌୅എܠͱͱ΋ʹมΘΓͭͭ͋Δઃܭํ਑Λ೺Ѳ͢Δ - BeyondCorpͷ঺հ ࠓ೔ͷΰʔϧ

ͱݴ͓ͬͨ࿩Λ͍͖ͤͯͨͩ͞·͢ - ࣗݾ঺հ: @ken5scal (ླ໦ݚޗ) - ޷͖ͳٕज़ελοΫ: ೝূɾೝՄ - ۚ༥ܥɾFintechܥͰେاۀɾελʔτΞοϓ྆ํͰηΩϡϦςΟΛ୲౰ - 2011: NRIηΩϡΞ - SIer - ূ݊ձࣾ޲͚MSS αʔϏεͷఏڙ - 2014: Money Forward - Ϣʔβʔاۀ - ࢿ࢈؅ཧɾΫϥ΢υձܭܥFintechελʔτΞοϓ - 2018: FOLIO - Ϣʔβʔاۀ - ূ݊ܥFintechελʔτΞοϓ

- ࣗݾ঺հ: @ken5scal (ླ໦ݚޗ) - ޷͖ͳٕज़ελοΫ: ೝূɾೝՄ - ۚ༥ܥɾFintechܥͰେاۀɾελʔτΞοϓ྆ํͰηΩϡϦςΟΛ୲౰ - 2011: NRIηΩϡΞ - SIer - ূ݊ձࣾ޲͚MSS αʔϏεͷఏڙ - 2014: Money Forward - Ϣʔβʔاۀ - ࢿ࢈؅ཧɾΫϥ΢υձܭܥFintechελʔτΞοϓ - 2018: FOLIO - Ϣʔβʔاۀ - ূ݊ܥFintechελʔτΞοϓ ͱݴ͓ͬͨ࿩Λ͍͖ͤͯͨͩ͞·͢ ূ݊ۀքͷཱ৔͔Βɺ Ͳ͏ελʔτΞοϓͰʮͪΌΜͱӡ༻͢Δʯ͔ ͓࿩͍͖ͤͯͨͩ͞·͢ɻ

- ࣗݾ঺հ: @ken5scal (ླ໦ݚޗ) - ۚ༥ܥɾFintechܥͰେاۀɾελʔτΞοϓ྆ํͰηΩϡϦςΟΛ୲౰ - 2011: - NRIηΩϡΞ ূ݊ձࣾ޲͚MSS - 2014: Money Forward - ࢿ࢈؅ཧɾΫϥ΢υձܭܥFintechελʔτΞοϓ - 2018: FOLIOʢݱ৬ʣ - ূ݊ܥFintechελʔτΞοϓ ٕज़ॻయͳͲͰಉਓࢽग़ͯ͠·͢

ΑΖ͓͘͠ئ͍͠·͢

- 3ࣾʹ7೥΄Ͳ͔͍ͨ͜͠ͱ͕ͳ͍ - Fintechɾۚ༥ͷதͰ΋ɺ2छ΄Ͳ͔͠ܦݧͳ͠ - ͕ͨͬͯ͠ɺҰൠతͳ಺༰ͱ͸ݴ͍೉͍ ஫ҙ

- ʮੈͷதΛม͑Δʯͱʮ͖ͪΜͱӡ༻͢ΔʯΛཱ྆͢Δͨ Ίͷશମ૾Λ೺Ѳ͢Δ - ূ݊ձࣾΛέʔεελσΟͱ͢Δ - ࣌୅എܠͱͱ΋ʹมΘΓͭͭ͋Δઃܭํ਑Λ೺Ѳ͢Δ - BeyondCorpͷ঺հ ࠓ೔ͷΰʔϧʢ࠶ܝʣ

ηΩϡϦςΟཁ݅શମ૾ ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢػີੑʣ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

๏ྩɾج४ɾࢦ਑ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

ઓུ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

ઓུ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

ઓུ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ 43&νʔϜ͕ओʹ୲౰͕ͪ͠

ઓུ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢՄ༻ੑʣ ઓུʢ׬શੑʣ ϓϩμΫτνʔϜ͕ओʹ୲౰͕ͪ͠

ઃܭ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

ઓज़ɾ࣮૷ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢػີੑʣ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

๏ྩɾج४

๏ྩɾج४ ๏ྩɾج४ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

- ๏ྩ: - ٞձ੍͕ఆ͢Δ๏نൣʢ๏཯ʣ + ߦ੓ػ੍͕ؔఆ͢Δ๏نൣʢ໋ྩʣ - ๏త߆ଋྗ͸͋Δ - ج४: - ࠷௿ݶຬͨ͢΂͖ϧʔϧ - ९कΛਪ঑͞ΕΔʮΨΠυϥΠϯʯ΍ʮࢦ਑ʯ΋ؚ·ΕΔ͜ͱ͕͋Δ - ๏త߆ଋྗ͸ͳ͍ʢ͋Δʣ - ͜ΕΛຬͨͯ͠ͳ͍ͱ͖ʹɺى͜Γ͏Δ͜ͱ͸… ๏ྩɾΨΠυϥΠϯͱ͸ IUUQTKBXJLJQFEJBPSHXJLJ๏ྩ

- ਉຽͷ޾෱Λ૿ਐ͢ΔͨΊ - ެڞͷ҆ೡடংΛอ࣋͢ΔͨΊ ๏ྩɾΨΠυϥΠϯͷ໨త IUUQTKBXJLJQFEJBPSHXJLJ๏ྩ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ۀ຿ʹ͓͚Δಛఆݸਓ৘ใͷదਖ਼ͳऔѻ͍ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻ - தখاۀBCPࡦఆӡ༻ํ਑ ূ݊ձࣾʹ͓͚Δ๏ྩɾ๏཯ʢҰ෦ʣ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ۀ຿ʹ͓͚Δಛఆݸਓ৘ใͷదਖ਼ͳऔѻ͍ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻ - தখاۀBCPࡦఆӡ༻ํ਑ ূ݊ձࣾʹ͓͚Δ๏ྩɾ๏཯ʢҰ෦ʣ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ۀ຿ʹ͓͚Δಛఆݸਓ৘ใͷదਖ਼ͳऔѻ͍ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻ - தখاۀBCPࡦఆӡ༻ํ਑ ূ݊ձࣾʹ͓͚Δ๏ྩɾ๏཯ʢҰ෦ʣ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ۀ຿ʹ͓͚Δಛఆݸਓ৘ใͷదਖ਼ͳऔѻ͍ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻ - தখاۀBCPࡦఆӡ༻ํ਑ ূ݊ձࣾʹ͓͚Δ๏ྩɾ๏཯ʢҰ෦ʣ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ۀ຿ʹ͓͚Δಛఆݸਓ৘ใͷదਖ਼ͳऔѻ͍ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻ - தখاۀBCPࡦఆӡ༻ํ਑ ূ݊ձࣾʹ͓͚Δ๏ྩɾ๏཯ʢҰ෦ʣ

९क͞Εͳ͍ͱ…?

ɹߦ੓ॲ෼

ߦ੓ॲ෼ྫ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ʢ಺෦౷੍ʣ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - etc - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻʢࣄۀܧଓʣ - தখاۀBCPࡦఆӡ༻ํ਑ʢࣄۀܧଓʣ - etc ؂ಜࢦ਑Λओ࣠ʹਾ͑ͨ๏ྩରԠ

- ๏ྩɾ๏཯ - ۚ༥঎඼औҾ๏ʢ಺෦౷੍ʣ - ൜ࡑऩӹҠస๷ࢭ๏ - ݸਓ৘ใอޢ๏ - etc - ΨΠυϥΠϯ - ۚ༥঎඼औҾۀऀ౳޲͚ͷ૯߹తͳ؂ಜࢦ਑ - ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ - ϚωʔϩʔϯμϦϯάٴͼςϩࢿۚڙ༩ରࡦʹؔ͢ΔΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ۚ༥ػؔ౳ʹ͓͚ΔίϯςΟϯδΣϯγʔϓϥϯࡦఆͷͨΊͷखҾॻʢࣄۀܧଓʣ - தখاۀBCPࡦఆӡ༻ํ਑ʢࣄۀܧଓʣ - etc ؂ಜࢦ਑Λओ࣠ʹਾ͑ͨ๏ྩରԠ ☓ߦ੓ॲ෼Λ͏͚ͳ͍ͨΊͷରԠ ˓ϢʔβʔͷอޢͱՁ஋ͷఏڙΛܧଓ͢ΔͨΊͷରԠ

ۚ༥঎඼औҾۀऀ౳޲͚ͷ ૯߹తͳ؂ಜࢦ਑

- “ۀ຿ͷ݈શ͔ͭద੾ͳӡӦΛ֬อ” - “༗Ձূ݊ͷൃߦٴͼۚ༥঎඼౳ͷऔҾ౳Λެਖ਼” - “༗Ձূ݊ͷྲྀ௨Λԁ׈ʹ͢Δ” - “ۚ༥঎඼౳ͷެਖ਼ͳՁ֨ܗ੒౳ΛਤΓ” - “ࠃຽܦࡁͷ݈શͳൃలٴͼ౤ࢿऀͷอޢʹࢿ͢Δ͜ͱ” ؂ಜࢦ਑ͷ໨త

- ۚ༥௕ͷݕࠪ෦ہʹΑΔΦϯαΠτݕࠪ - ͦͷใࠂॻͷ݁ՌɺώΞϦϯάɺվળɾରԠࡦͷ࣮ࢪঢ়گɺࢦఠࣄ߲ͷվળঢ়گͳ Ͳ͔Βɺূ݊औҾ౳؂ࢹҕһձΑΓקࠂ to ۚ༥ி؂ࠪ෦ہ - ۚ༥ிઃஔใ20্ୈ߲̍ - ؂ࠪ෦ہ͸ͦͷ಺༰Λݕ౼ͯ͠ߦ੓ॲ෼ͷݕ౼ - ۚ঎๏ୈ56৚ͷ̎ୈ߲̍ - ۚ঎๏ୈ51৚~52৚ͷ̎ - ݕ౼࣌͸ʮຊ؂ಜࢦ਑ʹܝ͛ͨධՁ߲໨౳ʹরΒͯ͠ʯݕ౼͠ɺ಺༰Λܾఆ ߦ੓ॲ෼͸؂ಜࢦ਑ͷධՁ߲໨Λιʔεͱ͢Δ IUUQTXXXGTBHPKQDPNNPOMBXHVJEFLJOZVTIPIJOIUNM IUUQTXXXGTBHPKQDPNNPOMBXHVJEFLJOZVTIPIJOIUNM

ධՁ߲໨ https://www.fsa.go.jp/common/law/guide/kinyushohin/

αΠόʔηΩϡϦςΟͷจ຺Ͱ཈͑Δ΂͖Օॴ https://www.fsa.go.jp/common/law/guide/kinyushohin/

- ސ٬৘ใʹ͍ͭͯɺҎԼͷ९कΛٻΊΒΕ͍ͯΔ - ݸਓ৘ใอޢ๏ - ݸਓ৘ใͷอޢʹؔ͢Δ๏཯ʹ͍ͭͯͷΨΠυϥΠϯ - ۚ༥෼໺ʹ͓͚Δݸਓ৘ใอޢʹؔ͢ΔΨΠυϥΠϯ - ·ͨɺΠϯαΠμʔऔҾ౳ͷෆެਖ਼ͳऔҾ๷ࢭ΋ٻΊΒ Ε͍ͯΔ III-2-4 ސ٬౳ʹؔ͢Δ৘ใ؅ཧ IUUQTXXXGTBHPKQDPNNPOMBXLKIPHPQEG IUUQTXXXGTBHPKQDPNNPOMBXLKIPHPQEG

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

- γεςϜϦεΫʹର͢Δೝࣝ - ద੾ͳϦεΫ؅ཧମ੍ͷ֬ ཱ - γεςϜϦεΫධՁ - ৘ใηΩϡϦςΟ؅ཧ - αΠόʔηΩϡϦςΟ؅ཧ - γεςϜ؂ࠪ - ֎෦ҕୗ؅ཧ - ίϯςΟϯδΣϯγʔϓϥϯ - γεςϜ౷߹ϦεΫ - ো֐ൃੜ࣌ͷରԠ III-2-8 γεςϜϦεΫ؅ཧଶ੎ https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html

ઓུ

ઓུ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

Cybersecurity Framework(CSF) - NIST: ถࠃཱඪ४ٕज़ݚڀॴ - AESͳͲ҉߸ٕज़ͷબఆͱඪ४ԽͳͲ - ॏཁΠϯϑϥΛѻ͏اۀɾ૊৫ͷαΠόʔϦ εΫͷ؅ཧΛࢧԉ͢ΔͨΊͷɺϦεΫϕʔ εɾΞϓϩʔνʹجͮ͘൚༻తͳFW - ̏ཁૉ͔Β੒Γཱͭ - CoreɺTierɺProfile IUUQTOWMQVCTOJTUHPWOJTUQVCT$481/*45$481QEG

ͳͥϦεΫϕʔε͕ॏཁͳͷ͔ ۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ɾղઆॻʢୈ൛ʣ - ”Ϋϥ΢υαʔϏε΍FinTechاۀ౳ͱ࿈ܞͨۚ͠༥ؔ࿈αʔ Ϗεͷར༻͕޿͕ΓΛΈͤΔͳͲɺଟ༷Խ͖͍ͯͯ͠Δ” - “ଟ༷Խ͢ΔʢதུʣγεςϜʹ͓͍ͯ(ैདྷͷج४Ͱ͸)৽ن ։ൃ΁ͷ౤ࢿ͕཈੍͞ΕΔ౳ɺܦӦࢿݯ͕ద੾ʹ഑෼͞Εͳ ͍ͱ͍ͬͨݒ೦͕ੜ͡ɺʢதུʣϦεΫθϩΛ௥ٻ͢Δ͜ͱ ͸ඞͣ͠΋߹ཧతͰ͸ͳ͍”

͜͜ʹςΩετΛೖΕ·͢ɻ ͻͱͭͷεϥΠυʹ಺༰Λ٧Ί͗͢ ͳ͍Α͏ʹ͠·͠ΐ͏ɻ ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕ εϥΠυ࡞ΓͷجຊͰ͢ɻ Core IUUQTOWMQVCTOJTUHPWOJTUQVCT$481/*45$481QEG

͜͜ʹςΩετΛೖΕ·͢ɻ ͻͱͭͷεϥΠυʹ಺༰Λ٧Ί͗͢ ͳ͍Α͏ʹ͠·͠ΐ͏ɻ ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕ εϥΠυ࡞ΓͷجຊͰ͢ɻ Core ͭͷػೳ IUUQTOWMQVCTOJTUHPWOJTUQVCT$481/*45$481QEG

͜͜ʹςΩετΛೖΕ·͢ɻ ͻͱͭͷεϥΠυʹ಺༰Λ٧Ί͗͢ ͳ͍Α͏ʹ͠·͠ΐ͏ɻ ʮ̍ຕͷεϥΠυʹ̍ͭͷҙຯʯ͕ εϥΠυ࡞ΓͷجຊͰ͢ɻ Core ͷΧςΰϦʔ ʢͱαϒΧςΰϦʔʣ IUUQTOWMQVCTOJTUHPWOJTUQVCT$481/*45$481QEG

Core IUUQTOWMQVCTOJTUHPWOJTUQVCT$481/*45$481QEG

Tier

Profile

ઓུ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets - APT͔Βॏཁͳࢿ࢈ͷػີੑɾ׬શੑΛकΔͨΊਪ঑͞ΕΔηΩϡϦςΟରࡦू - ྫ: ϓϥΠόγʔɺ੫ɺۚ༥৘ใɺಛݖͳͲ - ཁ݅ྫ - ΞΫηε੍ޚɺҙࣝ෇͚ɾ܇࿅ɺ؂ࠪɺߏ੒؅ཧɺࣝผͱೝূͳͲͳͲ - Cyber Security Frameworkͱඥ෇͚ΒΕ͍ͯΔ NIST SP 800-171 IUUQTXXXOJTUHPWTJUFTEFGBVMUpMFTEPDVNFOUTDVJPDUDVJ@PWFSWJFXDBTFZQEG

ઃܭ

ઃܭ ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢػີʣ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

BeyondCorp/ZeroTrust

ઓज़

ઓज़ɾ࣮૷ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢػີʣ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

- Cyber Kill Chainʢྫʣ - F35ʢεςϧεઓಆػʣΛ։ൃͨ͠ϩοΩʔυɾϚʔςΟϯʹ ΑΔϑϨʔϜϫʔΫ - ඪతܕ߈ܸʹ͓͚Δ߈ܸͷϑΣʔζΛ෼ྨͨ͠΋ͷ - ఁ࡯ɺ෢ثԽɺσϦόϦʔɺΤΫεϓϩΠτɺΠϯετʔϧɺ C&Cɺ໨తͷ࣮ߦ ڴҖ෼ੳ

- Adversarial Tactics, Techniques, and Common Knowledge - CVEΛ؅ཧ͍ͯ͠ΔMITREࣾͷφϨοδϕʔεͱϑϨʔϜϫʔΫ - ߈ܸऀɾ߈ܸάϧʔϓɺઓज़త໨ඪɺٕज़తͳߦಈɺ߈ܸπʔϧ ΛϦετԽɾϝτϦΫεԽ - ۩ମతͳ๷ޚࡦͷ࣮૷ʹ໾ཱͭ - STIX/TAXIIͰͷΠϯςϦδΣϯεڞ༗ ATT&CK IUUQTBUUBDLNJUSFPSH

Ϣʔβʔاۀʹ͓͚Δ৘ใγες ϜͱηΩϡϦςΟ - ઃܭɾ࣮຿ฤ 2019/08/10 By @ken5scal

Pre 2010: Perimeter Model

1990s: Internetେരൃ

1994: IANAʹΑΔPrivate NetworkϨϯδͷ֬อʢ RFC1597)

ΤϯλʔϓϥΠζͷΠϯλʔωοτࢀՃ 5SVTUFE[POF - ϝʔϧ౳Λ࢖ͬͨ֎෦ͱͷ ίϛϡχέʔγϣϯͷൃੜ - ࣍ͷڥքͷొ৔ - (Un)Trust Zone - Demilitarized Zone 6OUSVUFE[POF %.;

- σΟϨΫτϦαʔϏε - Ϣʔβʔ΍PCϦιʔεͷҰׅ؅ཧ - Ϣʔβʔ΍PCͷઃఆΛۉҰԽ - ೝূͳͲ֤ػೳͰඪ४ٕज़Λ࠾༻ 2000: Active Directory 5SVTUFE 6OUSVUFE %.

