Navigating the SOA Security Waters

A critical aspect to success with SOA

You don't have to be a chief information officer to realize that security is becoming a corporate concern as more business is transacted on the Web.

The mounting fears are well founded. Web attacks are growing in sophistication. Data is flowing faster and to more applications and more users. New Web development models, such as Web 2.0 and AJAX, are appearing. Web applications and the business processes they support are becoming more diverse and complex. A slight vulnerability in a Web application that is exploited one day can expose a million records the next. As these vulnerabilities spin out of control, the potential negative impact on a business is immense.

Introduce a new level of sophistication into the IT infrastructure - service-oriented architecture (SOA) - and the security challenge advances to the next level. An SOA infrastructure is designed to make business processes more flexible and faster-moving; however, creating services without adequate governance can quickly get out of control and become a nightmare to manage.

Historically, the explosive growth of the Internet has eroded the boundaries and silos that boxed in many proprietary applications, and regardless of the underlying code or platform, a company's technical and business services have become exposed. Today those same service concepts are used to drive innovative business strategies. Supported by the underlying technology, this vision of component-based applications and reusable modular business process services is SOA.

Viewpoints differ on whether SOA should be approached from the top down or the bottom up. Regardless of your viewpoint, it is critical to approach an SOA initiative the way you would any strategic project: establish an overarching governance model and comply with that governance. Otherwise you could leave an organization open to further potential security threats.

More Stories By Devi Gupta

Devi Gupta is vice president of marketing at Prolifics, an end-to-end systems integrator based in New York, NY.
