{"id":319,"date":"2023-11-26T14:25:59","date_gmt":"2023-11-26T05:25:59","guid":{"rendered":"https:\/\/yokohama-infosec-consulting-service.net\/?p=319"},"modified":"2023-11-27T01:17:05","modified_gmt":"2023-11-26T16:17:05","slug":"%e3%82%bc%e3%83%ad%e3%83%88%e3%83%a9%e3%82%b9%e3%83%88%e3%81%ae%e8%80%83%e3%81%88%e6%96%b9","status":"publish","type":"post","link":"https:\/\/yokohama-infosec-consulting-service.net\/?p=319","title":{"rendered":"\u30bc\u30ed\u30c8\u30e9\u30b9\u30c8\u306e\u8003\u3048\u65b9"},"content":{"rendered":"\n

\u300c\u3053\u308c\u304b\u3089\u306f\u57ce\u306e\u5168\u3066\u306e\u90e8\u5c4b\u306b\u30c9\u30a2\u3092\u4f5c\u308a\u3001\u9375\u3092\u304b\u3051\u3001\u3069\u3093\u306a\u4eba\u304c\u30ce\u30c3\u30af\u3057\u3066\u3082\u3001\u9854\u3092\u898b\u3066\u3001\u958b\u3051\u308b\u304b\u3069\u3046\u304b\u30ea\u30b9\u30c8\u3092\u898b\u3066\u6bce\u56de\u8003\u3048\u307e\u3059\u300d
\u300c\u57ce\u306b\u5165\u308b\u3068\u304d\u306b\u53b3\u91cd\u306a\u30c1\u30a7\u30c3\u30af\u3092\u3057\u3066\u3044\u307e\u3059\u3088\u306d\u3001\u4e00\u5ea6\u5165\u3063\u305f\u4eba\u306f\u4fe1\u7528\u3057\u3066\u3044\u3044\u306e\u3067\u306f\u306a\u3044\u306e\u3067\u3059\u304b\uff1f\u300d
\u300c\u30c1\u30a7\u30c3\u30af\u306f\u5b8c\u5168\u3067\u306f\u306a\u3044\u3057\u3001\u3069\u3053\u304b\u306b\u629c\u3051\u7a74\u304c\u3042\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002\u8ab0\u304b\u304c\u624b\u5f15\u304d\u3092\u3057\u3066\u62db\u304d\u5165\u308c\u308b\u3053\u3068\u3082\u3042\u308a\u307e\u3059\u300d
\u300c\u53b3\u3057\u3059\u304e\u307e\u305b\u3093\u304b\uff1f\u300d
\u300c\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u4f1d\u8aac\u3092\u3057\u3089\u306a\u3044\u3093\u3067\u3059\u304b\uff1f\u4e00\u5ea6\u3001\u4fb5\u5165\u3055\u308c\u308b\u3068\u53d6\u308a\u8fd4\u3057\u306e\u3064\u304b\u306a\u3044\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002\u6700\u8fd1\u306e\u60aa\u515a\u306f\u3001\u77e5\u3089\u306a\u3044\u9593\u306b\u57ce\u3068\u5916\u90e8\u306b\u30c8\u30f3\u30cd\u30eb\u3092\u4f5c\u3061\u3083\u3046\u3093\u3067\u3059\u3088\u3002\u4f55\u3067\u3082\u3055\u308c\u3066\u3057\u307e\u3044\u307e\u3059\u300d\u300d
\u300c\u305d\u308c\u3067\u3001\u4fb5\u5165\u3055\u308c\u3066\u3082\u3001\u5b9d\u304c\u5b88\u3089\u308c\u308b\u3088\u3046\u306b\u3059\u308b\u306e\u3067\u3059\u306d\u300d
\u300c\u305d\u3046\u3067\u3059\u3001\u5168\u3066\u306e\u4eba\u3092\u5e38\u614b\u7684\u306b\u4fe1\u7528\u3059\u308b\u3053\u3068\u306f\u3057\u307e\u305b\u3093\u3002\u3067\u3082\u3001\u305d\u306e\u90e8\u5c4b\u306b\u5165\u308c\u308b\u4eba\u3092\u6700\u4f4e\u9650\u306b\u3057\u305f\u3046\u3048\u3067\u3001\u8a8d\u3081\u3089\u308c\u305f\u4eba\u3060\u3051\u3092\u5165\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002\u4f46\u3057\u3001\u4e2d\u306b\u5165\u308c\u3066\u3082\u4f55\u3067\u3082\u3067\u304d\u308b\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u300d<\/em><\/p>\n\n\n\n

Zero Trust Basics<\/strong><\/h2>\n\n\n\n

\u30bc\u30ed\u30c8\u30e9\u30b9\u30c8\u306e\u6982\u5ff5\u3068\u306a\u308a\u307e\u3059\u3002<\/strong><\/p>\n\n\n\n

\n

Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust
is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments,and the interconnecting infrastructure. The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete)needed to perform the mission.
The Trusted Internet Connections (TIC) and agency perimeter firewalls provide strong internet gateways. This helps block attackers from the internet, but the TICs and perimeter firewalls are less useful for detecting and blocking attacks from inside the network and cannot protect subjects outside of the enterprise perimeter (e.g., remote workers, cloud-based services, edge devices,
etc.)<\/p>\n\n\n\n

NIST Special Publication 800-207 (2 Zero Trust Basics)<\/strong>
https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-207.pdf<\/a><\/p>\n<\/blockquote>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

\u30bc\u30ed\u30c8\u30e9\u30b9\u30c8\u3068\u306f\u8cc7\u7523\u4fdd\u8b77\u306b\u91cd\u70b9\u3092\u7f6e\u3044\u305f\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u8003\u3048\u65b9\u3067\u3001\u4e00\u56de\u4e00\u56de\u306e\u30a2\u30af\u30bb\u30b9\u3092\u6c7a\u3057\u3066\u6697\u9ed9\u7684\u306b\u4fe1\u7528\u305b\u305a\u6bce\u56de\u78ba\u8a8d\u3057\u307e\u3059\u3002\u30bc\u30ed\u30c8\u30e9\u30b9\u30c8\u306e\u4ed5\u7d44\u307f\u306f\u3001\u8ab0\u304b\u3089\u3001\u3069\u306e\u8cc7\u7523\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304b\u3092\u3001\u4f55\u304b\u3089\u4f55\u51e6\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304b\u3092\u3001\u5e38\u306b\u76e3\u8996\u3057\u307e\u3059\u3002\u8cc7\u7523\u3068\u306f\u4eba\u3001\u7269\u304b\u3089\u8a8d\u8a3c\u60c5\u5831\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u74b0\u5883\u306a\u3069\u4f01\u696d\u304c\u5229\u7528\u3057\u3066\u3044\u308b\u3082\u306e\u5168\u3066\u304c\u5bfe\u8c61\u3068\u306a\u308a\u307e\u3059\u3002\u6700\u521d\u306f\u3001\u8cc7\u7523\u306e\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u4eba\u306b\u5236\u9650\u3092\u304b\u3051\u3001\u3055\u3089\u306b\u6700\u4f4e\u9650\u306e\u6a29\u9650\u3057\u304b\u4e0e\u3048\u306a\u3044\u3053\u3068\u304b\u3089\u59cb\u3081\u307e\u3059\u3002
\u5f93\u6765\u306eTIC\u3082\u5883\u754c\u578b\u30d5\u30a1\u30a4\u30e4\u30fc\u30a6\u30aa\u30fc\u30eb\u3082\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u306e\u5f37\u529b\u306a\u9632\u5fa1\u58c1\u3068\u306a\u3063\u3066\u3044\u3066\u3001
\u5916\u90e8\u304b\u3089\u306e\u9632\u5fa1\u306b\u306f\u512a\u308c\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u5185\u90e8\u306e\u76e3\u8996\u3084\u3001\u5185\u90e8\u306b\u5165\u3089\u308c\u305f\u6575\u304b\u3089\u306e\u9632\u5fa1\u306f\u5341\u5206\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u3057\u304b\u3082\u3001\u5916\u90e8\u306b\u5c55\u958b\u3055\u308c\u3066\u3044\u308b\u3001\u30ea\u30e2\u30fc\u30c8\u696d\u52d9\u7528\u306e\uff30\uff23\u7b49\u306f\u5b88\u308c\u307e\u305b\u3093\u3002<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

