(I originally wanted to do a post called “Six degrees of SOA”, linking the security challenges of chains of services across enterprise boundaries to the familiar “six degrees of separation”; how do you create trust in such an environment?)
Craig is thinking along similar lines:
“SAP is not likely to just tell their customers to open their systems up to the public internet like I have done for the demos (shhh, don’t tell), but rather some serious thought will have to go into the topic of security, especially data security, and introducing that data into a collaborative environment allowing for multiple editors and modifiers of the data that is still controlled by the overall system to ensure data integrity.”
This is a HUGE issue. As an SAP security consultant I’m dealing with enterprise customers on a day-to-day basis, and their challenges are driven not only by their own concerns, but also by auditors and regulators coming up with stuff like SOX, data protection acts and countless other regulations. Basically it’s about making sure nobody messes with corporate assets (which quite often rightfully belong to shareholders), and being able to prove that the controls they put in place cover the risks adequately.
The big topic is Enterprise Risk Management, and that is already hard to do in today’s environments.
Enterprise SOA and Web 2.0 apps open up a whole new can of worms, and I’m not sure enterprises are willing to tackle this right now. This is something Web 2.0 companies need to consider if they’re aiming for the enterprise (which I think they should: there’s a legitimate market which could immensely benefit from that kind of technology). My bet is that the first vendor to actually do that will be miles ahead.