Context & Motivation

PoFI 2011

 

Co-located with Policy 2011

Service-Oriented Architecture (SOA) is an emerging paradigm for highly distributed computing that aims to change the way software applications are designed, delivered and consumed. SOA is triggering a radical shift to a vision of the Web as a computational fabric where loosely coupled services (such as Web services) interact by publishing their interfaces inside dedicated repositories, where they can be searched by other services or software agents, dynamically retrieved, composed and invoked, always abstracting from the actual implementation. The proliferation of such services is considered the second wave of evolution in the Internet age, towards the so-called Future Internet (of services).


While from a business point of view SOA makes it easier for legitimate entities to access systems from outside an enterprise boundary, from a security point of view this vision raises new challenges. Indeed, a SOA might be subject to more than the usual threats to security, because it inherently involves interactions among autonomous unknown entities in a dynamic and open environment. This creates new opportunities for unauthorized, malicious and illegal entities to misuse and exploit the available services. It is therefore crucial that the security of services and their interactions (also with users) is ensured if SOA is to live up to its promise.


Security policies might represent a natural means to specify the rules and constraints that govern interactions between service endpoints. In this context, a policy specification should define the syntax and semantics with which service providers and service requestors describe their requirements, preferences, and capabilities. Policies might apply to any aspect of the interaction, such as authentication, authorization, trust, auditing, data integrity, data confidentiality, privacy protection, routing, performance, latency, etc., and they should be enforced, monitored and maintained by the SOA. The key challenge in this setting is that security policy compliance (with respect to trust, privacy, business rules, etc.) should be pervasive throughout the SOA. That is, it should be considered in all components of the SOA, as well as at different development stages, including design time, development time, and runtime.


WS-Federation specifications (such as WS-Policy, WS-Trust, WS-SecurityPolicy) have been proposed as a set of standards to cope with the increasing complexity of security and trust requirements for SOA, but they have failed to be widely adopted due to their practical difficulty. The result is that security policy management still represents one of the key challenges in bringing SOA to its full potential.