2. Outbound web security pattern [Control Realization]

2. Outbound web security pattern [Control Realization] ()

The diagram reads bottom to top. Connections can be initiated from 
    - a managed virtual desktop (on a trusted network)
    - a managed physical laptop (on a trusted network)
    - an internal application (on a trusted network)
    - a managed physical laptop (on an untrusted network) 

All connections always pass via an outbound zone where controls are enforced, and are only allowed to the remote location via HTTPS, which in turn is tunneled through a leased line, a VPN, or the public Internet.


Version	0.1
Also known as	<Not currently known>
Intent	Securing web access for collaborators that access resources on the public internet.
Applicability	Applicable to all connections initiated from company-managed devices.
Scope
Contributor(s)	Kris Vercauteren, Michael Boeynaems, Roos Hubrechtsen
Conditions
References	https://www.opensecurityarchitecture.org/cms/library/patternlandscape/222-pattern-public-web-server
Dependencies
Variations	OWA Threat Model


NORA-4: Back Office
Internal application service
URL filtering
NORA-6: Client
Browser
Category blocking
SC-7: Boundary Protection
NORA-1: External
Application Component
SC-13: Cryptographic Protection
AC-3: Access Enforcement
SI-3: Malicious Code Protection
SI-10: Information Input Validation
Data sanitization
Allowlisting
Blocklisting
Detailed validation

NORA-2: DMZ (Demilitarized Zone)
STS-38: Malware analysis service
STS-01: Data loss prevention service
STS-22: Cloud access security broker service
SC-7(10): Boundary Protection \| Prevent Exfiltration
Junction
Junction
Junction


		NORA-4: Back Office	Internal application service
		Internal application service	Junction
		Internal application service	Junction
		Internal application service	SI-10: Information Input Validation
		URL filtering	SC-7: Boundary Protection
		NORA-6: Client	Browser
		Browser	Junction
		Browser	Junction
		Browser	SI-10: Information Input Validation
		Category blocking	SC-7: Boundary Protection
		NORA-1: External	Application Component
		Application Component	STS-38: Malware analysis service
		Application Component	SC-13: Cryptographic Protection
		Application Component	AC-3: Access Enforcement
		SI-3: Malicious Code Protection
		SI-10: Information Input Validation
		SI-10: Information Input Validation
		Data sanitization	SI-10: Information Input Validation
		Allowlisting	SI-10: Information Input Validation
		Blocklisting	SI-10: Information Input Validation
		Detailed validation	SI-10: Information Input Validation
		NORA-2: DMZ (Demilitarized Zone)	STS-38: Malware analysis service
		NORA-2: DMZ (Demilitarized Zone)	STS-01: Data loss prevention service
		NORA-2: DMZ (Demilitarized Zone)	STS-22: Cloud access security broker service
		STS-38: Malware analysis service	Application Component
		STS-38: Malware analysis service	SI-3: Malicious Code Protection
		STS-38: Malware analysis service	SC-13: Cryptographic Protection
		STS-38: Malware analysis service	STS-22: Cloud access security broker service
		STS-01: Data loss prevention service	STS-38: Malware analysis service
		STS-01: Data loss prevention service	Application Component
		STS-01: Data loss prevention service	SC-7(10): Boundary Protection \| Prevent Exfiltration
		STS-01: Data loss prevention service	SC-13: Cryptographic Protection
		STS-22: Cloud access security broker service	STS-01: Data loss prevention service
		STS-22: Cloud access security broker service	STS-01: Data loss prevention service
		STS-22: Cloud access security broker service	SC-7: Boundary Protection
		STS-22: Cloud access security broker service	SI-10: Information Input Validation
		STS-22: Cloud access security broker service	SC-13: Cryptographic Protection
		STS-22: Cloud access security broker service	Junction
		SC-7(10): Boundary Protection \| Prevent Exfiltration
		Junction	Internal application service
		Junction	Browser
		Junction	STS-22: Cloud access security broker service
		Junction	STS-22: Cloud access security broker service