Let me just state up front that you're not the only one who's confused about governance, especially around SOA or Web services. The term governance is being used just about everywhere these days and has become very overloaded. In various presentations and papers I have tried to define the term based on the concept of corporate governance. To me, governance of an entity is the set of processes and policies that give visibility into, and provide accountability for, that entity. So for SOA, let's define it as the set of processes that enable the definition, deployment, management, enforcement and compliance audit of corporate policies. I know that's long-winded, but I haven't seen anything that I like better.
Now, in terms of technology, every functional element in that list (definition, enforcement, audit, etc.) will probably require a corresponding infrastructure element. So, how and where do you start? I won't get into a discussion about the benefits of Big Design Up Front (BDUF) or Big Requirements Up Front (BRUF) or other philosophical diversions. Instead I'm going to go by what I've seen in the marketplace over the last couple of years.

For a typical SOA roadmap, authoring, deploying and enforcing security policies has been the first step towards governance. This is because most SOA roadmaps I have seen are decidedly not BDUF/BRUF: organizations typically deploy a limited set of Web services for a very specific and narrowly scoped project. Security, access control, privacy and confidentiality issues are typically dealt with at this stage, and logging and auditing requirements for Web services transactions are also typically included. Hardware-based XML acceleration is often bundled into the same set of requirements, but it is a performance issue rather than a governance one, so we'll set it aside here.

As projects mature and Web service usage grows, monitoring service status and enforcing Service Level Agreements (SLAs) is typically the logical next step. And of course having a services registry early on will save you the headache of reconciling and de-duplicating services later on.

As a result of this evolution profile, you'd expect to see three categories of Web services governance infrastructure emerge, and you'd be correct. These are: security gateways (policy enforcement points); registries; and management tools. This should give you a good starting point for implementing a governance framework.
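To make the three categories concrete, here is an added example (not code from the original column or from any product) of a minimal policy enforcement point in Python: it consults a services registry, evaluates a per-service security policy (permitted roles, and whether the message body must carry a valid HMAC-SHA256 signature), forwards only allowed requests, writes an audit record for every request, and tracks latency against each service's SLA target. The registry, the policies, the endpoints, the signing key and the request bodies are all constructed for the example; a real gateway would read policies from a policy store and keys from a key manager, and would verify WS-Security signatures rather than a bare HMAC.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed services registry for the example: endpoint -> owner and SLA target.
REGISTRY: Dict[str, dict] = {
    "/ws/orders":  {"owner": "order-team", "sla_ms": 200},
    "/ws/payroll": {"owner": "hr-team",    "sla_ms": 500},
}

# Constructed security policies: which roles may call a service and whether the
# message body must carry a valid signature. Any service not listed is denied.
POLICIES: Dict[str, dict] = {
    "/ws/orders":  {"roles": {"sales", "admin"}, "require_signature": False},
    "/ws/payroll": {"roles": {"hr", "admin"},    "require_signature": True},
}

# Constructed demo key; a real gateway would pull keys from its key store.
SIGNING_KEY = b"constructed-demo-signing-key"

AUDIT_LOG: List[dict] = []                 # one record per request, allowed or not
LATENCIES: Dict[str, List[float]] = {}     # endpoint -> observed latencies in ms


@dataclass
class Request:
    endpoint: str
    principal: str
    roles: Set[str]
    body: bytes
    signature: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


def sign(body: bytes, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the message body, hex encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def evaluate(req: Request) -> Decision:
    """Policy decision: registry lookup, then role check, then signature check."""
    if req.endpoint not in REGISTRY:
        return Decision(False, "unregistered service")
    policy = POLICIES.get(req.endpoint)
    if policy is None:
        return Decision(False, "no policy for service")   # default deny
    if not (req.roles & policy["roles"]):
        return Decision(False, "role not permitted")
    if policy["require_signature"]:
        if req.signature is None or not hmac.compare_digest(req.signature, sign(req.body)):
            return Decision(False, "missing or invalid signature")
    return Decision(True, "ok")


def record_latency(endpoint: str, elapsed_ms: float) -> None:
    LATENCIES.setdefault(endpoint, []).append(elapsed_ms)


def enforce(req: Request, backend: Callable[[Request], bytes]):
    """Policy enforcement: forward only allowed requests, audit every one."""
    decision = evaluate(req)
    response = None
    if decision.allowed:
        started = time.monotonic()
        response = backend(req)
        record_latency(req.endpoint, (time.monotonic() - started) * 1000.0)
    AUDIT_LOG.append({
        "ts": time.time(),
        "endpoint": req.endpoint,
        "principal": req.principal,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision, response


def sla_violations() -> Dict[str, int]:
    """Count calls that exceeded each registered service's SLA target."""
    return {
        ep: sum(1 for ms in LATENCIES.get(ep, []) if ms > meta["sla_ms"])
        for ep, meta in REGISTRY.items()
    }


if __name__ == "__main__":
    def backend(req: Request) -> bytes:
        return b"<response>ok</response>"

    body = b"<getPayslip employee='42'/>"   # constructed request body
    print(enforce(Request("/ws/orders", "alice", {"sales"}, b"<listOrders/>"), backend))
    print(enforce(Request("/ws/payroll", "alice", {"sales"}, body), backend))
    print(enforce(Request("/ws/payroll", "bob", {"hr"}, body), backend))
    print(enforce(Request("/ws/payroll", "bob", {"hr"}, body, sign(body)), backend))
    print(sla_violations())
```

Two design points worth noting: the gateway denies by default (an endpoint absent from the registry or without a policy is rejected, rather than passed through), and denied requests are audited just like allowed ones, because the compliance audit the column describes needs the rejections as much as the successes.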
This was first published in May 2006