SP-004: SOA Publication and Location Pattern
Legend: Not applicable.
Description: This pattern describes the controls needed to make sure that services can only be used and located by authorized service consumers. Describe any additional architectural principles that may be reflected in the pattern.
Assumptions: The WSDL interface (registry entry) of a web-service can be considered an (implicit) contract between the service provider and the service consumer. The ebXML suite of standards has some support for security properties.
Typical challenges: There are no standards/guidelines that would help to enforce the (implicit) contract. On the market there is some tooling around that help to write policies for contract enforcement/negotiation and then act like a service guard.
Indications: Whenever you can distinguish between trustworthy callers and less trusted callers. Trustworthiness typically is certified by those that operate or own the provided services.
Contra-indications: You do not need to implement registry protection if you trust all the potential callers.
Resistance against threats: Threat agents: Rogue employees, rogue developers, rogue suppliers
- NIST Special Publication 800-95: Guide to Secure Web Services
- Standards for securing web services
- Securing service based interactions
Related patterns: Uses the server module, is related to internal and external SOA service usage.
Classification: Middle ware
AC-01 Access Control Policies and Procedures
AC-03 Access Enforcement
AC-05 Separation Of Duties
AU-01 Audit And Accountability Policy And Procedures
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CA-04 Security Certification
CM-01 Configuration Management Policy And Procedures
CM-03 Configuration Change Control
SA-03 Life Cycle Support
SA-08 Security Engineering Principles