PerfectPhase said:
W3bbo said:
*snip*

We have an app, it's a shrink wrap system installed on the clients infrastructure.  When installed, all our services are protected with X509 certs and a few other things, so from the outside we're quite secure.   Our services are all WS-* type WCF services.
 
I now have a new request from sales, we have to protect access to our services from third parties that are trying to integrate with our system, where the third party is on the same box and the system admin is deemed to be complicit.  Seems they want some sort of 'certified partner' program.
 
So I'm faced with finding a way of identifying which inbound calls to our services are from our services and which are not, given the fact that they have access to our service accounts, binaries and X509 certs!  Kind of like protecting a DRM key in a media player binary.
Oh yes, one last thing, no internet access either.

"where the third party is on the same box and the system admin is deemed to be complicit.  Seems they want some sort of 'certified partner' program"
huh?  Why do they have to be on the same box?  If sales can't afford another box for 3rd parties in the DMZ, then they cannot be serious about security.  When on the same box, you may as well do nothing.