04 service oriented architecture series - soa management

SOA Management
Pouria Ghatrenabi
Based on IBM SOA Certificate Learning Objectives

Upload: pouria-ghatrenabi

Post on 10-Feb-2017


Learning Objectives

• Explain the need for SOA governance. (compass ch4)
• Describe SOA governance and related concepts (roles and responsibilities, funding models, policies, enforcement, critical success factors, and metrics).
• Describe Quality of Service (QoS) issues pertinent to SOA.
• Explain the need for a distributed security model (including issues like identity provisioning and propagation).
• Identify the impact of changes to services in the SOA lifecycle (change management, versioning, and service lifecycle).
• Identify the role of an enterprise service bus (ESB) in SOA management and governance.

Need for SOA Governance

• SOA governance is what enables diverse business unit and IT stakeholders to ensure that the SOA is truly cross-enterprise.
• According to analysts, SOA governance is more critical to SOA success than is SOA technology.
• The goal of the iterative, four-phase SOA governance process is to refine and enhance governance effectiveness and optimize business value for the SOA initiative.

Ref: McBride, (2007)

Core Objectives or Challenges of Governance

• Establish decision rights.
• Define high value business services.
• Manage the life cycle of your assets.
• Measure effectiveness.

Ref: Buecker et al. (2008), p 419

Central vs. Distributed Governance

Central Governance
• Optimized for the enterprise. The governance council has representation from each business domain. The council reviews addition or removal of services, changes, etc.

Distributed Governance
• Optimized for the distributed teams. Each business unit has control over how it provides the services within its own organization. This requires a functional service domain approach. A central committee can provide guidelines.

Ref: Bieberstein et al. (2006), p70


SOA Governance Concepts


SOA Governance Framework

Ref: McBride, (2007)

Plan
• Stakeholders collaborate to establish and commit to the need for SOA governance and its overall scope
• Project scope, ownership, and funding are planned
• Perhaps a center of excellence to oversee the SOA project is established
• In subsequent iterations, planning will identify areas where SOA governance can be improved or new areas where it should be implemented

Define
• Business and IT stakeholders collaborate to define new governance policies and processes
• Organizations delineate additional SOA capabilities, agree on policies for service reuse across lines of business, establish processes to guarantee service levels, etc.

Ref: McBride, (2007)

Enable
• Policies defined in the previous phase are rolled out to the various stakeholders across the enterprise
• Policies are communicated to the decision-making community

Measure
• Governance policies and processes (e.g., SLAs, reuse levels, or change policies) are established
• Policies are evaluated against success/effectiveness criteria (established in the Define phase)
• A new iteration of SOA governance activities is initiated on the basis of those discussions

Ref: McBride, (2007)


Ref: Keen (2007) , p16


Ref: Keen (2007) , p17

SOA Governance vs. SOA Service Lifecycle Management

Model (validate against Plan)
• Architects collaborate to review the current SOA governance plan and use it as a basis for modeling the SOA implementation.

Assemble (validate against Definition)
• Developers assemble the reusable service assets that the architects have modeled, to create service-oriented applications that automate and integrate business processes.

Deploy (validate against Enablement)
• Testing and Release Management functions deploy the services.

Manage (validate against Measurement)
• Operations manages the services in production.

Ref: McBride, (2007)

Governance Definitions

IBM defines governance as the establishment of the following:

Ref: Keen (2007)

Chains of Responsibility
• The establishment and assignment of decision rights.
• Roles are defined, and associated with those roles are responsibilities.
• Chains of responsibility signifies the assignment of accountability.

Measurement
• How to measure the effectiveness of the governance that is put in place.
• What key performance metrics need to be defined?
• What KPIs need to contribute to the initial goal?


Governance Definitions (Continued…)

Ref: Keen (2007)

Policies
• Are used to prescribe management direction
• To guide efforts to meet business objectives
• To demonstrate management commitment
• To clearly define responsibilities of a particular party

Control Mechanisms
• Instruments to make sure that everyone is doing what they are supposed to do
• Ensure compliance with the policies
• Operate by assuring compliance at various compliance checkpoints

Communication
• The glue of governance. The parties must be informed to enable compliant behavior


Levels of Governance

Ref: Keen (2007)


SOA Governance Concerns

• Service Registration
• Service Versioning
• Service Ownership
• Service Funding
• Service Monitoring
• Service Auditing
• Service Diagnostics
• Service Identification
• Service Modeling
• Service Publishing
• Service Discovery
• Service Development
• Service Consumption
• Service Provisioning
• Access to Services
• Deployment of Services and Composite Applications
• Security for Services

Ref: Keen (2007)

SOA Initiative Roles and Responsibilities

Business Analyst/Architect
• Responsible for analyzing the goals and needs from a business perspective
• Works with the business and the IT Architect to ensure the proper translation of business requirements to IT solution requirements

SOA Governance Architects
• The capabilities comprise three roles (next slide)
• They collectively contribute to the current and future realization of best practices, governance processes, and the operational environment

Organizational Change Manager
• Responsible for understanding capabilities in business, operations, and technology and assessing the impact of changes to the organization.

Ref: Keen (2007), Ch2


Services, Connectivity Through ESB and BSRR

Ref: Carter (2007), Ch 5


SOA Governance Architects Roles

SOA Initiative Architect
• Responsible for identifying services
• Define reference architectures & create component models
• Responsible for performance, availability, and scalability of the applications
• Maintains the functional interface to the application infrastructure
• Perform evaluation & selection of the packages, software, & hardware components of the architecture

Process Architect
• Responsible for the integrity of all process and procedure definitions and documentation

Infrastructure Architect
• Responsible for the design of the physical (or operational) aspect of a total system, line of business, or technology domain
• Concerned with designing the architecture to reach desired system qualities, including performance, scalability, availability, security, and maintainability

Ref: Keen (2007), Ch2

Empowerment and Funding

• Underfunding can lead to a small-scale implementation of Web services rather than a move toward the benefits of a true SOA.
• A successful SOA project needs strong support from senior executives, identified funding, and proper empowerment of the governance body.
• The organization should avoid a weak governance body that has a more consultative role and cannot enforce its recommendations.
• The governance body needs to have proper practical control of project funding.

Ref: Bieberstein et al. (2006), p70

Quality of Service (QoS) Issues

• Common services have the benefits of flexibility, reuse, cost savings, etc., but they also increase dependency and must be monitored and managed accordingly.

• To achieve the quality of service (QoS) defined by the business, each service endpoint should be managed as a resource.

• Resource view of services includes the invocation of services (service consumer) and the application functionality exposed as a service (service provider).

Ref: Keen (2007), Ch2


Quality of Service (QoS) Issues (Continued…)

• Services are typically implemented as Web Services.

• Managed services must have real-time availability and performance metrics and a defined SLA.

• Like other resources, services are deployed, configured, versioned, monitored, managed, secured, and audited

Ref: Keen (2007), Ch2

Perspectives for the End-to-End View

Horizontal View
• The view of the transaction

Vertical View
• The view of the service invocation through the architectural abstraction layers

Ref: Keen (2007), Ch2


SOA Distributed Security Model


Ref: Buecker et al. (2008), p9


Web service security specifications

Ref: Buecker et al. (2008), p 445


WS-Security

Ref: Buecker et al. (2008), pp 445-446

• WS-Security provides message-level security which is used when building secure Web services. Message content protection (integrity, confidentiality, and authentication) and security token propagation are features of this specification.

• The advantage of using WS-Security instead of SSL is that it can provide end-to-end message level security. This means that the messages are protected even if the message goes through multiple services or intermediaries.
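
The end-to-end property described above, as an added example that is not part of the original slides: a signature computed by the sender over the body and the propagated identity token still verifies after several intermediary hops and fails after any change in transit. An HMAC with a constructed shared key stands in for the XML Signature and key material of real WS-Security, and all names (`protect`, `verify`, `relay`, `relay_modified`) are hypothetical.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key known only to the original sender and the final service.
# Assumption: an HMAC stands in for the XML Signature a WS-Security stack uses.
END_TO_END_KEY = b"constructed-demo-key"


def _canonical(header: dict, body: dict) -> bytes:
    # Deterministic serialisation so sender and receiver sign the same bytes.
    return json.dumps({"header": header, "body": body}, sort_keys=True).encode()


def protect(body: dict, user: str, key: bytes = END_TO_END_KEY) -> dict:
    """Sender: attach an identity token and sign token + body together."""
    header = {"token": {"user": user}}
    signature = hmac.new(key, _canonical(header, body), hashlib.sha256).hexdigest()
    return {"header": {**header, "signature": signature}, "body": body}


def verify(message: dict, key: bytes = END_TO_END_KEY) -> Optional[str]:
    """Final service: return the propagated user if intact, otherwise None."""
    header = dict(message["header"])
    signature = str(header.pop("signature", ""))
    expected = hmac.new(key, _canonical(header, message["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return None
    return header["token"]["user"]


def relay(message: dict) -> dict:
    """Intermediary hop (e.g. an ESB): parses, re-serialises and forwards."""
    return json.loads(json.dumps(message))


def relay_modified(message: dict, field: str, value) -> dict:
    """Hop that changes a body field after its transport session has ended."""
    forwarded = relay(message)
    forwarded["body"][field] = value
    return forwarded


if __name__ == "__main__":
    msg = protect({"account": "A-1", "amount": 10}, user="alice")
    print(verify(relay(relay(msg))))                    # intact across two hops
    print(verify(relay_modified(msg, "amount", 9999)))  # change is detected
```

Transport-level protection such as SSL ends at each hop, so only the message-level check above lets the final service detect a change made by an intermediary; confidentiality (message encryption) is not shown here.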


Identity Challenges in SOA

Ref: Buecker et al. (2008), p11

User and Service Identities and Their Propagation

Identities exist for both users and services, and both must be subject to the same controls.

The identities might need to be propagated throughout the SOA environment.

Identity Services are required in the infrastructure to deal with identity mediation, so that services can interconnect without worrying about mapping and propagating user identity.

This approach can greatly improve the speed and ease of developing new services.

Ref: Buecker et al. (2008), p10

Securing Inter-organization Interactions

• Regardless of the interaction form, it is imperative that security, identity, and access policies are defined and enforced for all transactions.

• Policies need to be enforced for both incoming and outgoing requests.

• Boundary security services are an obvious starting point to provide coarsely grained verification that requests are coming from or going to trusted parties.

Ref: Buecker et al. (2008), p12


Securing Inter-organization Interactions (Continued…)

• Establishing the trust relationship between the organizations is a key step in allowing inter-organization cooperation.

• The trust relationship includes rules around interaction (e.g., defining the identity information that must be propagated between organizations) and cryptographic keys.

Ref: Buecker et al. (2008), p12

Swivel Chair Management

• Policy enforcement points will be located both at the service connectivity level and within the implementations of the services.
• Management of a policy across various heterogeneous enforcement points requires an administrator to use a diverse set of resource-centric management interfaces, each with its associated security policy terminology and semantics. This is sometimes called Swivel Chair Management.

Ref: Buecker et al. (2008), p13


Service-oriented Life Cycle From a Security Perspective

Ref: Buecker et al. (2008), p14

Role of ESB in SOA Management and Governance

• Because the ESB acts as a mediation hub, various aspects of security need to be enforced at the ESB to ensure valid and secure access to systems and data.

Ref: Buecker et al., (2008), Ch1

References of Section Four

• Bieberstein, N., Bose, S., Fiammante, M., Jones, K., & Shah, R. (2006). Service-Oriented Architecture (SOA) Compass: Business Value, Planning, and Enterprise Roadmap. IBM developerWorks.
• Buecker, A., Ashley, P., Borrett, M., Lu, M., Muppidi, S., Readshaw, N., et al. (2008). Understanding SOA Security Design and Implementation. IBM Redbooks.
• Keen, M. (2007). Implementing Technology to Support SOA Governance and Management. IBM, International Technical Support Organization.
• McBride, G. (2007, March 15). The Role of SOA Quality Management in SOA Service Lifecycle Management. Retrieved from http://www.ibm.com/developerworks/rational/library/mar07/mcbride/