ゼロトラスト導入支援ってどんなことやってるの？

Transcript

1. What is the support for introducing Zero Trust like? It's

   a universal story, after all. By Hirokazu Yoshida / At NARA INSTITUTE of SCIENCE and TECHNOLOGY / 2022.4.13

2. θϩτϥετಋೖࢧԉͬͯ 
 ͲΜͳײ͡ͳͷʁ ݁ہ͸ɺීวతͳ࿩ͳΜͩΑ ٢ాͻΖ͔ͣ / ಸྑઌ୺Պֶٕज़େֶӃେֶ / 2022.4.13

3. Hirokazu Yoshida @ CloudNative Inc. Job : Security Engineer Community

   : Security-JAWS Handle Name : fnifni Who am I !?

4. Today's expected audience 
 and their issues • θϩτϥετͷ֓೦͸෼͔ͬͯΔʢຊ࣭తʹਖ਼͘͠ཧղ͍ͯ͠Δ͔͸ผʣ •

   θϩτϥετ͸ʮಋೖ͢Δ΋ͷʯͱࢥͬͯΔ • ࣾձਓ • طଘͷاۀʹରͯ͠θϩτϥετಋೖਪਐͷضΛৼ͍͖͍ͬͯͨ • ࣗ෼ͨͪͰ΋Ͱ͖ͦ͏ͱࢥ͑ΔɺಋೖϓϩηεͷϗϫΠτϖʔύʔΛ࡞Γ ͍͚ͨͲɺ࣮ࡍ໰୊Ͳ͏΍͍ͬͯ͘ͷ͔͸Πϝʔδ͕͍ͭͯͳ͍

5. Attention !!! • ຊࢿྉ͸ಥ؏Ͱ࡞੒ͯ͠·͢ͷͰɺଟগ͓ݟ͍ۤ͠఺͕͋Δͱ ࢥ͍·͢ɻ • ݸਓͷܦݧଇʹجͮ͘෦෼ؚ͕·Ε·͢ɻ • ͔͋͠Βͣྃ͝ঝ͍ͩ͘͞ɻ

6. Today's topic • είʔϓͷ࿩ • ϑΝϯμϝϯλϧͳ࿩ • θϩτϥετಋೖࢧԉͱͯ͠΍͍ͬͯ͘ϑΣʔζྫͷ࿩

7. Today's topicʢRatioʣ • είʔϓͷ࿩ʢ1ʣ • ϑΝϯμϝϯλϧͳ࿩ʢ5ʣ • θϩτϥετಋೖࢧԉͱͯ͠΍͍ͬͯ͘ϑΣʔζྫͷ࿩ʢ4ʣ

8. What to talk about today and what not to talk

   about • ࠓ೔࿩͢͜ͱ • طଘاۀͷ৘ใγεςϜରͯ͠ɺθϩτϥετΛ৫ΓࠐΜͩγεςϜΛσβ Πϯ͠ɺಋೖ͍ͯͨ͘͠ΊͷϑΝϯμϝϯλϧͳߟ͑ํ΍ಋೖɾల։ͷྲྀΕ ʹ͍ͭͯ • ࿩͞ͳ͍͜ͱ • ୯७ͳθϩτϥετ੡඼ͱݺ͹ΕΔ੡඼ͷಋೖखॱ΍Ϣʔεέʔε • ݸผ۩ମతͳΦϖϨʔγϣϯ

9. Today's topic • είʔϓͷ࿩ • ϑΝϯμϝϯλϧͳ࿩ • θϩτϥετಋೖࢧԉͱͯ͠΍͍ͬͯ͘ϑΣʔζྫͷ࿩

10. Common system architectures in companies

11. Common system architectures in companies

12. ϓϩμΫτʹΨνͰ θϩτϥετΛ࣮૷͍ͯ͠Δͷ͸ PagerDuty θϩτϥετωοτϫʔΫ ― ڥք๷ޚͷݶքΛ௒͑ΔͨΊͷηΩϡΞͳγεςϜઃܭ 9.10ɹέʔεελσΟɿPagerDutyͷΫϥ΢υʹґଘ͠ͳ͍ωοτϫʔΫ ΑΓ

13. ࠓ೔͓࿩͢Δͷ͸ ৘ใγεςϜʹରͯ͠ͷ θϩτϥετಋೖࢧԉͷ࿩Ͱ͢

14. Today's topic • είʔϓͷ࿩ • ϑΝϯμϝϯλϧͳ࿩ • θϩτϥετಋೖࢧԉͱͯ͠΍͍ͬͯ͘ϑΣʔζྫͷ࿩

15. Fundamental Topics • θϩτϥετʹ͍ͭͯͷΑ͋͘Δޡղ • θϩτϥετಋೖࢧԉʹ͋ͨͬͯͷϚΠϯυηοτ • θϩτϥετಋೖࢧԉΛ࢝ΊΔ্ͰͷΞϓϩʔν

16. Fundamental Topics • θϩτϥετʹ͍ͭͯͷΑ͋͘Δޡղ • θϩτϥετಋೖࢧԉʹ͋ͨͬͯͷϚΠϯυηοτ • θϩτϥετಋೖࢧԉΛ࢝ΊΔ্ͰͷΞϓϩʔν

17. ࣾ಺ͷγεςϜΛ ͢΂ͯθϩτϥετʹ͍ͨ͠ΜͰ͢

18. Common Misconceptions • ׬શͳθϩτϥετΞʔΩςΫνϟͷಋೖ͸ҝ͠ಘͳ͍ • ͦ΋ͦ΋ɺϏδωεͦͷ΋ͷ͕Կ͔Λ৴པ͢ΔϓϩηεͰߏ ੒͞Ε͍ͯΔ • Ϗδωεϓϩηε΍ࣾ಺γεςϜͦͷ΋ͷ͔Βɺθϩτϥ ετΛલఏͱͯ͠࡞ΒΕͨͷ͕ɺBeyondCope

