S90.20 試験問題を無料オンラインアクセス

Service A provides a customized report generating capability. Due to infrastructure limitations, the number of service consumers permitted to access Service A concurrently is strictly controlled. Service A validates request messages based on the supplied credentials (1). If the authentication of the request message is successful, Service A sends a message to Service B (2) to retrieve the required data from Database A (3). Service A stores the response from Service B (4) in memory and then issues a request message to Service C (5). Service C retrieves a different set of data from Database A (6) and sends the result back to Service A (7). Service A consolidates the data received from Services B and C and sends the generated report in the response message to the service consumer (8).

It has been discovered that attackers have been gaining access to confidential data exchanged between Service A and Service B, and between Service A and its service consumers. What changes can be made to this service composition architecture in order to counter this threat?

• A.None of the above
• B.Apply the Service Perimeter Guard pattern in order to protect message exchanges between Service A and its service consumers. Apply the Direct Authentication pattern in order to protect message exchanges between Service A and Service B.
• C.Apply the Data Origin Authentication pattern to protect the final report sent by Service A to its service consumer. Service A can generate a message digest of the final report, after which it can sign the digest with its own private key. It then can send both the final report and the signed message digest to its service consumer. This service consumer can generate its own message digest, decrypt the signed digest using the public key of Service A (which proves that Service A sent the message), and then compare the two digests. If the digests match, it guarantees that the final report was not tampered with during transmission.
• D.Apply the Direct Authentication pattern in order to protect message exchanges between Service A and its service consumers and between Service A and Service B.
  This approach will establish a password-based authentication mechanism that relies on a local identity store and will therefore prevent access by attackers.

Service Consumer A sends a request message with an authentication token to Service A, but before the message reaches Service A, it is intercepted by Service Agent A (1). Service Agent A validates the security credentials and also validates whether the message is compliant with Security Policy A.
If either validation fails, Service Agent A rejects the request message and writes an error log to Database A (2A). If both validations succeed, the request message is sent to Service A (2B).
Service A retrieves additional data from a legacy system (3) and then submits a request message to Service B Before arriving at Service B, the request message is intercepted by Service Agent B (4) which validates its compliance with Security Policy SIB then Service Agent C (5) which validates its compliance with Security Policy B.
If either of these validations fails, an error message is sent back to Service A.
that then forwards it to Service Agent A so that it the error can be logged in Database A (2A). If both validations succeed, the request message is sent to Service B (6). Service B subsequently stores the data from the message in Database B (7).
Service A and Service Agent A reside in Service Inventory A.
Service B and Service Agents B and C reside in Service Inventory B.
Security Policy SIB is used by all services that reside in Service Inventory B.
Service B can also be invoked by other service consumers from Service Inventory B.
Request messages sent by these service consumers must also be compliant with Security Policies SIB and B.

Access to the legacy system in Service Inventory A is currently only possible via Service A, which means messages must be validated for compliance with Security Policy A.
A new requirement has emerged to allow services from Service Inventory B to access the legacy system via a new perimeter service that will be dedicated to processing request messages from services residing in Service Inventory B.
Because the legacy system has no security features, all security processing will need to be carried out by the perimeter service.
However, there are parts of Security Policy A that are specific to Service A and do not apply to the legacy system or the perimeter service. Furthermore, response messages sent by the perimeter service to services from Service Inventory B will still need to be validated for compliance to Security Policy B and Security Policy SIB.
How can the Policy Centralization pattern be correctly applied without compromising the policy compliance requirements of services in both service inventories?

• A.In order for Security Policy A to be centralized so that it can be shared by Service A and the new perimeter service, messages sent to the perimeter service from services in Service Inventory B will need to continue complying with Security Policy A, even if it requires that the messages contain content that does not relate to accessing the legacy system. In order to centralize Security Policy B it will need to be combined with Security Policy SIB, which means that the functionality within Service Agents B and C can be combined into a single service agent.
• B.The parts of Security Policy A that are required for access to the new perimeter service need to be removed and placed into a new security policy that is shared by Service A and the perimeter service. Messages sent by services accessing the perimeter service from Service Inventory B will need to be compliant with the new security policy. Because the perimeter service is dedicated to message exchange with services from Service Inventory B, response messages sent by the perimeter service can be designed for compliance to Security Policy B and Security Policy SIB.
• C.Due to the amount of overlap among Security Policy A, Security Policy B, and Security Policy SIB, the Policy Centralization pattern cannot be correctly applied to enable the described message exchange between the perimeter service in Service Inventory A and services in Service Inventory B.
• D.A single centralized security policy can be created by combining Security Policy A, Security Policy B.
  and Security Policy SIB into a single security policy that is shared by services in both Service Inventory A and Service Inventory B.
  This means that the new perimeter service can share the same new security policy with Service A.
  This further simplifies message exchange processing because request messages sent by services in Service Inventory B to the new perimeter service need to comply to the same security policy as the response messages sent back by the perimeter service to the services in Service Inventory B.

