Consider this: a staff portal calls Weather.com's web service for local weather conditions. The portal's web service requests could include host location, so a Boston employee gets Boston weather, for example. This may seem low-risk, but what if the calls are made to the employer's 401(k) provider? The request and underlying security must be identity-centric – coarse-grained, all-or-nothing security will not suffice.
In simple point-to-point web services, scale is manageable because the tight coupling between partners restricts the number of authorized identities. But as companies expose more web services, coarse- or bulk-level identities are not sufficient: companies will require better visibility into who is accessing web services.
This is why industry pundits and the press stress the importance of identity management in web services. Initially, people tend to visualize web services as app-to-app, making identity straightforward. But as the point-to-point model expands, identities become more fine-grained and harder to manage.
To reap the full benefits of Service Oriented Architectures while mitigating the security risks, enterprises should couple identity management with web services and adopt these four points:
Companies that adopt identity-centric web services will realize stronger security, better scalability and greater flexibility. Enterprises that rely on coarse-grained security risk security breaches.
Merritt Maxim is director of XML technologies for Netegrity, a division of Computer Associates, Inc.