The steady march of service-oriented architecture (SOA) and XML-based Web services into the enterprise is catching up with the security-minded among us. Don't get me wrong. It's not like the security management team hasn't been paying attention. They have been. It's just that many organizations over the past couple of years have only been experimenting with SOA approaches, and thus it was a bit premature for the more operationally focused portions of IT to get deeply involved. However, as these IT experiments have started to transition to important, business-enabling deployments, it has become time to bring in the people who can address security and management at an enterprise level.
The big challenge with SOA is that a key part of its appeal also happens to be the source of its IT management Achilles heel. SOA by definition is loosely coupled, highly granular, and often widely distributed and multi-step. In addition, it can combine both internal and external services, some implementation-dependent, some platform-independent.