

SOA Sets the Stage for Cloud; SOA Governance Makes It Work

Published: November 17, 2011 • Service Technology Magazine Issue LVI

Abstract: Cloud computing has been an evolution of the internet and network, virtualization, utility computing, and yes, service-oriented architecture (SOA). This article will make the case that both SOA and cloud computing contribute to the ability of an organization to be flexible. This article will show that there is a positive correlation between an organization's adoption of SOA and its ability to maximize its usage of cloud computing.

Given this relationship between SOA and cloud computing, it's natural to suspect that SOA Governance might be useful with respect to cloud computing. Indeed, this is the case, and the additional governance roles of Cloud Resource Administrator, Cloud Technology Professional, Cloud Architect, Cloud Security Specialist, and Cloud Governance Specialist will be described and discussed.


I recently co-authored a book with Thomas Erl and other colleagues on SOA Governance [REF-1]. One of the items we started to address in the book is how SOA Governance can assist with cloud computing. This article discusses those thoughts and further delves into this subject matter with a look at SOA and cloud computing, and how SOA Governance can help enterprises harness the promise of the cloud.

How SOA and Cloud Each Contributes to Flexibility

Service-oriented architecture (SOA) presents a compelling value proposition by addressing a distinct set of business challenges that enterprises are faced with today. The fundamental tenet of SOA is that it demands as much commitment from the business imperative to help make the business more flexible and able to meet business goals better, faster, and cheaper, as it expects from the IT department using service design principles.

SOA states that in order for a business to be agile and adaptive, the business needs to represent its core business processes through flexible business models, and then expose its IT infrastructure and application capabilities through a set of shared and reusable services so that each such service can participate in the implementation of the flexible business models. By building flexibility into the business models, through their representation as a set of participating services, enterprises can integrate third-party services into their core business processes, reducing the cycle time and cost of integration with external businesses.

Speaking of being flexible, cloud computing is a specialized type of distributed computing for the usage of remote and measured IT resources. The National Institute of Standards and Technology (NIST) states: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [REF-2]

The benefit of cloud computing that most people associate with the term is its ability to reduce or eliminate capital investment and support a proportional measured usage model. In other words, cloud consumers have access to IT resources by renting instead of purchasing. When that resource is a software program, it must support multi-tenancy, that is, access for different consumers who are isolated from each other.

A second benefit is the potential for better ubiquitous access, with resources accessible anywhere from many different form factors, and availability and reliability, where cloud environments have extensive failover support. The key word in the previous statement is potential. Googling "salesforce outage" produces 341K results with information on a number of outages inconsistent with a 5 9's environment (Note: "5 9's" means 99.999% availability, or less than 6 minutes of down time per year).

Last, but most important, is cloud's ability to be elastic, where resources can be acquired as needed from the cloud to scale to the needs of the business and IT. In particular, this saves time, and as the old saying goes "time is money." The organization is no longer waiting, or that provisioning process is reduced from months/weeks/days to hours/minutes/seconds.

Benefits of SOA for the Three Cloud Delivery Models

A question I am often asked is, "If one is taking an SOA approach, does that help or hurt with cloud computing?" Let's answer that question by exploring the three main cloud computing service delivery models:

1. Software-as-a-Service (SaaS)

  a. SaaS is a cloud service model that allows the consumer to use the provider's applications running on a cloud infrastructure. The applications are accessible via an interface such as a web browser. The provider is responsible for managing the software, and provides upgrades and shares resources within the cloud infrastructure. Cloud computing enables new users of the software to be provisioned quickly.
  b. SaaS will obviously work well when there is a single, stand-alone function that is being used. A legacy system typically intertwines and combines multiple functions, database access and customer interfaces. Isolating and integrating the SaaS functionality with what already exists would be difficult, if not impossible. On the other hand, separation of concerns is a key SOA principle, which provides for a layered approach of separating out customer presentation / interface, business processes, feature functionality, and data access. It's much easier to take a SOA implementation and identify the service or set of services that make sense to replace with a SaaS service or to make that SOA service into a SaaS service itself. This allows users to combine and reuse the SOA and SaaS services in a manner that allows the business and IT to mix, match and extend those services when needed.

Therefore, some manner of legacy re-factoring that follows SOA principles, as shown in Figure 1, would help set the stage for cloud.

Figure 1 – Using SOA to Re-Factor a Legacy Application

2. Platform-as-a-Service (PaaS)

  a. PaaS is a cloud service model that allows the consumer to provision and deploy onto the cloud infrastructure new or additional copies of a hardware architecture and software framework on an as-needed basis. As new users manifest or existing users have increased provisioning needs, the PaaS is able to provide the underlying platform quickly and cheaply.
  b. SOA is well designed to leverage PaaS given its principle of separation of concerns. As increased load occurs, not only must additional service endpoints be created on a server, but this will also sometimes require the replication of the underlying hardware architecture and software framework on a new server. For SOA, the service bearing the load and its underlying platform need replication, not the entire suite of applications, presentation layer, data layer, etc. SOA is much more efficient, therefore, in using PaaS.

3. Infrastructure-as-a-Service (IaaS)

  a. IaaS is a cloud service model that allows the consumer to provision various resources. This includes, but is not limited to, processing, storage, and networks where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The provider is responsible for managing these resources and can provision new resources as needed quickly.
  b. The argument for SOA with IaaS is similar to the one for PaaS above. As SOA breaks down the legacy application into its "separation of concerns" component portions, the need to provision the underlying infrastructure will only be for the component part (e.g., the function endpoint, or the data service or the presentation layer) as opposed to the entire application.

So, my argument in the above description of main service delivery models nets out to a ringing endorsement of the statement that "SOA helps position the organization better for cloud computing." Of course, saying that SOA can help pave the way for cloud computing and actually getting there are two different things. Being organized the right way. Having the right roles and responsibilities. Doing real application optimization so that you're best positioned to take advantage of the benefits of cloud computing. SOA can provide these potential benefits to your organization, but the ability to do so as quickly as you'd like can be facilitated by SOA governance.

How SOA Governance Helps Achieve Cloud Objectives

SOA governance typically provides control points to manage the service lifecycle. This means the ability to control and track changes to services, and to place controls over who can change a service and that they do so in a repeatable fashion following the governance policies. Therefore, a service-enabled organization is going to be in a much better position to leverage the full benefits of the cloud. Successful adoption of SOA invariably requires changes to development processes and individual roles and responsibilities. It requires everyone involved in IT development to take a cross-project, cross-line-of-business enterprise approach to defining common requirements and development priorities. This means applying SOA governance.

Although there is no single "one size fits all," perfect SOA organizational structure to enable such a transformation, we have found that establishing a small group dedicated entirely to achieving the success of SOA works well in practice. Depending on the individual organization, such a group may be called a SOA Center of Excellence or SOA Enablement Team; alternatively, SOA enablement may be treated as a program and be managed under the Program Management Office or a team under the control of the Enterprise Architecture Board. The name and reporting structure are far less important than the skills used and the analysis, design, development, testing, and operational processes used.

It is absolutely critical that the SOA enablement team include both senior technical and senior business leaders who are sufficiently empowered to help ensure that business and IT interests are fully aligned. The team also needs to have the necessary authority to make and enforce new standards and working practices. Depending on the style of the organization, these new standards and working practices may have to be endorsed by an authority such as an Enterprise Architecture Board or Program Management Office.

An organizational structure to enable services for an organization might, therefore, look something like this:

Figure 2 – Organizing for Services

With cloud, some additional roles and responsibilities are articulated in the Erl et al. SOA Governance book and the corresponding SOA Glossary that should be considered for addition to Figure 2 or an equivalent organizational chart. Let's delve into each of those roles:

  1. Cloud Resource Administrator - "A Cloud Resource Administrator is responsible for administering a cloud service and other types of cloud-based IT resources. This role is proficient with cloud computing technologies and mechanisms and will typically begin its involvement with the initial deployment of a service and then assume the responsibility of maintaining a cloud service implementation in relation to its surrounding cloud-based infrastructure and resources."

