脅威モデリングで考える Kubernetes セキュリティ / CloudNative Days Tokyo 2021 #CNDT2021 #CNDT2021_B

,PIFJ.PSJUB(.01FQBCP *OD $MPVE/BUJWF%BZT5PLZP ڴҖϞσϦϯάͰߟ͑Δ ,VCFSOFUFTηΩϡϦςΟ

(.01FQBCP *OD4FOJPS&OHJOFFS ,PIFJ.PSJUB!NSUD ηΩϡϦςΟରࡦࣨ CMPHTTSGJO NSUD!TTSGJO

.ZSFDFOU"DUJWJUJFT DPOUBJOFSTFDVSJUZEFW HJUIVCDPNNSUDCPVIFLJ

"HFOEB ڴҖϞσϦϯάͱ͸ طଘͷ,VCFSOFUFTڴҖϞσϦϯά ڴҖϞσϦϯά͔ΒݟΔ,VCFSOFUFTΫϥελͷ"UUBDL4VSGBDFT

,VCFSOFUFT4FDVSJUZJT)BSE ,VCFSOFUFT ίϯςφ ίϯςφΠϝʔδ $*ɾ$%ύΠϓϥΠϯ ιϑτ΢ΣΞ FUD ɾෳࡶͳͷͰʮͲ͜ΛकΔ΂͖͔ʯʮԿ͔ΒकΔ΂͖͔ʯ͕෼͔Γʹ͍͘ɺ೉͘͠ײͯ͡͠·͏ cc ,VCFSOFUFTΫϥελ
ɾίϯςφ͚ͩΛηΩϡΞʹͯ͠΋ɺଞͷͱ͜Ζʹ͕݀͋Ε͹ɺΫϥελΛঠѲ͞Εͯ͠·͏ NJTDPOpHSBUJPO 4VQQMZ$IBJO 7VMOFSBCJMJUJFT FUD

Կ͔ΒकΔ͔ɺԿΛकΔ͔ ɾγεςϜ͕ʮͲͷΑ͏ʹ߈ܸ͞ΕΔ͔ʯΛཧղ͢Δ͜ͱ͸๷ޚͷجຊ Կ͔ΒकΔͷ͔εΫϦϓτΩσΟ ߴ౓ͳ߈ܸ ಺෦൜ߦ ԿΛकΔͷ͔ػີσʔλ αʔόʔ ΞϓϦέʔγϣϯ ɾγεςϜɾΞʔΩςΫνϟͷཧղ ԿΛ͢ΔͨΊͷιϑτ΢ΣΞ
αʔϏε ηΩϡϦςΟཁ݅͸ ͲͷΑ͏ͳػີ৘ใΛѻ͏ ͦͷσʔλ΁ͷΞΫηεํ๏͸ σʔλ͸ͲͷίϯϙʔωϯτͰॲཧ͢Δ

ڴҖϞσϦϯάͱ͸ γεςϜͷજࡏతͳڴҖΛ༧ଌ͢ΔͨΊͷϞσϧΛ࡞੒͢Δϓϩηε γεςϜΛந৅Խͯ͠શମ૾Λ၆ᛌ͢Δ͜ͱͰɺڴҖ ϦεΫͱͳΔཁҼ Λݟ͚ͭΔ ڴҖϞσϦϯά㱩ڴҖ෼ੳͰ͋Γɺຊདྷ͸ڴҖͷநग़ͷΈΛߦ͍·͕͢ɺຊηογϣϯͰ͸ରࡦ౳ʹ͍ͭͯ΋৮Ε·͢ɻ

ڴҖϞσϦϯάͷϑϨʔϜϫʔΫ 453*%& 1"45" 5SJLF 33" ݫີʹ͸33"͸ηΩϡϦςΟͷͨΊͷڴҖ෼ੳΛߦ͏ख๏Ͱ͸͋Γ·ͤΜ͕ɺ.P[JMMB,VCFSOFUFTͰ΋ར༻͞Ε͍ͯΔख๏ͳͷͰࡌ͍ͤͯ·͢ɻ ΋ͪΖΜɺ্هҎ֎ͷख๏΋͋Γ·͢ɻ

