Basic Security Requirements

Project Title: Campus API Gateway
Target Release:
Epic:
Document Status: DRAFT
Document Owner:

Document Sign-Off
Subject Matter Expert(s):
Technical Expert(s):

Background & Business Value

Baseline security requirements, stated once here so that they do not need to be repeated in every requirements document.

Goals

  • HTTPS Everywhere
  • Authenticate all calls through the API Gateway
  • Ensure Resource Services are only called by the API Gateway

Out of Scope

  • Usage Scenarios

Assumptions

  • If other requirements documents conflict with these requirements, these requirements will be superseded. These are the baseline requirements, which can be overridden in specialized situations.

Requirements

| Ticket(s) | Title | User Story | Priority | Notes |
|---|---|---|---|---|
| | HTTPS Everywhere | As a client developer, I expect all communication to be over HTTPS. | MUST HAVE | |
| | All Calls Authenticated | As a gateway admin, all calls through the gateway need to be authenticated. | MUST HAVE | No passthru calls to Resource Services |
| | IP Restrictions | As a gateway admin, all Resource Servers should implement restrictions to prevent unauthorized calls coming from places other than Apigee. | MUST HAVE | |

User Interaction, Design & Architecture

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

| Question | Outcome | Decision Date |
|---|---|---|