Consider this: a staff portal calls Weather.com's web service for local weather conditions. The portal's web service requests could include host location, so a Boston employee gets Boston weather, for example. This may seem low-risk, but what if the calls are made to the employer's 401(k) provider? The request and underlying security must be identity-centric – coarse-grained, all-or-nothing security will not suffice.
In simple point-to-point web services, scale is manageable because the tight coupling between partners restricts the number of authorized identities. But as companies expose more web services, they will require better visibility into who is accessing those services, and coarse- or bulk-level identities are not sufficient.
This is why industry pundits and the press stress the importance of identity management in web services. Initially, people tend to visualize web services as app-to-app, making identity straightforward. But as the point-to-point model expands, identities become more fine-grained and harder to manage.