
Arcitura Education S90.20 Exam - Topic 1 Question 12 Discussion

Service Consumer A submits a request message with security credentials to Service A (1). The identity store that Service A needs to use in order to authenticate the security credentials can only be accessed via a legacy system that resides in a different service inventory. Therefore, to authenticate Service Consumer A, Service A must first forward the security credentials to the legacy system (2). The legacy system then returns the requested identity to Service A (3). Service A authenticates Service Consumer A against the identity received from the legacy system. If the authentication is successful, Service A retrieves the requested data from Database A (4), and returns the data in a response message sent back to Service Consumer A (5). Service A belongs to Service Inventory A which further belongs to Security Domain A and the legacy system belongs to Service Inventory B which further belongs to Security Domain B. (The legacy system is encapsulated by other services within Service Inventory B, which are not shown in the diagram.) These two security domains trust each other. Communication between Service A and the legacy system is kept confidential using transport-layer security. It was recently discovered that a malicious attacker, posing as Service Consumer A, has been accessing Service A. An investigation revealed that these attacks occurred because security credentials supplied by Service Consumer A were transmitted in plaintext. Furthermore, vulnerabilities to replay attacks and malicious intermediaries have been detected. Which of the following statements describes a solution that can counter these types of attacks? Also, list the industry standards required by the proposed solution.
A) Apply the Data Origin Authentication pattern together with the Data Confidentiality pattern in order to establish message-layer security that guarantees the confidentiality and integrity of messages exchanged by Service Consumer A and Service A. Further, a security policy can be created to require that security credentials submitted to Service A must be digitally signed and encrypted and also contain a timestamp to validate the actual time the request was issued. Industry standards that can be used for this solution are WS-Policy, WS-Security-Policy, XML-Encryption, and XML-Signature.
B) Apply the Service Perimeter Guard pattern together with the Trusted Subsystem pattern to establish a perimeter service that can perform security functions on behalf of Service A. The utility service can verify the validity of the request messages from Service Consumer A by authenticating the request message against an identity store. If the request message is authenticated, the utility service then sends it to Service A for further processing. All communications between Service A and Service Consumer A can be encrypted using the public key of the intended recipient, and signed using the private key of the sender. Industry standards that can be used for this solution are XML-Encryption, XML-Signature, and WS-Trust.
C) Apply the Service Perimeter Guard pattern to establish a perimeter service that can perform security functions on behalf of Service A. Next, apply the Data Confidentiality pattern so that the security credential information provided by Service Consumer A with the request message is encrypted with the secret key shared between the perimeter service and Service Consumer A. The perimeter service evaluates the credentials and if successfully authenticated, forwards the request message to Service A. Transport-layer security is used to protect message exchanges between Service A and Service Consumer A.
D) Apply the Trusted Subsystem pattern together with the Data Origin Authentication pattern in order to establish a utility service that performs the security processing on behalf of Service A. Service Consumer A must digitally sign all request messages and encrypt the credential information using the public key of the utility service. The utility service can then verify the security credentials and the digital signature to establish the validity of the request message. If the request message is permitted, the utility service establishes a composite trust domain that encompasses Service Consumer A, Service A, Database A, and the legacy system. Because all communications remain within a single trust domain, malicious intermediaries will not be able to gain access to any exchanged data.


Suggested Answer: A
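An added illustration of the message-layer checks answer A calls for (signed, timestamped credentials; replay and tampering detected). This is constructed example code, not from the exam or this site: HMAC-SHA256 over a canonical JSON envelope stands in for XML-Signature, the timestamp/nonce handling mirrors a WS-Security Timestamp plus a replay cache, `MAX_SKEW` is an assumed policy value, and XML-Encryption of the credential is not modelled.

```python
# Constructed example of the message-layer checks answer A describes
# (credentials signed, timestamped, replay detected). HMAC-SHA256 over a
# canonical JSON envelope stands in for XML-Signature; the timestamp/nonce
# logic mirrors a WS-Security Timestamp plus a replay cache. XML-Encryption
# of the credential is not modelled. Not code from Arcitura or the page.
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300  # seconds a request stays fresh (assumed policy value)


def canonical(envelope: dict) -> bytes:
    # Deterministic serialisation: signer and verifier must hash identical bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def build_request(key: bytes, credential: str, body: dict, now: int) -> dict:
    # Service Consumer A side: attach credential, creation time and a fresh nonce, then sign.
    envelope = {"credential": credential, "created": now,
                "nonce": secrets.token_hex(16), "body": body}
    sig = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return {"envelope": envelope, "signature": sig}


class Verifier:
    # Service A side: origin check, freshness window, one-time nonce.
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> created; only nonces still inside the window are kept

    def verify(self, request: dict, now: int) -> str:
        envelope, sig = request["envelope"], request["signature"]
        expected = hmac.new(self.key, canonical(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"    # altered by a malicious intermediary
        if abs(now - envelope["created"]) > MAX_SKEW:
            return "rejected: stale timestamp"  # too old (or clock too far ahead)
        # Drop nonces that could no longer pass the window check, then test for reuse.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if envelope["nonce"] in self.seen:
            return "rejected: replay"           # identical signed request seen before
        self.seen[envelope["nonce"]] = envelope["created"]
        return "accepted"
```

A verifier that checks the signature but not the timestamp or nonce would still accept the replayed request, which is exactly the gap the timestamp requirement in answer A closes.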

Contribute your Thoughts:

Fidelia
7 months ago
C seems a bit weak without the digital signature part.
upvoted 0 times
Dean
7 months ago
A definitely covers all bases with signing and encryption.
upvoted 0 times
Peggy
8 months ago
Wait, are we sure the perimeter service can handle all those threats?
upvoted 0 times
Shawn
8 months ago
I think B might be more effective with the perimeter service approach.
upvoted 0 times
Hui
8 months ago
Sounds like A is the best option for securing those credentials!
upvoted 0 times
Jesusa
8 months ago
This is a good one. I think the decision-making process in the business analysis plan is the best answer here. The question is specifically about the business analyst's role, so that makes sense as the right place to define the decision-making approach.
upvoted 0 times
Magda
8 months ago
I'm not totally sure about this one. The options all seem similar, but I'll give it my best shot and hope I can eliminate a couple of the choices.
upvoted 0 times
Lina
8 months ago
I want to say the BBA actually reduced the number of organizations that deliver services, which seems relevant, but I'm uncertain.
upvoted 0 times
Merlyn
8 months ago
Hmm, I'm a bit confused by the concept of traffic groups and how they relate to the BIG-IP Managers. I'll need to review my notes on high availability configurations to make sure I understand the context properly.
upvoted 0 times