19. Common Misconceptions • ׬શͳθϩτϥετΞʔΩςΫνϟͷಋೖ͸ҝ͠ಘͳ͍ • ͦ΋ͦ΋ɺۀ຿Ͱ࢖༻͢Δ৘ใγεςϜػث΍ΞϓϦέʔ γϣϯɺαʔϏε͸ɺθϩτϥετલఏͰ࡞ΒΕ͍ͯͳ͍ • Ͱ͖Δࣄ͸ɺγεςϜͷσβΠϯʹɺθϩτϥετͷཁૉΛ ৫ΓࠐΜͩ΋ͷΛ࡞Γ্͛Δͱ͍͏͜ͱ

20. θϩτϥετ੡඼ങ͖ͬͯͨʂ ࠷৽ٕज़ͳΜ΍Ͱʂ

21. Common Misconceptions • θϩτϥετΛߏ੒͢Δٕज़͸ɺීวతͳٕज़ͷٕज़ͷूੵ • ϑΝΠΞ΢Υʔϧɺূ໌ॻɺ࠷খݖݶͷݪଇɺσόΠεΠϯϕϯ τϦ…etc • θϩτϥετͷจ຺Ͱ͜Ε·Ͱଘࡏ͠ͳ͔ͬͨ΋ͷ͸ɺ 


    ࠓ΋ଘࡏ͍ͯ͠ͳ͍ʢͦΕͬΆ͍΋ͷ͸Ͱ͖ͭͭ͋Δʣ • ৴པͷਪ࿦Τϯδϯ

22. ͜Ε͔Β͸θϩτϥετ΍ʂ ڥք๷ޚͳΜ͔͍ΒΜ͔ͬͨΜ΍ʂ

23. Common Misconceptions • ͦ΋ͦ΋ɺθϩτϥετ͸ڥքܕ๷ޚΛશ͘൱ఆ͍ͯ͠ͳ͍ • ۀ຿Ͱѻ͏ίϯϙʔωϯτͷଟ͘͸θϩτϥετΞʔΩςΫ νϟʹରԠͰ͖ͳ͍΋ͷ͹͔Γ • IoTػثɺෳ߹ػɺ؂ࢹΧϝϥγεςϜɺ 


    ੍ޚܥγεςϜ…etc

24. ΍Δ΂͖͜ͱ͸ ڥք๷ޚ΋΍Γͭͭ ΍Γ͍ͨ͜ͱɾͳΓ͍ͨ࢟ʹ޲͚ͯ θϩτϥετͷཁૉΛ৫ΓࠐΜͩγεςϜ ΛσβΠϯ͍ͯ͘͜͠ͱ

25. Fundamental Topics • θϩτϥετʹ͍ͭͯͷΑ͋͘Δޡղ • θϩτϥετಋೖࢧԉʹ͋ͨͬͯͷϚΠϯυηοτ • θϩτϥετಋೖࢧԉΛ࢝ΊΔ্ͰͷΞϓϩʔν

26. ͲΜͳཱͪҐஔͰ θϩτϥετಋೖࢧԉΛ΍͍ͬͯΔͷ͔

27. Mindset • ౰ࣄऀاۀͷ୲౰ऀͷཱࣗͱࣗ཯Λଅ͠ɺ৘ใγεςϜΛίϯ τϩʔϧՄೳͳ΋ͷʹ͢Δ • ΍Γ͍ͨ͜ͱɾͳΓ͍ͨ࢟ɺ՝୊ʹର͢ΔਐΊํɺߟ͑ํͷ ΨΠυʢίϯαϧτʹ૬ஊʣ • ୲౰ऀࣗ਎͕खΛಈ͔ͯ͠ɺܦݧ͠ɺվળ͍ͯͨ͘͠Ίͷ 


