While many in the industry deride Web Services as lacking security and fear their ability to permeate transactions through the (gasp) firewall, there is a large, potential emergent benefit coming from Web Services and SOA, and that is interoperable and widely distributed standards (and implementations!) for security mechanisms: SAML, XACML, WS-*, just to name a few. With few exceptions (PGP being one), the industry has never had the ability to conduct security across domains and technologies. Given that security is a system property, this has the chance to be a major improvement in the security space.
Before Web Services, domain perimeter mechanisms like firewalls were already being punched through by RMI-IIOP and DCOM. So the decision should not be framed as web services versus some notion of a "strong perimeter" enforced by a firewall, but rather, if a distributed application is required to traverse a firewall (or other border) what technologies have the most robust security mechanisms to manage this risk?
Additionally, distributed applications are frequently integrating a host of disparate systems and technologies; since security is a property of the system (or of the transaction use case lifecycle), shouldn't security properties be as portable as possible?
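To make the portability argument concrete, here is an added example (not code from the original post, and not a real XACML implementation, which is XML-based with a much richer rule and combining-algorithm vocabulary). It is a stand-in in Python: one attribute-based policy is authored once and evaluated by a single decision function, and two different enforcement points, an HTTP gateway and a message-queue consumer, map their own input formats onto the same attributes and ask the same policy for a decision. The attribute names (`resource`, `action`, `role`, `network`), the `ORDERS_POLICY` rules, and both enforcement points are assumptions constructed for the illustration.

```python
"""
Simplified XACML-style attribute-based access control (ABAC), added as an
illustration of a security property that is portable across technologies.
NOT a real XACML engine: the policy shape, attribute names and the two
enforcement points below are all assumptions chosen for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attributes = Dict[str, str]


@dataclass
class Rule:
    effect: str                              # "Permit" or "Deny"
    condition: Callable[[Attributes], bool]  # evaluated against the request


@dataclass
class Policy:
    target: Attributes                       # policy applies only if all match
    rules: List[Rule] = field(default_factory=list)


def evaluate(policy: Policy, request: Attributes) -> str:
    """Policy decision point (PDP): deny-overrides combining of matching rules.

    Returns "Permit", "Deny" or "NotApplicable". Callers must treat anything
    other than "Permit" as a denial (fail closed).
    """
    if any(request.get(k) != v for k, v in policy.target.items()):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy.rules:
        if rule.condition(request):
            if rule.effect == "Deny":
                return "Deny"           # deny-overrides: the first Deny wins
            decision = "Permit"
    return decision


# One policy for the constructed "orders" resource, authored once and shared
# by every enforcement point regardless of transport.
ORDERS_POLICY = Policy(
    target={"resource": "orders"},
    rules=[
        # Refunds may only be approved from inside the corporate network.
        Rule("Deny", lambda r: r.get("action") == "refund" and r.get("network") != "corp"),
        # Any staff member may read orders.
        Rule("Permit", lambda r: r.get("action") == "read" and r.get("role") == "staff"),
        # Only finance staff may issue refunds.
        Rule("Permit", lambda r: r.get("action") == "refund" and r.get("role") == "finance"),
    ],
)


def http_pep(method: str, path: str, role: str, client_ip: str) -> bool:
    """Policy enforcement point (PEP) for an HTTP gateway (assumed mapping).

    Translates the HTTP request into the shared attribute vocabulary.
    """
    parts = path.strip("/").split("/")
    action = "refund" if parts[-1] == "refund" else ("read" if method == "GET" else "write")
    attrs = {
        "resource": parts[0],
        "action": action,
        "role": role,
        # Constructed convention: 10.0.0.0/8 is the corporate network.
        "network": "corp" if client_ip.startswith("10.") else "external",
    }
    return evaluate(ORDERS_POLICY, attrs) == "Permit"


def queue_pep(message: Dict[str, str]) -> bool:
    """PEP for a message-queue consumer: different input, same policy."""
    attrs = {
        "resource": message["topic"],
        "action": message["type"],
        "role": message["producer_role"],
        "network": message["origin"],
    }
    return evaluate(ORDERS_POLICY, attrs) == "Permit"


if __name__ == "__main__":
    # Constructed sample inputs for both enforcement points.
    print(http_pep("GET", "/orders/42", "staff", "203.0.113.5"))            # True
    print(http_pep("POST", "/orders/42/refund", "finance", "203.0.113.5"))  # False (deny-overrides)
    print(http_pep("POST", "/orders/42/refund", "finance", "10.1.2.3"))     # True
    print(queue_pep({"topic": "orders", "type": "refund",
                     "producer_role": "finance", "origin": "corp"}))        # True
```

The point of the two enforcement points is that the authorization property (who may refund an order, and from where) lives in one place and travels with the transaction across the HTTP boundary and the queue; neither transport's perimeter is doing the security work, and a change to the rule takes effect at both once.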