Tenets of Zero Trust<\/h2>\n\n\n\n

ZERO TRUST\u306e\u30ea\u30bd\u30fc\u30b9\u306b\u5bfe\u3057\u3066\u306e\u8003\u3048\u65b9\u306f\u4ee5\u4e0b\u3068\u306a\u308a\u307e\u3059\u3002<\/strong><\/p>\n\n\n\n

\n
    \n
  1. All data sources and computing services are considered resources.<\/li>\n\n\n\n
  2. All communication is secured regardless of network location.<\/li>\n\n\n\n
  3. Access to individual enterprise resources is granted on a per-session basis.<\/li>\n\n\n\n
  4. Access to resources is determined by dynamic policy\u2014including the observable state of client identity, application\/service, and the requesting asset\u2014and may include other behavioral and environmental attributes.<\/li>\n\n\n\n
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.<\/li>\n\n\n\n
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.<\/li>\n\n\n\n
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.<\/li>\n<\/ol>\n\n\n\n

    NIST Special Publication 800-207 (2.1 Tenets of Zero Trust)
    https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-207.pdf<\/a><\/p>\n<\/blockquote>\n\n\n\n

      \n
    1. \u3059\u3079\u3066\u3092\u30ea\u30bd\u30fc\u30b9\u5bfe\u8c61\u3068\u307f\u306a\u3057\u307e\u3059\u3002<\/li>\n\n\n\n
    2. \u3059\u3079\u3066\u306e\u901a\u4fe1\u3092\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/li>\n\n\n\n
    3. \u30bb\u30c3\u30b7\u30e7\u30f3\u306f\u4e00\u56de\u6bce\u306b\u8a8d\u8a3c\u3057\u307e\u3059\u3002<\/li>\n\n\n\n
    4. \u30ea\u30bd\u30fc\u30b9\u3078\u306e\u30a2\u30af\u30bb\u30b9\u306f\u5e38\u306b\u52d5\u7684\u306b\u7ba1\u7406\u3055\u308c\u305f\u30dd\u30ea\u30b7\u30fc\u306b\u5f93\u3063\u3066\u8a31\u53ef\u3055\u308c\u307e\u3059\u3002<\/li>\n\n\n\n
    5. \u5168\u3066\u306e\u30ea\u30bd\u30fc\u30b9\u306e\u4e00\u8cab\u6027\u3068\u6a5f\u5bc6\u6027\u3092\u76e3\u8996\u3057\u6e2c\u5b9a\u3057\u307e\u3059\u3002<\/li>\n\n\n\n
    6. \u5168\u3066\u306e\u30ea\u30bd\u30fc\u30b9\u3078\u306e\u8a8d\u8a3c\u3068\u8a8d\u53ef\u306f\u6bce\u56de\u53b3\u683c\u306b\u884c\u308f\u308c\u307e\u3059\u3002<\/li>\n\n\n\n
    7. \u4f01\u696d\u306f\u3067\u304d\u308b\u304b\u304e\u308a\u3001\u30ea\u30bd\u30fc\u30b9\u306e\u72b6\u614b\u3092\u53ce\u96c6\u3057\u3001\u305d\u308c\u3092\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u6539\u5584\u306e\u305f\u3081\u306b\u4f7f\u7528\u3057\u307e\u3059\u3002<\/li>\n<\/ol>\n\n\n\n

      <\/p>\n\n\n\n

      <\/p>\n\n\n\n

      A Zero Trust View of a Network<\/h2>\n\n\n\n

      ZERO TRUST\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u5bfe\u3057\u3066\u306e\u898b\u65b9\u306f\u4ee5\u4e0b\u3068\u306a\u308a\u307e\u3059\u3002<\/strong><\/p>\n\n\n\n

