
Graduate student: Shao-Feng Huang (黃劭峰)
Thesis title: Zero Trust Framework for Small and Medium Enterprises (適用於中小企業之資安零信任框架)
Advisor: Tzong-Chen Wu (吳宗成)
Oral defense committee: Wei-Ning Yang (楊維寧), Wei-Hua He (何煒華)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2023
Academic year of graduation: 111
Language: Chinese
Number of pages: 56
Chinese keywords: 零信任, 遠端辦公, 自攜設備, 中小企業, 資訊安全
English keywords: Zero Trust, Remote Work, Bring Your Own Device (BYOD), Small and Medium-sized Enterprises (SMEs), Information Security
    The rapid development of information technology has brought not only limitless business opportunities and convenience but also greater risks and challenges for enterprises. With the transformation of business operations and management models, coupled with the prevalence of modern office practices, traditional information security architectures can no longer meet the demands of enterprises. The pandemic has further accelerated the shift in work patterns, with remote work and Bring Your Own Device (BYOD) becoming increasingly common in the corporate environment. This trend has made enterprise devices and network environments more complex and dispersed, blurring network security boundaries. Enterprises need to adopt various new technologies for digital transformation to maintain competitiveness and the momentum for continuous progress. However, while using these new technological tools, they must also consider the risks they bring. Information security has become an indispensable part of enterprises. Regardless of the enterprise's size, any information leakage or cyber-attack can result in substantial losses and public relations crises. This is especially the case for small and medium-sized enterprises operating in resource-constrained environments, where resources must be used efficiently. The new Zero Trust information security architecture aligns more closely with today's new work patterns. By adhering to the core concept of Zero Trust, "Never Trust, Always Verify," enterprises can adopt a new mindset and methods for protecting information security, reducing the risks and threats they face.
    This study provides a Zero Trust security framework suitable for small and medium-sized enterprises, helping them select appropriate Zero Trust solutions, reducing the complexity of introducing Zero Trust solutions, and providing relevant references and suggestions.

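    Table of Contents
    Chinese Abstract
    Abstract
    Acknowledgements
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
        1.1 Research Background and Motivation
        1.2 Research Objectives
        1.3 Research Method and Structure
    Chapter 2 Literature Review
        2.1 Basic Elements of Information Security
        2.2 Introduction to and Development of Zero Trust Architecture
        2.3 Application of Zero Trust Architecture in Small and Medium Enterprises
    Chapter 3 Basic Principles of the Zero Trust Framework
        3.1 Principle of Least Privilege
        3.2 Multi-Factor Authentication
        3.3 Real-Time Dynamic Assessment
        3.4 Protection of Applications and Services
    Chapter 4 Adopting the Zero Trust Framework in Small and Medium Enterprises
        4.1 Asset and Risk Assessment
        4.2 Establishing Appropriate Access Control Policies
        4.3 Methods for Adopting the Zero Trust Framework
        4.4 Security Awareness Training and Education
    Chapter 5 Conclusion and Research Results
    References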

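    Full-text public release date: 2026/07/25 (off-campus network)
    Full-text public release date: 2026/07/25 (National Central Library: National Digital Library of Theses and Dissertations in Taiwan)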