453*%& ڴҖ ҙຯ ྫ 4QPPpOH ͳΓ͢·͠ ଞϢʔβʔ΁ͷͳΓ͢·͠ ωοτϫʔΫ্Ͱͷผ୺຤΁ͷͳΓ͢·͠ 5BNQFSJOH վ᜵ɺσʔλͷมߋ
ϑΝΠϧ΍%#ɺωοτϫʔΫܦ࿏ͷվ᜵ 3FQVEJBUJPO ൱ೝɺ߈ܸ͍ͯ͠ͳ͍͜ͱΛओுͰ͖Δɻ ϩάͱͯ͠ه࿥͕࢒Βͳ͍ *OGPSNBUJPO%JTDMPTVSF ެ։͞ΕΔ΂͖Ͱͳ͍৘ใ͕Ӿཡ͞ΕΔ Τϥʔϝοηʔδ΍ϩάʹൿಗ͢΂͖৘ใؚ͕·ΕΔ "$-ͷෆඋ %FOJBMPG4FSWJDF αʔϏε๦֐ɺਖ਼ৗʹαʔϏεΛఏڙͰ͖ͳ͍ɻ ॲཧͷॏ͍ΤϯυϙΠϯτͷଘࡏ େྔͷΞΫηεɺσΟεΫ༰ྔͷѹഭ &MFWBUJPOPG1SJWJMFHF ݖݶঢ֨ɺҙਤͨ͠Ҏ֎ͷݖݶΛऔಘ͞ΕΔɻ ೚ҙͷίʔυΛ࣮ߦͰ͖Δ࢓૊Έͷଘࡏ ೝূɾೝՄͷෆඋ

%'% %BUB'MPX%JBHSBN ڴҖϞσϧର৅ͷίϯϙʔωϯτΛྻڍ͠ɺσʔλͷྲྀΕ΍ͲͷΑ͏ͳσʔλΛѻ͏͔هࡌ͢Δ

%'% %BUB'MPX%JBHSBN ϓϩηεσʔλͷೖग़ྗΛߦ͏΋ͷɻ8FCαʔϏε΍04ϓϩηεͳͲ σʔλετΞӬଓɾҰ࣍هԱྖҬɻΩϟογϡ΍%#ͳͲ ֎෦ΤϯςΟςΟ௚઀੍ޚͰ͖ͳ͍΋ͷɻϢʔβʔɺ֎෦αʔϏεͳͲ σʔλϑϩʔ֎෦ΤϯςΟςΟɺϓϩηεɺσʔλετΞؒͷσʔλͷྲྀΕ ৴པڥքԿ͔Λ੍ޚ͢Δͱ͜ΖʹҾ͘ڥքઢɻωοτϫʔΫɺϗετɺ૊৫ ڥքઢΛ௒͑Δ߈ܸʹࡽ͞ΕΔՄೳੑ͕ߴ͍ͱ͜Ζ

%'% %BUB'MPX%JBHSBN $/$''JOBODJBM6TFS(SPVQ 453*%& IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

ڴҖͷಛఆ ڴҖͷಛఆΛ؆୯ʹ͢ΔͨΊʹ453*%&7BSJBOUT͕͋Δ 453*%&QFS&MFNFOU %'%ͷ͢΂ͯͷཁૉʹରͯ͠ɺ9ͷνΣοΫϚʔΫ͕͋Δ 453*%&ͷڴҖΛಋग़͢Δ 453*%&QFS*OUFSBDUJPO ৴པڥքͱަࠩ͢Δσʔλϑϩʔʹண໨͠ɺڴҖΛಋग़͢Δ γεςϜͷن໛΍ෳࡶ౓ʹΑͬͯ1SPT$POT͋Δ

"UUBDL5SFF ൃݟͨ͠ڴҖʹ͍ͭͯɺ۩ମతͳ߈ܸख๏Λྻڍ͢Δ FHผͷϢʔβʔʹͳΓ͢·͠Ͱ͖ΔڴҖ 4QPPpOH FHผͷϢʔβʔʹͳΓ͢·͠Ͱ͖ΔڴҖ 4QPPpOH ͳΓ͢·͢ख๏ͱͯ͠ʮෆਖ਼ϩάΠϯʯʮ౪ௌʯ͕ߟ͑ΒΕΔ ʮෆਖ਼ϩάΠϯʯΛ໨తͱͨ͠৔߹ɺͦͷख๏ͱͯ͠ ʮ૯౰Γ߈ܸʯʮϦετܕ߈ܸʯ͕ߟ͑ΒΕΔ ໨తͱखஈΛ໦ߏ଄Ͱදݱ͍ͯ͘͜͠ͱͰɺ
߈ܸύλʔϯΛ၆ᛌͰ͖ɺ ߈ܸ͕Ͱ͖ͳ͘ͳΔ৚݅Λಋग़Ͱ͖Δ

