Slide 1
Slide 1 text
No content
Slide 2
Slide 2 text
Security / AuditabilityΛ
SREνʔϜͷՌࢦඪʹՃ͑ͨ
Takuya Onda
SRE Lounge #12
!2
Slide 3
Slide 3 text
Security / AuditabilityΛ
SREνʔϜͷՌࢦඪʹՃ͑ͨ
Takuya Onda
SRE Lounge #12
!3
Slide 4
Slide 4 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
Agenda
• ొஃऀɾձࣾհ
• Կ͕՝͔ͩͬͨɿηΩϡϦςΟରԠঢ়گͷةػײ
• ԿΛ࢝Ί͔ͨɿSecurityνʔϜͷ্ཱͪ͛
• Կ͕ى͖͔ͨɿ͍͍ײ͡ʹࣄ͕ಈ͖࢝ΊͨҰํɺ͋Βͨͳ՝͕ൃੜ
• ԿΛ͔ͬͨɿ3ຊͷࢦͱ۩ମྫհ
• ·ͱΊ
!4
Slide 5
Slide 5 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ొஃऀհ
• ໊લɿԸా
• ॴଐɿגࣜձࣾΤϨΧ
• ࣄɿSRE෦ɺSecurity෦ɺγε෦ͷ
౷ׅɻ·ͨɺ෦౷੍ϓϥΠόγʔରԠɺ
֤छඪରԠͳͲ୲ͯ͠·͢
• ˎ ຊ͔ࣗΒͷొஃͷͨΊɺ່ͷઈڣԻ్͕தަ͡Δ͔
͠Ε·ͤΜ͕ɺ͝༰͍͚ࣻͨͩΕͱࢥ͍·͢ mm
!5
Slide 6
Slide 6 text
ձࣾ֓ཁ
ձ໊ࣾ ɹ גࣜձࣾΤϨΧ / eureka, Inc.
ۀ ɹ 200811݄20
ܦӦਞ ɹ CEO ੴڮ४
ɹ CMO தଜ༟Ұ
ɹ CTO ۚࢠ৻ଠ
ɹ VP of Finance Andrew Badham
ɹ VP of Product, Pairs ۚా༔ر
ɹ Brand Director ࢁֆເ
ɹ Data Director Ԟଜ७
ɹ Customer Care Director ҆৴ཽഅ
ɹ Information Director Ըా
ࣄۀ༰ ɹࣗࣾαʔϏεͷاըɾ։ൃɾӡӦ
ɹɾ࿀Ѫɾࠗ׆ϚονϯάΞϓϦʮPairsʯ
ɹɾΦϯϥΠϯ݁ࠗ૬ஊॴʮPairsΤϯήʔδʯ
ɹɾΧοϓϧઐ༻ΞϓϦʮCouplesʯ
Slide 7
Slide 7 text
ਓੜʹʮ͋ͬͯΑ͔ͬͨʯͱ
ࢥͬͯΒ͑ΔͷΛɻ
ࢲͨͪɺੈքͷࠃʑͰɺԯͷਓʑ͕͏ϓϩμΫτΛ
ੜΈग़͍ͯ͜͠͏ͱ͍ͯ͠·͢ɻ
ͦΕɺҰ࣌తͳָ͠ΈศརΛఏڙ͢ΔͷͰͳ͘ɺ
ਓੜΛৼΓฦͬͨ࣌ʹʮ͋ͷͱ͖ɺ͋ͷαʔϏε͕͋ͬͯΑ͔ͬͨʯͱɺ
ࢥͬͯΒ͑ΔͷͰ͋Γ͍ͨɻ
ग़ձ͑ͳ͔ͬͨਓͲ͏͕͠ग़ձ͑ͨΓɺ
ͻͱΓͻͱΓͷબࢶ͕ͬͱ͕ͬͨΓɻ
ࢲͨͪͷαʔϏεͰɺ୭͔ͷਓੜΛΑΓΑ͍ͷʹ͢Δ͜ͱ͕ɺ
ΤϨΧͷ໋Ͱ͢ɻ
Slide 8
Slide 8 text
͔͚͕͑ͷͳ͍ਓͱͷग़ձ͍ΛੜΈग़͠ɺ
ຊɺΞδΞʹσʔςΟϯάαʔϏεจԽΛఆணͤ͞Δɻ
To help people find their life partner and make dating services a social norm in Japan and Asia.
