"Let's say at the beginning you impose basic authentication type of credentials for them to present credentials to access your services, and you say basic authentication is not good enough any more. Now the Web service spec is out I want to use Web service security in the header. Now you go and change your code and then you force every one of your vendors to change the code. And that is only for one kind of application. Imagine if you actually rolled out a large number of services . . . if you rolled out a full service-oriented architecture into your organization. Now you've got developers writing code all over the place and changing it all the time and then breaking every one of your partners every time they make a change into that particular service. To me that is an absolute nightmare, and if I am a CIO that is the last thing that I want," Boubez says.

"The other much more important question in my mind is whatever happened to loose coupling."

Fortunately, Boubez says, a policy control infrastructure for SOA can be used to engineer loosely coupled SOA architectures capable of spanning security domains.

Under Web services the WSDL document is the interface or contract that defines the syntax of a service, describes an interface, defines the data types the consumer must provide when calling the service, and outlines what a consumer can expect to receive in return. The contract may incorporate some service semantics in comments embedded in the description or through the logical grouping of functionality — such as methods or operations — into a common service unit.

However, Boubez says although WSDL is a powerful technology, CIOs should recognize its limitations. WSDL simply is not adequate to convey these concepts, he says. WSDL is essentially an interface definition language (IDL) conveying API — necessary but insufficient.

"It could be argued that the 'D' in WSDL is not quite complete, since it only goes so far in describing access to a service." That is where policy, policy enforcement and the whole field of what is variously known as extensible markup language (XML) firewalls, XML gateways or Web services gateways come in, providing an enforcement point to handle all Web services traffic and leverage the existing infrastructure from access control to EDI management to PKI into the SOA, he says.

A policy is simply a set of constraints and capabilities that governs how a Web service and its consumers interact. According to Boubez, simple policies typically include rules describing:

• Who can access that service

• What kind of credentials are acceptable

• Whether encryption or signatures are required

• How messages get routed to the service

• What endpoint to use for a particular request

• What service level agreements (SLAs) are in place

• If there are any necessary transformations to be applied.

While the policy concept is a very prevalent and common requirement in every aspect of IT (for example, server configuration files), he says, it is so far non-existent in Web services.