    ٕज़ࢧԉ

28. ୲౰ऀ͕ݴ͍ͬͯΔ͜ͱͷ 7-8ׂ͕ਖ਼͘͠ͳ͍

29. Examples of common incorrectness • खஈ͕໨తʹͳͬͯΔύλʔϯ • ʮͳͥͳΒ͹ʯ͕ͳ͘ɺ͍͖ͳΓํ๏࿦͔Βೖ͍ͬͯΔ • θϩτϥετΛಋೖ͍ͨ͠ΜͰ͢ʂ

    • ΤϞςοτରࡦͰ੡඼XXXΛ࢖͍͍ͨͰ͢ʂ

30. Examples of common incorrectness • ࠜڌ͕ബऑͳύλʔϯ • ͋Ε΋ɺ͜Ε΋ɺ΍ͬͨ΄͏͕ྑ͍Ͱ͢ΑͶʢίετ੨ఱҪʣ • ʮͳͥͳΒ͹ʯ͕ͳ͍ͷͰɺ࣮૷ͨ͠ࢪࡦΛ֎ͤͳ͘ͳΔ

31. Examples of common incorrectness • ੡඼Λಋೖ͢Ε͹ͳΜͱ͔ͳΔɺӡ༻͸୭͔ʹ΍ΒͤΕ͹͍͍ͱࢥͬͯ ͍Δύλʔϯ • ϕϯμʔͷཆ෼Ͱ͢Ͷ •

    ݪཧओٛͷύλʔϯ • ηΩϡϦςΟͷͨΊʹXXX͸ېࢭ͠·͠ΐ͏ʂ • ͦΕ΍ͬͯɺ୭͕޾ͤʹͳΔΜͰ͔͢ʁ

32. ૬ख͕๬ΜͰ΋ ૬खͷͨΊʹͳΒͳ͍͜ͱ͸ ܟҙΛ࣋ͬͯ൓࿦͢Δ

33. Examples of common unhelpful things • ൺֱද͸ѱ • ୭͔͕࡞ͬͨൺֱද͸ɺݟͨਓͷࣄ৘ͳΜ͔ؔ܎ͳ͘࡞ΒΕ ͍ͯΔ

    • ͦͷʮ˓ʯ͸ɺ͋ͳͨʹͱͬͯຊ౰ʹʮ˓ʯͰ͔͢ʁ • ࣗ෼ʹͱͬͯ˓͔Ͳ͏͔͸ɺ৮ͬͯΈͳ͍ͱΘ͔Βͳ͍

34. Examples of common unhelpful things • ൺֱද͸ඞཁѱ • ্ਃ͢Δ্Ͱɺൺֱ͔ͨ͠ʁΛ໰ΘΕΔ৔߹͸͋Δ •

    ࣗ෼ͰԖචͳΊͯ࡞ͬͨൺֱද͕࠷ڧ • ٬؍తʁ 
 ͦ΋ͦ΋٬؍తͳൺֱද͕ࣗ෼ͨͪʹͲͷΑ͏ʹϑΟοτ͠ ͍ͯΔͳΜͯɺ୭͕આ໌ͯ͘͠ΕΔΜͰ͔͢Ͷʁ

35. Examples of common unhelpful things • ϕετϓϥΫςΟεͷݬ૝ • ϕετϓϥΫςΟε͸ʮߟ͑ํʯͰ͋ͬͯʮ͜͏΍Ε͹͍͍(How To)ʯͰ͸ͳ͍

    • ࣗ෼ͨͪʹͱͬͯԿ͕Ͳͷఔ౓ඞཁ͔ΛݟۃΊΔඞཁ͕͋Δ • Ͳ͔͔͜Β͖࣋ͬͯͨHow To͕ɺࣗ෼ͨͪʹͱͬͯඞཁे෼Ͱ ͋Δͬͯ୭͕આ໌ͯ͘͠ΕΔΜͰ͔͢Ͷʁ

36. ཁ͸ ࣗ෼ͨͪͷ͜ͱͳΜ͔ͩΒ࢓ࣄ͍ͯͩ͘͠͞ ͱ͍͏͜ͱ

37. Fundamental Topics • θϩτϥετʹ͍ͭͯͷΑ͋͘Δޡղ • θϩτϥετಋೖࢧԉʹ͋ͨͬͯͷϚΠϯυηοτ • θϩτϥετಋೖࢧԉΛ࢝ΊΔ্ͰͷΞϓϩʔν

38. ϗϥʔετʔϦʔ͸Լࡦ

39. Limitations of Horror Stories • ໌֬ͳϦεΫ΍՝୊ʹ͸ରॲͰ͖Δ͕ɺͦΕҎ্͕ͳ͍ • ϦεΫͷ૯ྔ͸ܦӦऀͷհࡏͳ͠ʹ͸ଌΕͳ͍ • ΏʔͯɺͦΜͳͷى͖Δʁͦ͜·ͰΠϯύΫτ͋Δʁ

    
 ଞࣾ͸Ͳ͏ͯ͠ΔͷʁΛಥഁͰ͖ͳ͍ • ৽͍͠ϦεΫ͕ੜ·ΕͨΒɺ·ͨ৽͍͠΋ͷΛങΘͳ͍ͱ͍ ͚ͳ͍ͷʁͱ͍͏ٙ೦Λ෷১Ͱ͖ͳ͍

40. Limitations of Horror Stories • θϩτϥετΛಋೖ͢Ε͹ղܾ͢Δ͔͸ผͷ࿩ • ڥք๷ޚΛ͔ͬ͠Γ΍ͬͨΓɺ৬຿෼ঠΛపఈ͢Ε͹ղܾͰ ͖Δ࿩΋͋Δ •

    θϩτϥετΛಋೖͯ͠ղܾ͠·͠ΐ͏͸๫࿦

41. ϑΝΠφϯεʹ΋໨Λ޲͚Δ

42. It costs a lot of money to do anything. •

    ࠓ·Ͱ΍͍ͬͯͳ͔ͬͨ͜ͱΛ΍ΔͷͰɺجຊతʹ͸ίετ૿ • ͍ͭͷλΠϛϯάͰɺͲͷఔ౓ͷΩϟογϡΞ΢τ͕ੜ͡Δ ͷ͔͸ɺܦӦऀͷॏେͳؔ৺ࣄʢΩϟογϡϑϩʔͱ૬ஊʣ • ࡞੒ͨ͠ϩʔυϚοϓΛجʹɺ͓͕ۚඞཁͳ࣌ظΛఏࣔ͢Δ • ෆཁʹͳΔػث΍ઃඋɺϥΠηϯε͕͋Ε͹ɺ৫ΓࠐΉ

43. εςʔΫϗϧμʔΛר͖ࠐΉ

44. Are you trying to do this with just a few

    people? • ܦӦऀΛ͸͡Ίɺܦཧɺ๏຿ɺਓࣄɺࣄۀ෦໳ͱؔΘΒͳ͍ͱਐΜͰ͍͔ͳ͍ • ܦӦऀɿτοϓϚωδϝϯτɺඞཁͳࢿݯͷׂΓ౰ͯ • ܦཧɿϑΝΠφϯεपΓɺطଘγεςϜͷࢧ෷͍पΓ • ๏຿ɿࣄۀಛੑʹର͢Δ๏తͳ໘ͰͷϑΥϩʔ • ਓࣄɿIDιʔεͱͷ੔߹ • ࣄۀ෦໳ɿϢʔεέʔεɺ࢖͍উखɺۀ຿ޮ཰ͷϑΟʔυόοΫͷๅݿ