"UUBDL5SFF "UUBDL5SFFͷ࡞੒ʹ͸߈ܸख๏ʹؔ͢Δ஌͕ࣝඞཁͱ͞ΕΔ ˠ࡞੒ऀͷ஌ࣝ΍ܦݧʹґଘͯ͠͠·͏ "UUBDL-JCSBSZͳͲɺ߈ܸύλʔϯΛ஝ੵͨ͠ϥΠϒϥϦΛࢀߟʹ͢Δ $"1&$IUUQTDBQFDNJUSFPSH "55$,IUUQTBUUBDLNJUFSPSH IUUQTBUUBDLNJUSFPSHNBUSJDFTFOUFSQSJTFDPOUBJOFST IUUQTXXXNJDSPTPGUDPNTFDVSJUZCMPHTFDVSFDPOUBJOFSJ[FEFOWJSPONFOUTXJUIVQEBUFEUISFBUNBUSJYGPSLVCFSOFUFT ίϯςφ,VCFSOFUFTͷ"55$,΋ଘࡏ͢Δ

ϦεΫ΁ͷରԠ ରࡦͷ༏ઌ౓Λߦ͏ͨΊʹϦεΫධՁΛߦ͏ $744IUUQTXXXJQBHPKQTFDVSJUZWVMO$744IUNM %3&"%IUUQTFOXJLJQFEJBPSHXJLJ%3&"%@ SJTL@BTTFTTNFOU@NPEFM .JUJHBUJPO؇࿨ࡦɺѱ༻Λࠔ೉ʹ͢Δ &MJNJOBUJOHػೳΛഉআ͢Δ 5SBOTGFSSJOHผͷԿ͔ʹϦεΫΛ೚ͤΔFHೝূΛ֎෦αʔϏεʹ೚ͤΔ "DDFQUJOHϦεΫΛड͚ೖΕΔ ࠜຊతͳղܾࡦ͕ଘࡏ͠ͳ͍έʔε΋͋Δ

طଘͷ,VCFSOFUFTڴҖϞσϦϯά

,VCFSOFUFTͷڴҖϞσϦϯά w 4FDVSJUZ"VEJU8( 5SBJMPG#JUT 33" IUUQTHJUIVCDPNLVCFSOFUFTDPNNVOJUZUSFFNBTUFSTJHTFDVSJUZTFDVSJUZBVEJUpOEJOHT

3BQJE3JTL"TTFTTNFOU 33" w αʔϏεʹؔ͢Δ࣭໰ w ࢓૊ΈɺίϯϙʔωϯτϦετɺϓϩτίϧɺσʔλͷอଘՕॴ΍อଘͷํ๏ͳͲ w $POUSPM'BNJMJFT γεςϜͷػີੑɺ׬શੑɺՄ༻ੑΛอޢ͢ΔͨΊͷٕज़తͳཁૉʹ͍ͭͯ w
"VUIPSJ[BUJPO "VUIFOUJDBUJPO 4FDSFUT.BOBHFNFOU /FUXPSLJOH FUD w ίϯϙʔωϯτ͝ͱʹ$POUSPM'BNJMJFTͷධՁ w ۩ମతͳ߈ܸͷγφϦΦྻڍͱਂࠁ౓౳ͷධՁɺ୹ظతɾ௕ظతͳରࡦ w .P[JMMBͷ33"ςϯϓϨʔτΛΧελϚΠζ͍ͯ͠Δ IUUQTJOGPTFDNP[JMMBPSHHVJEFMJOFTSJTLSBQJE@SJTL@BTTFTTNFOUIUNM

$POUSPM'BNJMJFT LVCFMFU ೝূͳ͠Ͱ઀ଓͰ͖ΔαʔϏε͕͋Γɺ ͜ͷϙʔτʹΞΫηεͰ͖Δ߈ܸऀʹ 1PETQFDͳͲͷ৘ใ͕࿙Ӯ͢Δ

'JOEJOHT LVCFMFU ߈ܸʹ͍ͭͯͷධՁ ɾ߈ܸऀ͸৵ೖࡁΈ͔ɺ಺෦Ϣʔβʔ͕લఏ ɾϫʔΫϩʔυͷ৘ใ΍Ұ෦ͷΫϨσϯγϟϧ͕ ࿙Ӯ͢ΔՄೳੑ ରࡦʹ͍ͭͯ ɾϙʔτ͸σϑΥϧτͰด͡ΔΑ͏ʹมߋ ɾϙʔτ͸N5-4ʹΑͬͯอޢ