Services A, B, and C reside in Service Inventory A and Services D, E, and F reside in Service Inventory B.
Service B is an authentication broker that issues WS-Trust based SAML tokens to Services A and C upon receiving security credentials from Services A and
C. Service E is an authentication broker that issues WS-Trust based SAML tokens to Services D and F upon receiving security credentials from Services D and E.
Service B uses the Service Inventory A identify store to validate the security credentials of Services A and C.
Service E uses the Service Inventory B identity store to validate the security credentials of Services D and F.

It is decided to use Service E as the sole authentication broker for all services in Service Inventories A and B.
Service B is kept as a secondary authentication broker for load balancing purposes. Specifically, it is to be used for situations where authentication requests are expected to be extra time consuming in order to limit the performance burden on Service E.
Even though Service B has all the necessary functionality to fulfill this new responsibility, only Service E can issue SAML tokens to other services.
How can these architectures be modified to support these new requirements?

• A.Because both Service B and Service E issue SAML tokens, these tokens are interchangeable. In order for both services to receive the same amount of authentication requests, a shared key needs to be provided to them for signing the SAML tokens. By signing the SAML tokens with the same key, the SAML tokens generated by Service B cannot be distinguished from the SAML tokens generated by Service E.
• B.When time consuming authentication requests are identified, Service E can forward them to Service B.
  Upon performing the authentication, Service B sends its own signed SAML token to Service E.
  Because Service E trusts Service B.
  it can use the Service B- specific SAML token to issue an official SAML token that is then sent to the original service consumer (that requested authentication) and further used by other services.
• C.Because the federation requirements ask for SAML tokens generated by Service E, Service B cannot function as an authentication broker. To address the load balancing requirement, a new utility service needs to be introduced to provide functionality that is redundant with Service E.
  This essentially establishes a secondary authentication broker to which Service E can defer time-consuming authentication tasks at runtime.
• D.To provide load balancing, a service agent needs to be implemented to intercept all incoming requests to Service E.
  The service agent uses a random distribution of the authentication requests between Service B and Service E.
  Because the request messages are distributed in a random manner, the load between the two authentication brokers is balanced.

Service Consumer A submits a request message with security credentials to Service A (1).
The identity store that Service A needs to use in order to authenticate the security credentials can only be accessed via a legacy system that resides in a different service inventory. Therefore, to authenticate Service Consumer A, Service A must first forward the security credentials to the legacy system (2). The legacy system then returns the requested identity to Service A (3). Service A authenticates Service Consumer A against the identity received from the legacy system. If the authentication is successful, Service A retrieves the requested data from Database A (4), and returns the data in a response message sent back to Service Consumer A (5).
Service A belongs to Service Inventory A which further belongs to Security Domain A and the legacy system belongs to Service Inventory B which further belongs to Security Domain
B. (The legacy system is encapsulated by other services within Service Inventory B, which are not shown in the diagram.) These two security domains trust each other.
Communication between Service A and the legacy system is kept confidential using transport-layer security.

No intermediary service agents currently exist between the two service inventories.
However, it has been announced that due to the introduction of new systems, some intermediary service agents may be implemented in the near future. Additionally, the legacy system has been scheduled for retirement and will be replaced by a new identity management system that will provide a new identity store. Because the new identity store will need to serve many different systems, there are concerns that it could become a performance bottleneck. As a result, services (including Service A and other services in Security Domains A and B) will not be allowed to directly access the new identity store.
Which of the following statements describes a solution that can accommodate the requirements of the new identity store, the authentication requirements of Service A, and can further ensure that message exchanges between Security Domains A and B remain confidential after intermediary service agents are introduced?

• A.Apply the Trusted Subsystem pattern by abstracting away the new identity management system using a utility service that authenticates the request from Service A and then uses its own credentials to retrieve the requested identity from the new identity management system. For the utility service to authenticate Service As request, it needs to be provisioned with a new identity database that contains identities for all authorized service consumers of the new utility service. In order to secure the communication between Service A and the new utility service, use message-layer security as it provides security over multiple hops considering the need to secure the message in case an intermediary is introduced in future.
• B.Apply the Brokered Authentication pattern to establish an authentication broker. Instead of Service A directly authenticating Service Consumer A, Service Consumer A submits a request message with security credentials to the authentication broker, which authenticates Service Consumer A against the new identity store and then issues a SAML token to Service Consumer A that it can use for message exchanges with other services, if necessary. In order to secure cross-service inventory message exchanges, the Data Confidentiality pattern is applied to establish message-layer security.
• C.Apply the Trusted Subsystem pattern to implement a utility service abstracting the new identity management system. Service A forwards Service Consumer As credentials to the utility service to verify Service Consumer As identity. The utility service authenticates the request originating from Service A.
  After successful authentication, the utility service uses its own credentials to retrieve the requested identity, and then send the identity to Service A, Therefore, effectively reducing the processing need of the identity management system.
  The current transport-layer security can still be used, in order to secure the communication between Service A and the new utility service, as it more efficient than the message-layer security.
• D.Replicate the identity database used by the new identity management system. Because the Security Domains A and B trust each other, protection of the identity store is guaranteed. Use Service Agents to monitor changes to the identity database used by the new identity management system and to update the replica. This would satisfy the security needs of Service A, would eliminate the need to request services from Service Inventory B, and ensure that current identity information is available for Service A.
  Because Service A would not need to access services across different trust domains, the current transport- layer security is sufficient.