ઓུʢ࠶ܝʣ: Active DirectoryͷΧόʔൣғ ۚ༥ܥɹ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ઓུʢػີੑʣ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

1. ΞΫηε੍ޚ 2. ҙࣝ޲্ͱ܇࿅ 3. ؂ࠪͱ੹೚௥ೝੑ 4. ߏ੒؅ཧ 5. ࣝผͱೝূ 6. ΠϯγσϯτରԠ 7. ϝϯςφϯε 8. ϝσΟΞอޢ 9. ਓతηΩϡϦςΟ 10. ෺ཧతอޢ 11. ϦεΫΞηεϝϯτ 12. ηΩϡϦςΟΞηεϝϯτ 13. γεςϜͱ௨৴ͷอޢ 14. γεςϜͱ৘ใͷ׬શੑ SP800-171:ɹຽؒاۀ͕ߨ͡Δ΂͖ηΩϡϦςΟରࡦͷཁ݅

1. ΞΫηε੍ޚ 2. ҙࣝ޲্ͱ܇࿅ 3. ؂ࠪͱ੹೚௥ೝੑ 4. ߏ੒؅ཧ 5. ࣝผͱೝূ 6. ΠϯγσϯτରԠ 7. ϝϯςφϯε 8. ϝσΟΞอޢ 9. ਓతηΩϡϦςΟ 10. ෺ཧతอޢ 11. ϦεΫΞηεϝϯτ 12. ηΩϡϦςΟΞηεϝϯτ 13. γεςϜͱ௨৴ͷอޢ 14. γεςϜͱ৘ใͷ׬શੑ SP800-171: ຽؒاۀ͕ߨ͡Δ΂͖ηΩϡϦςΟରࡦͷཁ݅

- Ϣʔβʔೝূ - Ϣʔβʔ౷੍ - σόΠε౷੍ - ϚεσϓϩΠ - ετϨʔδ - ೝূہ - DNS - DHCP Active Directory͕༗͢Δػೳ

ଞͷκʔϯʢTrustκʔϯʣ %.; ։ൃऀ ਓࣄ ਓࣄ޲͚κʔϯ ։ൃऀ޲͚κʔϯ ౿Έ୆ ਓࣄ%# 5SVTUκʔϯ

Trusted Zone಺Ͱͷۀ຿ ॏཁͳσʔλ 0Oαʔόʔ ॏཁͳσʔλ 0Oαʔόʔ ۀ຿ΞϓϦ ۀ຿ΞϓϦ ۀ຿ΞϓϦ ۀ຿ΞϓϦ 5SVTUFE[POF

function CanWeTrust (zone string) bool { return zone == “true” } γϯϓϧͳੈք

·ͱΊ ڥքϞσϧͱκʔϯͷग़ݱ

Post 2010

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ - 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ - 2010?: iPhoneͷϏδωε্Ͱͷ׆༻ - 2014: ୈ̐ελʔτΞοϓϒʔϜ - 2016: ϦϞʔτϫʔΫͷ޿͕Γ ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ - SalesforceͷϝΨώοτ - 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ - 2010?: iPhoneͷϏδωε্ͷ׆༻ - 2014: ୈ̐ελʔτΞοϓϒʔϜ - 2016: ϦϞʔτϫʔΫͷ޿͕Γ ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ

ݟग़͠ 5IF/FFEMFTTMZ$PNQMFY)JTUPSZPG4BB4 4JNQMJpFEIUUQTXXXQSPDFTTTUIJTUPSZPGTBBT

- Trusted -> Untrustedͷϒϥ ΢βΞΫηεཁ݅૿Ճ - DMZʹϦόʔεϓϩΩγΛ௥ Ճ͢Δ͜ͱͰे෼ରॲՄೳ SaaSͷొ৔ʹΑΔ֎෦઀ଓͷ૿Ճ 5SVTUFE 6OUSVUFE %. Ϧόϓϩ

<ਤղ>Ϗδωεͱ*5ͷؔ܎IUUQTCMPHFWBOHFMJTNKQFOUSZCVTJOFTTJU

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ - 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ - Google Apps For YourDomain ʢݱGSuiteʣͷొ৔ - AWSͷొ৔: αʔϏεఏڙ؀ڥͷPaaSԽ - 2010?: iPhoneͷϏδωε্ͷ׆༻ - 2014: ୈ̐ελʔτΞοϓϒʔϜ - 2016: ϦϞʔτϫʔΫͷ޿͕Γ ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ "84೥ͷาΈdԊֵdIUUQTBXTBNB[PODPNKQBXT@IJTUPSZEFUBJMT 8JLJQFEJBIUUQTFOXJLJQFEJBPSHXJLJ(@4VJUF

- Trustedκʔϯ಺ͷγεςϜ ͕ଓʑͱSaaSԽ ৘ใγεςϜͷSaaSԽʹΑΔมԽ 5SVTUFE 6OUSVUFE %. Ϧόϓϩ

Ͳ͜Ζ͔αʔϏε؀ڥͰ͑͞as a Serviceʹ 5SVTUFE 6OUSVUFE %. Ϧόϓϩ ։ൃऀ޲͚κʔϯ ౿Έ୆

<ਤղ>Ϗδωεͱ*5ͷؔ܎IUUQTCMPHFWBOHFMJTNKQFOUSZCVTJOFTTJU

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ - 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ - 2010?: iPhoneͷϏδωε্ͷ׆༻ - ۀ຿ͰͷεϚϗ׆༻ࣄྫ૿Ճ - 2014: ୈ̐ελʔτΞοϓϒʔϜ - 2016: ϦϞʔτϫʔΫͷ޿͕Γ ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ - 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ - 2010?: iPhoneͷϏδωε্ͷ׆༻ - 2014: ୈ̐ελʔτΞοϓϒʔϜ - ن੍࢈ۀʹ͓͚ΔελʔτΞοϓͷ૿Ճʢྫ: Fintechʣ - 2016: ϦϞʔτϫʔΫͷ޿͕Γ ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ վળ͢ΔΘ͕ࠃͷελʔτΞοϓࣄۀ؀ڥIUUQTXXXKSJDPKQ.FEJB-JCSBSZpMFSFQPSUKSJSFWJFXQEGQEG

վળ͢ΔΘ͕ࠃͷελʔτΞοϓࣄۀ؀ڥIUUQTXXXKSJDPKQ.FEJB-JCSBSZpMFSFQPSUKSJSFWJFXQEGQEG w ن੍࢈ۀʹ଍Λ౿ΈೖΕΔϕϯνϟʔͷ૿Ճ w lେखاۀͷΦʔϓϯΠϊϕʔγϣϯ௥ٻͱελʔτΞοϓ࿈ܞz

վળ͢ΔΘ͕ࠃͷελʔτΞοϓࣄۀ؀ڥIUUQTXXXKSJDPKQ.FEJB-JCSBSZpMFSFQPSUKSJSFWJFXQEGQEG

- ~2005: ސ٬؅ཧͱ͍ͬͨಛఆͷػೳʹಛԽͨ͠SaaSͷ૿Ճ - 2006: ΑΓίΞͳγεςϜͷΫϥ΢υԽ - 2010?: iPhoneͷϏδωε্ͷ׆༻ - 2014: ୈ̐ελʔτΞοϓϒʔϜ - 2016: ϦϞʔτϫʔΫͷ޿͕Γ ΤϯλʔϓϥΠζʹ͓͚Δ؀ڥมԽ վળ͢ΔΘ͕ࠃͷελʔτΞοϓࣄۀ؀ڥIUUQTXXXKSJDPKQ.FEJB-JCSBSZpMFSFQPSUKSJSFWJFXQEGQEG

IUUQTSFDSVJUIPMEJOHTDPKQOFXT@EBUBSFMFBTF@IUNM

<ਤղ>Ϗδωεͱ*5ͷؔ܎IUUQTCMPHFWBOHFMJTNKQFOUSZCVTJOFTTJU

ॏཁͳσʔλ 0Oαʔόʔ ࣾձ৘੎΍αʔϏεͷมԽʹ൐͏ۀ຿σʔλͷ෼ࢄͱܦ࿏ͷଟ༷Խ ॏཁͳσʔλ 0Oαʔόʔ ϙϦγʔɾϧʔϧͷఠཁ ॏ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ

ॏཁͳσʔλ 0Oαʔόʔ ࣾձ৘੎΍αʔϏεͷมԽʹ൐͏ۀ຿σʔλͷ෼ࢄͱܦ࿏ͷଟ༷Խ ॏཁͳσʔλ 0Oαʔόʔ ϙϦγʔɾϧʔϧͷఠཁ ॏ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿ ΞϓϦ ۀ຿ ΞϓϦ

ॏཁͳσʔλ 0Oαʔόʔ ࣾձ৘੎΍αʔϏεͷมԽʹ൐͏ۀ຿σʔλͷ෼ࢄͱܦ࿏ͷଟ༷Խ ॏཁͳσʔλ 0Oαʔόʔ ϙϦγʔɾϧʔϧͷఠཁ ॏ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ॏཁͳ σʔλ ॏཁͳ σʔλ جװ σʔλ جװ σʔλ ۀ຿ ΞϓϦ ۀ຿ ΞϓϦ

ॏཁͳσʔλ 0Oαʔόʔ ࣾձ৘੎΍αʔϏεͷมԽʹ൐͏ۀ຿σʔλͷ෼ࢄͱܦ࿏ͷଟ༷Խ ॏཁͳσʔλ 0Oαʔόʔ ϙϦγʔɾϧʔϧͷఠཁ ॏ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ॏཁͳ σʔλ ॏཁͳ σʔλ جװ σʔλ جװ σʔλ ۀ຿ ΞϓϦ ۀ຿ ΞϓϦ

ॏཁͳσʔλ 0Oαʔόʔ ࣾձ৘੎΍αʔϏεͷมԽʹ൐͏ۀ຿σʔλͷ෼ࢄͱܦ࿏ͷଟ༷Խ ॏཁͳσʔλ 0Oαʔόʔ ϙϦγʔɾϧʔϧͷఠཁ ॏ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ۀ຿Ξ ϓϦ ॏཁͳ σʔλ ॏཁͳ σʔλ ॏཁͳ σʔλ ॏཁͳ σʔλ ۀ຿ ΞϓϦ ۀ຿ ΞϓϦ جװ σʔλ جװ σʔλ

৴པʢTrustʣ͢ΔڥքͷมԽ

ڥքͷมԽͱ ڴҖɾΠϯγσϯτ

ඪతܕ߈ܸʢڴҖʣ - ಛఆͷ૊৫಺ͷ৘ใΛૂͬͯ ߦΘΕΔαΠόʔ߈ܸ(2009~) - ࠃ಺ࣄྫ - 2011: ࡾඛॏ޻ - 2015: ೔ຊ೥ۚػߏ - 2018: CoinCheckʁ 5IF$ZCFS,JMM$IBJOIUUQTXXXMPDLIFFENBSUJODPNFOVTDBQBCJMJUJFTDZCFSDZCFSLJMMDIBJOIUNM

