Identity services – easier software audits

27.09.2007 by Martin Kuppinger

In the last week I had several conversations with different IT vendors and end users which led to a discussion about the value of identity services within a service-oriented architecture. The IT companies came from different market segments. One example is E2E, a Swiss company which develops a tool for model-driven architecture and the resulting applications. They have started defining such identity (and other security) services within their models. Other people I spoke with came, for example, from the BSM (Business Service Management) space.

The well-known business values of identity services within a SOA concept are mainly the ability not only to build business processes but to build secure business processes, and the reduced development costs. The latter holds because it is more efficient to use pre-defined services than to reinvent the wheel of security for every single application (and, to note, the reinvented wheel usually has five edges instead of being round…).

Another point is that there usually won’t be “compliant” applications without a set of pre-defined identity services – the alternative is often to hand-code at least some aspects of security, even in applications which were developed with the SOA concept in mind.

That leads to another really big advantage of identity services: they make software audits much easier – and thus avoid some of the struggles you often observe between the security people and the application developers. With a consistent service-oriented approach and the use of pre-defined identity services, software audits become much easier. You only have to audit a given version of a service once. Afterwards, it’s only about analyzing the “orchestrated” application models and the additional code. When security is delivered through services, you have much less to worry about when doing software audits. Besides, auditing changes becomes much easier – you have to analyze either the changes in the services or the changes in the applications themselves. By the way: the more these applications are really model-based and orchestrated, and the less custom, application-specific code there is, the easier software audits become.

The people from E2E told me that in some cases they could reduce the time for a software audit from 4 weeks to some 36 hours. Even if the effect isn’t always that big, there is a clear, positive effect. And it is an effect in terms of money, in terms of time and, given this, sometimes even in time to market. Maybe the biggest effect is that identity services make you the developer’s best friend by reducing the pain of software audits.

© 2014 Martin Kuppinger, KuppingerCole