Vision
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
1,000
ྦྷܭձһ
ಥഁ
ສ
ਓ
Slide 11
Slide 11 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ొ ͕͢͞ ϓϩϑΟʔϧ ͍͍Ͷʂ Ϛονϯά ϝοηʔδ ࣮ࡍʹग़ձ͏
αʔϏε֓ཁ
ຊਓ֬ೝ
ಠ֬ೝ
Slide 12
Slide 12 text
No content
Slide 13
Slide 13 text
ʮ͙͢ʹͰ͍݁ࠗͨ͠ʯͱࢥ͍ͬͯͯɺʑͷੜ׆Ͱ
݁ࠗ૬खʹ૬Ԡ͍͠ͱࢥ͑Δ૬खͱग़ձ͏lػձzlखஈz
ͳ͍ਓ͚ɻ
ॆ࣮ͳαϙʔτମ੍ͱɺετϨεͷͳ͍खܰͳࠗ׆ମݧΛ
ఏڙ͢Δɺ݁ࠗͷر͕ߴ͍ਓ͚͕ͩೖձͰ͖ΔαʔϏ
εɻ
λʔήοτ
αʔϏε༰
ϖΞʔζ͕ͭͬͨ͘
ΦϯϥΠϯ݁ࠗ૬ஊॴ
Slide 14
Slide 14 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
Agenda
• ొஃऀɾձࣾհ
• Կ͕՝͔ͩͬͨɿηΩϡϦςΟରԠঢ়گͷةػײ
• ԿΛ࢝Ί͔ͨɿSecurityνʔϜͷ্ཱͪ͛
• Կ͕ى͖͔ͨɿ͍͍ײ͡ʹࣄ͕ಈ͖࢝ΊͨҰํɺ͋Βͨͳ՝͕ൃੜ
• ԿΛ͔ͬͨɿ3ຊͷࢦͱ۩ମྫհ
• ·ͱΊ
!14
Slide 15
Slide 15 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
എܠɿձࣾͱࣄۀΛͱΓ·͘มԽ
• ϚονϯάΞϓϦͷϦʔσΟϯάΧϯύχʔͱͯ͠ͷࣾձత
• ࣄۀͷ҆৺ɾ҆શͷχʔζ
• ֦େ͢Δ৫ɾαʔϏεنɾγεςϜ
!15
Slide 16
Slide 16 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ηΩϡϦςΟରࡦ
ͬͱγϡοͱ͍ͨ͠ʂ
!16
Slide 17
Slide 17 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ηΩϡϦςΟରࡦͷ՝ (࣌)
• ਪਐྗ͕ෆ͍ͯͨ͠
• ॴࡏ͕ᐆດɻ͔ͭɺݗҾ͕͍ͳ͍ɻ
• CTO։ൃνʔϜɺSREνʔϜMISνʔϜ͕ͦΕͱͳ͘ਪਐ͍ͯͨ͠
ɻ
• ہॴతͳηΩϡϦςΟରࡦʹͳΓ͕ͪ
• ޚͱݕʹઢ͕͖͕ͪ
• ඇٕज़ͷηΩϡϦςΟରԠͷΕ
!17
Slide 18
Slide 18 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
Agenda
• ొஃऀɾձࣾհ
• Կ͕՝͔ͩͬͨɿηΩϡϦςΟରԠঢ়گͷةػײ
• ԿΛ࢝Ί͔ͨɿSecurityνʔϜͷ্ཱͪ͛
• Կ͕ى͖͔ͨɿ͍͍ײ͡ʹࣄ͕ಈ͖࢝ΊͨҰํɺ͋Βͨͳ՝͕ൃੜ
• ԿΛ͔ͬͨɿ3ຊͷࢦͱ۩ମྫհ
• ·ͱΊ
!18
Slide 19
Slide 19 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ηΩϡϦςΟνʔϜ͕ൃ
• ηΩϡϦςΟྖҬͷΞΧϯλϏϦςΟΛू
