Henryk, this is not much different from the application security (including all interfaces and UI, business logic layer, and data access).
Since policies are usually expressed via rules, you can automate not only policy creation and storage but also development and run-time policy enforcement (though the latter is a managerial, not a governance, function). In Governance, you have to identify types of risk and threats, define mitigating and remediating means (methods, instruments/tools, controls), and specify the security control procedures. Based on this you may need to use WS*-Security and related standards, or may not need them at all.

The only 'specific' in SOA security is the specifics of security in a distributed environment. Since 75-80% of security violations happen inside the companies, SOA security stresses inter-service security.

Another special aspect is in the service comparability. In SOA, the service design should not consider and build in special knowledge about future consumers and the environment where it might be used. This means that service resources may have no idea about the end-user identities and credentials, i.e. it would not make sense propagating them inside the services. For audit purposes, you can have full and strong security control of the user at the initial request point and use security trust federation below that point, while collecting the IDs of the services and components that have been engaged in the user's request processing.

Good luck,
- Michael

________________________________
From: henryk mozman <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, December 2, 2008 6:01:34 AM
Subject: [service-orientated-architecture] policy-driven security

Hello all,

I am looking into SOA policy-driven security (as in Governance). What is the current of this technology?

Henryk
