
SOA Publication and Location Pattern

Security architecture and controls for SOA publication and deployment

Release: 08.02 Authors: Russell Updated: 2025-07-04


When to Use

Whenever you can distinguish between trustworthy callers and less trusted callers. Trustworthiness is typically certified by those who operate or own the provided services.

When NOT to Use

You do not need to implement registry protection if you trust all the potential callers.

Typical Challenges

There are no standards or guidelines that would help to enforce the (implicit) contract. Some tooling on the market helps to write policies for contract enforcement and negotiation and then acts as a service guard.

Threat Resistance

Threat agents: Rogue employees, rogue developers, rogue suppliers

Assumptions

The WSDL interface (registry entry) of a web service can be considered an (implicit) contract between the service provider and the service consumer. The ebXML suite of standards has some support for security properties.

Mapped Controls (10)

AC: 3, AU: 1, CA: 2, CM: 2, SA: 2
  • AC-01 Access Control Policies and Procedures
  • AC-03 Access Enforcement
  • AC-05 Separation Of Duties
  • AU-01 Audit And Accountability Policy And Procedures
  • CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
  • CA-04 Security Certification
  • CM-01 Configuration Management Policy And Procedures
  • CM-03 Configuration Change Control
  • SA-03 Life Cycle Support
  • SA-08 Security Engineering Principles