[WIP] 2. API inbound security pattern [Control Realization] - improvement proposal
Version
Also known as
Intent
Applicability
Scope
Contributor(s)
Conditions
References
Dependencies
Variations
Relationships in the control realization (flattened edge list; read each line as source → target)

Zones and the building blocks placed in them
  NORA-1: External
    Client application
  NORA-2: DMZ (Demilitarized Zone)
    BB-17: Web application firewall service
    BB-21: Distributed denial of service protection service
    BB-23: Secure service gateway
  NORA-4: Back Office
    API endpoint
    BB-03: Identity provider service
    BB-13: Security information and event management service

Inbound request flow
  Client application → BB-21: Distributed denial of service protection service
  BB-21: Distributed denial of service protection service → BB-17: Web application firewall service
  BB-17: Web application firewall service → BB-23: Secure service gateway
  BB-23: Secure service gateway → BB-03: Identity provider service
  BB-23: Secure service gateway → API endpoint

Monitoring connections of BB-13
  BB-13: Security information and event management service → API endpoint
  BB-13: Security information and event management service → BB-17: Web application firewall service
  BB-13: Security information and event management service → BB-03: Identity provider service
  BB-13: Security information and event management service → BB-23: Secure service gateway

Controls realized by each building block (NIST SP 800-53 control identifiers)
  BB-21: Distributed denial of service protection service
    SC-5: Denial-of-service Protection
  BB-17: Web application firewall service
    SI-3: Malicious Code Protection
    AC-4(25): Information Flow Enforcement | Data Sanitization
    SC-13: Cryptographic Protection
  BB-23: Secure service gateway
    SI-3: Malicious Code Protection
    CM-7: Least Functionality
    AC-3: Access Enforcement
    AC-4: Information Flow Enforcement
    SI-10: Information Input Validation
  API endpoint
    SI-10: Information Input Validation
    AC-4: Information Flow Enforcement
    AC-3: Access Enforcement
    SI-3: Malicious Code Protection
    SC-13: Cryptographic Protection
  BB-13: Security information and event management service
    SI-4: System Monitoring
  BB-03: Identity provider service
    SC-13: Cryptographic Protection
    AC-12: Session Termination
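As an added worked example (not part of the NORA pattern or of any NORA reference implementation), the Python below sketches how the secure service gateway (BB-23) can realize the controls mapped to it above: CM-7 through a route allow-list, AC-3 and AC-4 through scope checks on a token issued by the identity provider (BB-03), AC-12 through token expiry, SI-10 through payload validation before anything reaches the API endpoint, and SI-4 through audit events destined for the SIEM (BB-13). The route names, scopes, the shared HMAC key, the token format and every sample request are constructed for the demonstration; a real IdP would issue asymmetrically signed tokens that the gateway verifies with the IdP's public key.

```python
"""Illustrative secure service gateway (BB-23) for the inbound API pattern. Added example,
not NORA code: routes, scopes, the IdP key and every request below are constructed."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret standing in for the IdP (BB-03) signing key. A production
# gateway verifies the IdP's asymmetric signature (RS256/ES256) rather than a shared key.
IDP_KEY = b"constructed-demo-idp-key"
# CM-7 Least functionality: exactly these routes exist; AC-3: the scope each one requires.
ROUTES = {
    ("GET", "/v1/orders"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
}
# SI-10 Information input validation: exact field set and types for POST /v1/orders.
ORDER_SCHEMA = {"sku": str, "quantity": int}
MAX_BODY_BYTES = 4096
AUDIT_LOG = []  # SI-4 System monitoring: events the gateway ships to the SIEM (BB-13)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Constructed stand-in for the IdP: HS256-style token, used only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float):
    """Return the claims if the signature checks and the token is unexpired (AC-12), else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all reject the token
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def validate_body(method: str, body: bytes):
    """SI-10: size limit, strict JSON object, allow-listed fields with exact types."""
    if len(body) > MAX_BODY_BYTES:
        return None, "body too large"
    if method == "GET":
        return {}, None
    try:
        data = json.loads(body.decode("utf-8"))
    except ValueError:
        return None, "body is not valid JSON"
    if not isinstance(data, dict) or set(data) != set(ORDER_SCHEMA):
        return None, "unexpected or missing fields"
    for field, typ in ORDER_SCHEMA.items():
        if type(data[field]) is not typ:  # exact match, so True is not accepted as an int
            return None, f"field {field} has wrong type"
    return data, None


def handle(method: str, path: str, headers: dict, body: bytes, now: float) -> int:
    """Decide one inbound request; return the HTTP status the client would receive."""
    def audit(outcome: str, **extra):
        AUDIT_LOG.append({"ts": now, "method": method, "path": path, "outcome": outcome, **extra})
    if (method, path) not in ROUTES:  # CM-7: reject unknown surface before authentication
        audit("rejected", reason="route not exposed")
        return 404
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    claims = verify_token(token, now) if token else None
    if claims is None:  # AC-3 / AC-12: no valid, unexpired IdP token
        audit("rejected", reason="invalid or expired token")
        return 401
    scopes = set(str(claims.get("scope", "")).split())
    if ROUTES[(method, path)] not in scopes:  # AC-3 / AC-4: token lacks the route's scope
        audit("rejected", reason="insufficient scope", subject=claims.get("sub"))
        return 403
    data, err = validate_body(method, body)  # SI-10 before anything reaches the API endpoint
    if err:
        audit("rejected", reason=err, subject=claims.get("sub"))
        return 413 if err == "body too large" else 400
    audit("forwarded", subject=claims.get("sub"), fields=sorted(data))
    return 200


if __name__ == "__main__":
    now = 1_700_000_000.0
    token = issue_token({"sub": "client-app", "scope": "orders:read orders:write", "exp": now + 300})
    print(handle("POST", "/v1/orders", {"Authorization": "Bearer " + token}, b'{"sku": "A1", "quantity": 2}', now))
    print(json.dumps(AUDIT_LOG[-1]))
```

The ordering of the checks is the point: the gateway refuses unknown routes before it spends effort on authentication, refuses unauthenticated or expired callers before it looks at scopes, and validates the payload only for callers that are already authorized, so each rejection reason in the audit log tells the SIEM which control fired. The DDoS protection (BB-21) and WAF (BB-17) in front of the gateway are not modelled here; they sit in the DMZ and act on traffic before it reaches this code.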