
Student: 黃婉筑 (Wan-Chu Huang)
Thesis title: 支持零信賴架構的OAuth令牌身分鑑別機制
An enhanced token-based authentication scheme using OAuth for Zero Trust Architecture
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 羅乃維 (Nai-Wei Lo), 葉國暉 (Kuo-Hui Yeh)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2021
Graduation academic year: 109 (ROC calendar)
Language: Chinese
Number of pages: 81
Chinese keywords: OAuth, 身分鑑別 (identity authentication), 零信賴架構 (zero trust architecture)
English keywords: OAuth, Identity Authentication, Zero Trust Architecture
Statistics: Views: 235, Downloads: 0
  • To provide services that better fit users' needs, today's applications must obtain users' data held by other services, and the OAuth protocol is generally used for this: once the user consents to the authorization, OAuth issues the data-requesting service provider a token with which it can retrieve the user's data. Although authenticating with a token is very fast and simple, anyone who obtains the token can retrieve the user's data, which creates a security risk. The same approach is also used inside enterprise networks as the basis for single sign-on. With the rise of remote work, however, the traditional enterprise network perimeter has blurred, and an attacker who breaks through the perimeter can proceed to lateral movement. We therefore need to move beyond the past focus on the perimeter alone, so that traditional token-based authentication can still clearly confirm the client's identity before releasing sensitive data, even when the perimeter is blurred as it is today.

    The method proposed in this study is based on the principles of Zero Trust Architecture. Zero Trust Architecture addresses the fact that traditional perimeter hardening cannot cope with today's changed access patterns, and it requires that whether a request originates inside the corporate intranet must not be used as the basis for access control. Anyone who needs to enter the intranet must be identified, and on every connection permissions are adjusted according to the state of that connection. Accordingly, the framework proposed in this study binds the device on first use and verifies identity on each subsequent authorization or request, ensuring that the user making the request is the same person who obtained the token; it also performs a risk assessment of the device's condition on every connection and uses the result to decide subsequent data authorization. Compared with the data leakage that traditional token-based authentication can cause, the contribution of this study is to confirm the identity of the user presenting the token while dynamically adjusting authorization according to the user's device condition on each occasion, thereby reducing information security risk.


    The OAuth protocol is widely used for applications to obtain user data from other services to provide personalized services: with the OAuth protocol, an application obtains consent from the user and also obtains the access token for seamless access to user data in a service. Therefore, users do not need to provide data to different applications repeatedly. In this case, if the access token is obtained by malicious actors, they can use it to access the user's data from the service. The OAuth protocol is also used in organizations for authentication and SSO. However, given the recent work-from-home trend, perimeter security safeguards have become less useful, making it easier for malicious actors to cross organizational perimeters and intercept OAuth tokens and utilize them to easily access unauthorized data. We must therefore verify user identities as users use tokens to access data or services.

    In this study we thus propose a scheme to enhance an OAuth-based protocol based on the concepts of zero trust. In such a zero trust architecture, systems do not assume the existence of perimeter security safeguards. Systems must check user identity and permissions every time the user wishes to access his/her data. Also, systems should adapt access control policies based on the risks of access requests. In the proposed scheme, security risk assessment tools are installed on user devices. When a user accesses a service with an access token, the service identifies the device and obtains the device's risk assessment, after which the service can determine the user's privileges based on the device context. This study is intended to contribute a scheme that extends the OAuth specification toward compliance with the tenets of a zero trust architecture.

    Table of contents:
    Abstract (Chinese)
    Abstract (English)
    Acknowledgements
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
      1.1 Overview
      1.2 Research Motivation and Objectives
      1.3 Thesis Structure
    Chapter 2 Literature Review
      2.1 OAuth
      2.2 OAuth Single Sign On
      2.3 OpenID Connect
      2.4 Zero Trust Architecture
    Chapter 3 System Requirements Analysis and Definition
      3.1 Problem Definition
      3.2 Requirements Analysis
      3.3 Scenario Architecture
    Chapter 4 Framework Overview and Service Flow
      4.1 Framework Overview
      4.2 Service Flow
    Chapter 5 Implementation and Analysis
      5.1 System Implementation Environment
      5.2 Overview of the System Framework Implementation
      5.3 System Performance Testing
      5.4 System Security Analysis
    Chapter 6 Conclusion and Future Work
    References


    Full-text release date: 2024/09/28 (campus network)
    Full-text release date: 2024/09/28 (off-campus network)
    Full-text release date: 2024/09/28 (National Central Library: Taiwan thesis and dissertation system)