45. ৘γε΍ηΩϡϦςΟ෦໳͚ͩͰ ਐΊΑ͏ͱ͍ͯ͠·ͤΜ͔ʁ

46. ୭͕Ͳ͏޾ͤʹͳΔͷ͔ ܞΘΔ୲౰ऀͷςϯγϣϯ͕ ΞΨΔ࿩ʹ͠ͳ͍ͱଓ͔ͳ͍

47. ৘γε΍ηΩϡϦςΟ෦໳͕ ෦԰ʹด͜͡΋ͬͯ࢓ࣄ͢Δ࣌୅͸ ͱͬ͘ʹऴΘͬͯΔ

48. Today's topic • είʔϓͷ࿩ • ϑΝϯμϝϯλϧͳ࿩ • θϩτϥετಋೖࢧԉͱͯ͠΍͍ͬͯ͘ϑΣʔζྫͷ࿩

49. general fl ow

50. How long does 
 it take?

51. What will you 
 be able to do?

52. To apply 
 a popular phrase.

53. ͱɺ·͊શମΛ၆ᛌͯ͠ ਐΊ͍ͯ͘ͱ͍͏͜ͱͰ͢

54. Α͋͘ΔΞϯνύλʔϯ

55. anti-pattern • ෦෼తͳཁૉ͚ͩͰ΍Ζ͏ͱ͢Δ͜ͱ • ೝূͱσόΠε੍ޚ͚ͩείʔϓΛߜͬͯ΍Γ͍ͨͰ͢ • ͜ͷ੡඼ͰͰ͖Δͱ͜Ζ͚ͩ΍Γ·͢

56. AsIsͷώΞϦϯά΍σβΠϯ͔Β είʔϓ֎ͷ͜ͱ͕ൈ͚མͪΔ

57. The ones that fall out • ۀ຿ͰAndroid͔ͭͬͯΔΜ͚ͩͲྑ͔ͬͨΜ͚ͩͬʁ • ͳ่͠͠Ͱࢲ෺୺຤࢖͑ͪΌͬͯΔΜͩΑͳʔ •

    ࣮͸VPNͱͷ৯͍߹Θ͕ͤѱ͍ΜͩΑͶ • ͜ͷ୺຤Ͱ͜ͷۀ຿Λ΍ͬͪΌͬͯྑ͔ͬͨΜ͚ͩͬʁ • ੍ޚϙΠϯτʹ࿙Ε͕͋ͬͨʢζϨͯͨʣɻɻɻ׼

58. ෦෼తʹਐΊΑ͏ͱ͢ΔఏҊΛड͚ೖΕΔͳΒ 
 શମͷσβΠϯΛࣗ෼ͰҾ͍ͯ ੔߹ੑΛϋϯυϦϯά͢Δ͜ͱ

59. analysis of current situation

60. What we are doing in our analysis of the current

    situation • ϦεΫ෼ੳ݁ՌͱϦεΫରԠํ਑ͷ֬ೝ • ΍Γ͍ͨ͜ͱɺͳΓ͍ͨ࢟ͷώΞϦϯά • खஈ͕໨తʹͳͬͯͳ͍͔ͷνΣοΫɺͳͥͳΒ͹ͷਂ۷Γ • ۀ຿ʹؔΘΔεςʔΫϗϧμʔͷ֬ೝ • ۀ຿ҕୗ΍ΞϧόΠτͳͲ

61. What we are doing in our analysis of the current

    situation • ݱࡏͷγεςϜߏ੒ͱͦͷߏ੒ʹࢸͬͨഎܠͷ֬ೝ • IDج൫΍σόΠε͸ԿΛ࢖ͬͯΔͷʁ • ࣄ຿ॴ΍૔ݿɺ޻৔ͳͲɺͲ͜ͰͲΜͳۀ຿΍ͬͯΔͷʁ • ͲΜͳΩοςΟϯάͯ͠Δʁڞ༗IDͱ͔࢖ͬͯΔʁ • ωοτϫʔΫߏ੒͸ʁ

62. What we are doing in our analysis of the current

    situation • ۀ຿γεςϜ΍SaaSϥΠηϯεͷ໨࿥ • ͍ͭߪೖͯ͠ɺอकඅͲΕ͘Β͍ʁ • Կͷ໾ׂΛՌ͍ͨͯ͠Δ΋ͷͳͷʁ • ͲΕ͘Β͍ؾʹೖͬͯΔʁ • SSOՄ൱΋Θ͔Δͱͳ͓ྑ͠

63. What we are doing in our analysis of the current

    situation • ݱࡏͷηΩϡϦςΟϙϦγʔͷ಺༰֬ೝ • ఆΊΒΕ͍ͯΔ಺༰͸ɺͲͷΑ͏ʹ࣮૷ɾӡ༻͍ͯ͠Δʁ • ४ڌ͢΂͖ϨΪϡϨʔγϣϯ΍نఆͷ֬ೝ • σβΠϯʹର͢Δ४ڌੑ͸୭͕ͲͷΑ͏ʹߦ͏ͷ͔੔ཧ

64. What we are doing in our analysis of the current

    situation • σʔλͷྲྀ௨ܦ࿏ͷ֬ೝ • ૊৫ͱͯ͠Ͳͷఔ౓ॏཁͳ৘ใ͕ɺͲ͜ʹ഑ஔ͞Ε͓ͯΓɺ ͩΕ͕ɺͲͷσόΠεΛ༻͍ͯɺͲͷΑ͏ͳܦ࿏ͰΞΫηε ͢Δ͔ • ISMS27002Ͱ੔ཧ͞ΕΔσʔλͷ໨࿥Λ֦ு͢Δͷ͕ 
 ൺֱతϦʔζφϒϧ

