Arcitura Education S90.20 Exam - Topic 1 Question 11 Discussion
Service Consumer A sends a request to Service A (1). Service A replies with an acknowledgement message (2) and then processes the request and sends a request message to Service B (3). This message contains confidential financial data. Service B sends three different request messages together with its security credentials to Services C, D, and E (4, 5, 6). Upon successful authentication, Services C, D, and E store the data from the message in separate databases (7, 8, 9). Services B, C, D, and E belong to Service Inventory A, which further belongs to Organization B. Service Consumer A and Service A belong to Organization A. Organization B decides to create a new service inventory (Service Inventory B) for services that handle confidential data. Access to these services is restricted by allocating Service Inventory B its own private network. Access to this private network is further restricted by a dedicated firewall. Services C, D, and E are moved into Service Inventory B, and as a result, Service B can no longer directly access these services. How can this architecture be changed to allow Service B to access Services C, D, and E in a manner that does not jeopardize the security of Service Inventory B while also having a minimal impact on the service composition's performance?
A) The Service Perimeter Guard pattern is applied together with the Brokered Authentication pattern. A new perimeter service is created to intercept all request messages sent to services inside the private network (inside Service Inventory B), before they reach the firewall. The perimeter service also acts as the authentication broker that authenticates request messages sent to Services C, D, and E by evaluating the accompanying security credentials and issuing a security token to be used by Service B when accessing Services C, D, and E.
B) The Service Perimeter Guard pattern is applied together with the Message Screening pattern. A new perimeter service is created specifically for Service Inventory B. This service filters all messages before they reach the firewall and further evaluates the IP address of the messages to verify the identity of the message originators. If the originator is successfully authenticated, then the perimeter guard checks the request message for potentially malicious content. If the request message does not contain malicious content, it is sent through the firewall to proceed to Services C, D, and E for further processing.
C) The Brokered Authentication pattern is applied by extending the firewall functionality with a single sign-on mechanism. Because the firewall already restricts access to Service Inventory B, adding authentication logic to the firewall optimizes the performance of the overall security architecture. Service B needs to be authenticated by the authentication broker only once in order to get a security token that can be used to access Services C, D, and E. This eliminates the need for Service B to authenticate several times during the same service composition.
D) The Data Confidentiality pattern is applied together with the Direct Authentication pattern. A new utility service is created to validate request messages sent to Service Inventory B. Service B must encrypt the message content using the utility service's public key and attach its own digital certificate to the request message. This message is first evaluated by the firewall to filter out requests from disallowed sources and can then be forwarded to the utility service, which then verifies the identity of the message originator (using a digital certificate) and decrypts the request message contents. If the originator is authorized to access Services C, D, and E, the appropriate request messages are sent to these services.