• ঢ়گͷಁ໌ԽͱϨϙʔςΟϯά
• ϩʔυϚοϓͷࡦఆ
• ༧ࢉͱਓࣄܭը
• ඇٕज़ྖҬؚΊͨแׅతͳηΩϡϦςΟରࡦͷਪਐ
• IRମ੍ͷϒϥογϡΞοϓɺܦӦਞΛר͖ࠐΜͩΠϯγσϯτDrillͷ࣮ࢪ
• શैۀһ͚ηΩϡϦςΟτϨʔχϯάͷ࣮ࢪɺηΩϡΞίʔσΟϯάτϨʔχϯάͷܭը
• Πϕϯτͷूͱ੬ऑੑͷτϦΞʔδ
• ʮPCͳ͘͠·ͨ͠ʂʯɺʮมͳϝʔϧདྷͨΜͰ͚͢Ͳʂʯʮxxͱ͍͏πʔϧ͔ΒΞϥʔτདྷͨͧʯ
• ʮ͜ͷπʔϧͬͯେৎʁʯɺʮ͜Μͳ੬ऑੑ͕ੈͷதʹʂʯ
!19
Slide 20
Slide 20 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
Agenda
• ొஃऀɾձࣾհ
• Կ͕՝͔ͩͬͨɿηΩϡϦςΟରԠঢ়گͷةػײ
• ԿΛ࢝Ί͔ͨɿSecurityνʔϜͷ্ཱͪ͛
• Կ͕ى͖͔ͨɿ͍͍ײ͡ʹࣄ͕ಈ͖࢝ΊͨҰํɺ͋Βͨͳ՝͕ൃੜ
• ԿΛ͔ͬͨɿ3ຊͷࢦͱ۩ମྫհ
• ·ͱΊ
!20
Slide 21
Slide 21 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ہॴతͳτϨʔυΦϑ
• શ͕ͯॱௐͳ࣌,ηΩϡϦςΟݟ͑ͳ͍. ݮ or ԆظՄೳͳίετͱΈͳͤ͞Δ
• ʮͦΕࠓͬͨํ͕Α͍ʁʯɺʮ੬ऑੑରԠɺ͑ʔɺ͜ΕظݶΒͳ͍ͱμϝɺɺʁʯ
• ʮxxΛಋೖ͢Δʁ͍͍͚Ͳɺࠓ͜Εಋೖͯ͠୭ӡ༻Ͱ͖ͳ͘ͳ͍ʁʯ
• ߟ͑ํͷ͢Εҧ͍
• ࠷খಛݖͱ৬ঠ | You built it, you run itͷਫ਼ਆ
• Security By Design(ϓϩδΣΫτͷ಄Ͱ༷֓ཁΛΓ͍ͨ) | ࡉ͔͘ૣ࢝͘Ί͍ͨ
• ίϛϡχέʔγϣϯίετͷ૿Ճ
• Qɿʮ֎෦ʹηΩϡϦςΟஅґཔ͢Δ͔Βɺߏਤ͘ΕΜʁʯ,Aɿ(ͦΜͳͷͳ͍)ʮɺɺ͍༻ҙ͠·͢ʯ
• QɿʮxxͬͯϦιʔεԿʹͬͯΔͷʁͲΜͳഎܠʁʯ Aɿ(͜ͷΓͱΓ࠷ۙଟͯ͘͠ΜͲ͍ΜͩΑͳɺɺ)
ʮ͑ʔͱͰ͢Ͷɺ͜Εɺɺʯ
!21
Slide 22
Slide 22 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
Agenda
• ొஃऀɾձࣾհ
• Կ͕՝͔ͩͬͨɿηΩϡϦςΟχʔζͷΕ
• ԿΛ࢝Ί͔ͨɿSecurityνʔϜͷ্ཱͪ͛
• Կ͕ى͖͔ͨɿ͍͍ײ͡ʹࣄ͕ಈ͖࢝ΊͨҰํɺ͋Βͨͳ՝͕ൃੜ
• ԿΛ͔ͬͨɿ3ຊͷࢦͱ۩ମྫհ
• ·ͱΊ
!22
Slide 23
Slide 23 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ސ٬ͷՁఏڙʹूத͍ͨ͠ͷҰॹ
• 3ຊͷࢦΛݩʹɺຎࡲͷղফ
1.ඪઃܭ & ඪͷڞ༗
2.҆શͳબΛσϑΥϧτʹ
3.ίϛϡχέʔγϣϯͷૄ݁߹ԽͱϧʔςΟϯԽ
!23
Slide 24
Slide 24 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ඪઃܭ & ඪͷڞ༗
• ηΩϡϦςΟϦεΫ(Πϕϯτ)ରԠঢ়گΛνʔϜؒڞ௨ͷՌࢦඪʹ
