The simplest and most common approach to security for service-oriented architecture (SOA) is to route service requests over a virtual private network. This provides adequate security for simple, coarse-grained requirements, it works with SOAP, REST and non-Web services protocols, and it is adequate even for many external integration scenarios. Yet not all security scenarios are simple, and for more complex needs and fine-grained SOA security, architects must do considerably more planning and design. To craft a comprehensive strategy and architecture for SOA security, architects must consider a wide diversity of security requirements, business scenarios, and application infrastructure, weaving together multiple products, standards, and custom-built components into a flexible and robust SOA security solution.
