GP.Access Security: Difference between revisions

From OIAr
(intermediate save)

Revision as of 17:34, 1 January 2015


This is a Generic Pattern document: GP Access Security
Version: 0.3
Document type: Generic Pattern
Owner: J.A.H. Schoonderbeek



Description

This Generic Pattern belongs to "Business Support". An implementation of this Pattern can be used to secure access to back-end resources. By and large, it performs either or both of the following two tasks:

  • It can use the combination of the Connection Handling and Filter functions to prevent traffic from passing to the back-end resource until proper authentication and authorization have occurred, so as to shield the protected resources against unauthorized access;
  • It can use the combination of the Data Scanning and Filter functions to shield the protected resources from malicious or malformed traffic.

If needed, Encryption functionality can secure the communication between the consumers of the back-end resource and the Access Security pattern, and/or between the Access Security pattern and the back-end resource. Note that for many security operations, the traffic between consumers and back-end resources needs to be unencrypted, so as to allow inspection by this Generic Pattern.

Furthermore, Reduction may be used to compress the data traffic between consumers and the Access Security service, for efficient data transfers. Note that for many security operations, the traffic between consumers and back-end resources needs to be uncompressed, so as to allow inspection by this Generic Pattern.

This service is often combined with Access Distribution; such a combination may be realized as an "access path".

Services realized

This Pattern realizes the following service(s):

  • Access Security (This service is used to secure access to back-end resources.)

Functional and Integration view

This is the graphic representation of the functional model of this Generic Pattern:

[Figure: Generic Pattern Access Security]


Generic Pattern Composition

This pattern is an aggregation of the following (mandatory and optional) functions, expressed in Generic Functions:

Icon Function Inclusion Rationale

Services connected with this Generic Pattern

This Generic Pattern has the following mandatory and optional relations with adjacent Generic Services.

Service: Data Transport
Adjacency: recommended
Summary: This service transports data between automated systems.
Rationale: While virtually all Generic Patterns have a relation with Data Transport, this relation is more noteworthy for Access Security, since the designer will have to fit Access Security correctly between a Data Transport instance and the IT resource for which it is securing access. The presence of (one or more instances of) the Data Transport service serves to model all concerns relating to the correct fit.

Service: Authentication & Authorization
Adjacency: optional
Summary: This service can validate an identity claim, and it can validate the permissions required for an action, as part of an Authentication & Authorization process.
Rationale: The Authentication & Authorization service can be used to authenticate consumers for the protected back-end resource (usually at the location where Session Handling takes place) and/or to authorize access to the protected back-end resource.

Authorization can also take place based on traffic characteristics, data characteristics and/or other conditions. The effect can be that consumers are denied access to the back-end resource based on many criteria, such as:

  • multiple failed authentication attempts;
  • Denial of Service traffic patterns;
  • blacklisting of consumers based on characteristics such as network address or machine name;
  • suspect behaviour such as incorrect reverse lookups or incorrect or incomplete answers to challenges;
  • absence of up-to-date antivirus at the consumer machine.

These criteria can be managed within the Access Security implementation itself, but they may just as well be managed using a separate Authorization service.

Service: Facilities Monitoring
Adjacency: optional
Summary: This service allows its users to monitor IT facilities with the aim of guarding operational continuity or security.
Rationale: Access Security is usually employed to secure access to the IT resource that this Pattern is protecting. Thus, many events that occur in an Access Security facility are of interest to Security staff. This means it is desirable to have the facility report directly to (a Security instance of) Facilities Monitoring.
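
The deny criteria listed in the Authentication & Authorization rationale can be expressed as a single Filter decision. The sketch below is an added example, not part of the original pattern document; the `Consumer` and `Policy` types, the threshold values and the reason strings are assumptions, and the challenge-answer criterion is left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed thresholds: the pattern names the criteria but prescribes no values.
MAX_FAILED_AUTH, FAILED_AUTH_WINDOW = 5, 300   # attempts, seconds
MAX_REQUESTS, RATE_WINDOW = 100, 10            # requests, seconds
MAX_AV_AGE_DAYS = 7                            # oldest acceptable signatures

@dataclass
class Consumer:                  # hypothetical view the Filter has of a consumer
    address: str
    machine_name: str
    reverse_lookup_name: str     # name returned by a reverse lookup of address
    av_signature_age_days: int
    failed_auth_times: list = field(default_factory=list)  # epoch seconds
    request_times: list = field(default_factory=list)      # epoch seconds

@dataclass
class Policy:
    blocked_networks: list       # CIDR strings
    blocked_names: set           # lower-case machine names

def _recent(times, now, window):
    """Count events that fall inside the last `window` seconds."""
    return sum(1 for t in times if 0 <= now - t <= window)

def evaluate(consumer, policy, now):
    """Return (allow, reasons); every matching deny criterion is listed."""
    reasons = []
    if _recent(consumer.failed_auth_times, now, FAILED_AUTH_WINDOW) >= MAX_FAILED_AUTH:
        reasons.append("failed-authentication")
    if _recent(consumer.request_times, now, RATE_WINDOW) > MAX_REQUESTS:
        reasons.append("dos-traffic-pattern")
    addr = ipaddress.ip_address(consumer.address)
    name = consumer.machine_name.lower()
    if name in policy.blocked_names or any(
            addr in ipaddress.ip_network(net) for net in policy.blocked_networks):
        reasons.append("blacklisted")
    if consumer.reverse_lookup_name.lower() != name:
        reasons.append("reverse-lookup-mismatch")
    if consumer.av_signature_age_days > MAX_AV_AGE_DAYS:
        reasons.append("stale-antivirus")
    return (not reasons, reasons)

# Constructed sample input (documentation address ranges, invented names).
SAMPLE_POLICY = Policy(["203.0.113.0/24"], {"kiosk-17"})
SAMPLE_CONSUMER = Consumer("203.0.113.5", "ws42", "unknown.example", 30,
                           failed_auth_times=[900, 910, 920, 930, 940])

if __name__ == "__main__":
    print(evaluate(SAMPLE_CONSUMER, SAMPLE_POLICY, now=1000))
```

Returning every matching reason, rather than stopping at the first, gives the facility something specific to report to Facilities Monitoring for each denied consumer.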

Applied Patterns based on this Generic Pattern

The following Applied Patterns are based wholly or in part on this Generic Pattern: