Virtualization and SOA are a very good match. As companies ramp up their SOA deployments, a couple of things are happening. First, a lot of them are going to the outsource model, Software as a Service, the SaaS model. Companies are deploying infrastructure for that. That particular deployment model lends itself to virtualization because you can imagine the data center that is hosting all the different services as they bring more customers in and have different peak times for their services, you see how beneficial virtualization can be because you can ramp on and off and add virtual devices as required and take them down as required. So that's a model that makes sense
The other model that we're seeing is inside the organization. This is not a hosting company, but an actual SOA user. As they increase the deployment footprint, they're starting to realize that with reuse you need to virtualize these services to give the IT department a little more flexibility and a little more control over who runs what where and how it's managed, so they don't have 15 different boxes on 15 different racks running these same services. So virtualization provides more control within organizations. Does virtualization create any issues for governance that need to be addressed?
I don't think it creates any issues. Whatever issues you have without virtualization you'll still have with virtualization. Virtualization gives you a little more central control of your devices, but I don't think it raises any governance issues at all. In terms of standards for SOA governance are we pretty much there now or are there still standards you'd like to see?
There are two more areas that I would like to see developed. One is on policy languages. Now, we have WS-Policy, but I would like to expand to the languages that actually use WS-Policy. So we have WS-Security Policy already, which gives us a vocabulary for security within the WS-Policy framework. We've got WS-ReliableMessaging Policy [WS-RM Policy], which gives us a messaging vocabulary within WS-Policy. I would like to see a couple more evolve like Service Level Agreement Policy, and much more importantly, to me, I'd like to see something around access control. I would like to see XACML [eXtensible Access Control Markup Lanaguage] wrapped into WS-Policy. So we could have the WS-Policy framework and within that framework you could use XACML. That would be huge to me. That's a personal goal for me, trying to do that. In terms of this language support for WS-Policy, what will it add to the standard?
I'll give you a concrete example. Right now if you create a service, you have the service and maybe an access control policy. You have a security policy that talks about confidentiality. If you want to use the service you need to provide this kind of credential. You need WS-Security SAML tokens, and you need to sign and encrypt this part of the message. That's fine because WS-Policy exists and WS-Security exists, you can use WS-Security Policy to convey those requirements, but what if you want to add to that policy something about service level agreements? And guess what, you're only allowed to use that service between the hours of 8 a.m. and 5 p.m., just as an example. Or you're only allowed to use that service 200 times a day. And as part of access control, you need to be a member of this particular group to use that service. How do you convey those things? How do you write them into a policy using a standard mechanism? For credentialing and security, you use WS-Security Policy, but for the service level agreements, the restrictions on access control, there's no standard language to use. That's the kind of thing that I want to see developed. What is the second standards area you would like to see evolve further?
The other thing we need is federation. We need a good federation model for Web services. We've had WS-Trust, which has been good, but we need to expand it a little bit more because federation is important. Is the WS-Policy working group at W3C continuing to work on these language standards?
The W3C did WS-Policy, but WS-Security Policy is in OASIS. WS-ReliableMessaging Policy was also in OASIS. I would like to see more vocabularies that use WS-Policy developed, but I don't care where they go, OASIS, W3C. But right now, the two that have happened were in OASIS.
Who knows? There's nothing set yet. Are you talking to other vendors about where you'd like to go with vocabularies for WS-Policy? Is that where this begins?
All the time. We talk all the time about it. Is there a consensus to go in the direction you've been talking about?
There's definitely a consensus starting to form.