You can't just buy SOA management in a box.
The SOA management market is much too complex for that, said Randy Heffner, vice president at Forrester Research Inc. and author of "The Forrester Wave Standalone SOA and Web Services Management Solutions, Q4 2007" published this week.
While his report offers enterprise architects evaluations of SOA and Web services management products currently available in the marketplace, he recommends first looking at the management technology they may already have. First, take notice of SOA management tools that may be embedded in software products in the existing infrastructure, he said.
The SOA management products from AmberPoint Inc. and the Actional products from Progress Software Corp. rate tops in Heffner's report because the two, "by virtue of their singular focus on the space, have the richest and cleanest solutions." But if an architect already has adequate management tools embedded in the current SOA infrastructure, he suggests that buying additional software might not be the best choice.
"Say you have Tibco, as one example, there's a fair bit of monitoring capability built into that infrastructure," Heffner said. "You wouldn't go buy Tibco to get SOA management, but if you already had Tibco, you might compare what you could accomplish with Tibco's management and monitoring capabilities to what you could get with an AmberPoint or Progress/Actional, compared to what you really need right now. Maybe you would say Tibco gives me what I need for now, and maybe even for longer term."
Heffner advocates looking for a "solution" to your current SOA management and monitoring requirements, rather looking for one product to meet all your needs. While "solution" is often used as a marketing buzzword, he sees it as the best approach to solving the problem of SOA management. Making use of management and monitoring technology embedded in products you already have is one such solution.
"When you look at it from a solutions perspective," he said, "there's multiple ways to get the functionality that you might need. Even if it's not as directly focused on Web services and SOA, you can still get monitoring of Web services and SOA in other ways. Tibco is just one example. Most any application integration platform has some monitoring capabilities."
Heffner said the issues surrounding SOA management are too complex and variable to favor buying it out of the box.
"You have to understand what your real requirements are and what you may currently have," he said. "If in the end you say you need very strong management and monitoring at the Web services/SOAP interface level then you probably will lean toward one of the standalone solutions versus the embedded solution."
If the choices between embedded monitoring capabilities and the products offered by pure play vendors are complex, additional complexity arises because SOA management technology and standards are not yet fully mature. In his report, Heffner rates the maturity level as medium.
"Let's just pick policy management for example," he said. "The real bottom line of maturity is when it settles into a long-term structure."
The problem is that the market has not yet settled on a long-term structure for SOA management and different vendors are looking at different approaches, Heffner said.
"The scenario that seems to be evolving now is that policy management will be a separate product domain from core monitoring and management," he said, as an example of the problem.
He noted that SOA governance vendor WebLayers Inc. is pursuing pure policy management. Another pure play vendor, Vordel Ltd, "is talking about a policy management engine for its SOA security environment that is packaged separately."
"So one possible endpoint is you have a policy management engine for SOA that handles security policy, management policy, reliable messaging policy and transactional policy," Heffner said.
A mature policy management engine could crossover from IT to manage business policy related to the services in an SOA application. Heffner offers an if/then example. "If the dollar amount is more than $50 send it to service A versus service B because we're going to process in two different ways depending on the dollar amount," he said. "So you can imagine that sort of thing being a separate domain, and you could choose a policy management engine separate from the policy enforcement mechanisms. That would be a potential mature endpoint for the policy management domain."
Another maturity issue surrounding SOA management is that a number of the WS-* specifications have not yet made it through the standards process. Among the specs listed in the Forrester report as yet to achieve standards status are WS-MetadataExchange, WS-Policy, WS-PolicyAttachment, WS-ResourceTransfer, WS-Transfer and WS-EventNotification.
The standards are not do-or-die for the larger issue of SOA management, but they would provide more mature choices for architects.
"Right now the functionality that you get from the solutions that are out there is probably largely as mature as you would get from the functionality you would have once the standards listed in the report are developed," Heffner said. "But you get a broader and more flexible ecosystem when you have the standards."
Even when all the standards are ratified, architects will still have to make choices.
"When you have the standards there still may be things you need to do that go beyond the standards," he said, "but it will be a more mature endpoint to have these management standards solidified so we have some base cases that we can use standards for."
Then there is the issue of the blurring of SOA governance and management, so that it is not always clear where governance ends and management begins.
"The maturity that is most needed is more clarity of the line between the two," Heffner said. As the market stands now, some companies treat SOA governance and SOA management as one product, he said. Meanwhile, others separate SOA governance and SOA management in their product offerings.
The current blurry lines between governance and management will have to be worked out in the marketplace rather than by some definition developed in one of the standards bodies.
"In the end, the picture is that SOA management is a part of the broader picture of SOA governance," Heffner said "Things that are done throughout the SOA governance lifecycle eventually get enforced, monitored, measured via SOA management solutions, but exactly where the boundaries are has yet to be clarified."
In Heffner's view, WS-* standards will be finalized in the standards bodies, the blurring of product categories will be thrashed out in the marketplace, but when it comes to SOA management for specific implementations, architects have to decide.
"In the final analysis it gets resolved in the SOA platform that each individual enterprise builds as it decides which functions it is going to use from which existing SOA infrastructure products," he said.