First Next-Generation Security Study Group in Architecture
Overview
- Date and time: February 24, 2022 (Thursday) from 13:00 to 15:00
- Location: Online
- Agenda:
- Opening
- Agenda
- Cybersecurity Strategies, Priority Plan, and Development Policies
- Technical Review Meeting
- Zero Trust Architecture Application Guidelines
- Technical Report on Continuous Diagnostic and Responsive Security Architecture (tentative name)
- Free discussion
- Adjournment
Materials
- Proceedings (PDF / 101 KB)
- Document 1: Cybersecurity Strategies (PDF / 2,319 KB)
- Document 2: Zero Trust Architecture Application Guidelines (PDF / 2,740 KB)
- Document 3: Technical Report on Continuous Diagnostic and Responsive Security Architecture (tentative name) (PDF / 2,333 KB)
- Agenda (PDF / 888 KB)
References
- Reference Material 1: NIST SP 800-207 "Zero Trust Architecture"
- Reference Material 2: NEDO 2020 CDM Basic Survey Results Report (PDF / 8,268 KB)
- Reference Material 3: Adoption of NEDO's 2021 CDM Feasibility Study (PDF / 1,137 KB)
Summary of the Proceedings
Date and Time
- Thursday, February 24, 2022, from 1:00 p.m. to 3:00 p.m.
Location
- Held online
Attendees
Members
- Tetsutaro Uehara (Professor, Faculty of Information Science and Technology, Ritsumeikan University)
- Shoji Kono (Chief Security Officer, Technology Management Office, Microsoft Japan, Ltd.)
- Shigeru Kimura (Evangelist / Architect, Security Business, Cisco Systems, LLC)
- Atsuhiro Goto (President, Institute of Information Security) * An individual interview will be held on Wednesday, March 2, 2022.
- Natsuhiko Sakimura, President of the OpenID Foundation
- Yusuke Tahara (General Manager, Integration Service & Planning Department, Integration Promotion Division, LAC Co., Ltd.)
- Morifumi Narahara (Chief IT Architect, Tanium GK)
- Toshio Nawa (Executive Director / Senior Analyst, Cyber Defense Institute, Inc.) * An individual interview will be held on Friday, March 4, 2022.
- Norihiko Maeda (Director, President's Office, FFRI Security, Inc.)
- Mitsuhiko Maruyama (Partner, PwC Consulting LLC)
Observer
- National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
- Hiroki Takakura (National Institute of Informatics)
Digital Agency (Secretariat)
- Strategy and Organization Group, Security Risk Management Team
Information-technology Promotion Agency, Japan (IPA)
- Digital Architecture Design Center
Summary of the proceedings
- The secretariat explained Document 1 "Cybersecurity Strategies, etc.," Document 2 "Zero Trust Architecture Application Guidelines," and Document 3 "Technical Report on Continuous Diagnostic and Responsive Security Architecture (tentative name)."
- In the free discussion on the "Zero Trust Architecture Application Guidelines," the following statements were mainly made.
- Since zero trust has both advantages and disadvantages, it is necessary to describe them side by side. It is necessary to clarify the scope for each ministry and agency, because some of their systems require stability and some are based on boundary-type defense and are not premised on being connected to the Internet.
- Zero trust carries out monitoring carefully. In addition, since there are cases in which operation cannot be outsourced, the operational load may increase. Therefore, it is necessary to formulate principles with operation in mind.
- Zero trust is the North Star, and trusted environments will remain for the time being. Financial institutions in particular have a strong sense that trusted environments are out of scope. If trusted environments are to remain, the risks must be identified, reported to top management, and approved.
- Amazon, Microsoft, Google, Cisco, and others are promoting content that is useful for zero trust, such as the "OpenID Continuous Access Evaluation Profile 1.0" and the "OpenID Shared Signals and Events Framework Specification 1.0," which will be useful references for this initiative.
- It is not possible to protect information by zero trust in itself; it is necessary to clarify the purpose first and then clarify the scope of protection.
- Although boundary defense and zero trust are treated as opposing concepts, the concept of boundary defense using Zero Trust Architecture has begun to emerge, and the picture may change in the future. Therefore, it is not necessary to overemphasize the transition to zero trust.
- Zero trust may be keyword-first, but in practice it is very difficult to implement. A good point to make is that zero trust begins once it has been built.
- As an example from an overseas private enterprise, after zero trust was built, when a user accessed a website continuously for six hours, the website could be infected with malware. Continuous assessment is important.
- Currently, the standard is a mixture of zero trust and perimeter defense. In addition, any suggestion regarding the migration would be a helpful hint from the user's point of view.
- I would like to hear more about network-based zero trust, such as microsegmentation, SDN, and IBN.
- From the viewpoint of user convenience, the load on users will increase, so it is advisable to mention efforts to reduce that load.
- Care must be taken not to create a situation in which, because the operational load increases, what is required cannot be done even when it is mandated.
- It is difficult to manage 100% of assets, and in recent years this has become even more difficult due to the use of the cloud, etc. It is necessary to implement it with determination.
- Regarding digital identity, it seems difficult in Japan, which does not have job-type employment. It is also a matter of feasibility after security clearance is dealt with.
- The JNSA Identity Working Group is well versed in matters such as ID management, and I think it would be a good idea to work together.
- It is easier to understand if the discussion is based on successful examples of organizations that have introduced Zero Trust Architecture.
- On the whole, it is assumed that cyber risks can be found, but it should be mentioned that latent risks must also be found, and it is necessary to discuss the implementation of continuous confirmation of authority, and of authentication and authorization for devices.
- With the application of zero trust, changes to existing work will be significant, and changes in organizational strength and awareness will be required. Readers need to be prepared for this, and it should be clearly stated.
- Since the targets to be protected, such as assets, network accounts, workflows, and data, are clearly specified, they need to be explained so that there is no inconsistency. In addition, services such as operational flows need to be included, and it is necessary to monitor not only entry and exit but also the whole series of flows.
- Assets and resources need to be consistent with definitions such as those in the cybersecurity strategy.
- It is necessary to explain the outline of zero trust carefully, such as why it is necessary to shift from role-based to attribute-based authentication and why additional authentication such as multi-factor authentication is necessary.
- From a risk-based perspective, threat intelligence is a necessary aspect, and an intelligence policy engine is important. It is also recommended to introduce examples from the private sector.
- Monitoring is based on eDiscovery in the United States, where each activity can be stored on a time axis and quickly reviewed.
- Maturity is important. Looking at SP 800-171 and the Risk Management Framework, maturity is about 60%. The guidelines are idealistic and contain challenging content. For example, it is difficult to manage certificates, such as those for API encryption. It is necessary to work with considerable determination.
- In the free discussion on the "Technical Report on Continuous Diagnostic and Responsive Security Architecture (tentative name)," the following remarks were mainly made.
- Ideal configuration management, in which the vulnerability of IT assets is not tied to human error, and configuration management as state management, which does not distinguish between good and bad, would be ideal in the form of a learning feedback loop.
- As some companies have already introduced SIEM, they should consider providing data to other systems.
- Overseas, AWARE scores are checked constantly, and the most advanced approach is to link the scores with ABAC for zero trust certification. Overall, it would be good to link the CRSA score with ABAC.
- It is necessary to be aware that the target is not a static point but a moving target, so it is important to spiral upward through steady improvements.
- It is necessary to clarify the division of roles with the existing SOC and NOC.
- From the outset, it is necessary to discuss how to respond to an emergency.