I did a SOA Security roundtable Webinar today, one of the more interesting threads was around deployment. We got in to the different models for deploying security. Starting with every mainframers' favorite - the centralized model
Unfortunately, this model makes many assumptions from which technical reality diverges. In an enterprise today, you cannot expect to own both the subject and the object, as well as the session and data in one technology.
The next logical step is high assurance endpoints, the Jericho dream
Problem here is that when you have a 100,000 of anything, it is difficult to manage. You simply don't have enough security gurus to comprehensively address all the distributed endpoints on an ongoing basis.
Next we go to a hybrid model (remembering that hybrids are the most resilient plants in nature)
Now we place various high assurance intermediaries that can provide some security services to the endpoints. The intermediaries are tuned for their specific services say XML Encryption/Decryption, and environment, say B2C or B2B. This model is predicated on how successful and scalable enterprise security mechanisms have worked in the past, think Active Directory, LDAP, and Federation, which all leverage multiple centers that provide services to a wide variety of endpoints.
Gunnar Peterson teaching Web Services Security training, NYC, March 10-11