The rise in service-oriented architecture (SOA) is leading to a convergence of integration gateways optimized for application development and for enabling better governance and security. Forrester analyst Randy Heffner sees API management as an extension of the SOA integration discussion, regardless of how many folks want to think application program interfaces (APIs) are different than SOA. The SOA application gateway can support security, governance and serve as an integration point for SOA-related messaging.
At one end of the spectrum, API management tools from Mashery and Apigee tend toward simpler configurations and assumptions about services, but have a larger set of tools for business developers. At the other end, tools from vendors like Layer 7 have stronger support for governance and security baked in.
Heffner said one risk organizations can run into is starting with a lighter gateway approach and then finding out they need the full depth and breadth of security and management capabilities that another platform offers.
When an enterprise has a need for identity propagation, federated identity and deeper traceability of security, the gateway products can help with that functionality. There may still be a need, however, to bring in a federated identity product like IBM Tivoli Federated Manager or Ping Federate to meet the full needs of the architecture.
Heffner said, "Often it gets too expensive, and an organization will take a compromise approach and find a way to implement a simpler architecture that does not really address the full depth of their security requirements but at least provides some workable compromise."
Supporting modern architectures
The next generation of SOA integration gateways need to seamlessly manage services across the firewall
Mateo Almenta Reca
Existing SOA integration gateways were designed for a previous generation of enterprise architectures. "Today, SOA applications span cloud-based and on-premises services, and the next generation of SOA integration gateways need to seamlessly manage services across the firewall," said Mateo Almenta Reca, director of product management and worldwide sales engineering at MuleSoft.
In addition, many of the existing SOA gateways were designed and optimized for the era of SOAP Web services. Today, enterprises are dealing with a wildly heterogeneous mix of services, endpoints and APIs, and they need to manage them in a single solution. As APIs become increasingly important, an enterprise's SOA gateway needs to provide the foundation for its API management strategy, as SOA governance and API management are closely tied.
Many existing SOA gateways use a hardware appliance model, which is appealing from a deployment standpoint but often proves problematic over time, as they can become single points of failure and they don't tend to scale well. "As volume increases, some enterprises end up provisioning hundreds or thousands of appliances, which is very costly and difficult to maintain," said Almenta Reca. "This approach also proves challenging for private cloud initiatives, as hardware appliances cannot match the elasticity of the cloud."
Modern approaches use in-memory grid technology for performance and scalability. This approach is how huge companies like Google and Facebook are able to scale and solve important use cases like big data analysis in real-time.
When considering a strategy for SOA gateways, it is important to keep your overall integration strategy in mind. "It's not just about managing and securing services and APIs; it also requires creating and designing those services and APIs, hosting and exposing them, creating and engaging communities around them and, most importantly, being able to integrate them," explained Almenta Reca. "You need to think about these strategies together, end to end, and your choice of tools should reflect the same holistic approach."
Managing the hybrid cloud
Traditional SOA architectures were implemented to solve enterprise integration challenges between applications, internal corporate divisions or close partners. The expansion of the hybrid enterprise to adjust for the rise of mobile and cloud technologies demands the secure, reliable external exposure of applications and data assets that had previously been strictly locked down.
Jaime Ryan, partner solutions architect at Layer 7, said older connectivity solutions are missing critical components of this architecture -- virtual deployment, cloud deliverability and scale, federated and delegated identity management, developer management, cloud-spanning operations and metering, extensibility and new message formats and protocols geared toward mobile and cross-platform usage.
Here are examples some of these challenges:
- Support for XML, SOAP, WS-* standards and traditional internal protocols must be complemented by equal support for JSON, OAuth, REST interaction patterns and new protocols such as WebSockets.
- Existing single sign-on identity management tools are built for specific interaction models and well-known users in an internal repository, and can't handle new mobile-friendly identity tokens or the multiple layers of identity (user, developer, application) that come with mobile deployments.
- Traditional service registry/repository platforms can't address external or partner developers, and don't map well to the looser definition, documentation and lifecycle of REST-based API interfaces.
These challenges have expanded the range of governance that SOA integration gateways need to provide. Ryan said, "To address the concerns of the new hybrid enterprise, these solutions need to be able to govern interfaces, identities, developers and service operations and lifecycle."
Ryan recommends organizations consider several best practices:
- Modern integration solutions must be able to expose new REST-style interfaces using either JSON or XML, without having to re-engineer the internal services layer. This may mean dynamic exposure of existing SOAP services as REST, optimization for mobile interaction patterns, compression and caching to reduce bandwidth and latency, and the like.
- OAuth and OpenID Connect constitute the new mobile and API-centric standards for delegated identity and attribution, as an external correlate to traditional SAML-based identity assertions. These need to be bridged too.
- Developer portals, whether geared for public, partner or private developers, need to provide a management layer for the business owner of these interfaces -- defining who has access and how that access will be controlled, metered and potentially monetized.
- These integration solutions must be flexible enough to be deployed wherever the applications and data live, including globalized virtual datacenters and cloud platforms, and manageable from centralized operations and lifecycle management dashboards.
By centralizing the solution around an integration gateway, enterprises can ensure that the policies defined around access control, developer profiles and service lifecycle will be enforced in a secure, scalable fashion. In addition, the gateway provides a point of integration to other backend or cloud-based services.
This was first published in April 2013