SOA Internal Service Usage Pattern
Security architecture and controls for SOA internal service deployment
Release: 08.02 Authors: Aurelius Updated: 2025-07-04
Typical Challenges
- In addition to adherence to the service level agreement of each single service, end-to-end QoS management is critical for composite services; the dynamic nature of web services makes end-to-end QoS management a major challenge.
- Performance of transaction authorization: the cost of security per transaction is considerable, which pushes the design toward coarse-grained services.
Threat Resistance
TBD. List of the threats that the pattern can resist.
Assumptions
- Service authentication with SSL X.509 certificates, i.e. trust established via an internal issuing CA
- Transaction authentication with SAML tokens
- Every transaction is authorized independently
- The enterprise service bus (ESB) is implemented in a distributed manner, meaning it is included in each component that contributes to the service delivery.
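The per-transaction authorization that these assumptions describe, as an added example that is not part of the original pattern: a service receives a SAML-style assertion with each transaction and evaluates it afresh every time, with no session state. The issuer, audience, subject, role attribute, policy table and the assertion itself are constructed for illustration; verifying the assertion's XML-DSig signature is assumed to be done by a separate library and its result is passed in as a flag.

```python
"""Authorizing each SOA transaction independently from a SAML-style token.

Added example; the assertion, issuer, audience, roles and policy below are
constructed for illustration and are not taken from the pattern.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion presented by the calling service on one transaction.
# A real assertion also carries an XML-DSig <ds:Signature>; verifying it is assumed
# to be done by a separate XML-DSig library, whose result arrives as `signature_valid`.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2025-07-04T10:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.internal.example/</saml:Issuer>
  <saml:Subject><saml:NameID>svc-orders</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-07-04T10:00:00Z" NotOnOrAfter="2025-07-04T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://inventory.internal.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>order-processor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://sts.internal.example/"}            # internal STS (constructed)
THIS_SERVICE_AUDIENCE = "https://inventory.internal.example/"   # this service's audience URI (constructed)

# Constructed policy for this service: role -> operations that role may invoke.
POLICY = {
    "order-processor": {"getStock", "reserveStock"},
    "auditor": {"getStock"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    subject: Optional[str] = None


def parse_utc(value: str) -> datetime:
    """Parse a SAML UTC timestamp of the form 2025-07-04T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authorize_transaction(assertion_xml: str, operation: str, now: datetime,
                          signature_valid: bool) -> Decision:
    """Evaluate one transaction. Nothing is cached between calls: every
    transaction is authorized independently, as the pattern assumes."""
    if not signature_valid:
        return Decision(False, "assertion signature invalid")
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return Decision(False, "malformed assertion")

    # Only assertions minted by the internal STS are acceptable.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        return Decision(False, "untrusted issuer")

    # Validity window: NotBefore inclusive, NotOnOrAfter exclusive.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        return Decision(False, "missing validity conditions")
    if not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        return Decision(False, "assertion outside validity window")

    # The token must be addressed to this service, not merely to any internal service.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if THIS_SERVICE_AUDIENCE not in audiences:
        return Decision(False, "audience mismatch")

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not subject:
        return Decision(False, "no subject")

    # Map the asserted roles onto this service's policy and decide for this operation only.
    roles = {v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", SAML_NS)}
    permitted = set().union(*(POLICY.get(r, set()) for r in roles))
    if operation not in permitted:
        return Decision(False, f"operation {operation!r} not permitted for roles {sorted(roles)}", subject)
    return Decision(True, "authorized", subject)


if __name__ == "__main__":
    t = parse_utc("2025-07-04T10:02:00Z")
    for op in ("reserveStock", "deleteStock"):
        print(op, authorize_transaction(SAMPLE_ASSERTION, op, t, signature_valid=True))
```

Each call re-parses and re-checks the full assertion, which is exactly the per-transaction cost the Typical Challenges section refers to; that cost is the reason the pattern favours coarse-grained service operations over many fine-grained calls.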
Mapped Controls (14)
AC: 5, AU: 1, IA: 3, SC: 4, SI: 1
- AC-01 Access Control Policies and Procedures
- AC-03 Access Enforcement
- AC-04 Information Flow Enforcement
- AC-06 Least Privilege
- AC-07 Unsuccessful Login Attempts
- AU-02 Auditable Events
- IA-01 Identification And Authentication Policy And Procedures
- IA-02 User Identification And Authentication
- IA-07 Cryptographic Module Authentication
- SC-05 Denial Of Service Protection
- SC-08 Transmission Integrity
- SC-09 Transmission Confidentiality
- SC-23 Session Authenticity
- SI-10 Information Accuracy, Completeness, Validity, And Authenticity