65. Formulate overall design

66. άϥϯυσβΠϯͬͯ ͜͏͍͏ֆΛඳ͚͹͑͑Μ΍Ζʁ

67. Is this what the overall design is about?

68. ͜Ε͸ɺͨͩͷֆͰ͢

69. What should be included in the overall design • ϦεΫ΍՝୊ɺ΍Γ͍ͨ͜ͱɾͳΓ͍ͨ࢟

    • AsIsߏ੒ɺToBeߏ੒ɺCanBeߏ੒ • σβΠϯίϯηϓτͱ֤ίϯϙʔωϯτͰߦ͏͜ͱ΍੍ޚͷ֓ཁ • ՝୊౳ͱͷϚοϐϯά

70. What should be included in the overall design • ਐΊΔ্Ͱͷཹҙ఺

    • MDM৐Γ׵͑΍ϢʔβʔӨڹɺηΩϡϦςΟػߏͷ੾Γସ͑ • ϩʔυϚοϓʢ࣮૷ॱংʣͱεέδϡʔϧ • ߪೖϥΠηϯεҰཡʢֹؚۚΉʣ • ഇغ͢ΔγεςϜͱഇغ࣌ظ

71. ͳΔ΄Ͳ Θ͔ΒΜ

72. What should be included in the overall design

73. What should be included in the overall design

74. ཁ͸ ٕज़ͷԡ͠ചΓʹͳͬͯ·ͤΜ͔ʁ ͱ͍͏͜ͱ

75. CanBeߏ੒ͬͯʁ

76. A practical landing place for the time being • Ұ଍ඈͼʹToBeߏ੒ʹ͍͚ͳ͍͜ͱ͸ଟʑ͋Δ

    • ௕͗͢Δεέδϡʔϧ͸ɺਫ਼౓͕ஶ͘͠མͪΔ • ΍ͬͯΈͯɺ͜͏ͩͬͨɾ͜Μͳ͸ͣ͡Ό͸ɺΑ͋͘Δ͜ͱ • ΍Γ͍ͨ͜ͱɾͳΓ͍ͨ࢟ʹରͯ͠ɺ௚ۙͰͨͲΓண͖͍ͨঢ়ଶΛ ࣮ݱͰ͖Δߏ੒ΛCanBeߏ੒ͱݺΜͰ·͢

77. identity control

78. Why should we have ID control? • ໨త • ՄೳͳݶΓɺҰҙͷIDͰγεςϜར༻Ͱ͖ΔΑ͏ɺIDΛҰݩ؅ཧ͢Δ

    • ೝূͱೝՄΛҰݩతʹߦ͑ΔΑ͏ʹ͢Δ • ͳͥͳΒ͹ • ୭͕͍ͭԿΛͨ͠ͱ͍͏ϩάʹҙຯΛ࣋ͨͤΔ(൱ೝ๷ࢭ) • ۀ຿ར༻SaaSͷϢʔβʔ؅ཧΛݸผʹߦΘͳ͍ঢ়گΛ࡞Γɺୀ৬ऀ΍෦֎ऀͷΞΫηεΛ๷͙

79. What to do as an identity control ? • ৴པͰ͖ΔIDιʔεͷ֬ೝʢਓࣄDB΍Active

    DirectoryͳͲʣ • ڞ༗IDͷચ͍ग़͠ͱ؇࿨ાஔ • IDιʔε͔ΒIdP΁ͷܨ͗ࠐΈ • SaaSαʔϏε΁ͷSSOઃఆɺϢʔβʔ/άϧʔϓ(σ)ϓϩϏδϣχϯά • ෇ਵͯ͠SaaSଆͷೝՄઃܭ

80. What to do as an identity control ? • SSO͕Ͱ͖ͳ͍αʔϏεʹରͯ͠ͷ؇࿨ાஔ

    • ID΍άϧʔϓϝϯόʔγοϓͷ୨Է͠ͷ࢓૊Έͮ͘Γ • ۀ຿ʹؔΘΔ֎෦εςʔΫϗϧμʔͷID؅ཧͷ࢓૊Έͮ͘Γ • ৔߹ʹΑͬͯ͸ɺෳ਺ͷIdPΛ࢖͍෼͚Δ͜ͱ΋͋Δ

81. device control

82. Why should we have device control? • ໨త • ۀ຿Ͱ࢖͏σόΠεΛಛఆ͠ɺඞཁͳ੍ޚΛ഑৴Ͱ͖Δঢ়ଶΛอূ

    ͢Δ • ͳͥͳΒ͹ • ηΩϡϦςΟ͸࠷΋௿͍ਫ४ʹ߹ͬͯ͠·͏ͨΊɺඞཁͱఆΊͨ 
 ηΩϡϦςΟઃఆ΍ΞϓϦέʔγϣϯΛ࣮֬ʹ഑৴͢Δඞཁ͕͋Δ

83. What to do as an device control • طଘσόΠεʹର͢ΔMDMͷΤϯϩʔϧϝϯτ •

    ΩοςΟϯάͰ΍͍ͬͯΔ͜ͱ΍ηΩϡϦςΟϙϦγʔʹج੍ͮ͘ ޚ΍ػೳͷ੍ݶͷ഑෍ΛMDMͰ഑෍ • AutoPilot΍DEPΛ༻͍ͯɺ৽نσόΠε΁ͷθϩλονσϓϩΠ • ࢀߟɿhttps://www.youtube.com/watch?v=Z-7W4T-IOFk