αϓϥΠνΣʔϯ - ੡඼ʹର͢Δෆਖ਼ϓϩάϥϜͷຒΊࠐΈɺϋʔυ΢ΣΞͷෆਖ਼վ଄ ͳͲʹΑͬͯੜ͡Δ৘ใηΩϡϦςΟ্ͷϦεΫ - ࣄྫ - NPMͷਓؾϥΠϒϥϦ΁ͷѱੑίʔυ஫ೖ - GEMͷ” strong_password”΁ͷѱੑίʔυ஫ೖ - ϑΝΠϧγΣΞ֦ுػೳͷ৐ͬऔΓ - 7Pay͕ґଘ͢Δomni7ʹ͓͚Δ੬ऑੑ - ถࠃͷϑΝʔ΢ΣΠ੡඼ഉআ IUUQTXXXTFDVSJUZXFFLDPNNBMJDJPVTDPEFQMBOUFETUSPOHQBTTXPSESVCZHFN IUUQTXXXXJSFEDPNTUPSZHPPHMFDISPNFFYUFOTJPOTTFDVSJUZDIBOHFT

಺෦൜ߦ - ૊৫಺ͷϝϯόʔʹΑΔѱҙ͋Δߦಈ - ࠃ಺ࣄྫ - 2014: ϕωοηͷάϧʔϓاۀ಺ͷ೿ݣࣾһʹΑ Δݸਓ৘ใ࿙Ӯʢ͋ΔҙຯαϓϥΠνΣʔϯͰ΋ ͋Δʣ

ڞ௨఺

Trustκʔϯͷ৴པੑͷ௿Լ - ඪతܕ߈ܸ - Drive by Download΍ਫҿΈ৔߈ܸ - ExploitޙͷC2CʹΑΔ৘ใऩूɾԣஅత৵֐ - αϓϥΠνΣʔϯϦεΫ - ґଘઌͷOSSʹ͓͚Δ੬ऑੑ - ಺෦൜ߦ - ૊৫಺ͷ൜ߦ

ωοτϫʔΫڥքΛࠜڌʹͨ͠Trustͷݶք - σʔλɾਓɾఏܞઌ͕ඞͣ͠΋Trustڥքʹ͍ͳ ͍ - TrustڥքʹUntrustfulͳཁૉ͕૿͑ͨ

BeyondCorp Zero Trust Network

- ωοτϫʔΫͷڥքʹԠͨ͡৴པྖҬͷ֓೦Λഉআ - ϢʔβʔɾσόΠεΛ΋ͱʹೝূ͢Δ - ͦΕΒ΁ͷೝՄʢΞΫηε੍ޚʣ͸ϙϦγʔʹ΋ͱ ͖ͮಈతʹܾఆ͢Δ - ͲͪΒ͔ͱ͍͏ͱɺαʔϏε؀ڥ޲͚ Zero Trust Networkͱ͸ IUUQTDMPVEHPPHMFDPNCFZPOEDPSQ

- ैۀһ͕ʮ৴པͰ͖ͳ͍ωοτϫʔΫʯΛ௨ͯ͡ ಇ͚ΔΑ͏ʹ͢ΔGoogleࣾ಺ͷΞϓϩʔν BeyondCorpͱ͸ IUUQTDMPVEHPPHMFDPNCFZPOEDPSQ

https://www.youtube.com/watch?v=SSUUg38lFg0 IUUQTXXXZPVUVCFDPNXBUDI W4466HM'HUT IUUQTUDP&X+W$3(,[9 BNQ Zero Trust/Beyond CorpͷϦιʔε ࿦จͱͯ͋͠Δͷ͕ #FZPOE$PSQ ;FSP5SVTUͷ࿦จ͋ͬͨΒ͢Έ·ͤΜ

Ҏ߱ɺBeyondCorpΛϕʔεʹ͠·͢

- ͢΂ͯΛUntrusted Zone͔ΒͷΞΫηεͱԾఆ͢Δ - ΞΫηεݩͷϢʔβʔɾσόΠεΛೝূ͢Δ - ΞΫηεݩΛσʔλʹԠͯ͡ΞΫηεՄ൱൑அ͢ Δ - “Never Trust, Always Verify” Basic Principals

function CanWeTrust ( device, user interface, zone string) int { // return value from 0~1 return someAlgorithm(device, user, zone) } function AuthorizationDecision( device, user interface, score int) bool{ return AllowOrDisAllow(device, user, zone) } ෳ਺ͷม਺͔Β৴པ͕ܭࢉ͞ΕΔੈք

IUUQTBJHPPHMFSFTFBSDIQVCTQVCQEG

- Ϣʔβʔͷಛఆ - σόΠεͷಛఆ - ΞΫηεϓϩΩγ - ΞΫηε੍ޚΤϯδϯʢϙϦγʔΤϯδϯʣ - Trust Inferenceʢ৴པείΞࢉग़Τϯδϯʣ ඞཁͳίϯϙʔωϯτ

Ϣʔβʔͷಛఆ ʢIdentification)

No content

- ͦͷϢʔβʔ͸ຊ౰ʹਖ਼͍͠Ϣʔβʔͳͷ͔ - ඞཁͳίϯϙʔωϯτ - ϢʔβʔɾάϧʔϓDB - Ϣʔβʔೝূ Ϣʔβʔͷಛఆ

- ຊਓ֬ೝ - ΦϯϥΠϯ্ʹ͋ΔϦιʔε΁ͷΞΫηεΛཁ ٻ͢Δਃ੥ऀͷొ࿥ͱ਎ݩ֬ೝ - ೝূ - ೝূ৘ใͷ࿈ܞ ϢʔβʔΛηΩϡΞʹೝূ͢Δϓϩηε IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPJOEFYKBIUNM

- ຊਓ֬ೝ - ೝূ - ొ࿥ޙͷϦιʔε΁ͷΞΫηεΛཁٻ͢Δਃ੥ ऀͷΞΠσϯςΟςΟͷ͔֬͞Λূ໌͢Δ - ೝূ৘ใͷ࿈ܞ ϢʔβʔΛηΩϡΞʹೝূ͢Δϓϩηε IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPJOEFYKBIUNM

- ຊਓ֬ೝ - ೝূ - ೝূ৘ใͷ࿈ܞ - ೝূ࣌ͷ৘ใΛଞΞϓϦ΍γεςϜͱ࿈ܞ͢Δ ϢʔβʔΛηΩϡΞʹೝূ͢Δϓϩηε IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPJOEFYKBIUNM

- ຊਓ֬ೝ - ೝূ - ೝূ৘ใͷ࿈ܞ ϢʔβʔΛηΩϡΞʹೝূ͢Δϓϩηε

ϢʔβʔɾάϧʔϓDB

No content

ਓࣄ%#

ϢʔβʔɾάϧʔϓDBͷ֓ཁ - σΟϨΫτϦ - ΦϒδΣΫτͷҰݩ؅ཧ͢ΔϢʔβʔɾάϧʔϓDB - ωοτϫʔΫʹ઀ଓͨ͠αʔόʔͳͲͷࢿݯʢϦιʔεʣͷॴࡏɾ ଐੑɾઃఆͳͲͷ৘ใΛޮ཰తʹऩू͠ɺه࿥ɾ؅ཧ͢ΔαʔϏε - ར఺ - ಡΈऔΓ͕ߴ଎ - ෼ࢄܕͷ৘ใ֨ೲϞσϧ - ߴ౓ͳݕࡧػೳΛ࣋ͭ

ϢʔβʔɾάϧʔϓDBؔ܎ͷϓϩτίϧ - LDAP - SCIM

LDAP - Lightweight Directory Access Protocol - σΟϨΫτϦαʔϏεʹΞΫηε͢Δϓϩτίϧ - ػೳ - ݕࡧ: ldapsearch, ߋ৽: ldapmodify, ௥Ճ: ldapadd - Active Directory͕༗໊͕ͩɺ࠷ۙ͸GSuite΋࣮૷ͨ͠ - ঎༻Ͱ΋OSSͰ΋࢖ΘΕ๛෋ͳ࣮੷͕͋Δ - Ϋϥ΢υɾWebΞϓϦͰ͸ϝδϟʔΑΓͷϚΠφʔ

LDAP $ - * & / 5 4 & 3 7 & 3 IUUQTISPVIBOJPSHMEBQTFSWFSPQFOMEBQDFOUPT

LDAPྫ: ݕࡧ $ - * & / 5 4 & 3 7 & 3 CJOE DODMJFOU PVTFSWFST EDFYBNQMF EDDPNF 1BTTXPSE\QBTTXPSE^ SFTVMUTVDDFTT TFBSDIPCKFDUDMBTT BMM-%"10CKFDU ˈldapsearch -D “cn=admin” -w {password} -b “dc=example,dc=com” "(objectclass=*)"

LDAPྫ: ݕࡧ $ - * & / 5 4 & 3 7 & 3 CJOE DODMJFOU PVTFSWFST EDFYBNQMF EDDPNF 1BTTXPSE\QBTTXPSE^ SFTVMUTVDDFTT TFBSDIPCKFDUDMBTT BMM-%"10CKFDU ˈldapsearch -D “cn=admin” -w {password} -b “dc=example,dc=com” "(objectclass=*)"

LDAPྫ: ݕࡧ $ - * & / 5 4 & 3 7 & 3 CJOE DODMJFOU PVTFSWFST EDFYBNQMF EDDPNF 1BTTXPSE\QBTTXPSE^ SFTVMUTVDDFTT TFBSDIPCKFDUDMBTT BMM-%"10CKFDU ˈldapsearch -D “cn=admin” -w {password} -b “dc=example,dc=com” "(objectclass=*)"

