How to force third party service respect the security?

Question

I have to come up with an integration process to allow existing system to use external data providers. The system is a medical timetable web site, using ASP.NET MVC, that allows the patients to schedule their appointments to doctors.

As far as I go you can see on a figure below:

All the providers must expose my contract ISuperIntegration which will be develop by me. I won't be developing External service 1 and External service 2, they will be developed by other companies.

Here the issue comes: basing on the concept of that I could require the way providers should setup their services to communicate with my website properly, I want to forbid for another third party clients consume "External Service 1" and "External Service 2", Or at least make it difficult to do that.

Here is a list of stuff I am setting:

1. ISuperIntegration interface. It contains operations related to my domain such as GetSchedule, GetDoctors and so on.
2. Transport protocol. I don't want it to be complicated so I'm thinking about using HTTP.
3. And could define some general recommendations but they could be easily avoided.

At the moment I'm thinking of using HTTPS with certificate authentication. It would require the implementer to setup their infrastructure so my web site could properly consume the data.

If I would go with basic HTTP, the implementer would just leave their service to be easily consumed by anyone else, which I don't want.

I hope my question is clear. Will be happy to give any other explanations you want.

I'll really appreciate any your responses, commits. Thank you!

Answer 1

I'd always use HTTPS for things like this. Let's just say that's the cost of doing business. You simply cannot have anyone with a sniffer grab that kind of traffic out of the sky. There's a reason why all banking etc. use HTTPS for things that should be secure.

Apart from that, web services have pretty standard mechanisms for security, I'd recommend looking at OAuth over HTTPS. There are plenty of implementations for that.

If your talking about basic web sites, I'd use a standard security mechanism as well like group based security (which boils down to a username + password). Again, there are plenty of implementations for that.

Basically my main word of advice is: don't go inventing stuff when it comes to security. If you're not an expert, you're probably going to get it wrong, and end up with something that can be intercepted by a third party or (much) worse.