    A primary concern of the Cloud Resource Administrator is the tuning of on-demand scalability and pay-per-usage mechanisms offered by the cloud environment. In third-party cloud platforms, there may be a variety of options for dynamic scaling and access to shared and virtualized IT resources. Some of these options may have billing implications, while others may introduce performance or behavioral factors. The Cloud Resource Administrator administers the cloud service and is "proficient with cloud computing technologies and mechanisms and will typically begin their involvement with the initial deployment of a service." [REF-3]

    Another potential difference between the Cloud Resource Administrator and an IT Administrator is that this resource may be affiliated with the organization that owns the cloud resource. In this manner, the cloud administrator is part of the "rental" fee that is being paid for the cloud resource. In addition to the roles and responsibilities that are laid out in the cloud commercial agreement, the Cloud Resource Administrator should be the person responsible for maintaining cloud service levels in accordance with the Service Level Agreement (SLA) between the customer and cloud organization.

  2. Cloud Technology Professional - one who is "required to build, deploy, or work with cloud-based services" and "needs to be proficient with the core technologies, technical mechanisms, and fundamental security concerns ... of a cloud environment." [REF-4] This individual will understand and be proficient in the concepts and how to implement for the three main cloud computing service delivery models discussed previously, SaaS, PaaS, and IaaS, and follow the cloud architecture as defined by the Cloud Architect. This professional must be able to identify the common threats to the cloud resources and be able to identify the best practices for and deploy cloud security mechanisms.

  3. Cloud Architect - this specialist is an expert on "cloud-based technology architecture, design patterns, mechanisms" and can author "detailed architectural specifications of cloud-based solutions and platforms." [REF-4] This individual will work across the organization, including the business and IT leadership, to understand the business and technology need for cloud computing, and progress the organization in the right direction for usage of cloud. They should lead in defining business goals that the cloud technology will help realize and have metrics and Key Performance Indicators (KPIs) that are used to give a current and historical picture of the ability of the cloud to meet those business goals. They should have a detailed knowledge of PaaS, IaaS, and SaaS, and understand the solutions on the market. This individual will be proficient in the technology architecture that underlies cloud platforms. They will understand best practices for cloud architecture and be able to architect using best practice design patterns, principles, and practices necessary to properly engineer the cloud environment. Typically, this person will have an enterprise architecture background, and experience with SOA, or at least the concept of services in some shape or form.

  4. Cloud Security Specialist - one who has "expertise specific to security threats ... pertaining to cloud-based services." [REF-4] This is a key role, as it is security that is keeping most organizations from using the cloud to the extent that they should. This individual should have a background in security for distributed systems, such as is commonly needed for SOA, and will often be someone from the existing security staff who is looking to enhance their skills. This will be a huge head start in understanding the issues that the security specialist is likely to run into as processes are relocated from behind the safety of the data center firewall into a private, public, or hybrid cloud. Dealing with security in multiple zones, federated identity management, and data encryption are typical of the challenges that the cloud security specialist will face and must resolve. The Cloud Governance Specialist must work closely with this person so that the cloud security solutions that are selected are governed and managed in a consistent manner across the organization.

  5. Cloud Governance Specialist - this specialist focuses on governance for "mechanisms, technologies, solutions, and IT resources that reside and operate within cloud environments." [REF-4] Clearly, this individual will need to work closely with their colleagues mentioned previously. As decisions are made, for example, as to how cloud security will be specified for the organization by the Cloud Security Specialist, this governance role will need to make sure that appropriate governance control points are built into the cloud provisioning process. For example, a control point that validates that the SaaS design is using the standardized cloud identity federation would be one. Another good place to add a governance control point for the cloud would be during integration test and prior to production deployment, when a standardized set of security test cases would be tested with enforcement being that the cloud deployment is delayed.


Cloud governance involves applying policies to the use of cloud services. This will enable the organization to deploy to cloud in a repeatable and best practices fashion, have proper security for the usage of the cloud, and make sure that there is the right level of usage so that cloud saves money and doesn't become a sinkhole.

With governance and security in place, cloud computing can be used in safety and confidence. Service Level Agreements should be in place to make sure that you are getting value for your money. Specific cloud patterns should be put in place as it is determined that they work for your organization. In the final analysis, you need to be as thoughtful and intentional with your cloud resources as you are with any IT resource.


[REF-1] "SOA Governance, Governing Shared Services On-Premise and in the Cloud," Erl et al. Prentice-Hall, April 2011.

[REF-2] "The NIST Definition of Cloud Computing (Draft)." National Institute of Standards and Technology. January 2011.


[REF-4] "SOA Governance, Governing Shared Services On-Premise and in the Cloud," Erl et al. Prentice-Hall, April 2011, p. 114