SCIMɹʢ͖͢Ήʣ - System for Cross-domain Identity Management - “Ϋϥ΢υϕʔεͷΞϓϦέʔγϣϯ͓ΑͼαʔϏεʹ͓͚Δ ϢʔβʔIDͷ؅ཧΛ༰қʹ͢ΔΑ͏ʹઃܭ” - Ұݩ؅ཧ͞ΕͨσΟϨΫτϦ͔Βɺར༻͢ΔαʔϏε΁ͷϓϩ Ϗδϣχϯά - JSON/XMLܗࣜ - REST APIʹΑΔϞσϧૢ࡞ - LDAPΑΓϚΠφʔ IUUQXXXTJNQMFDMPVEJOGP

IUUQXXXTJNQMFDMPVEJOGP SCIMϞσϧ

{ "schemas": ["urn:ietf:params:scim:schemas:core: 2.0:User"], "id":"2819c223-7f76-453a-919d-413861904646", "externalId":"bjensen", "meta":{ "resourceType": "User", "created":"2011-08-01T18:29:49.793Z", "lastModified":"2011-08-01T18:29:49.793Z", "location":"https://example.com/v2/Users/ 2819c223...", "version":"W\/\"f250dd84f0671c3\"" }, "name":{ "formatted": "Ms. Barbara J Jensen, III", "familyName": "Jensen", "givenName": "Barbara", "middleName": "Jane", "honorificPrefix": "Ms.", "honorificSuffix": "III" }, "userName":"bjensen", "phoneNumbers":[ { "value":"555-555-8377", "type":"work" } ], "emails":[ { "value":"[email protected]", "type":"work", "primary": true } ] } IUUQXXXTJNQMFDMPVEJOGP

SCIM Protocols - ࡞੒ɿ POST /{version}/{resource} - ಡऔɿ GET /{v}/{resource}/{id} - ஔ׵ɿ PUT /{v}/{resource}/{id} - ࡟আɿ DELETE /{v}/{resource}/{id} - ෦෼ஔ׵ɿ PATCH /{v}/{resource}/{id} - ݕࡧ: GET /{v}/{resource}?ϑΟϧλʔ= {ଐੑ} {ΦϖϨʔλ} {஋}ˍ SORTBY = {attributeName}ˍsortOrder={ঢॱ|߱ॱ} - Ұׅ࡞੒ɿ POST /{v}/Bulk IUUQXXXTJNQMFDMPVEJOGP

Ϣʔβʔೝূ

No content

Ϣʔβʔೝূ - 2ஈ֊ೝূͱSingle Sign On͕େલఏ - ೝূ͕௨ͬͨ৔߹ɺ୹࣌ؒͷτʔΫϯΛൃߦ͢Δ - τʔΫϯͷதʹ͸ೝՄϓϩηεʹඞཁͳ৘ใؚ͕ ·Ε͍ͯΔ͜ͱ͕ଟ͍

ೝূͱγϯάϧɾαΠϯΦϯͷҧ͍ - ೝূ - ϢʔβͷΞΠσϯςΟςΟ͕͔֬ͳ΋ͷͰ͋Δ͜ͱΛΫϨ σϯγϟϧΛఏࣔͯ͠ূ໌͢Δϓϩηε - ୅දతͳϓϩτίϧ: FIDO (WebAuthn + CTAP) - Single Sign On - γεςϜΛލ͍ͰΞΠσϯςΟςΟ΍ೝূ৘ใΛ఻ൖ͢Δ ͨΊͷϓϩηε - ୅දతͳϓϩτίϧ: Kerberos, SAML, OIDC IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPTQCKBIUNMTFD

ೝূ

- γεςϜϦιʔε΁ͷΞΫηεΛਃ੥͢ΔϢʔ βʔɾϓϩηεɾσόΠεͱ͍ͬͨΤϯςΟςΟ ͷΞΠσϯςΟςΟΛཱূʢVerifyʣ - ௨ৗɺΫϨσϯγϟϧͷఏࣔΛ൐͏ ೝূͱ͸ IUUQTQBHFTOJTUHPWTQIUNM

- 1961: ύεϫʔυͷొ৔ at MIT - 1983: ICΧʔυϚΠίϯ - ????: ΫϨδοτΧʔυ with ICνοϓ - 2000~: - SMS΍ϝʔϧʹΑΔ௥Ճೝূίʔυͷૹ৴ - TOTPΛ࢖ͬͨ௥Ճೝূ - εϚʔτΧʔυΛ࢖ͬͨActive Directoryೝূ - ੜମೝূΛ࢖ͬͨ௥Ճೝূ - Yubicoࣾઃཱ - 2018: - FIDO2 ೝূํࣜͷભҠ IUUQTFOXJLJQFEJBPSHXJLJ1BTTXPSE

8FC"VUIO CFDPNFT XDQSPQPTFE SFDDFPNFOEBUJPO HNTpEPpEP 'FC 'FC +BO 8FC"VUIO CFDPNFT XDQSPQPTFE SFDDFPNFOEBUJPO .BSDI .BZ 8FC"VUIO XDDBOEJEBUF SFDDFPNFOEBUJPO 8FC"VUIO XDQSPQPTFE SFDDFPNFOEBUJPO +VOF .BS 8FC"VUI XD TUBOEBSJ[FE

"VUIFOUJDBUPS $MJFOU 3FMZJOH 1BSUZ 3FMZJOH 1BSUZ $SFEFOUJBM,FZ ,FZ1BJS ,FZ1BJS $SFEFOUJBM ,FZ1BJS FIDO

Platform 5&& 51.

SSOʢϑΣσϨʔγϣϯʣ ೝূ৘ใͷ࿈ܞ

- SSO - 1౓ͷೝূͰෳ਺ͷγεςϜ͕ར༻ՄೳʹͳΔ͜ͱ - Kerberosೝূɺσδλϧॺ໊ೝূ - ϑΣσϨʔγϣϯ - ωοτϫʔΫυϝΠϯΛ·͍ͨͰೝূ৘ใΛ࿈ܞ͢Δ͜ͱ - SAML, OIDC SSOɾϑΣσϨʔγϣϯͱ͸

xxxx-xxxx xxxx-xxxx/AttributeValue> Kengo Suzuki https://sts.windows.net/xxxx-xxxx/ AttributeValue> http://schemas.microsoft.com/ws/2008/06/ identity/authenticationmethod/password http://schemas.microsoft.com/claims/ multipleauthn arn:aws:iam::1111:role/xxx-role,arn:aws:iam:: 1111:saml-provider/Azure arn:aws:iam::1111:role/xxx-role,arn:aws:iam:: 1111:saml-provider/Azure 3 Suzuki [email protected] [email protected] [email protected] arn:aws:iam::xxxxxxxx:role/xxx- role,arn:aws:iam::1111:saml-provider/Azure AttributeValue> arn:aws:iam::xxxx:role/ yyy-role,arn:aws:iam::1111:saml-provider/ Azure 14400 ৬ೳ৘ใͷ࿈ܞ ྫϑϩϯτΤϯυ 4".- "TTFSUJPO

{ "ver": "2.0", "iss": “https://login.microsoftonline.com/ xxxxxx-xxxxx-xxxxx-xxxx/v2.0", "sub": "Axxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "aud": "xxxxxx-xxxxx-xxxxx-xxxx", "exp": 1536361411, "iat": 1536274711, "nbf": 1536274711, "name": “Kengo Suzuki", "preferred_username": “[email protected]“, "oid": "xxxxxx-xxxxx-xxxxx-xxxx", "tid": "xxxxxx-xxxxx-xxxxx-xxxx", "nonce": "111111", "aio": “!eGbIDakyp5mnOrcdqHeYSnltepQmRp6AIZ8jY” “roles": "frontend", } ৬ೳ৘ใͷ࿈ܞ ྫϑϩϯτΤϯυ 0*%$ *%5PLFO

BeyondCorpʹ͓͚ΔʮϢʔ βʔͷೝূʯͷཁ݅Λຬͨ͢ ੡඼ = IDaaS IUUQTXXXQJOHJEFOUJUZDPNFOSFTPVSDFTDMJFOUMJCSBSZBSUJDMFTJEFOUJUZBTBTFSWJDFJEBBTIUNM

AzureAD: σΟϨΫτϦ (LDAPϢʔβʔ૬౰) IUUQTXXXQJOHJEFOUJUZDPNFOSFTPVSDFTDMJFOUMJCSBSZBSUJDMFTJEFOUJUZBTBTFSWJDFJEBBTIUNM

AzureAD: σΟϨΫτϦ (LDAPάϧʔϓ૬౰) IUUQTXXXQJOHJEFOUJUZDPNFOSFTPVSDFTDMJFOUMJCSBSZBSUJDMFTJEFOUJUZBTBTFSWJDFJEBBTIUNM

AzureAD: ϓϩϏδϣχϯά(SCIM) IUUQTXXXQJOHJEFOUJUZDPNFOSFTPVSDFTDMJFOUMJCSBSZBSUJDMFTJEFOUJUZBTBTFSWJDFJEBBTIUNM

AzureAD: Ϣʔβʔೝূ(MFA)ͱೝূ৘ใ࿈ܞ

- ೝূΛ௨ͯ͠ϢʔβʔΛಛఆ͠ͳ͚Ε͹ͳΒͳ͍ - Ϣʔβʔʹඥͮ͘࿦ཧతͳΦϒδΣΫτ͕ඞཁ - ΦϒδΣΫτΛҰݩ؅ཧ͢ΔDB = σΟϨΫτϦ - ΦϒδΣΫτΛଞαʔϏεʹ఻ൖ͢Δ͜ͱ = ϓϩϏδϣχϯά - Ϣʔβʔͷೝূ৘ใΛ࿈ܞ͢Δ͜ͱ = SSOɾϑΣσϨʔγϣϯ Ϣʔβʔͷಛఆɹ·ͱΊ

σόΠεͷಛఆ (Identification)

