
Student: 楊士岳 (SHIH-YEH YANG)
Thesis title: 導入雲端運算的策略與合規性 - 以臺灣金融業為例
Strategies and Compliance in Adopting Cloud Computing - A Case Study of Taiwan's Financial Industry
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 黃政嘉 (Jheng-Jia Huang), 羅天一 (Ted Luor)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2023
Academic year of graduation: 111 (ROC calendar, i.e. 2022-2023)
Language: Chinese
Pages: 92
Keywords (Chinese): Fintech, information security, Financial Supervisory Commission, international standards, cloud computing, Google Apigee, private cloud, hybrid cloud, high-availability architecture, risk control, compliance
Keywords (English): Financial Supervisory Commission (FSC), Security Compliance, Google Apigee
    Facing the threats and disruption brought by financial technology (Fintech), traditional financial institutions must undertake digital transformation: actively adopting cloud computing together with artificial-intelligence applications, and using mobile applications to improve the user experience and strengthen customer relationships, so as to meet consumers' needs at different stages and create more financial products and opportunities.
    Because building a network backbone and an on-premises data centre that runs the latest architectures and applications is too costly for a financial institution, cloud services become a viable option. Multiple cloud service providers offer customised, flexible service models that reduce the large upfront IT investment and improve flexibility, business agility, scalability and the ability to respond to market demand. Before adopting cloud computing, an institution must select a cloud service provider that meets international standards and implement appropriate information-security measures to protect sensitive personal data and avoid exposing customers' private information.
    In recent years Taiwan's Financial Supervisory Commission (FSC), following the development path of international financial services, has successively issued many information-security regulations: standard operating procedures for information security at financial institutions, operational security rules for internal audit and internal control in the financial industry, and regulations for listed and OTC companies. These required data to remain within Taiwan, and even an application filed with the regulator for a cloud deployment was not guaranteed approval. With the 2023 amendment that relaxed the rules on outsourcing cloud information services, the question becomes how financial institutions can comply with the FSC's information-security regulations, complete the preparations for adopting cloud computing, shape a cloud ecosystem in which fintech develops jointly, enable new business models, raise the efficiency of financial services and achieve higher user satisfaction.
    This study examines the development of cloud computing, security regulations and international standards together with the FSC's liberalised rules on cloud outsourcing security. It describes the design of a cloud computing infrastructure, how to select a cloud platform, and the steps for migrating services to the cloud, applying risk-control measures based on a security foundations blueprint and international certification standards. Using the adoption of an open banking API management platform as an application case, it explains the high-availability architecture of Google Apigee in private-cloud and hybrid-cloud deployments, how cloud information-security compliance for the financial industry is achieved, the challenges likely to arise in practice, and future response strategies.


    The rapid development of financial technology (Fintech) poses both threats and disruption to traditional financial institutions. Taiwan's financial industry is undergoing digital transformation, actively adopting cloud computing in conjunction with artificial intelligence applications. Through mobile applications, institutions enhance the user experience, strengthen customer relationships, and create more financial opportunities.
    However, planning new architectures and applications in an on-premises data centre, including building the institution's own network backbone to the ISP, is too costly, so public cloud services have become a viable option. Cloud service providers offer customised and flexible services that reduce upfront IT investment and improve flexibility and responsiveness to market demands.
    To shape a cloud-based fintech ecosystem, Taiwan's Financial Supervisory Commission (FSC) has introduced a series of information-security regulations for cloud services, aimed at delivering widespread and convenient financial services to the public. Given the gradual relaxation of Taiwan's data-localisation requirements, companies must comply with the FSC's operational security standards, internal control requirements, and the external requirements placed on listed companies before embracing cloud computing.
    This study explores the development of cloud computing, security regulations, and international standards, complemented by the FSC's regulations on cloud outsourcing operations, and describes how to choose a cloud computing platform and the steps for migrating services to the cloud. It also provides a case study of an open banking API management platform, explaining Google Apigee's private-cloud and hybrid-cloud architecture as a means of achieving cloud information-security compliance in the financial industry, and discusses potential challenges and future response strategies.

    Table of contents (page numbers refer to the thesis):
    Abstract (Chinese) III
    Abstract (English) IV
    Acknowledgements V
    List of Figures VII
    List of Tables I
    Chapter 1 Introduction 1
      1.1 Research Background 1
      1.2 Research Motivation 1
      1.3 Research Objectives 2
      1.4 Research Method and Process 2
    Chapter 2 Literature Review 4
      2.1 Definition and Characteristics of Cloud Computing 4
      2.2 Innovative Technology and Development Path of the Financial Industry 6
      2.3 FSC Regulations on Information Security Supervision of Cloud Services 8
      2.4 International Information Security Standards and Compliance 12
      2.5 Impact of Cloud Adoption on Operations Management 24
    Chapter 3 Architecture Design for Cloud Adoption 26
      3.1 Basic Framework of Cloud Computing 26
      3.2 Selection Strategy for Cloud Platforms and Services 28
      3.3 Migration Methods for Adopting Cloud Services 32
      3.4 Security Foundations Blueprint for Cloud Services 35
      3.5 Cloud Computing Information Security Risk Management 39
    Chapter 4 Case Study and Practical Discussion 47
      4.1 Advantages of Cloud Platforms and Digital Transformation Needs 47
      4.2 Innovative Cloud Service Application - Open Banking API Management Platform 48
      4.3 Information Security Control Compliance in the Financial Industry 61
    Chapter 5 Conclusions and Recommendations 73
      5.1 Research Conclusions and Recommendations 73
      5.2 Practical Management Implications 75
      5.3 Future Outlook 76
    References 78