84. Content Management

85. Why should we have Content Management? • ໨త • ϑΝΠϧαʔόʔʹ͋ΔσʔλΛΫϥ΢υετϨʔδʹҠߦ͠ɺ

    
 ߴ͍Ϩϕϧͷ؂ࠪੑͱΞΫηείϯτϩʔϧɺ଱ো֐ੑɺརศੑΛڗड͢Δ • ϢʔεέʔεʹΑͬͯ͸ɺΫϥ΢υετϨʔδ͕ϑΟοτ͠ͳ͍৔߹͋Γ • ͳͥͳΒ͹ • ڥք಺ͰकΔ΂͖΋ͷΛݮ͡ɺ৘γεͷӡ༻؅ཧෛ୲Λݮ͡Δ͜ͱ͕Ͱ͖Δ

86. What to do as a Content Management? • ϑΥϧμߏ଄ઃܭɺΞΫηεݖઃܭ •

    άϧʔϓϓϩϏδϣχϯάͱ࿈ಈ • Ϣʔεέʔεʹ߹Θͤͨςφϯτઃఆௐ੔ • Ϣʔεέʔε্ɺ޷·͘͠ͳ͍ಈ࡞ͷ੍ݶઃఆ • ֎෦ڞ༗ํࣜͱͷ੔߹

87. What to do as a Content Management? • σʔλҠߦ •

    ҠߦݩɾҠߦઌͷϚοϐϯά • πʔϧͷ࢖༻Λਪ঑ʢσʔλҠߦ͸ϊ΢ϋ΢Λཁ͢Δʣ • ϝʔϧఴ෇ϑΝΠϧͷΫϥ΢υετϨʔδอ؅ • Ϣʔβʔप஌ࢿྉ࡞੒ɺτϨʔχϯά΍ϫʔΫγϣοϓͷ։࠵

88. Endpoint Protection

89. Why should we have Endpoint Protection? • ໨త • Ξϯν΢ΟϧεͰରԠͰ͖ͳ͍ΤϯυϙΠϯτͷڴҖΛݕग़

    ͠ɺରԠ͢Δ • ͳͥͳΒ͹ • ߴ౓Խ͢Δ߈ܸ͸ɺϚϧ΢ΣΞͰݕग़͢Δ͜ͱ͸ࠔ೉Ͱ͋Γɺ ΠϯςϦδΣϯεΛ׆༻͢Δඞཁ͕͋Δ͔Β

90. What to do as a Endpoint Protection? • ςφϯτઃఆ •

    ར༻͢Δػೳɺར༻͠ͳ͍ػೳͷܾఆɺϩʔϧઃܭ • ॳظల։ • ΦϯϘʔυखॱͷཱ֬ɺ࠷௿ݶͷػೳಈ࡞֬ೝɾಈ࡞Өڹ֬ೝ • طଘΞϯνϚϧ΢ΣΞ੡඼ͷೖΕସ͑ํࣜͷݕ౼

91. What to do as a Endpoint Protection? • ύΠϩοτల։ •

    ֤෦໳͔ΒύΠϩοτϢʔβʔΛืͬͯɺEDRΛಋೖ • ۀ຿Өڹ֬ೝͱνϡʔχϯά • ΞϥʔτରԠͷशख़ͱରԠϑϩʔͷཱ֬ • ࣗࣾͰͷରԠ͕೉͍͠෦෼ͷ֬ೝ

92. What to do as a Endpoint Protection? • SOCࣄۀऀબఆʢΦϓγϣϯʣ •

    ࣗࣾͰରԠ͕೉͍͠෦෼ʹ͍ͭͯɺରԠͯ͠΋Β͑ΔSOCࣄۀऀΛ୳͢ • ӡ༻͸ɺSOCࣄۀऀͰ׬݁͸͠ͳ͍͜ͱʹ஫ҙ • SOCࣄۀऀτϥΠΞϧӡ༻ʢΦϓγϣϯʣ • ࣮ࡍʹͲͷϨϕϧͰରԠΛͯ͘͠ΕΔ͔ɺͲͷΑ͏ͳ΍ΓͱΓ͕ੜ͡Δ͔

93. What to do as a Endpoint Protection? • ੬ऑੑରԠʢ੡඼ʹΑΔʣ •

    ૊৫಺ͷ੬ऑੑΛಛఆ͠ɺରԠΛཁ͢Δ΋ͷΛ൑அ͢Δ • OSઃఆ΍ΞϓϦέʔγϣϯόʔδϣϯʹجͮ͘੬ऑੑ͕ର৅ • ରԠ͸σόΠε੍ޚͷج൫Λར༻͢Δ

94. Shadow IT 
 Countermeasures

95. Why should we have Shadow IT 
 Countermeasures? • ໨త

    • ۀ຿Ͱར༻͍ͯ͠ΔSaaSαʔϏεར༻ͷՄࢹԽͱ੍ޚ • ѱੑίϯςϯπ΁ͷΞΫηε੍ݶ • ͳͥͳΒ͹ • Web௨৴͸ɺσʔλྲྀ௨ͷॏཁͳΩʔϙΠϯτ

96. What to do as a Shadow IT Countermeasures? • ҠߦઃܭɺઃఆͷҠߦ

    • ڥք๷ޚ΍طଘͷηΩϡϦςΟػߏ͕ߦ͍ͬͯΔ੍ޚͷચ͍ग़͠ͱɺ CASB/SWG੡඼΁ͷམͱ͠ࠐΈ • σόΠε౷੍ج൫Λ༻͍ͯɺAgentల։ • େ͖͘͸AgentܕɺAPIܕɺProxyܕͱ͋Δ͕ɺΧόʔൣғͱωοτϫʔΫ τϙϩδͷࣗ༝౓Λߟྀ͢ΔͱAgentܕ͕ϑΝʔετνϣΠε

97. What to do as a Shadow IT Countermeasures? • νϡʔχϯά

    • ςφϯτࣝผొ࿥ • SSL෮߸ʹΑΔӨڹΛड͚ΔSaaSɺWebαʔϏεʹ͍ͭͯɺআ֎ઃఆͳͲ ͷ࣮ࢪ • Ҡߦઃఆͷ౤ೖ • ΧςΰϦϑΟϧλϦϯάɺෆ৹ͳυϝΠϯ΁ͷ઀ଓ੍ݶઃఆͳͲ