No content

- ਓ͕ਖ਼౰Ͱ΋ɺײછͨ͠୺຤ʹΑΓ߈ܸऀͷҙਤ͕ୡ੒ ͞Εͯ͠·͏ࣄྫ͸زͭ΋͋Δ - ΑͬͯɺσόΠεͷਖ਼౰ੑΛ֬อ͠ͳ͚Ε͹ͳΒͳ͍ - ඞཁͳίϯϙʔωϯτ - σόΠεDBʢΠϯϕϯτϦʣ - σόΠεೝূ σόΠεͷಛఆ

σόΠεDB ʢΠϯϕϯτϦʣ

σόΠεDBʢΠϯϕϯτϦʣͷ֓ཁ - σόΠεͷଐੑΛอ࣋͢ΔΦϒδΣΫτΛ؅ཧ͢ΔDB - ҎԼͷ؅ཧػೳΛ࣋ͭ΂͖ - ௐୡͨ͠σόΠεͷొ࿥ - σόΠεͷߏ੒؅ཧʢؚΉมߋͱσϓϩΠʣ - ߏ੒৘ใͷϦΞϧλΠϜදࣔ - ۀ຿ར༻͍ͯ͠ΔσόΠεछผͷαϙʔτ - Windows, MacOS, iOS, Android, Linux…

- ௐୡ͔ΒΠϯϕϯτϦొ࿥·Ͱͷஈ֊͸୹͍΄͏ ͕ϕλʔ - ࠷ۙ͸ࣗಈొ࿥Մೳ ΠϯϕϯτϦొ࿥

ݟग़͠ IUUQTXXXKBNGDPNCMPHBQQMFEFWJDFFOSPMMNFOUQSPHSBNBQQMFJUJOOPWBUJPO ΠϯϕϯτϦొ࿥(Mac/iOS)

ΠϯϕϯτϦొ࿥(Windows) IUUQTNZJHOJUFUFDIDPNNVOJUZNJDSPTPGUDPNTFTTJPOT

σόΠεͷߏ੒؅ཧ - ج४ɾϙϦγʔʹैͬͯߏ੒ - ۀ຿ར༻ΞϓϦ/CAͷΠϯετʔϧ - ݹ͍ΞϓϦͷར༻ - OSɾΞϓϦͷ࠷৽Խ - σΟεΫ҉߸Խ - ϩʔΧϧAdminͷύεϫʔυมߋ - ऑ͍ύεϫʔυͷېࢭ - ฆࣦ୺຤ͷϩοΫɾॳظԽ - ߏ੒ঢ়گ΍୺຤ͷϝτϦΫεΛχΞɾϦΞϧλΠϜͰ ऩू - ࣾ಺NWʹݶఆ͞Εͣܧଓతʹద༻ ॏ ॏཁͳ σʔλ ॏཁͳ σʔλ ॏཁͳ σʔλ ॏཁͳ σʔλ

- ͜ΕΒͷཁ݅Λຬͨ͢঎༻੡඼͸·ͩͳ͍ʢڪΒ͘ʣ - ϢʔβʔϞσϧΛఆٛ͢ΔSCIMεΩʔϚͷΑ͏ͳඪ४΋ະ ొ৔ - Google͸ࣗࣾͰϝλσόΠεΠϯϕϯτϦΛߏங - 15ͷҟͳΔσʔλιʔε - 300ສ/೔݅ɺྦྷܭ80ςϥόΠτͷσʔλΛऩू - ֤OS͝ͱͷઐ໳νʔϜ σόΠεΠϯϕϯτϦͷݱ࣮

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ୺຤ΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w ࢿ࢈؅ཧ w ʮࢿ࢈ʯͱͯ͠ͷσόΠε%# w ϋʔυ΢ΣΞ΍ͦͷதͰಈ͘ιϑτ΢ΣΞ΍ϥΠηϯε΋؅ཧ w ͦΕΒʹՃ͑ͯϥΠϑαΠΫϧ΋؅ཧ w ૯຿ɾܦཧ͕؅ཧͯ͠Δ͜ͱ΋͋Δ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w σΟϨΫτϦɾαʔϏε w Ϣʔβʔɾάϧʔϓ%#ͱಉ͡ w 8JOEPXTΛར༻͍ͯ͠ΔاۀͰ͸ɺ"DUJWF%JSFDUPSZ͕ط ʹ͋ΔͷͰɺ͔ͦ͜ΒσʔλΛΠϯϙʔτ͢Δ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w ωοτϫʔΫػث w %)$1΍"31ςʔϒϧͷ࿈ܞ w ωοτϫʔΫػث͸ελϯυΞϩϯͳঢ়ଶͰଘࡏ͢Δ͜ͱ͕ ଟ͍

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w ੬ऑੑεΩϟφ w /FTVT΍/NBQͳͲΛఆظతʹ࣮ࢪͯ͠ɺ੬ऑੑ͕ͳ͍͔ νΣοΫ w ͦͷ݁Ռͷ࿈ܞ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w $" w ୺຤ʹຒΊࠐ·Εͨূ໌ॻͷτϥετΞ ϯΧʔ w ূ໌ॻ͕ਖ਼౰͔ͳͲΛ࿈ܞ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w ߏ੒؅ཧαʔϏε w σόΠεͷߏ੒ঢ়گΛ࿈ܞ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w ύον؅ཧαʔϏε w 04΍Πϯετʔϧ͞ΕͨΫϥΠΞϯτΞ ϓϦͷύον؅ཧ w ద༻ঢ়گͳͲͷ࿈ܞ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ୺຤ΠϯϕϯτϦͷσʔλιʔε #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF w ʢϝλʣΠϯϕϯτϦαʔϏε w ͜ΕΒͷσʔλΛऔΓࠐΈɺؔ࿈෇͚ͨ ୯ҰͷΠϯϕϯτϦ

σόΠεೝূ

- RFC5280 - ެ։伴ূ໌ॻͷϑΥʔϚοτΛఆٛ - CRLͷఆٛ - ূ໌ॻνΣʔϯͷݕূํ๏Λఆٛ - ൿີ伴ͷ৴པੑΛূ໌Ͱ͖ΔͨΊɺσόΠεೝূͱͯ͠ར༻ X.509

ͦͷൿີ伴͸ϢχʔΫ͔

ෆਖ਼ʹૠೖ͞Εͨ伴ϖΞ Ͱͳ͍͔ 伴ϖΞΛॻ͖׵͑ΒΕͯ ͍ͳ͍͔

Attestation "UUFTUBUJPO,FZTͷ ϖΞ࡞੒ ᶅ4IJQ ޻৔ग़ՙ࣌ʹ 伴ϖΞΛ51.ʹຒΊ ࠐΉ ൿີ伴ͷੜ੒ɾ؅ ཧ͸51.5&& ಺ͷΈ 51.5&& ੜ੒͞Εͨൿີ伴 ʹඥͮ͘ূ໌ॻ͸ ֎ग़Մೳ

51.ͷެ։伴 Ͱݕূ 51.5&&

Windows TPM IUUQTEPDTNJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZJOGPSNBUJPOQSPUFDUJPOUQNIPXXJOEPXTVTFTUIFUQN

ݟग़͠ PS C:\> Get-TpmEndorsementKeyInfo -Hash "Sha256" IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : 70769c52b6e24ef683693c2a0208da68d77e94192e1f4080ae 7c9b97c6caa681 ManufacturerCertificates : {[Subject] OID.2.23.133.2.3=1.2, OID.2.23.133.2.2=C4T8SOX3.5, OID.2.23.133.2.1=id:782F345A [Issuer] CN=Contoso TPM CA1, OU=Contoso Certification Authority, O=Contoso, C=KR [Serial Number] 77A120A [Not Before] 6/4/2012 6:35:58 PM [Not After] 6/4/2022 6:35:57 PM [Thumbprint] 77378D1480AB48FEA2D4E610B2C7EEF648FEA2 } AdditionalCertificates : {} IUUQTHJUIVCDPN.JDSPTPGU%PDTXJOEPXTQPXFSTIFMMEPDTCMPCNBTUFSEPDTFUXJOEPXTUSVTUFEQMBUGPSNN

BeyondCorpʹ͓͚ΔσόΠ εɾΞΠσϯςΟςΟΛຬͨ ͢੡඼ɾαʔϏε

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ σόΠεͷΤʔδΣϯτʢUEMʣ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ macOS, iOSฤ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ূ໌ॻΠϯετʔϧ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF $FOTPSFE

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ߏ੒؅ཧʢྫ: ϩʔΧϧAdminͷύεϫʔυ೔࣍มߋʣ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF $FOTPSFE

