Arcitura Education S90.20 Exam - Topic 1 Question 24 Discussion

Actual exam question for Arcitura Education's S90.20 exam

Question #: 24
Topic #: 1

Services A, B and C belong to Service Inventory A .Services D, E and F belong to Service Inventory B .Service C acts as an authentication broker for Service Inventory A .Service F acts as an authentication broker for Service Inventory B .Both of the authentication brokers use Kerberos-based authentication technologies. Upon receiving a request message from a service consumer, Services C and F authenticate the request using a local identity store and then use a separate Ticket Granting Service (not shown) to issue the Kerberos ticket to the service consumer. A recent security audit of the two service inventories revealed that both authentication brokers have been victims of attacks. In Service Inventory A, the attacker has been intercepting and modifying the credential information sent by Service C (the ticket requester) to the Ticket Granting Service. As a result, the requests have been invalidated and incorrectly rejected by the Ticket Granting Service. In Service Inventory B, the attacker has been obtaining service consumer credentials and has used them to request and receive valid tickets from the Ticket Granting Service. The attacker has then used these tickets to enable malicious service consumers to gain access to other services within the service inventory. How can the two service inventory security architectures be improved in order to counter these attacks?

AThe Data Confidentiality pattern can be applied to messages exchanged by the services in Service Inventory A .The Data Origin Authentication pattern can be applied to messages exchanged by services in Service Inventory B .

BThe Service Perimeter Guard pattern can be applied to Service Inventory A in order to establish a perimeter service responsible for validating and filtering all incoming request messages on behalf of Service C .The Data Origin Authentication pattern can be applied to messages exchanged by services in Service Inventory B .This will ensure the integrity of messages by verifying their origins to the message recipients.

CWS-Secure-Conversation can be used to secure the communication between the authentication broker and service consumers in Service Inventory A .This ensures that Services A and B will contact Service C to request a security context token that will be used to generates a session key for the encryption of the ticket submitted to Service C . The Data Origin Authentication pattern can be applied to messages exchanged by services in Service Inventory B .This will ensure the integrity of messages try verifying their origins to the message recipients.

DWS-Trust can be used to establish secure communication between the authentication broker and the service consumers. After receiving the request message and the corresponding credentials from service consumers, the authentication broker can validate their identity, and if successful, a signed SAML assertion containing all authentication information will be issued. The SAML assertion will then be used to authenticate the service consumers during subsequent communications. Because the messages are signed and encrypted, malicious service consumers cannot access the data. This approach can be applied to counter the threats in both Service Inventories A and B .

Show Suggested Answer

Suggested Answer: A

by Xochitl at May 08, 2022, 12:32 PM

Limited Time Offer

25%

5 months ago

Hmm, this seems like a tricky one. I'll need to think carefully about the corrosion resistance properties of each material option.

upvoted 0 times

...