• SLI = ඪऩଋҎʹରԠྃͨ͠Ҋ݅/ શΠϕϯτ x 100
• SLO = xx%
!24
Slide 25
Slide 25 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ηΩϡϦςΟϦεΫɾΠϕϯτιʔε(Ұ෦)
!25
SRE Team MIS Team Developer Team
GuardDuty ○
ECR Scanning ○
AWS Inspector ○
CrowdStrike ○
Cisco Meraki ○
Static Analysis ○
Slide 26
Slide 26 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ηΩϡϦςΟϦεΫɾධՁํ๏
!26
ఆٛ (Ұ෦) CVSS Base Score ରԠඪ
Broker
ݖݶͷͳ͍ࣄऀ͕10Λ͑ΔϢʔβʔͷೝূτʔΫϯ/ࢿ֨ใ/ΫοΩʔ/ύε
ϫʔυɺϝοηʔδɺੜ݄·ͨͦͷଞͷPII, ࢧ͍Χʔυɺ·ͨਖ਼֬ͳ
GPSҐஔใΛऔಘͰ͖ΔΑ͏ʹ͢Δ੬ऑੑɻ
9 - 10 xxҎ
Critical 7 - 8.9 ʓʓҎ
Major 4.0 - 6.9 ˚˚Ҏ
Minor 0.1 - 3.9
□□Ҏ
(ϦεΫอ༗அՄ)
Trivial -
ˑˑҎ
(ϦεΫอ༗அՄ)
Slide 27
Slide 27 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
҆શͳબΛσϑΥϧτʹ
• ಁաతͳػೳΛఏڙ͢ΔࣄͰෛ୲Λ͔͚Δࣄͳ͘ਖ਼͍͠ࣄΛͳ͢
• ಛఆɿΞηοτϚωδϝϯτͷίετΛԼ͛Δ
• λάʹΑΔετϨʔδɾϦιʔεͷࣗݾఆٛతྨ
• AWS System Manger Inventory
• ޚɿߏඪ४ԽͰ༧త౷੍ͷෛՙΛԼ͛Δ
• IAM Account / IAM User࡞ෆՄ
• 3Tier Architecture x WAF x Shield AdvanceʹΑΔอޢ
• EC2 x ASG | FargageʹΑΔγεςϜͷRotate,
• ݕɿࣄ࣮ೝࣝͷίετΛԼ͛Δ
• AuditΞΧϯτͰAWS Config | GuardDuty | CloudTrail ͷAggregation
• ࣄ࣮ೝࣝλΠϛϯάΛνʔϜϧʔςΟϯʹΈࠐΉ
!27
Slide 28
Slide 28 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ΞηοτϚωδϝϯτͷίετΛԼ͛Δ
!28
• ϦιʔεͷSensitivityΛλάͰఆٛ.System ManagerGASͳͲͰλά
छผΛݩʹऩू (ˎ λά͓Αͼίʔυͯٙ͢ࣅίʔυͰ͢)
Slide 29
Slide 29 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ߏඪ४ԽͰ༧త౷੍ͷෛՙΛԼ͛Δ
!29
• 3Tier Architecture x WAF x Shield AdvanceʹΑΔอޢ (ˎٙࣅίʔυ)
Slide 30
