Getting from abstract security requirements to a secure SOA is the challenge in the area of model-driven security. To facilitate a consistent security configuration of multiple systems in an SOA, dependencies and contradictions between different requirements need to be taken into consideration. Therefore, a conceptional security model has been developed that enables the description of security policies as a set of abstract security intentions, which can be translated automatically into concrete security policies (e.g. WS-Policy).