      \n
        \n
      1. The entire enterprise private network is not considered an implicit trust zone.<\/li>\n\n\n\n
      2. Devices on the network may not be owned or configurable by the enterprise.<\/li>\n\n\n\n
      3. No resource is inherently trusted.<\/li>\n\n\n\n
      4. Not all enterprise resources are on enterprise-owned infrastructure.<\/li>\n\n\n\n
      5. Remote enterprise subjects and assets cannot fully trust their local network connection.<\/li>\n\n\n\n
      6. Assets and workflows moving between enterprise and nonenterprise infrastructure should have a consistent security policy and posture.<\/li>\n<\/ol>\n\n\n\n

        NIST Special Publication 800-207 (2.2 A Zero Trust View of a Network)
        https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-207.pdf<\/a><\/p>\n<\/blockquote>\n\n\n\n

        1. \u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u4fe1\u983c\u3055\u308c\u305f\u9818\u57df\u3068\u306f\u898b\u306a\u3057\u307e\u305b\u3093\u3002
        2. \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u4e0a\u306e\u6a5f\u5668\u306f\u5168\u3066\u304c\u4f01\u696d\u306b\u3088\u3063\u3066\u6240\u6709\u3055\u308c\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002
        3. \u4fe1\u983c\u3055\u308c\u305f\u30ea\u30bd\u30fc\u30b9\u306f\u5b58\u5728\u3057\u306a\u3044\u3002
        4. \u5168\u3066\u306e\u30ea\u30bd\u30fc\u30b9\u304c\u4f01\u696d\u306e\u30a4\u30f3\u30d5\u30e9\u306e\u4e2d\u306b\u5b58\u5728\u3057\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002
        5. \u30ea\u30e2\u30fc\u30c8\u4e0a\u306e\u30ea\u30bd\u30fc\u30b9\u306e\u901a\u4fe1\u3092\u6697\u9ed9\u7684\u306b\u4fe1\u7528\u3057\u307e\u305b\u3093\u3002
        6. \u30ea\u30bd\u30fc\u30b9\u304c\u4f01\u696d\u304b\u3089\u4ed6\u306b\u79fb\u52d5\u3059\u308b\u3068\u304d\u3067\u3082\u4e00\u8cab\u3057\u305f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u653f\u7b56\u3084\u4f53\u5236\u304c\u7dad\u6301\u3055\u308c\u308b\u3079\u304d\u3067\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"\u300c\u3053\u308c\u304b\u3089\u306f\u57ce\u306e\u5168\u3066\u306e\u90e8\u5c4b\u306b\u30c9\u30a2\u3092\u4f5c\u308a\u3001\u9375\u3092\u304b\u3051\u3001\u3069\u3093\u306a\u4eba\u304c\u30ce\u30c3\u30af\u3057\u3066\u3082\u3001\u9854\u3092\u898b\u3066\u3001\u958b\u3051\u308b\u304b\u3069\u3046\u304b\u30ea\u30b9\u30c8\u3092\u898b\u3066\u6bce\u56de\u8003\u3048\u307e\u3059\u300d\u300c\u57ce\u306b\u5165\u308b\u3068\u304d\u306b\u53b3\u91cd\u306a\u30c1\u30a7\u30c3\u30af\u3092\u3057\u3066\u3044\u307e\u3059\u3088\u306d\u3001\u4e00\u5ea6\u5165\u3063\u305f\u4eba\u306f\u4fe1\u7528\u3057\u3066\u3044\u3044\u306e\u3067\u306f\u306a\u3044\u306e\u3067\u3059\u304b\uff1f\u300d […]","protected":false},"author":1,"featured_media":323,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-319","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledge"],"_links":{"self":[{"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/posts\/319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=319"}],"version-history":[{"count":13,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/posts\/319\/revisions"}],"predecessor-version":[{"id":390,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/posts\/319\/revisions\/390"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=\/wp\/v2\/media\/323"}],"wp:attachment":[{"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yokohama-infosec-consulting-service.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}