##################################################################################### ############### # Decode API user Password apiPass="$( decryptString "$apiEncryptedPass" "$saltAPI" "$passAPI" )" if [ -z "$apiPass" ]; then scriptLogging "Failed to decrypt API user's password" 2 exit 1 fi ##################################################################################### ############### # Retrieve LAPS user password from Extent Attribute previousEncryptedPassword="$( retrievePassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" )" if [ -n "$previousEncryptedPassword" ]; then scriptLogging "Retrieved previous password is $previousEncryptedPassword (encrypted)." retrievedPassword="$( decryptString "$previousEncryptedPassword" "$laSalt" "$laPass" )" else scriptLogging "Could not get previous password. Try initial password for $ {laUserName}." scriptLogging "Try to use initial password for ${laUserName}: $initialEncryptedPassForLadminUser (encrypted)." retrievedPassword="$( decryptString "$initialEncryptedPassForLadminUser" "$initLaSalt" "$initLaPass" )" fi if [ -z "$retrievedPassword" ]; then scriptLogging "Failed to decrypt previous password of $laUserName" 2 exit 1 fi ##################################################################################### ############### # Check current password with Retrieved password /usr/bin/dscl /Local/Default -authonly "$laUserName" "$retrievedPassword" 2> /dev/ null returnCode=$? if [ "$returnCode" -eq 0 ]; then scriptLogging "Current password has match with Retrieved password." else scriptLogging "Retrieved password for $laUserName is not match current password. dserr: $returnCode" 2 exit $returnCode fi ##################################################################################### ############### # Change password with new one. newpassword="$( /usr/bin/openssl rand -base64 48 | /usr/bin/tr -d OoIi1lLS | /usr/ bin/head -c 12 )" changePassword "$laUserName" "$retrievedPassword" "$newpassword" ##################################################################################### ############### # Encrypt New Password encryptedPassword="$( echo "$newpassword" | /usr/bin/openssl enc -aes256 -a -A -S "$laSalt" -k "$laPass" )" if [ -n "$encryptedPassword" ]; then # If you want to log new password, remove ':' at start of next line. : scriptLogging "New password: $encryptedPassword (Encrypted)" else scriptLogging "Failed to encrypt new password. Why?" 2 scriptLogging "Roll back with previous one." changePassword "$laUserName" "$newpassword" "$retrievedPassword" exit 1 fi ##################################################################################### ############### # Update Extent Attribute with New Password uploadPassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" "$encryptedPassword" returnCode=$? if [ "$returnCode" -ne 0 ]; then scriptLogging "Failed to upload." 2 scriptLogging "Roll back with previous one." changePassword "$laUserName" "$newpassword" "$retrievedPassword" exit 1 fi try="$( retrievePassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" )" if [ "$try" = "$encryptedPassword" ]; then scriptLogging "Retrieve test passed." scriptLogging "Done." exit 0 else scriptLogging "Retrieve test failed. Get unexpected string." 2 scriptLogging "Retrieved String: $try" 2 scriptLogging "Expected String: $encryptedPassword" 2 scriptLogging "Done in error." 2 exit 1 fi $FOTPSFE

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ύον؅ཧʢྫ: Chromeͷ࠷৽Խʣ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF $FOTPSFE

shlogger "Mount dmg file: $dmgfile" devfile="$( /usr/bin/hdiutil attach -nobrowse "$ {workdir}/${dmgfile}" | /usr/bin/grep Chrome | / usr/bin/awk '{print $1}' )" check_result="$( checkapp "$dl_chromapp" "$developerid" )" if [ "$check_result" = ok ]; then shlogger "Codesign check passed." runstate="$( /usr/bin/pgrep Chrome | /usr/bin/ wc -l )" shlogger "Chrome run state: $runstate" if [ "$runstate" -ne 0 ]; then notification=yes ; fi tmpdir="/tmp/$( /usr/bin/uuidgen )" /bin/mkdir -m 755 "$tmpdir" /bin/mv "$CHROME" "$tmpdir" /bin/cp -af "$dl_chromapp" /Applications shlogger "Install Chrome into /Applications" /usr/bin/xattr -r -d com.apple.quarantine "$CHROME" shlogger "Remove com.apple.quarantine from $CHROME" else shlgger "$check_result" 2 shlogger "Codesign check failed." 2 fi /usr/bin/hdiutil detach -quiet "$devfile" rm -rf "$workdir" shlogger "Show notification: $notification" if [ "$notification" = yes ]; then show_notification "Googole Chrome has updated!" "Restart Google Chrome now." fi shlogger "Done." exit 0 w $ISPNFͷࣗಈΞοϓσʔτεΫϦϓτ

#!/bin/bash RESULT="Not Installed" CHROME="/Applications/Google Chrome.app" if [ -e "$CHROME" ]; then installed_version="$( /usr/libexec/PlistBuddy -c "print CFBundleShortVersionString" "$CHROME/ Contents/Info.plist" )" current_stable_version="$( /usr/bin/curl -s https://omahaproxy.appspot.com/all | /usr/bin/awk -F, '/mac,stable/ {print $3}' )" if [ "$installed_version" = "$current_stable_version" ]; then RESULT="UptoDate" else RESULT="Old" fi fi echo "$RESULT" w Πϯετʔϧ͞Ε͍ͯΔ$ISPNFͷόʔδϣϯνΣοΫͱଐੑઃఆ

֦ுଐੑͷ෇༩ $FOTPSFE $FOTPSFE

χΞϦΞϧλΠϜͷߏ੒؅ཧ $FOTPSFE

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ Windows, Androidฤ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ূ໌ॻΠϯετʔϧ $FOTPSFE

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ߏ੒؅ཧ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF $FOTPSFE

{ "@odata.context": "https://graph.microsoft.com/ v1.0/$metadata#deviceManagement/managedDevices/$entity", "id": "xxxxx", "userId": "xxxxx", "deviceName": "xxxx", "managedDeviceOwnerType": "company", "enrolledDateTime": "2019-07-18T12:17:53.0413033Z", "lastSyncDateTime": "2019-08-15T02:34:53.7572148Z", "operatingSystem": "Windows", "complianceState": "compliant", "jailBroken": "Unknown", "managementAgent": "mdm", "osVersion": "10.0.18362.295", "easActivated": true, "easDeviceId": "xxxxx", "easActivationDateTime": "2019-07-18T12:25:05.2874123Z", "azureADRegistered": true, "deviceEnrollmentType": "windowsCoManagement", "activationLockBypassCode": null, "emailAddress": “[email protected]”, "azureADDeviceId": "xxxxx", "deviceRegistrationState": "registered", "deviceCategoryDisplayName": "Windows", "isSupervised": false, "exchangeLastSuccessfulSyncDateTime": "0001-01-01T00:00:00Z", "exchangeAccessState": "none", "exchangeAccessStateReason": "none", "remoteAssistanceSessionUrl": "", "remoteAssistanceSessionErrorDetails": "", "isEncrypted": true, "userPrincipalName": “[email protected]", "model": "xxxxx", "manufacturer": "xxxxx", "imei": null, "complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59.9999999Z", "serialNumber": "xxxxx", "phoneNumber": null, "androidSecurityPatchLevel": null, "userDisplayName": "Kengo Suzuki", "wiFiMacAddress": "xxxxx", "deviceHealthAttestationState": null, "subscriberCarrier": "", "meid": "", "totalStorageSpaceInBytes": -1638924288, "freeStorageSpaceInBytes": -822083584, "managedDeviceName": "xxxx/18/2019_12:17 PM", "partnerReportedThreatState": "secured", "deviceActionResults": [], "configurationManagerClientEnabledFeatures": { "inventory": false, "modernApps": false, "resourceAccess": false, "deviceConfiguration": false, "compliancePolicy": false, "windowsUpdateForBusiness": false } } w "1*Λ͔ͭͬͯߏ੒৘ใΛऔಘ w IUUQTHSBQINJDSPTPGUDPN WEFWJDF.BOBHFNFOU NBOBHFE%FWJDFTEFWJDF*%

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ ύον؅ཧʢWindows Defenderʣ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF $FOTPSFE

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF ੬ऑੑεΩϟϯʢWindows Defenderʣ $FOTPSFE

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF σΟϨΫτϦʢActive Directoryʣ

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF Network

- Ϧετ - Ϧετ - Ϧετ - Ϧετͷڧௐจࣈ - Ϧετ #FZPOE$PSQ%FTJHOUP%FQMPZNFOUBU(PPHMF ࢿ࢈؅ཧπʔϧ

- શσόΠεͰ࣮ࢪ͢Δඞཁ͋Γ - ʢϝλʣΠϯϕϯτϦαʔϏε͸·ͩ঎༻ԽɾOSSԽ͞Ε ͍ͯͳ͍ - ࣗ෼Ͱ࡞Δ͔͠ͳ͍… - σόΠεೝূ͸ TPM + x.509 σόΠεΞΠσϯςΟςΟɹ·ͱΊ

ΞΫηε੍ޚ

No content

- Access Proxy: - શHTTP/SSHϦΫΤετͷड෇ - Access Control Engine(ACE): - ΞΫηε੍ޚΛෳ਺ͷσʔλιʔε͔Βܾఆ͢ΔϙϦγʔΤϯδϯɻ - Trust Inference: - Ϣʔβʔ΍σόΠεͷ৴པείΞΛࢉग़͢ΔΤϯδϯ - Pipleline: - ACEʹσʔλΛfeed͢ΔύΠϓϥΠϯ - Resource: - ΞΫηε੍ޚͷର৅ʹͳΔΞϓϦɺαʔϏεɺΠϯϑϥ ΞΫηε੍ޚͷ֓ཁʢొ৔ਓ෺ʣ

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ w ن੍࢈ۀʹ଍Λ౿ΈೖΕΔϕϯνϟʔͷ૿Ճ w lେखاۀͷΦʔϓϯΠϊϕʔγϣϯ௥ٻͱελʔτΞοϓ࿈ܞz w શ)55144)ϦΫΤετ͸"DDFTT1SPYZʹ޲͚ΒΕΔ w શ)55144)ϦΫΤετ͸"DDFTT1SPYZʹ޲͚ΒΕΔ

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ w ن੍࢈ۀʹ଍Λ౿ΈೖΕΔϕϯνϟʔͷ૿Ճ w lେखاۀͷΦʔϓϯΠϊϕʔγϣϯ௥ٻͱελʔτΞοϓ࿈ܞz w "DDFTT1SPYZ͔Β4JOHMF4JHO0OʹϦμΠϨΫτ

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ w 4JOHMF4JHO0OͰɺೝূ৘ใΛ࿈ܞ͢Δʢ'FEFSBUJPOʣ

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ w ΞΫηε੍ޚΛܾఆ͢ΔΑ͏ϦΫΤετ

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ w σόΠε΍Ϣʔβʔͷ৴པ౓Λܭࢉ w σόΠεɾϢʔβʔͷଐੑͱͯ͠อଘ w ύΠϓϥΠϯΛ௨ͯ͠৴པείΞɺΠϯϕ ϯτϦ৘ใΛ"$&ʹ࿈ܞ

function userTrustInference (user, app interface) int { // isUserVulnerable(user) // isUserAccessingFromNewLocation(user) // hasTakenSecurityTraining(user) // isAppCritical(app) return userTrustTier(userInfo, appInfo) } function deviceTrustInference (device, app interface) int { // isDeviceVulnerable(device) // isDevieLatest(device) // isBrowserLatest(device) // isDeviceManaged(device) // isDeviceEncrypted(device) // isDeviceActive(device) return deviceTrustTier(deviceInfo, app) }

