初探零信任網路架構與資安法之互動

A Preliminary Research on the Interaction between Zero Trust Architecture and the Cyber Security Management Act

隨著針對特定目標所採取的網路攻擊越來越盛行，網路資安的防護成為一件亟需重視的事情。零信任網路架構即在此情形下被提出，許多企業、組織或政府機關，開始重新檢視過去防護著重於內、外網路區隔的妥適性。
本文從零信任架構之基礎出發，首先介紹零信任架構的概念與運作機制，以利讀者了解去除網路邊界的概念與傳統網路架構在各方面的差異，此外並從技術的角度帶讀者認識零信任架構的框架組成與決策演算之設計方式，包括身分和設備的驗證與相關的機制，以對零信任網路架構這個概念建立更全面的認識。接著，透過對國際上重要國家相關政策推動情形的觀測與追蹤，除說明零信任架構確為各國所認同，可能是能夠應對網路資訊安全威脅的有效解決方案外，亦可觀察各國所處之推動或投入之階段與相關作為，以為我國之參考。第三，本文以我國現行法規中與資訊安全最直接相關之資通安全管理法為經，以導入零信任之各階段為緯，盤點並分析在現行資安法規下，如果係已落實各項應辦事項與控制措施之機關，在導入零信任架構時所需採行之控制措施是否已足夠、或仍需補強，亦即探討零信任架構與我國資安法規之互動關係，最後提出對於我國政府機關推動零信任架構時之法制與政策建議。

Abstract
With the increasing prevalence of network attacks against specific targets, the protection of network information security has become an urgent issue. The Zero Trust Architecture (ZTA) was proposed under this circumstance, and many enterprises, organizations or government agencies began to re-examine the suitability of the previous protection that focused on the separation of internal and external networks.
Starting from the fundamental concepts of ZTA, this article introduces the operation mechanism of ZTA for readers understanding the difference between the traditional network and ZTA in various aspects. Second, through the observation and tracking of the relevant policy promotion situation of important countries in the world, in addition to showing that the ZTA is indeed recognized by all countries and may be an effective solution to the threat of network information security, it can also observe the situation in which countries are located. Thirdly, this article takes the Cyber Security Management Act, which is the most directly related regulation to information security currently in Taiwan as the main point, followed by the steps of introducing ZTA. Through the comparison, the article may find out whether the regulation is sufficient for introducing the ZTA. Finally, this article makes legal and policy recommendations for government agencies to promote ZTA.