SOA 2007: The March to Governance

It includes support processes based on best practices, visibility into technology relationships via good configuration management, and specialized application management products. Each contributes visibility to SOA deployments, helping to transform them from a “black box” to an ordered hierarchy viewed through a clear pane of glass.

Some of the specific challenges discussed by early adopters include the following:

How do we fund software for reuse across the company? One of the big payoffs for companies deploying SOA is reuse. Most view production SOA services as organizational “assets” that increase in value over time as they are used by multiple business services.

However, most companies fund software development projects by department. When one department funds SOA services with its own budget, how do other departments “pay” for use of the service once it is deployed? Although reuse can yield enormous cost benefits for the business, it requires changes in cost allocation for development and use of software assets.

Once a SOA business service is in production, how do we control access to it? SOA services are designed to be loosely coupled, meaning they publish their interfaces and can then be used by other services that require their functionality. In the real world, this means that, once SOA services are deployed, they are sitting on the network and available for use.

Many companies report a “free for all” as rogue users and rogue services find and bind to production services. This can wreak havoc with performance and create significant security problems. Without controls in place, for example, an unauthorized user might be able to access sensitive personnel or payroll data. SOA-specific management products help eliminate this problem by providing visibility into which services are being used and by whom, and by limiting access to approved users and/or services.

How do we monitor, manage and measure service levels? This is a significant issue, as the IT industry at large is still grappling with the requirement to manage heterogeneous, distributed and composite non-SOA applications. Managing availability and measuring service levels for loosely coupled services adds further complexity. Although a few application management vendors are starting to address this problem, most are behind the curve in terms of delivering products that truly solve it.

How do we apply security, and how much is enough? In addition to the access control issues discussed above, SOA deployments also face security-related challenges similar to those encountered in managing distributed, tiered applications.

An additional problem, however, is that SOA’s sweet spot is integration. With SOA applications executing both within organizational boundaries and across the extranet, security concerns become paramount. Even error messages generated during execution can contain sensitive information that must be shielded from outside entities.

Talking with SOA early adopters was fascinating. After reading multiple stories of deployment failures, it was refreshing to speak with companies that had leveraged SOA to reap big business gains.

In many cases, these companies had become leaders in their industries by bringing new products to market much faster than competitors. Others reported cost avoidance by speeding integration projects, enabling them to do more work in less time. All reported challenges, but it appears that the most successful companies leverage governance to manage technology and to drive the cross-business changes that successful SOA requires.

Julie Craig is a senior analyst with Boulder, Colo.-based Enterprise Management Associates, an industry research firm focused on IT management. Julie can be reached at [email protected].