2. API inbound security pattern [Control Realization]
Version
Also known as
Intent
Applicability
Scope
Contributor(s)
Conditions
References
Dependencies
Variations
NORA-1: External | API client
API client | STS-21: Distributed denial of service protection service
NORA-2: DMZ (Demilitarized Zone) | STS-17: Web application firewall service
NORA-2: DMZ (Demilitarized Zone) | STS-21: Distributed denial of service protection service
NORA-2: DMZ (Demilitarized Zone) | STS-23: Secure service gateway
STS-21: Distributed denial of service protection service | SC-5: Denial-of-service Protection
STS-21: Distributed denial of service protection service | STS-17: Web application firewall service
STS-17: Web application firewall service | SI-3: Malicious Code Protection
STS-17: Web application firewall service | SC-13: Cryptographic Protection
STS-17: Web application firewall service | STS-23: Secure service gateway
STS-17: Web application firewall service | SI-10: Information Input Validation
STS-23: Secure service gateway | SI-3: Malicious Code Protection
STS-23: Secure service gateway | CM-7: Least Functionality
STS-23: Secure service gateway | AC-3: Access Enforcement
STS-23: Secure service gateway | AC-4: Information Flow Enforcement
STS-23: Secure service gateway | SI-10: Information Input Validation
STS-23: Secure service gateway | STS-03: Identity provider service
STS-23: Secure service gateway | API endpoint
NORA-4: Back Office | API endpoint
NORA-4: Back Office | STS-03: Identity provider service
NORA-4: Back Office | STS-13: Security information and event management service
API endpoint | SI-10: Information Input Validation
API endpoint | AC-4: Information Flow Enforcement
API endpoint | AC-3: Access Enforcement
API endpoint | SI-3: Malicious Code Protection
API endpoint | SC-13: Cryptographic Protection
STS-13: Security information and event management service | SI-4: System Monitoring
STS-13: Security information and event management service | API endpoint
STS-13: Security information and event management service | STS-17: Web application firewall service
STS-13: Security information and event management service | STS-03: Identity provider service
STS-13: Security information and event management service | STS-23: Secure service gateway
STS-03: Identity provider service | SC-13: Cryptographic Protection
STS-03: Identity provider service | AC-12: Session Termination
STS-03: Identity provider service | AC-3: Access Enforcement