Page maturity: This page has maturity level 3 (usable)
Document type: Generic Pattern
Owner:
This Generic Pattern belongs to "Business Support". An implementation of this Pattern can be used to secure access to back-end resources. By and large, it performs either or both of the following two tasks:
- It can use the combination of Connection Handling and a Filter function to prevent traffic from passing to the back-end resource until proper authentication and authorization have occurred, so as to shield the protected resources against unauthorized access;
- It can use the combination of Data Scanning and a Filter function to shield the protected resources from malicious or malformed traffic.
If needed, Encryption functionality can secure the communication between the consumers of the back-end resource and the Access Security pattern itself, and/or between the Access Security pattern and the back-end resource itself. Note that for many security operations, the traffic between consumers and back-end resources needs to be unencrypted at the point of inspection, so as to allow inspection by this Generic Pattern.
Furthermore, Reduction may be used to allow compression of the data traffic between consumers and the Access Security service, for efficient data transfers. Note that for many security operations, the traffic between consumers and back-end resources needs to be uncompressed at the point of inspection, so as to allow inspection by this Generic Pattern.
This service is often combined with Access Distribution; such a combination may be realized as an "access path".
This Pattern realizes the following services:
- Access Security (This service is used to secure access to back-end resources.)
Functional and Integration view
This is the graphic representation of the functional model of this Generic Pattern:
Generic Pattern Composition
This pattern is an aggregation of the following (mandatory and optional) functions, expressed in Generic Functions:
Services connected with this Generic Pattern
This Generic Pattern has the following mandatory and optional relations with adjacent Generic Services.
- Data Transport (recommended). This service transports data between automated systems. While virtually all Generic Patterns have a relation with Data Transport, this relation is more noteworthy for Access Security, since the designer will have to fit Access Security correctly between a Data Transport instance and the IT resource for which it is securing access. The presence of (one or more instances of) the Data Transport service serves to model all concerns relating to the correct fit.
- Authentication & Authorization (optional). This service can validate an identity claim, and it can validate the permissions required for an action, as part of an Authentication & Authorization process. The Authentication & Authorization service can be used to authenticate consumers for the protected back-end resource (usually at the location where Session Handling takes place) and/or to authorize access to the protected back-end resource.
  Authorization can also take place based on traffic characteristics, data characteristics and/or other conditions. The effect can be that consumers are denied access to the back-end resource based on many criteria, such as:
  These criteria can be managed within the Access Security implementation itself, but they may just as well be managed using a separate Authorization service.
- Facilities Monitoring (optional). This service allows its users to monitor IT facilities with the aim of guarding operational continuity or security. Access Security is usually employed to secure access to the IT resource that this Pattern is protecting. Thus, many events that occur in an Access Security facility are of interest to Security staff. This means it is desirable to have the facility report directly to (a Security instance of) Facilities Monitoring.
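As an added illustration, not code from this page or from any product that implements the pattern, the following Python script models an Access Security gateway carrying out the two tasks described above: Connection Handling plus a Filter that refuses traffic until the consumer is authenticated and authorized, and Data Scanning plus a Filter that rejects traffic which is malformed or cannot be inspected. It also shows authorization on a traffic characteristic (a blocked source address) and reports every decision as an event for a Security instance of Facilities Monitoring. The session table, permission table, per-endpoint schemas, blocked address, sample requests and the stand-in back-end are all constructed assumptions.

```python
import gzip
import json
from dataclasses import dataclass

@dataclass
class Request:
    source_ip: str
    method: str
    path: str
    session_token: str = ""     # set by Session Handling when the consumer authenticated
    content_encoding: str = ""  # "gzip" when Reduction compressed the body upstream
    body: bytes = b""

# Constructed policy data (hypothetical; none of it comes from the page).
SESSIONS = {"tok-alice": {"user": "alice", "roles": {"reader"}},
            "tok-bob": {"user": "bob", "roles": {"reader", "writer"}}}
PERMISSIONS = {("GET", "/orders"): {"reader", "writer"}, ("POST", "/orders"): {"writer"}}
SCHEMAS = {("POST", "/orders"): {"item": str, "qty": int}}  # expected body fields per endpoint
BLOCKED_SOURCES = {"203.0.113.7"}                           # TEST-NET-3 address, constructed

class AccessSecurityGateway:
    """Forwards a request to the back-end only after every stage allowed it; reports every outcome."""

    def __init__(self, backend):
        self.backend = backend
        self.events = []  # feed for (a Security instance of) Facilities Monitoring

    # Connection Handling + Filter: traffic characteristics first, then authentication.
    def connection_filter(self, req):
        if req.source_ip in BLOCKED_SOURCES:
            return None, "source address is blocked"
        principal = SESSIONS.get(req.session_token)
        return (principal, None) if principal else (None, "no valid authenticated session")

    # Authorization: may this principal perform this action on this resource?
    def authorize(self, req, principal):
        allowed = PERMISSIONS.get((req.method, req.path), set())  # unknown endpoint: nobody
        return None if principal["roles"] & allowed else "principal lacks a permitted role"

    # Data Scanning + Filter: the body must be inspectable and well-formed for its endpoint.
    def scan_body(self, req):
        body = req.body
        if req.content_encoding == "gzip":
            try:
                body = gzip.decompress(body)  # uncompress so the content can be inspected
            except (OSError, EOFError):
                return None, "malformed compressed body"
        elif req.content_encoding:
            return None, "unsupported content encoding; body cannot be inspected"
        schema = SCHEMAS.get((req.method, req.path))
        if schema is None:
            return (b"", None) if not body else (None, "unexpected body for this endpoint")
        try:
            doc = json.loads(body.decode("utf-8"))
        except ValueError:  # JSONDecodeError and UnicodeDecodeError are both ValueErrors
            return None, "body is not well-formed JSON"
        if not isinstance(doc, dict) or set(doc) != set(schema):
            return None, "body has unexpected or missing fields"
        for name, expected in schema.items():
            if type(doc[name]) is not expected:  # 'is not', so a bool does not pass as int
                return None, f"field '{name}' has wrong type"
        return body, None

    def _deny(self, req, stage, reason):
        self.events.append({"stage": stage, "source": req.source_ip, "path": req.path,
                            "result": "deny", "detail": reason})
        return {"status": 403, "body": reason}

    def handle(self, req):
        principal, reason = self.connection_filter(req)
        if principal is None:
            return self._deny(req, "connection", reason)
        reason = self.authorize(req, principal)
        if reason:
            return self._deny(req, "authorization", reason)
        body, reason = self.scan_body(req)
        if body is None:
            return self._deny(req, "data-scanning", reason)
        self.events.append({"stage": "forward", "source": req.source_ip, "path": req.path,
                            "result": "allow", "detail": principal["user"]})
        return self.backend(req.method, req.path, principal["user"], body)

def run_demo():
    """Drive the gateway with constructed requests; returns ([(status, body), ...], events)."""
    gw = AccessSecurityGateway(  # constructed stand-in for the protected back-end resource
        lambda m, p, u, b: {"status": 200, "body": f"{m} {p} by {u}, {len(b)} body bytes"})
    src = "198.51.100.4"  # TEST-NET-2 address, constructed
    good, bad_type = b'{"item": "widget", "qty": 2}', gzip.compress(b'{"item": "widget", "qty": "2"}')
    requests = [
        Request(src, "GET", "/orders", session_token="tok-alice"),
        Request(src, "POST", "/orders", session_token="tok-alice", body=good),
        Request(src, "POST", "/orders", session_token="tok-bob", body=good),
        Request(src, "POST", "/orders", session_token="tok-bob", content_encoding="gzip", body=bad_type),
        Request(src, "POST", "/orders", session_token="tok-bob", content_encoding="br", body=b"\x00"),
        Request("198.51.100.9", "GET", "/orders"),                            # no session at all
        Request("203.0.113.7", "GET", "/orders", session_token="tok-alice"),  # blocked source
    ]
    return [(r["status"], r["body"]) for r in map(gw.handle, requests)], gw.events

if __name__ == "__main__":
    print(*run_demo()[0], sep="\n")
```

The order of the stages is the point: nothing touches the back-end until the connection-level checks and the authorization decision have passed, and the body is only inspected after it has been brought into inspectable form. The content-encoding branch is the page's caveat in code: a gzip body is uncompressed before scanning, and an encoding the gateway cannot undo is refused rather than forwarded unseen; terminating Encryption at the gateway serves the same purpose for encrypted traffic. Every deny and every forward lands in `events`, which is what a Security instance of Facilities Monitoring would consume.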
Applied Patterns based on this Generic Pattern
The following Applied Patterns are based wholly or in part on this Generic Pattern: