SOA governance is one of the most important keystones for creating and maintaining a successful service-oriented architecture (SOA). As such, governance is one of the essential elements of a true SOA implementation. The discipline of services creation requires adherence to best practices that generally require a formal governance policy to successfully implement. Governance is evolving along with underlying technology. Early adopters are finding that cloud services need governance, just like their down-to-earth SOA brethren.
As Gartner analysts Paolo Malinverno and Daryl C. Plummer point out, "The SOA governance market has matured over the past years, and organizations running SOA projects have begun to gain a new level of sophistication in understanding the organizational requirements and vision for SOA deployments [...] Still, the market for SOA governance is varied, with many different types of products providing support to SOA centers of excellence […] and architects for governing SOA projects to make sure they deliver benefits."
SOA governance basics
As defined by WhatIs.com, SOA governance refers to the processes used to oversee and control the adoption and implementation of service-oriented architecture (SOA) in accordance with recognized practices, principles and government regulations. SOA governance can provide optimal service quality, consistency, predictability and performance. It may also ensure that personnel follow prescribed policies and correct system problems or policy infractions as they occur.
Gartner VP and distinguished analyst Anne Thomas Manes defines SOA governance in four words: "governance makes the rules." Of course she and best-selling IT author Thomas Erl, her coauthor on the SOA governance primer SOA governance: Governing Shared Services On-Premise and in the Cloud, have a lot more than four words to say about SOA governance. When SearchSOA.com Contributor Colleen Frye talked it over with the two famed SOA aficionados, they gave their thoughts on the adoption curve of SOA governance, finding the right style of governance for a particular SOA, establishing an SOA governance program office, the possibility of Agile governance and more.
Still more great advice comes from Todd Biske, an experienced enterprise architect and author of his own book on SOA governance. Biske gave us six tips to help improve chances of SOA project success, including advice on drawing the big picture and establishing a center of excellence, plus four more. More recently, Biske went into detail about how to enforce SOA governance without becoming the bad guy. Much of that advice is on how to establish realistic expectations up-front and prepare the IT organization for success.
Cloud governance issues
As longtime SOA experts look toward cloud computing, they see a lot of exciting new possibilities and a lot of young companies going out and making the same old mistakes. According to Joe McKendrick, SOA analyst, expert and blogger, many of the challenges of governing a cloud architecture are much the same as the service-oriented architecture problems of yesteryear. The question in both cases is, "Who's responsible for the reliability, security, and performance of the services being delivered?"
But that question takes on a slightly different meaning in the cloud than it does with SOA governance. In the cloud, it is not uncommon for services to be called from a chain of applications rather than by the end user directly. While the existence of these application chains generates much of the value associated with cloud computing from the end user's perspective, they also present myriad security and reliability concerns from a DevOps standpoint. Each one of those applications will likely be managed by a completely independent team, likely from separate organizations, with little or no visibility into how or why the other teams are managing their cloud applications. Still, the chain of applications is only as strong as its weakest link. If one application fails or suffers a major security breach, the incident is likely to have a strong negative impact on all the other applications in the chain.
Cloud governance and SOA governance have a lot in common, though. Strong governance keeps cloud applications strong, relevant and reusable in the same way that strong SOA governance has kept Web services strong and reusable. With proper governance in place, new cloud applications can be built to add functionality to the existing applications rather than doing the same thing in a slightly different way. On the other hand, if governance is weak and lacks a way to manage the lifecycle of cloud services (so that new projects can examine and leverage existing services reliably), a cloud architecture may find itself supporting a vast array of redundant services.
But governing the SOA lifecycle alone may not be enough either. It is important for cloud services to receive runtime governance as well. According to Cloud Expert David Linthicum, "When you move into cloud the same patterns exist [as in SOA], however, it is on a much more runtime environment. Governance becomes much more important because we are mixing and matching services from a variety of different places to form our solutions."
Other SOA governance concerns
There are plenty of down-to-earth challenges to overcome for enterprise architects whose systems are mainly, or even completely, on-premise. One concern for many SOA governance professionals is enforcement. How does one enforce the rules of SOA governance without becoming the bad guy? According to SOA governance expert Todd Biske, the answer is to take the focus off of enforcement. According to Biske, governance is divided into 4 steps:
- Policy definition
- Education
- Enforcement
- Measurement and Feedback
That third step, enforcement, is no fun for anybody. But maximizing your efficient use of the other three will minimize your need to be The Enforcer. Policy definition is how you set up expectations for how development projects will be reviewed. It's important to define policies that are specific enough to ensure compatibility, but not arbitrarily strict. Biske's example is that requiring RESTful best practices can keep the whole team on the same page, but demanding that they use a specific REST framework might aggravate some and cause resentment.
Once you have developed successful SOA governance policies, it's important to educate your developers on why the policies exist and how the policies help everybody out in their daily development lives.
Enterprise mashups can provide fast, effective solutions for end-users. But, if they're not properly governed, these solutions can cause unexpected service spikes that have the potential to wreak as much havoc on your enterprise architecture as a purposeful denial of service (DoS) attack. Not to vilify mashup developers, but in most cases these developers are talented outsiders doing the best with what they have to make viable solutions. Unfortunately, a lack of SOA governance can make enterprise mashups volatile.
On top of proper policies, it's also important to provide people with improved processes. Here's where governance tools can help. According to Biske, "Tools provide the most benefit when the things being governed are systems, such as the run-time behavior between a service consumer and a service provider." SOA governance tools are all about automated processes for measuring and reviewing policy compliance. The better you set up your policies and the better you educate your development teams on the rules, the easier it is to integrate automated tools that speed and improve governance compliance processes.
Finally, data transfer can be a problem for large organizations, especially those in industries such as banking and finance where high volumes of data transactions are common. For these organizations, bringing FTP under the umbrella of SOA governance is a prime concern. While it makes less sense for smaller organizations that can satisfy their data needs mainly with daily batch updates, larger organizations with several trading partners and a mix of real-time and batch processing can see real benefit from a centralized SOA that governs data movement.
More resources for learning about SOA governance
The following resources are must-reads for SOA architects looking to improve the way they govern their Web services as part of service-oriented architecture management plans.