ΞΫηε੍ޚͷ֓ཁʢྲྀΕʣ w "1ͱύΠϓϥΠϯ͔ΒऔಘͰ͖ΔσʔλΛ΋ͱʹΞΫηεՄ൱ Λܾఆɾద༻

BeyondCorpʹ͓͚ΔΞΫη ε੍ޚΛຬͨ͢੡඼ɾαʔ Ϗε

Access Proxy w "[VSF"% w ੍ݶ w )551ʢ4ʣҎ֎ͷϓϩ τίϧରԠ w ύεϫʔυೝূํࣜ

Trust Inference w "[VSF"%*EFOUJUZ1SPUFDUJPO Ϣʔβʔ w .JDSPTPGU%FGFOEFS"51ʢσόΠεʣ w "[VSF"51ʢσόΠεɾϢʔβʔʣ

- Ϣʔβʔͷ৴པ౓ΛαΠϯΠϯঢ়ଶ͔Βܭଌ - αΠϯΠϯΠϕϯτͦͷ΋ͷͱɺαΠϯΠϯޙͷߦಈ͔Βܭଌ - Πϕϯτྫ: TorΛ࢖ͬͨϩάΠϯࢪߦ - ߦಈྫ: ෆՄೳͳཱྀߦ - ৴པ౓ʢϦεΫ஋ʣ͸Low, Medium, HighͰ෼ྨ - ୹ॴ: ϦεΫ஋ͷࢉग़ࠜڌ͕Θ͔Γʹ͍͘ Trust Inference - AzureAD Identity Protection

{ "@odata.type": "#microsoft.graph.unfamiliarLocationRiskEvent", "id": “xxxx-xxxx", "riskEventStatus": "dismissedAsFixed", "riskLevel": "medium", "riskEventType": "UnfamiliarLocationRiskEvent", "riskEventDateTime": "2019-xx-xxT06:30:45", "closedDateTime": “2019-xx-xxT09:18:43", "createdDateTime": "2019-xx-xxT09:18:43", "userId": “xxxx-xxxx", "userDisplayName": “Kengo Suzuki", "userPrincipalName": “[email protected]", "ipAddress": "18.205.93.232", "location": { "city": "Ashburn", "state": "VA", "countryOrRegion": "United States", "geoCoordinates": { "latitude": 39.0437, "longitude": -77.4742 } w 4JHO*O3JTL&WFOU

{ "id": "xxxx-Xxxx-xxxx", "isDeleted": null, "isGuest": null, "isProcessing": false, “riskLevel": "none", "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordReset", "riskLastUpdatedDateTime": "2018-xx-xxT01:33:06", "userDisplayName": [email protected], "userPrincipalName": null } w 6TFS3JTL

- σόΠεͰൃੜͨ͠ΞϥʔτͱͦͷޙͷରԠঢ়گ ͔ΒϦεΫ஋Λࢉग़ - ৴པ౓ʢϦεΫ஋ʣ͸Low, Medium, HighͰ෼ྨ - ୹ॴ: ϦεΫ஋ͷ൑அࠜڌ΍ಛ௃બ୒͕Θ͔Γʹ ͍͘ Trust Inference - Microsoft Defender ATP

ɹɹɹɹɹ{ "id": "xxxxx", "computerDnsName": “xxxxxxxxxxx”, "firstSeen": "2019-xx-xxT09:18:43", ɹɹɹɹɹ"lastSeen": "2019-xx-xxT09:18:43", "osPlatform": "Windows10", "osVersion": "10.0.0.0", "lastIpAddress": “xxx.xxx.xxx.xxx”, "lastExternalIpAddress": "xxx.xxx.xxx.xxx", "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, ɹɹɹ "rbacGroupName": "The-A-Team", "riskScore": "Low", ɹɹɹɹ"isAadJoined": true, "aadDeviceId": “xxxx-xxxx", ɹɹɹɹ "machineTags": [ "test tag 1", "test tag 2" ] }, w %FWJDF3JTL

- υϝΠϯࢀՃͰͷATPܥ߈ܸΛݕ஌ - WDATPͱ࿈ܞ Trust Inference - Azure ATP

Trust Inference w "[VSF"%৚݅෇͖ΞΫηε

- Ϋϥ΢υαʔϏεʹର͢ΔΞΫηε੍ޚΛෳ਺ͷ৚݅ʹج͍ͮ ܾͯఆɾద༻͢ΔαʔϏε - ৚݅ͷྫ - ୺຤ͷϙϦγʔ४ڌঢ়گ - ϢʔβʔͷϦεΫ஋ - ΫϥΠΞϯτΞϓϦछผ - ΞΫηεઌͷΫϥ΢υαʔϏε - Ґஔ৘ใ ৚݅෇͖ΞΫηε IUUQTEPDTNJDSPTPGUDPNFOVTB[VSFBDUJWFEJSFDUPSZDPOEJUJPOBMBDDFTTPWFSWJFX

- MFAͷશ༗ޮԽ ৚݅෇͖ΞΫηεྫ: શΞϓϦ޲͚

- ॏཁͳαʔϏεʹରͯ͠ɺαΠϯΠϯϦεΫ͕গ ͠Ͱ΋͋Ε͹ϩάΠϯΛڐՄ͠ͳ͍ - ॏཁαʔϏε - AWS, ౿Έ୆, ύεϫʔυϚωʔδϟʔ, - ސ٬৘ใ؅ཧ༻αʔϏε ৚݅෇͖ΞΫηεྫ: ॏཁΞϓϦ޲͚

- ؅ཧ͞ΕͨσόΠεͰϙϦγʔ४ڌͨ͠΋ͷͷΈΞΫηεՄೳ - ؅ཧ͞ΕͨσόΠε: ProfileΛΠϯετʔϧ͞ΕͨBYOD୺຤΋ؚΉ - ४ڌ͞Εͨঢ়ଶ - σΟεΫ͕Full Encryption͞Ε͍ͯΔ - σόΠεͷϦεΫ஋͕LowҎԼͰ͋Δ - OS͕ಛఆͷόʔδϣϯҎ্Ͱ͋Δ - TPMΛඋ͍͑ͯΔ - BIOSϨϕϧͷ ৚݅෇͖ΞΫηεྫ: ؅ཧσόΠεͷΈڐՄ

- ͕͜͜BeyondCorp/ZeroTrustͷ؊ - શͯͷΞΫηε͸Access ProxyΛܦ༝͢Δ - ωοτϫʔΫ͚ͩͰ͸ͳ͘ɺෳ਺ͷσʔλιʔε͔Β൑அ͢Δ - ͦͷதʹ͸৴པ౓Λܾఆ͢ΔTrust Inferene΋ؚ·ΕΔ - ACEʹσʔλ͕ू໿͞ΕɺΞΫηε੍ޚ͕ܾఆɾద༻͞ΕΔ ΞΫηε੍ޚɹ·ͱΊ

- BeyondCorpΛҰ൪ݱ࣮ͯ͠Δ঎༻αʔϏε͸ Microsoft - θϩ͔Β૊Έ࢝ΊΔͷͰ͋Ε͹ɺMicrosoft365 ύοέʔδΛ࢖ͬͯɺ଍Γͳ͍෦෼Λݸผͷι ϦϡʔγϣϯʹٻΊΔͷ͕ίεύ͕ྑ͍ ࢲݟ

ࠓ·Ͱͷ͓͞Β͍

ηΩϡϦςΟཁ݅શମ૾ ๏ྩɾج४ɾࢦ਑ αΠόʔηΩϡϦςΟઓུ ηΩϡϦςΟઃܭ αΠόʔηΩϡϦςΟઓज़ɾ࣮૷ ઓུʢػີੑʣ ઓུʢ׬શੑʣ ઓུʢՄ༻ੑʣ

No content

ηΩϡϦςΟ୲౰ͱͯ͠ ΍Δ͜ͱ͸໌֬ʹͳΓ·͔ͨ͠ʁ

Ϣʔβʔاۀʹ͓͚Δ৘ใγες ϜͱηΩϡϦςΟ - ߦಈࢦ਑ฤ 2019/08/10 By @ken5scal

- ϛογϣϯܾఆͱܦӦਞͱͷ߹ҙ - ༏ઌॱҐʹର͢ΔܦӦਞͱͷ߹ҙ - ಥવ;ͬͯ͘ΔʢଞࣾΛؚΊͨʣΠϯγσϯτରԠ - ιϦϡʔγϣϯͷͨΊͷ༧ࢉ֬อ - ϨΨγʔͳपลγεςϜͱͷ౷߹ - ৽͍͠ϓϩμΫτ΁ͷίϛοτ - ʢ΍ͬͱ…ʣ࣮૷ɾӡ༻ - ࠾༻ɾνʔϜϏϧσΟϯά - Etc, etc Զͨͪͷઓ͍͸·ͩ࢝·ͬͨ͹͔Γͩ

- ׬શ/ඪ४తͳΧϦΩϡϥϜͳͲͳ͍ - खΛಈ͔ͦ͏ɻ࣮ફ͋ΔͷΈɻ - ίϛϡχέʔγϣϯΛଵΒͳ͍ - ਏ͍͜ͱ΋ࣦഊ΋͋Δ - ָ؍ऀͰ͍Α͏ - ॿ͚ΛٻΊΑ͏ - ஌ࣝΛڞ༗͠Α͏ So, you want to work in security? ݪจ4P ZPVXBOUUPXPSLJOTFDVSJUZ ೔ຊޠ໿ηΩϡϦςΟͰ൧৯͍͍ͨਓ޲͚ͷ৺ͷ࣋

Good Luck and Happy Hacking!

Thank You!