The Business Context of Identity

Like medieval city planners, IT professionals and others have traditionally thought of security as an edge game. Given a firewall and access control to the network, we can do a reasonable job securing a business. However, the economic shifts discussed previously have driven the need to integrate systems not only internally, but with trading partners and customers as well. This trend is fueled by XML and the creation of standards for exchanging data, and by the growing move toward the decentralized computing embodied in service-oriented architectures (SOAs) and web services. But this trend has ramifications for business security: we can no longer treat the edges of the network as a secure perimeter.

When integration is driven by business needs rather than IT needs, security policies need to talk about documents, data, actions, people, and corporations instead of machines and networks. This new security model is infinitely more complex than the old "secure perimeter" model. But even if you can define your identity strategy, how do you ensure that it is properly implemented across dozens or even hundreds of systems, and, at the same time, control access to fields of a database or paragraphs of a document?