98. What to do as a Shadow IT Countermeasures? • ՄࢹԽ಺༰ͷ֬ೝ

    • SaaSαʔϏεͷར༻ঢ়گ͔ΒɺରԠํ਑Λݕ౼ • ར༻෦໳ͱͷௐ੔΍͢Γ߹Θͤ • ՄࢹԽ݁Ռʹج੍ͮ͘ޚઃఆ

99. What to do as a Shadow IT Countermeasures? • DLP

    • ૊৫Ͱอޢ͢΂͖σʔλΛਖ਼نදݱͰఆٛͰ͖Δ͔͕ΧΪ • ϑϦʔϋϯυͰߦ͏ʹ͸೉౓͕ߴ͗͢Δʢݸਓ৘ใͱ͔ʣ • ࣄۀಛੑͱσʔλͷྲྀ௨ܦ࿏Λे෼ʹ뱌Ͱ͖Ε͹ɺൺֱతγϯ ϓϧʹ࢖͏͜ͱ͸Մೳʢࣙॻɺ֦ுࢠɺϑΝΠϧαΠζͳͲʣ

100. Breaking away 
 from VPN

101. Why are you breaking away from VPNs? • ໨త •

     ݸʑͷࣾ಺ΞϓϦέʔγϣϯ΍ΦϯϓϨϛεγεςϜʹରͯ͠ɺ 
 ೝূʹجͮ͘ΞΫηείϯτϩʔϧΛఏڙ͢Δ • ͳͥͳΒ͹ • VPN͸ɺωοτϫʔΫ΁ͷΞΫηεڐՄʹରͯ͠ɺIAP͸ΞϓϦ έʔγϣϯʹରͯ͠ɺϢʔβʔ͝ͱͷ઀ଓڐՄΛఏڙ͢Δ

102. What does getting out of a VPN do? • ઀ଓର৅γεςϜʢ㲈VPNʹґଘ͍ͯ͠ΔγεςϜʣͷચ͍ग़͠

     • ϙʔτɺIPΞυϨεɺFQDNɺґଘ͢ΔDNSΛ֬ೝ • ࣾ಺γεςϜͷૄ௨Մೳͳ৔ॴʹίωΫλΛ഑ஔ͢Δ • ର৅γεςϜ΁ͷ઀ଓݕূ • ཪͰΞΫηε͍ͯ͠ΔURLͳͲͷ͋ͿΓग़͠

103. What does getting out of a VPN do? • ϩʔϧઃܭ

     • ϩʔϧ͝ͱʹར༻͢ΔΞϓϦέʔγϣϯηοτΛఆٛ • ϓϩϏδϣχϯάͨ͠άϧʔϓʹجͮ͘ • ίωΫλνϡʔχϯά • εϧʔϓοτ΍Մ༻ੑͷௐ੔͕ඞཁͰ͋Ε͹

104. What does getting out of a VPN do? • VPNଘஔͷγφϦΦʹ͍ͭͯͷݕ౼ʢΦϓγϣϯʣ

     • ߴ͍Մ༻ੑΛཁ͢ΔαʔϏε͕͋Ε͹ɺόοΫΞοϓճઢͱ͠ ͯVPNΛଘஔ͢Δ͜ͱ΋ΞϦ • අ༻΍ΩοςΟϯάɺӡ༻ෛՙͷ௿ݮʹ͸ͳΒͳ͍ͷͰɺ 
 ϦεΫϚωδϝϯτͱͯ͠ͷ൑அ͕ඞཁ

105. log management

106. Why do you do log management? • ໨త • ֤SaaS΍ηΩϡϦςΟ੡඼ʹࢄΒ͹Δϩά΍ΞϥʔτΛू໿

     ͠ɺγεςϜΞϥʔτΛ၆ᛌ͢Δ͜ͱͰରԠ͢΂͖Πϯγσϯτ ΛݟۃΊΔ • ͳͥͳΒ͹ • ֤੡඼ͷϩάͷ૬ޓ֬ೝͷखؒΛݮΒ͠ɺରԠͷࣗಈԽʹܨ͛Δ

107. What does log management do? • ετʔϦʔͷཱ֬ • ͩΕ͕ɺ୭ʹରͯ͠ɺͲͷΑ͏ͳ͜ͱΛઆ໌Ͱ͖ͨΒউͪͰ͋Δ͔ •

     ऩूର৅ϩάͷબผ • ετʔϦʔʹؔΘΔϩά΍ॏཁσʔλΛϗετ͢ΔαʔϏεɺ͓ΑͼϦεΫΞη εϝϯτͷ݁Ռɺൃݟత౷੍ʢϩάʹΑΔݕग़ʣ͕ରԠࡦͱͯ͠ڍ͛ΒΕͨγε ςϜ͕ର৅ • ͳΜͰ΋ू໿͸ɺΞϯνύλʔϯ