,VCFSOFUFTͷڴҖϞσϦϯά w $/$''JOBODJBM6TFS(SPVQ 453*%& IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

"UUBDL7FDUPST IUUQTHJUIVCDPNDODGpOBODJBMVTFSHSPVQUSFFNBTUFSQSPKFDUTLTUISFBUNPEFM

(JU-BC,VCFSOFUFT"HFOU w (JU-BC,VCFSOFUFT"HFOU IUUQTBCPVUHJUMBCDPNCMPHUISFBUNPEFMJOHLVCFSOFUFTBHFOU IUUQTBCPVUHJUMBCDPNIBOECPPLTFDVSJUZUISFBU@NPEFMJOHIPXUPIUNM ,VCFSOFUFTࣗମͷڴҖϞσϦϯάͰ͸͋Γ·ͤΜ͕ɺ ,VCFSOFUFTͱΠϯςάϨʔγϣϯ͢Διϑτ΢ΣΞͷࣄྫͳͷͰɺڍ͍͛ͯ·͢

ՍۭͷΫϥελΛڴҖϞσϦϯά͢Δ

ՍۭͷΫϥελͷ%'% ؆୯ͷͨΊʹҰ෦লུ͍ͯ͠·͢

453*%&QFS*OUFSBDUJPO ߈ܸऀͱϓϩηεؒͷσʔλϑϩʔʹݶఆ͍ͯ͠·͢ 453*%&ͷநग़΋Ұ෦ͷΈͰ͢

"55$, &YQPTFE%BTICPBSE "SHP$% "SHP8PSLMPBE (SBGBOB ,VCFSOFUFT%BTICPBSE IUUQTB[VSFNJDSPTPGUDPNFOVTCMPHEFUFDUMBSHFTDBMFDSZQUPDVSSFODZNJOJOHBUUBDLBHBJOTULVCFSOFUFTDMVTUFST IUUQTXXXJOUF[FSDPNCMPHDPOUBJOFSTFDVSJUZOFXBUUBDLTPOLVCFSOFUFTWJBNJTDPOpHVSFEBSHPXPSLqPXT ࣄྫ

"55$, $MPVE$SFEFOUJBMT,VCFDPOpH ΤϯυϙΠϯτ୺຤ͷอޢ΋ඞཁ

"UUBDL5SFF "UUBDL5SFFʹͯ͠۩ମతͳ ߈ܸख๏Λྻڍ͢Δ

4VNNBSZ ڴҖϞσϦϯάɾڴҖ෼ੳͰજࡏతͳϦεΫΛચ͍ग़͢͜ͱ͕Ͱ͖Δ γεςϜɾσʔλΛอޢ͢Δʹ͸ɺͲ͜ΛकΕ͹Α͍͔͕ݟ͑ͯ͘Δ ΋ͪΖΜສೳͰ͸ͳ͍͠ɺͦΕΛߦ͏ͨΊͷτϨʔχϯά΋ඞཁ ,VCFSOFUFT΍ίϯςφͷ"55$,Λࢀরͯ͠۩ମతͳ߈ܸख๏Λ஌Δ Ϋϥελ߈ུͷͨΊʹԿΛ଍͕͔Γʹ͢Δͷ͔ɺ߈ܸΛӬଓԽ͢ΔͨΊʹԿΛ࢓ֻ͚Δͷ͔ ˠࣗ෼ͨͪͷ࡞ٕͬͨज़ج൫΍ιϑτ΢ΣΞͷ"55$,ͷ࡞੒ͯ͠׆༻͢Δ ݟ͔ͭͬͨڴҖΛνΣοΫϦετԽͯ͠αʔϏε։ൃʹ׆͔͢

脅威モデリングで考える Kubernetes セキュリティ / CloudNative Day...

脅威モデリングで考える Kubernetes セキュリティ / CloudNative Days Tokyo 2021 #CNDT2021 #CNDT2021_B

mrtc0

More Decks by mrtc0

Other Decks in Programming

Featured

Transcript