Slide 30 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ߏඪ४ԽͰ༧త౷੍ͷෛՙΛԼ͛Δ
!30
• IdPܦ༝ͰͷSSOͷΈڐՄ & IAM Userͷ࡞ࢭΛΈԽ͢Δ (ˎٙ
ࣅίʔυ)
ΤϯδχΞ৬ผ
Roleઃܭ
Slide 31
Slide 31 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ߏඪ४ԽͰ༧త౷੍ͷෛՙΛԼ͛Δ
!31
• EC2 on ASG | Fargate x Resource Rotation
ࢀߟɿηΩϡϦςΟύονΛࢧ͑Δ αʔόՈசԽٕज़ͷհ
https://speakerdeck.com/takuya542/sekiyuriteipatutiwozhi-eru-sabajia-chu-hua-ji-shu-falseshao-jie
Slide 32
Slide 32 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ίϛϡχέʔγϣϯͷૄ݁߹ԽͱϧʔςΟϯԽ
• ඞཁͳใΛඞཁͳਓ͕ࣗͰऔΓ͍͢ঢ়ଶʹ
• ൃݟత౷੍ͷࣄ࣮ೝࣝͷίετΛԼ͛Δ
• ࠩ͠ࠐ·ΕΔͷͰͳ͘ɺఆظతʹঢ়ଶΛ֬ೝ͢Δ
!32
Slide 33
Slide 33 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
SecurityΞΧϯτʹใΛू͢Δ
!33
• AWS Config Rules | GuardDuty | CloudTrail Log & ViewerΛू
Guard Duty x Multi Accountମ੍
(ˎ ٙࣅίʔυ)
Slide 34
Slide 34 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ൃݟదੑɾࣄ࣮ೝࣝΛϧʔςΟϯԽ
• ηΩϡϦςΟΞϥʔτΛड͚ͬͺͳ͠ʹ͠ͳ͍ɻೳಈతʹ֬ೝ͢Δ࣌ؒ
Λ֬อ͢Δ
!34
Slide 35
Slide 35 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
ൃݟదੑɾࣄ࣮ೝࣝΛϧʔςΟϯԽ
• ηΩϡϦςΟΞϥʔτΛड͚ͬͺͳ͠ʹ͠ͳ͍ɻೳಈతʹ֬ೝ͢Δ࣌ؒ
Λ֬อ͢Δ
!35
Slide 36
Slide 36 text
CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy
૯ׅ
• ݟ͚ͭͨڴҖͷରԠ͕ڴҖϞσϧʹج͖ͮɺదʹߦΘΕͯΔঢ়ଶΛҡ
࣋͠ͳ͕ΒɺڴҖݕͷ෯Λ͛ͯ͘ͷ͕ॏཁ (SREຊͷSLOઃܭͷ
νϟϓλʔʹ௨͡Δͱ͜Ζ͕ଟʹ͋Δͱ͍͏ॴײ)
• ༧త౷੍ͱൃݟత౷੍ͲͪΒʹภ͍͚ͬͯͳ͍ɻ·ͨɺํͷ౷
੍ίετΛৗʹԼ͛ΔΑ͏ʹϓϩδΣΫτΛϩʔυϚοϓʹΈࠐΉ
• ϓϩηεϙϦγʔͰͳ͘ΈͰकΔɻϓϩηεͰकΔՕॴɺί
ϛϡχέʔγϣϯ͕ۃྗൃੜ͠ͳ͍Α͏ʹ͢Δ or ϦζϜΛ࡞Γ͍͢
ۀઃܭϓϩηεΛෑ͘
!36
Slide 37
Slide 37 text
ΤϨΧͰΤϯδχΞΛੵۃ࠾༻தʂ
ΧδϡΞϧ໘ஊ͓͍ͪͯ͠·͢ʂ
We’re hiring