108. What does log management do? • อଘظؒͷܾఆʢن੍΍๏ྩʹجͮ͘ʣ • ϩάऩूج൫ͷબఆͱܾఆ •

     ϩάऩूର৅ͱͷܨ͗ࠐΈ͕༰қͳ੡඼͕͋Δ͔ • ϑΝʔετνϣΠε͸ɺΫϥ΢υܕSIEM • Ͱ͖Ε͹ɺεϞʔϧελʔτՄೳͳ੡඼Λબఆ

109. What does log management do? • ֤αʔϏεͱSIEMͱͷܨ͗ࠐΈ • ஍ຯͰҰ൪ॏ͍ɻ҆қʹ࡞ΓࠐΈʹ૸Δͷ͸ې෺ •

     ϩʔϧઃܭ • ϩά͸୭ʹͰ΋ݟΒΕͯྑ͍΋ͷͰ͸ͳ͍

110. What does log management do? • ݕग़ϩδοΫͷ࡞੒ • ετʔϦʔ΍ϦεΫΞηεϝϯτͷ݁Ռʹجͮ͘࡞ΓࠐΈ •

     ࣗಈରԠ͸ɺઌͣ͸௨஌͔Β • ରԠΛ͍ͯ͘͠தͰɺ͓ܾ·ΓͷରԠ಺༰ΛࣗಈԽ͍ͯ͘͠ • ΤϯϦονϝϯτɺ௥ՃௐࠪͳͲ

111. What does log management do? • ՄࢹԽςϯϓϨʔτͷ࡞੒ • ετʔϦʔ΍ϦεΫΞηεϝϯτͷ݁Ռʹجͮ͘࡞ΓࠐΈ •

     ؂ࢹઃఆ • ՝ۚঢ়گɺϩάྲྀೖঢ়گɺΫΤϦʔ࣮ߦঢ়گ…etc

112. ͱɺ·͊ ʮθϩτϥετಋೖࢧԉʯ͸ ͜Μͳײ͡ͰਐΊ͍ͯ͘༁Ͱ͢

113. conclusion • ΍Γ͍ͨ͜ͱɾͳΓ͍ͨ࢟ΛجʹɺʮͳͥͳΒ͹ʯΛ໌֬ʹͯ͠ɺ ৘ใγεςϜͷσβΠϯʹθϩτϥετͷཁૉΛ৫ΓࠐΜͰ͍͘ • ࣮૷ʹ͋ͨͬͯ͸ઐ໳஌͕ࣝඞཁ͕ͩɺࣗ෼ͰखΛಈ͔ͯ͠ɺܦݧ ͱϑΟʔυόοΫʹج͍ͮͯίϯτϩʔϧ͍ͯ͘͠Α͏ʹ͠ͳ͍ ͱɺखʹෛ͑ͳ͍୅෺ʹͳΔ • ಛผͳ͜ͱ͕ͳ͚Ε͹ɺID౷੍ˠσόΠε౷੍͔Β࢝ΊΔ

114. ͓ͳ͔͍ͬͺ͍Ͱ͔͢ʁ

115. One more things

116. θϩτϥετಋೖͷ޲͜͏ଆ

117. ബʑצ͍͍ͮͯΔͱࢥ͍·͕͢ ͋Γͱ͋ΒΏΔ৘ใ͕ू·͖ͬͯ·͢

118. Things that have gathered when you notice them • ୺຤ͷΠϯϕϯτϦ৘ใʢ୭ͷεϚϗʹͲͷΞϓϦ͕ೖͬͯΔʁʣ

     • WebӾཡ৘ใʢ୭͕͍ͭͲΜͳαΠτʹΞΫηεͨ͠ʣ • ςΩετ৘ใʢ୭͕ͲΜͳϫʔυΛ౤ߘ͔ͨ͠ͳʣ • Ґஔ৘ใʢ୭ͷσόΠε͸Ͳ͜ʹ͋Δʁʣ

119. ݸਓ৘ใͬͯ஌ͬͯΔʁ

120. Yes. These are private information • ID౷੍͞Εͨੈք؍Ͱ͸ɺ΄ͱΜͲͷσʔλʢϩάʣʹUPN΍ϝʔϧΞυϨεʹඥ෇͘ • ۀ຿Ͱ࢖༻͢Δ৘ใγεςϜͷϞχλϦϯά͸ɺ৘ใηΩϡϦςΟ΍࿑ಇऀͷ৬຿ઐ೦ٛ຿౳ ͷݟ஍͔Βɺۀ຿্ͷඞཁੑ͕ೝΊΒΕΔ

     • ଞํͰɺࣄۀऀʹͱͬͯࣝผ͞ΕͨIDͱݸਓͱͷর߹͸༰қͰ͋Δ͜ͱ͔Βɺ͜ΕΒͷσʔλ ͸ݸਓࣝผੑΛ༗͠ɺݸਓ৘ใʹ֘౰͢Δ͜ͱ͕ҰൠతͰ͋Δ • ैͬͯɺϞχλϦϯά͸ݸਓ৘ใอޢ๏ͷن੍ର৅Ͱ͋Δͱ͍͑Δ • ϞχλϦϯά͸ɺϓϥΠόγʔ΍ਓ֨ݖͷ৵֐ʹΑΔଛ֐ഛঈ੥ٻૌুͰ૪ΘΕΔ͜ͱ΋͋Δ શ೔ຊ৘ใॲཧֶशৼڵڠձ ൛ ݸਓ৘ใอޢ࢜ೝఆࢼݧ ެೝςΩετୈ2൛ 571ʙ572ทΑΓൈਮʢҰ෦ཁ໿ʣ

121. Yes. These are private information https://www.meti.go.jp/policy/it_policy/privacy/050805_guideline.pdf

122. ཁ͸ ϞχλϦϯάͰಘͨ৘ใ͸ɺ ݸਓ৘ใͱͯ͠ར༻ൣғΛ໌֬ʹͯ͠ ར༻͢Δͱ͍͏͜ͱ

123. ͯ͞ɺੈͷதθϩτϥετͱڣΜͰ͍Δ ϕϯμʔ͕௓ྊ᪎ᬚͯ͠·͕͢

124. ͜ͷ͜ͱʹݴٴ͠ͳ͍ͷ͸ ͳͥͰ͠ΐ͏͔Ͷʁ

125. Έͳ͞Μ΁ͷ॓୊ʹ͓͖ͯ͠·͢˒

126. Thank you !