Services need identities too is the major point made by IBM's Raj Nagaratnam on SOA security.   Few organizations understand that SOA is a more complicated technology than a straight J2EE application.  Given that services are loosely coupled, security becomes more complicated.   Raj states people are thinking about individual services how to reuse them but they’re moving to where it’s a model where multiple services could be composed to traditionally security measures that oriented towards a single application or a service. But then, we compose these multiple technology services into business services and policies need to be managed at a very high level and not just at technology like a web service level but holistic business service level." I encourage you to read the full article.