Sunday, May 31, 2009

SOA Governance and its challenges

By Sandrick Melbouci
From DSOFT Technologies


Service Oriented Architecture enables enterprises to pursue business and technical strategies that promote the exposure of business functionality within and between enterprises in consistent, published, secure and contractual fashion.
However, Service Oriented Architecture is not a solution that comes in tidy box. It is more about new way of design, it is more about culture then it is about technology.
To ensure success of any SOA implementation, it is necessary to include some type of governance that define the policies and practices all services should follow.

Why some SOA implementations failed?

SOA Governance is probably the most talked and most delicate topics in SOA nowadays. About 5 to 6 years ago, many organizations approached SOA as implementing a web service. There was no attention to SOA Governance. This may be explained differently, but the situation reminds me of a practice of some IT managers – just get it to work and take a look at the design later. As we all know, any temporal fix becomes a permanent solution with consequences dealt with later at higher cost.
In one of the my consulting jobs, the organization thought that SOA was a new integration technology that will magically integrate all their existing assets. One of the managers asked me to start looking at the code to perform this funny integration. When I told him what SOA meant, he got a chock of his life. Without going into details, many organizations built hundreds of services/components and run into scalability, performance, manageability and integration problems.
One of the main reasons of this type of difficulties is that service-oriented, design, implementation was not governed at all or governed with traditional software development without any clues on service orientation [1] methodologies.
In this article, we will present SOA and its Governance policies to address these problems.

What is SOA?
Multiple definitions of SOA were presented in the literature, I will summarize some of them in here. SOA is architectural style who's goal is to achieve re-usability and loosely coupling paradigm among interacting agents. Within SOA, services are mechanisms by which needs and capabilities are brought together.
SOA operates in an integrated business-technical context as opposed to traditional business-IT separation.
Anne Thomas Manes from Burton Group said, “SOA is a style of systems architecture, not integration architecture. It’s about refactoring capabilities into services, not about integrating application silos”.

What is SOA Governance?
Governance is set of rules, policies and regulations under which an organization functions as well as the processes that ensure compliance. SOA governance refers to processes that ensures that services and applications are developed so that they are aligned with :
  • Best practices
  • Business requirements
  • Laws
  • SLAs
SOA Governance has two main component:
  • Design Time Governance also called "SOA governance framework", captures information about the services and policies.
  • Runtime Governance or sometimes called as "Service life cycle management", enforces the policies during the execution, management and service discovery.
The need for enterprise governance is business oriented to integrate business initiatives (supply chain, order management,...) with IT initiatives (EAI, Web service, ...). The companies needs to move from "develop now and integrate later" to "develop for integration". To ensure business continuity, reduce cost and complexity and limit corporate liability, the companies shall define the policies and procedures early in project life cycle to allow:
  • Prevention of service proliferation and promote reuse
  • Define Services with the right granularity
  • Utilize a formal service description model with appropriate metadata
  • Develop and implement best practices for interoperability
  • Approach SOA on how it will be deployed and consumed
  • Manage and monitor service health, performance and Quality of service
  • Audit and measure compliance
  • Define and manage Policies and contracts centrally
  • Central registry-repository to describe all services and associated metadata
  • Service mediation and discovery

Design Time Governance (Governance Framework)
There are mainly four phases to SOA governance framework: Plan, define, Enable and Measure.
  • Plan Phase, the overall business and IT requirements are understood and documented
  • Define Phase, the SOA governance approach is established based on corporate, enterprise and IT governance environments
  • Deploy Phase, governance mechanisms are put into place, the organization is educated, and governance policies are deployed.
  • Measure Phase, policy compliance and effectiveness are monitored and audited.

Runtime Governance Compliance (Service Lifecyle management)
The runtime governance encapsulate the phases to model, assemble and deploy. These 3 phases are broken into two separate facets:
  • Service Development and Delivery Management
  • Support Infrastructure and Management
Service Development and Delivery Management
Service Development and Delivery addresses the essential needs to govern the services development through the established governance framework. The areas of focus are mostly:
  • Change and release management - What, When and by whom a service can be changed
  • Requirements and Quality Management - Ensure services are developed in compliances with business requirements and compliance.
  • Design and Construction - Ensure the best practices and design principles are appied for maximum.
  • Asset reuse.
  • Service Versioning
  • Service Retirement
  • Process Management - Continual auditing to make sure that the process is followed
Support Infrastructure and Management

  • Distributed, cross-boundary services and access present security risks
  • Rapid deployment and loose coupling of services
  • Performance and prioritization of services
Service Security
  • Need to manage identities and access control cross multiple platform, applications, business partners and entities
  • Need for E2E security architecture that can be deployed and integrated with existing and disparate security models
  • Need to define encryption policies
  • Need to consistently enforce security policies
Service Management
  • Federate identity and access control
  • Secure services and applications
  • Consistently enforce security policy
Service Virtualization
  • Support scaling infrastructure resources
  • Prioritize infrastructure across multiple services and/or business processes (composite/dynamic applications)
  • Accelerate application performance by distributing the composites across multiple infrastructure resources.
Service Registry and Repository
Service Registry contains the policies, description and metadata for each service present in the enterprise. It provides a mechanism to find services and their metadata.

SOA governance requires policy control and audit framework that spans the security, service definition, identity domain, service consumption and people. A SOA governance framework requires some means to consistently define some policy and managing it through its lifecycle and provisioning from central accessible policy registry and enforcing its execution across distributed systems.
Enterprises will only benefit and further improve their competitive advantage and quality of service by utilizing an automated policy governance. By doing so, the organizations will be able to leverage both their IT assets and human capital.

By Sadi Melbouci

[1] SOA Design Patterns, Thomas Erl, 2009
[2] SOA-RA public Review
[3] Reference Model Service Oriented Architecture
[4] Does web service make a service for SOA


evgueni said...

agree. some things (interfaces) need to be agile. some things (services, backbone) need to be rigid.

Anonymous said...

Thank you. This is precise and well explained. Is it possible to provide more details for design time governance?

tjain said...

short and sweet into to SOA Governance.


Franklin said...

Nicely put in layman terms. Unfortunately most of the vendors today provide a Monolithic solution to SOA, which itself defeats the purpose of SOA. The new Vendor buzzword is "Positioning your Products"!!

Anonymous said...

Agree mostly but the management in enterprises are not educated yet to successfully implement SOA. I haven't seen a company yet that successfully implemented SOA in any how. As a CTO, the problem I have seen in large companies is to change the culture. As Rumsfield said, you go to war with what you have not what you wish you had. The same applies to large organizations.

Thank you