Diagram:

Your browser does not support SVG files! We recommend you upgrade to the latest version of Firefox, Safari orOpera so you receive patterns with hyper-linked controls.

Legend: Not applicable.

Description: This pattern describes the controls needed to make sure that services can only be used and located by authorized service consumers. Describe any additional architectural principles that may be reflected in the pattern.

Assumptions: The WSDL interface (registry entry) of a web-service can be considered an (implicit) contract between the service provider and the service consumer. The ebXML suite of standards has some support for security properties.

Typical challenges: There are no standards/guidelines that would help to enforce the (implicit) contract. On the market there is some tooling around that help to write policies for contract enforcement/negotiation and then act like a service guard.

Indications: Whenever you can distinguish between trustworthy callers and less trusted callers. Trustworthiness typically is certified by those that operate or own the provided services.

Contra-indications: You do not need to implement registry protection if you trust all the potential callers.

Resistance against threats: Threat agents: Rogue employees, rogue developers, rogue suppliers

References:

• NIST Special Publication 800-95: Guide to Secure Web Services
• Standards for securing web services
• Securing service based interactions

Classification: Middle ware

Release: 08.02

Authors: Aurelius

Reviewer(s): Spinoza

Control details

AC-01 Access Control Policies and Procedures
AC-03 Access Enforcement
AC-05 Separation Of Duties

AU-01 Audit And Accountability Policy And Procedures

CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CA-04 Security Certification

CM-01 Configuration Management Policy And Procedures
CM-03 Configuration Change Control

SA-03 Life Cycle Support
SA-08 Security Engineering Principles