
Graduate student: 張宜楨 (Yi-Zhen Zhang)
Thesis title: 供基於軟體定義邊界之零信任架構的風險資訊提供機制 (On Risk Provision for SDP-based Zero Trust Architecture)
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 林俊叡 (Raymund Lin), 黃政嘉 (Jheng-Jia Huang)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2023
Graduation academic year: 112
Language: Chinese
Number of pages: 44
Chinese keywords: Zero Trust Architecture (零信任架構), Software-Defined Perimeter (軟體定義邊界), Risk Database (風險資料庫)
English keywords: Zero Trust Architecture, Software-Defined Perimeter, Risk Database
Access statistics: 91 views, 13 downloads

Abstract (translated from the Chinese): With the rapid development of network technology, the ways in which organizations work have become increasingly diverse. Dispersed office locations, cloud services, and remote access have gradually blurred the boundary between an organization's internal and external networks, so that traditional network perimeter defenses are no longer sufficient. Zero trust architecture has therefore attracted attention and become a new trend for addressing current security challenges. Zero trust architecture assumes that no environment can be trusted: regardless of whether a subject is on the internal or external network, it must be authenticated and authorized, which addresses the problem of perimeter breaches. There are several ways to implement zero trust architecture, and the software-defined perimeter is one of them. The aim of the software-defined perimeter is to apply access control to connections and grant authorization policies based on user identity attributes and the requested resource, allowing organizations to manage and adjust their network boundaries more flexibly than traditional location-based access control and to adapt to constantly changing work environments. However, current software-defined perimeter implementations cannot achieve dynamic access control at the operation level, because checks are performed only at connection time, and they therefore cannot respond to access risks in a timely manner. This study introduces the concept of a risk database that provides risk data so that resources can use it for access control, further strengthening the dynamic risk-based access control requirements of zero trust architecture and making it better suited to today's complex and dynamic network environment.


With the rapid development of internet technology, organizational work methods are becoming increasingly diversified. Dispersed office locations, cloud services, and remote access blur the boundaries of networks both within and outside organizations, rendering traditional network boundary defense mechanisms inadequate. Consequently, Zero Trust Architecture (ZTA) has garnered attention as a new trend to address current security challenges. ZTA assumes that all environments are untrusted, requiring verification and authorization for access regardless of whether the user is within the internal or external network, thus solving the problem of boundary penetration. There are various implementation approaches within ZTA, with Software Defined Perimeter (SDP) being one of them. The purpose of SDP is to enable access control and authorization policies based on user identity attributes and requested resources, allowing organizations to manage and adjust their network boundaries more flexibly than traditional network-based access controls to adapt to the constantly changing work environment. However, current implementation methods of SDP lack dynamic access control at the operational level, as checks are only performed during connection, leading to issues with timely response to access risks. This study introduces the concept of a risk database to provide risk data, enabling resources to utilize this data for access control, thereby further strengthening the dynamic risk access control requirements of ZTA to better adapt to the current complex and dynamic network environment.

Table of contents:
Abstract (Chinese) 3
Abstract (English) 4
Acknowledgements 5
Contents 6
List of Tables 8
List of Figures 9
Chapter 1 Introduction 10
  1.1 Research Background and Motivation 10
  1.2 Research Objectives and Contributions 11
  1.3 Thesis Structure 12
Chapter 2 Background and Literature Review 14
  2.1 Zero Trust Architecture 14
  2.2 Software-Defined Perimeter 17
  2.3 Literature Review 19
Chapter 3 Problem Definition and Proposed Method 21
  3.1 Problem Description 21
  3.2 System Architecture 24
  3.3 System Initialization and Setup Procedure 26
  3.4 Connection Procedure 27
  3.5 Risk Notification Procedure 28
Chapter 4 Data Model and API 29
  4.1 Data Model 29
  4.2 API 33
Chapter 5 Proof of Concept 35
  5.1 Experimental Environment 35
  5.2 System Initialization and Setup Flow 36
  5.3 Normal Verification and Connection Access Flow 39
  5.4 Risk Notification Flow 40
  5.5 Proof-of-Concept Results 41
Chapter 6 Conclusion and Future Research Directions 42
References 43

