Abstract: SOA governance initiatives help organizations optimize their service-oriented architecture (SOA) by providing a means to reduce risk, maintain business alignment and show the business value of SOA investments. But, all too often, these initiatives can be seen as daunting projects that are overly broad and complex, that require too many resources and that are too time consuming. In this article, Oracle’s Jyothi Swaroop will explain how organizations can take an incremental approach to SOA governance initiatives to meet their specific needs. This will include an overview of how SOA governance technologies can support specific tactical level projects while ensuring the organization is able to optimize the entire lifecycle of its SOA.
SOA has gained widespread adoption and has proven to be successful beyond pilot and project implementations. There is a rapid increase in organizations moving to enterprise-wide SOA deployments, and those that have found success maturing to large-scale SOA have two things in common. First, they have effective governance practices to keep SOA on track with the business and second, they take an incremental approach to their SOA and its governance initiatives to meet their specific needs.
An SOA governance solution can be adopted in an incremental fashion – no “boil-the-ocean” effort is required. Most industry analysts recommend an incremental approach to governance adoption. It has been my experience that successful SOA implementations start early with tactical projects that yield positive results, which organizations can leverage repeatedly over time to gain the maximum possible value from SOA investments. It is important to augment SOA with governance in such a way that risk is minimized, while maximizing the chances for overall success.
Furthermore, early SOA projects can be initiated with lower risk, thus allowing quick wins and rapid demonstration of measurable success to the business. Then, as the customer's experience grows and the SOA initiative expands, the solution will continue to reinforce good governance practices through its flexible methodology for maintaining the alignment of people, processes and technologies within the organization.
The “Bite-Sized” Approach – A Six Step Plan
When it comes to SOA governance, there's no magic bullet or cookie cutter solution. Every organization has unique characteristics and is at different points within its SOA maturity. However, there are best practices that are common in design that have found success across multiple organizations. This article focuses on some key bite-sized, easy-to-establish practices that warrant consideration by any organization attempting SOA governance.
Step 1 – Understand Your Business
One of the most common reasons organizations struggle to kick-start their SOA governance at a more enterprise-wide scale is their failure to align with business objectives. SOA is an architectural discipline or approach to solving a business problem. Piloting an SOA governance program on something deemed an IT benefit does little to show the business value it will bring to the table.
For example, a large telecommunications organization struggled to get new products into production in less than six months. However, every six to nine months, the regulations that governed their product offerings would change, providing little opportunity to capitalize on and optimize revenue streams. The business needed a way to get to market faster, so they predicated the investment necessary for SOA on the idea that it would decrease their time-to-market for new products by 50 percent.
In order to accomplish that, the business needs to start with a simple inventory of “what you already have.” It is imperative to gain visibility into services that already exist in order to reuse them for new products, thereby decreasing time-to-market. Then, weigh decisions with your good housekeeping information at hand, with the goal of eventually being better aligned.
Establishing this immediate alignment between business and IT goals sets the basis on which the SOA and SOA governance programs will be formed.
In effect, SOA governance bridges the gap between:
- the need for more reusability and efficiency, driven by the need to be more competitive at a lower cost
- the associated complexity that is introduced when service interfaces are bolted onto previously siloed systems, each of which may have had only departmental visibility and which, once integrated, all have cross-enterprise visibility
Step 2 - Define Key Metrics for Success
A key element of successful SOA governance is identifying and defining key metrics for measuring success. In the customer example above, the overarching measurement of success was to reduce time-to-market for new products by 50 percent. These overarching success factors, however, must be broken down into measurable milestones. Begin by breaking down how the overall business benefit will be achieved, then establish milestones for measuring progress. As these are established, the process around how your SOA will need to be governed will begin to take shape.
Measuring achievement of the macro and micro success metrics has two major benefits. The first is that measuring the micro-metrics (key milestones) provides visibility into the progression and evolution of SOA and ensures continuous alignment with the business. The second major benefit is that it supports the business case for continued investment. For example, the telecommunications customer mentioned earlier was able to realize a measurable 70 percent decrease in time-to-market, resulting in greater investment from the business for continuing the SOA program.
Once key metrics are identified, it's also critically important to understand how they'll be measured. Simply knowing what the key metrics are can drive governance decisions, but part of the governance program should also be to help measure the achievement of those key metrics. This is greatly supported by identifying the proper process and procedures for measurement, but may also require investing in software that aids in surfacing key metrics.
Step 3 – Introduce SOA Governance Non-Intrusively with BAT (Built-in, Automated and Transparent)
Nobody wants to be governed. Nobody wants to change the way he or she works. This is basically a change-acceptance problem. When talking about people, processes and technologies, the people and processes challenges are typically the hardest ones to solve. This is where SOA governance is most beneficial.
SOA governance is not about rigid architectural paradigms. It is about BAT – being built-in, automated and transparent. BAT eases the adoption problem by providing the described SOA Governance benefits in a non-intrusive fashion. Most organizations consider SOA governance an after-thought, which usually takes a long winding road to architectural quagmires. Therefore, an SOA governance solution should be built into your SOA infrastructure from the very beginning. SOA governance tools, such as repositories and registries, should be well integrated with core SOA infrastructure tools such as the services bus.
SOA governance should be automated. All SOA artifacts should be introspected and harvested automatically. Application interfaces, services, schemas, etc. should all be identified automatically by the repository. Service dependency and re-use tracking are key to demonstrating the business value of SOA. Automatic SOA change management helps with real-time assessment of what can go wrong with every change made to the SOA fabric.
Lastly, SOA governance should be transparent. The repository and registry should work behind the scenes without impacting day-to-day SOA activities. SOA governance should not need a massive consulting engagement. In fact, once deployed, no one should know it exists.
Step 4 - Create a Rewards Program (Just as Airlines Do)
Gaining adoption of SOA governance processes isn't without its challenges. Most organizations will encounter resistance to the governance process without an incentive program to encourage their participation and compliance. Most adopt some element of the carrot-and-stick approach to incentivize their organization to adopt governance activities. Organizational culture typically determines how much carrot and how much stick to apply.
Some organizations choose a pure stick approach. One customer in Europe chose to make compliance with the governance process a mandatory part of everyone's MBO. Essentially, an employee may hurt his or her chance for a bonus or continued employment if the process isn't followed properly. While this approach works for this particular company, it's not typical. This approach can be demoralizing and discourage understanding the true value of governance. Gaps in the governance program that need correction can also be difficult to identify for fear of stepping outside the bounds of the established system.
Some organizations choose the carrot approach. One customer in North America uses a rewards program for complying with various aspects of its governance program. Much like an airline or credit card program, development teams and individuals earn points that can be turned in for gifts, such as an iPod or iPhone. This is often a fairly successful approach since it fosters a competitive environment between teams to see who can earn the most points. The drawback is there are few penalties for not being compliant.
The best case is to provide a mix of carrot and stick. Another organization in North America uses funding as its carrot and stick approach. The teams that follow the process correctly are assured of continued funding for their projects; those that don't aren't. This approach provides the most flexibility. Projects that find gaps in the governance process that prevent them from accomplishing their goals can state their case. This often leads to needed adjustments in the governance process that may not have been identified otherwise.
Whatever incentives an organization chooses to offer, they must be well communicated. An understanding of what rewards and penalties are at stake encourages adopting and following the process.
Step 5 - Enforce Security On All SOA and Cloud Initiatives
Companies worldwide are deploying SOA infrastructures using web services on-premise and in public cloud environments. While web services offer many advantages, they also present challenges, especially in terms of security and management. Many business functions today are powered by SOA services, ranging from forecasting, quoting, ordering and fulfillment, to payment. Attacks on these business-critical services can result in loss of revenue and sensitive data. With the proliferation of service consumers, from mobile devices to cloud-based services, the chance of a service being brought down by "friendly fire," such as malfunctioning partner applications, is as likely as by malicious attacks.
SOA architectures should include a security framework that is designed to secure SOA deployments on-premise, across domain boundaries, and in the cloud. It should do this by providing an easier way to secure, accelerate and integrate XML and other types of data. An XML firewall is a great way to detect and prevent all common attacks against web services.
Threats Blocked by an XML Firewall Include:
- Denial of service attacks
- Command injection attacks
- Malicious code or virus
- Spoofing, tampering, and impersonation
- Data harvesting
- Privilege escalation
As a result, incorporating security as part of your SOA governance checklist can significantly reduce deployment risks and external threats.
Step 6 - Identify Technologies Behind SOA Governance
While SOA governance is not a shrink-wrapped capability that can be implemented off the shelf without addressing organizational and procedural issues, its foundation is based on the ability to enforce and automate policies across the service lifecycle.
This section highlights the key moving parts of an SOA governance system – repository, registry, monitoring and management, centralized policy management and security gateway.
- Repository – The repository serves as the core element to any SOA governance solution. Repository provides a solid foundation for delivering governance throughout the SOA lifecycle by acting as the single source of truth for information surrounding SOA assets and their dependencies. The repository provides a common communication channel for the automated exchange of metadata and service information between service consumers, providers, policy decision points, and additional governance tooling. It provides the visibility, feedback, controls, and analytics to keep your SOA on track to deliver business value. The intense focus on automation helps to overcome barriers to SOA adoption and helps streamline governance throughout the lifecycle.
- Registry – The registry provides a DNS-like reference for SOA. As a fully compliant UDDI v3 registry, it provides a standards-based interface for SOA runtime infrastructure to dynamically discover and bind to deployed service end points. As part of the SOA governance solution, the registry bridges the gap between the design-time and runtime environments through automated synchronization with the repository and core SOA infrastructure.
- Real-time SOA Monitoring and Management – An SOA monitoring and management tool is engineered to deliver value right out of the box with a fully centralized management console. Using it, administrators can easily correlate events and activities for all components across the SOA environment to resolve performance and availability issues faster. With a rich set of service and system level dashboards, administrators can view service levels for key business processes and SOA infrastructure components from a central location.
- Centralized Policy Management – Most organizations implement service-oriented technology architecture with the hope of gaining more business agility through reuse of shared services. As reuse begins to take hold within the organization, however, it becomes critical to manage the consumption of services because your SOA project can quickly spin out of control. A security policy manager provides a solution for governing the interactions with shared services through security and operational policy management and enforcement to ensure service reuse remains under control.
- Security Gateway – A security gateway provides XML firewalling and intrusion detection capabilities. A gateway operates at the DMZ layer where it filters incoming web service request messages for XML content attacks (checking for XML well-formedness, XML document-size, XPath and XQuery injection, XML viruses, etc.).
A security gateway should also protect the SOA infrastructure from cryptographic attacks, SOAP attacks, rogue SOAP attachments and communication attacks. The gateway provides an important layer of DMZ-level security that operates outside of the SOA infrastructure and thereby proactively eliminates risks at their origin.
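The content checks listed for the security gateway, sketched as an added example (not code from the original article or from any vendor product): a pre-screening function that enforces a document-size limit and XML well-formedness. As assumptions of this example, it also rejects DOCTYPE declarations and excessive nesting as denial-of-service guards; the limits, reason strings and sample messages are constructed.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # assumed policy limit for one request body
MAX_DEPTH = 32          # assumed policy limit for element nesting

class Rejected(Exception):
    """Raised inside expat handlers to stop parsing on a policy violation."""

def screen_message(body: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Return (allowed, reason) for one inbound web service request body."""
    # Size check first, before any parsing work is spent on the message.
    if len(body) > max_bytes:
        return False, "document-size"

    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refuse DTDs outright so entity definitions are never processed.
        raise Rejected("doctype")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise Rejected("nesting-depth")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)   # True marks this as the final chunk
    except Rejected as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError:
        return False, "not-well-formed"
    return True, "ok"

# Constructed sample request, not taken from a real service.
SAMPLE_OK = (b'<?xml version="1.0"?>'
             b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body><getQuote><sku>A-100</sku></getQuote></soap:Body>'
             b'</soap:Envelope>')

if __name__ == "__main__":
    print(screen_message(SAMPLE_OK))
    print(screen_message(b"<a><b></a>"))
```

A gateway would run a screen like this in the DMZ before the message reaches the service bus, and log the rejection reason for the monitoring console.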
Even with the bite-sized steps outlined here, establishing an effective SOA governance program can seem overwhelming. How do you know where to start? How much governance is enough? Take advantage of the services vendors offer that help your organization identify where you are in the SOA and SOA governance maturity curve and where to concentrate your efforts in creating a governance program.
Supplement your governance efforts with technologies that put intense focus on automating governance activities. Automating these activities provides multiple benefits, but one of the most important is decreasing the resistance to adoption from the governed body. The best way to approach this is to focus on technologies that provide a non-intrusive approach to automating governance thereby decreasing the probability that the workforce will circumvent the process, and ensuring your governance program remains effective.
And finally, don't treat SOA governance as a separate, distinct discipline. Take a pragmatic approach to SOA governance. Experience shows that pragmatism leads to SOA success. As the organization's SOA evolves, the governance program will evolve with it. Be prepared, however, to reinvent. In many cases, the governance program will need to evolve to reprioritize with these new developments. Having a solid foundation will minimize the amount of effort required to reprioritize and will make the change more seamless.