Identity meets SOA
I just came across (well, Neil pointed me to it) this post from Todd Biske, an SOA Enterprise Architect at MomentumSI, in which he discusses the implications of a service-oriented approach for identity. Todd raises an important question: what “identity” is in the context of service security.

This is something I discuss in our identity management report:

"However, identities are not just important to humans’ interactions with IT systems. The advent of technologies such as RFID tagging, the deployment of software services acting as proxies for real people, the proliferation of digital media assets and so forth are leading to the realisation that identity applies equally to the management of access to digital resources."

Coming at this from the perspective of an SOA architect, Todd highlights a number of other important issues:
"The problem gets even more complicated when dealing with composite services. If policies are based on system identity, what system identity do you use on service requests?"

and

"If this wasn’t enough, you also have to consider how to represent identity on processes that are kicked off by system events... Events are purely information. Service requests represent explicit requests to have action taken. Events do not. Events can trigger action, and often do, but in and of themselves, they’re just information. This now poses a problem for identity."

He's absolutely right to highlight these issues. The question is how you deal with them. The first step is to rethink identity management architecture and shift away from a focus on identity management as a set of applications for user management, provisioning, authentication etc. Such a rethink will also address a variety of other challenges and should adhere to a number of core tenets:
- Identity management needs to transition from an architectural approach which is user-centric to one which is identity-centric
- The authentication mechanisms must reflect the levels of risk and the granularity of the resources associated with that risk, without over-burdening the individual
- Hybrid identity data integration approaches are required to combine the benefits of metadirectory and virtual directory technologies, allied with tooling to assist with data reconciliation
- There is a need to authorise access to business functions and information at the level of each service using policy-based approaches to the definition and enforcement of access control requirements
- A federated approach is required for the mediation of the relationships at the heart of identity management, which in turn depends on managing and brokering the trust that underpins those relationships
- Identity management capabilities must be delivered as distributed infrastructure services, which exploit existing services and are defined according to clear contracts which are enforced through policies
- Roles must be modelled at the intersection of identities, entitlements and organisational structures and managed as part of the broader identity management lifecycle.
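As an added illustration of the per-service, policy-based authorisation tenet and of Todd's two questions (which identity a composite service carries downstream, and what identity an event-triggered process has), here is a small policy check of my own, not code from Todd's post or from the report. The identities, entitlements and trusted-relay list are constructed, and the rule that a relaying service carries the originating user's identity but never elevates it, while an event-triggered process acts on its own system identity, is an assumption about how such a policy might be written.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str   # "user" for a person, "service" for a system identity (services are identities too)

# Constructed entitlements: which identity may invoke which service in its own right.
ENTITLEMENTS = {
    "alice": {"order-service", "billing-service"},
    "bob": {"order-service"},
    "order-service": {"billing-service"},        # the order service's own system identity
    "nightly-reconciler": {"billing-service"},   # process identity for event-driven work
}
# Constructed set of services trusted to relay an originating user's identity downstream.
TRUSTED_RELAYS = {"order-service"}

def authorise(target: str, originator: Optional[Identity],
              chain: Tuple[Identity, ...]) -> Tuple[bool, str]:
    """Policy decision enforced at `target`.

    `originator` is the user on whose behalf a service request is made, or None
    when the work was kicked off by an event (pure information, no requester).
    `chain` lists the services the request passed through, in order.
    """
    if originator is not None:
        # Service request: decide on the originating user, and treat every hop as a relay.
        subject, relays = originator, chain
    elif chain:
        # Event-triggered process: the process at the end of the chain acts in its own right.
        subject, relays = chain[-1], chain[:-1]
    else:
        return False, "request carries no identity"
    # A relay may carry an identity downstream but never elevates it (assumed policy rule).
    for hop in relays:
        if hop.kind != "service" or hop.name not in TRUSTED_RELAYS:
            return False, f"untrusted intermediary {hop.name}"
    if target in ENTITLEMENTS.get(subject.name, set()):
        return True, f"{subject.kind} {subject.name} entitled to {target}"
    return False, f"{subject.kind} {subject.name} not entitled to {target}"

if __name__ == "__main__":
    alice, bob = Identity("alice", "user"), Identity("bob", "user")
    order, recon = Identity("order-service", "service"), Identity("nightly-reconciler", "service")
    for label, ctx in [("alice via order-service", (alice, (order,))),
                       ("bob via order-service", (bob, (order,))),
                       ("event handled by order-service", (None, (order,))),
                       ("alice via reconciler", (alice, (recon,)))]:
        print(label, "->", authorise("billing-service", *ctx))
```

Bob is denied at billing-service even though order-service itself is entitled there, which is exactly the composite-service question: the relay's system identity is not the subject of the decision.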
Labels: identity, SOA