With the rapid advancement of technology, APIs (Application Programming Interfaces) have become one of the key enablers of digital transformation. APIs make systems easier to connect and promote integration and collaborative innovation. However, their explosive growth has brought a marked rise in security risk, especially in authentication and authorization. To address these threats, API frameworks have been proposed. In 2020 the EU published an API framework for government environments containing 12 implementation recommendations, but its guidance on identity and access management (IAM) is insufficient. Under the zero trust model, identity has become the new security perimeter: IAM mechanisms strengthen identity authentication and provide fine-grained access control, enforcing the principle of least privilege.

This study examines and improves the EU's API framework by integrating attribute-based access control (ABAC) and zero trust concepts into its security process, and proposes an ABAC-based API security framework that increases the flexibility and security of APIs in dynamic and complex environments. Access decisions are made by dynamically evaluating attributes of the user, the resource and the environment, which yields finer-grained, context-aware security controls than role- or identity-only schemes. The framework gives API designers and developers a clear reference when specifying and designing APIs, thereby improving API security. The study aims to offer a new perspective and a practical framework for API security, helping organizations achieve digital transformation while protecting APIs and related resources from security threats, and advancing towards zero trust security.
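To make the decision model described above concrete, the following is an added illustration (not code from the thesis, the EU framework, or any API project) of an ABAC policy decision point: each request carries subject, resource and environment attribute sets, rules are predicates over those attributes, and a deny-overrides combining algorithm falls through to a default deny so that a request no rule mentions is never permitted. The attribute names (`department`, `clearance`, `sensitivity`, `owner`, `mfa`, `network`, `hour`) and the sample policy are assumptions chosen for the example.

```python
"""ABAC policy decision point (PDP) for API requests.

Added example, not code from the thesis or the EU API framework.
Attribute names and the policy below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """The three attribute bags a zero trust PDP evaluates, plus the action."""
    subject: Dict[str, object]      # who is calling (identity attributes)
    resource: Dict[str, object]     # what is being accessed
    environment: Dict[str, object]  # context: MFA state, network, time
    action: str                     # e.g. "read" or "write"


@dataclass
class Rule:
    """A named predicate over the whole request and its effect."""
    name: str
    effect: str                     # "permit" or "deny"
    condition: Callable[[Request], bool]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining.

    Any matching deny rule wins; otherwise a matching permit permits;
    otherwise the default answer is deny (least privilege: access must be
    granted explicitly, never assumed). Returns the decision and the names
    of the rules that produced it, which is what an audit log should record.
    """
    matched = [r for r in rules if r.condition(req)]
    denies = [r.name for r in matched if r.effect == "deny"]
    if denies:
        return "deny", denies
    permits = [r.name for r in matched if r.effect == "permit"]
    if permits:
        return "permit", permits
    return "deny", ["default-deny"]


# Constructed sample policy for a hypothetical records API.
POLICY = [
    # Subject and resource attributes: same department and sufficient clearance.
    Rule("same-department-read", "permit",
         lambda r: r.action == "read"
         and r.subject["department"] == r.resource["department"]
         and r.subject["clearance"] >= r.resource["sensitivity"]),
    # Ownership relation between subject and resource.
    Rule("owner-write", "permit",
         lambda r: r.action == "write"
         and r.subject["id"] == r.resource["owner"]),
    # Environment attribute: sensitive data requires a session with MFA.
    Rule("mfa-for-sensitive", "deny",
         lambda r: r.resource["sensitivity"] >= 3
         and not r.environment["mfa"]),
    # Environment attribute: no access from outside the network off hours.
    Rule("off-hours-external", "deny",
         lambda r: r.environment["network"] == "external"
         and not 8 <= r.environment["hour"] < 18),
]


def decide(subject: dict, resource: dict, environment: dict, action: str) -> str:
    """Convenience wrapper returning only the decision string."""
    return evaluate(POLICY, Request(subject, resource, environment, action))[0]


# Constructed sample attributes.
ALICE = {"id": "u1", "department": "finance", "clearance": 3}
BOB = {"id": "u2", "department": "hr", "clearance": 3}
REPORT = {"id": "doc9", "department": "finance", "owner": "u1", "sensitivity": 3}
OFFICE = {"mfa": True, "network": "internal", "hour": 10}
NO_MFA = {"mfa": False, "network": "internal", "hour": 10}
LATE_REMOTE = {"mfa": True, "network": "external", "hour": 22}

if __name__ == "__main__":
    for who, env, act in [(ALICE, OFFICE, "read"), (ALICE, NO_MFA, "read"),
                          (ALICE, LATE_REMOTE, "write"), (BOB, OFFICE, "read")]:
        print(who["id"], act, env["network"], "->",
              evaluate(POLICY, Request(who, REPORT, env, act)))
```

The same caller, resource and action receive different answers as the environment changes, which is the property the abstract describes: the decision depends on the full attribute context at request time, not on a static role assignment. Returning the matching rule names alongside the decision keeps every permit and deny explainable.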