Unified SOA Governance
www.soa.com Copyright © by SOA Software, Inc. 2009. All rights reserved. 1
Table of Contents
1 Introduction
2 Governance Evolution
3 Unified SOA Governance Defined
4 Unified SOA Governance Best Practices
5 Platform Independent Governance Automation
6 Unified SOA Governance Use Cases
7 Unified SOA Governance Solutions
8 Unified SOA Governance Automation
9 SOA Infrastructure Reference Model
10 Unified SOA Governance System Elements
11 SOA Software’s Unified SOA Governance Solution
12 About SOA Software
1 Introduction
Many large organizations are reducing costs, improving agility and reducing risk with
enterprise SOA programs. In order for SOA initiatives to succeed they need to follow
sound Enterprise Architecture practices. Companies realizing the most success are
those that have built a Unified SOA Governance infrastructure that governs a wide
range of assets and artifacts through their entire lifecycle.
Unified SOA Governance helps enterprises:
• Ensure that services they identify, design and build are relevant and consumable
across all distributed and mainframe platforms like Microsoft, SAP and IBM.
• Make services they expose from applications running on any platform visible to
and compliant with enterprise policies defined, enforced and audited across other
platforms
• Promote, ensure and formalize consistent alignment between demand from
service consumers and the supply of services through Consumer Contract
Provisioning.
In a nutshell, SOA Governance is about making sure that the enterprise builds the right
things, builds them right, and makes sure that what it has built is behaving right. This
breaks down into distinct areas: Planning Governance is about making sure that you are
building the right things, Development Governance is about making sure you’re building
them right, and Operational Governance is about ensuring that what you’ve built is
behaving right.
In the same way that individual platforms could have their own governance solutions,
these different governance areas could each have their own policy management
solutions. The right approach, however, is to provide a centralized Policy Governance
solution that defines, manages, and distributes policies spanning all areas. This ensures
consistency of policy across all lifecycle stages and distributed and mainframe platforms.
This whitepaper examines the ideas, objectives and use-cases behind Unified SOA
Governance, and the evolution of the SOA Governance marketplace.
2 Governance Evolution
SOA Governance has become an overused term, with claimed governance solutions
ranging from simple registry products and Web services management products, to
comprehensive infrastructure solutions. In some cases ESB vendors are positioning
their products as governance tools.
The simple fact is that SOA Governance covers a wide range of technical and
organizational areas. A Unified SOA Governance solution needs to address all the
facets of SOA Governance while providing tools that simplify participation in the
governance process for developers, architects, business analysts, operations and
security teams.
As recently as 2006, many vendors offered standalone products for registry, repository,
management, and security. Through 2006 and 2007 the market has evolved and
customers now require Unified SOA Governance solutions that combine products into a
single infrastructure solution that provides a unified user experience model for policy-
based service governance, asset management, operational security, and operational
management.
Enterprise customers are no longer satisfied with web services management products,
SOA registry products, asset repositories, and XML security products from separate
vendors. Enterprise customers are now looking for a unified solution that combines
mature, standards-based infrastructure components into a Unified SOA Governance
platform. This approach mirrors SOA Software’s Unified SOA Governance reference
model, first published in 2005.
Unified SOA Governance includes compliance policy and service lifecycle governance
functions. This ensures that service designs and documentation comply with enterprise
design policies and industry standards, and that approvals and workflow support SOA
service publishing and discovery. It includes operational governance functions such as
run-time policy management, enforcement, and compliance audit. Unified SOA
Governance capabilities deliver high value in the shared surface area between design-
time SOA lifecycle governance and run-time SOA operations governance.
Over the last few years, there have been significant changes in the way customers view
SOA Governance solutions, and the way vendors deliver products. We have seen the
market evolve from one with separate vendors delivering stand-alone registry products,
repositories, SOA management solutions and compliance products to one that now
expects to see unified product suites that offer a superset of the functions from each of
the stand-alone product areas.
3 Unified SOA Governance Defined
Unified SOA Governance ensures the applicability, integrity and usability of a wide range
of assets through all their lifecycle stages from asset identification through deprecation.
The full lifecycle is split into planning governance, lifecycle governance, and operational
governance.
3.1 Planning Governance – Build the Right Things
Planning governance includes the identification, analysis and modeling of candidate
services, policies, profiles, processes and information. An effective planning governance
tool manages an organization’s SOA portfolio while examining existing and planned
applications and determining which capabilities should be exposed as services, and
where applications would benefit from consuming shared services.
Planning Governance is a new area for SOA. It allows companies to build to plan and
build to priority by modeling current and desired architecture and identifying and
prioritizing candidate services. Planning Governance solutions maximize the efficiency of
investment in SOA, solidifying the role of existing platforms as foundation service
providers.
I.T. has always struggled with balancing long term planning with addressing the
immediate and short term needs of the business; in most cases the short term
requirements take precedence over long range planning. When this is applied to
enterprise architecture, organizations end up with a bunch of services that deliver
minimal business value, instead of their goal of SOA.
Planning Governance allows organizations to identify potential services in a planned and
managed community including enterprise architects, business analysts and portfolio
managers. When utilizing planning governance, services can be proactively ‘built to plan’
rather than simply reacting and building single use services. This approach reduces the
risks of service deployment and facilitates Enterprise Architectural goals by avoiding
chaotic ‘service sprawl’.
Planning Governance solutions require integration with a wide range of existing
enterprise repositories, application portfolio management, and enterprise architecture
planning solutions, to harvest current and desired architectures. The output from the
Planning Governance process is a set of candidate services that feed into the
Development Governance process, and candidate policies feeding into the Policy
Governance process.
3.2 Development Governance – Build Things Right
Development governance marshals an asset through the development process that
typically spans the design, development, testing and staging phases of its software
development lifecycle. It typically includes a workflow mechanism to approve migration,
policy compliance validation, and a clear separation (logically, physically, or both)
between lifecycle stages. Development governance is the realm traditionally occupied
by registry and repository vendors, although it requires much stronger repository
capabilities and much broader integrations with development environments (IDEs and
SCM tools), federation with other registries and much stronger service, standards and
taxonomy support than most repositories offer.
The Development Governance solution depends heavily on Policy Governance for
compliance policy definition, management, and validation. It uses policies to determine
the relevance and suitability of services at each lifecycle stage, and to determine if
assets meet enterprise standards and guidelines before they can be promoted to the next
stage of the lifecycle. For example, for a service to move from design to development
the enterprise may require that there is a design document in the repository, the service
has a WSDL, the service is categorized appropriately, and perhaps even that there are
registered consumers waiting for the service.
3.3 Operational Governance – Ensure What’s Built Behaves Right
Operational Governance controls the runtime aspects of SOA. It typically includes
service monitoring, security and management with a runtime policy system. Most Web
Services Management and Web Services Security vendors now position themselves as
providing Operational Governance solutions.
The Operational Governance solution relies heavily on the Policy Governance solution for
discovery of policies for implementation and enforcement. A well architected
Operational Governance solution will fully abstract service consumers and providers from
the complexity of policy implementation and enforcement, service endpoint location,
transport, standards, message exchange pattern, and other impedances to
interoperability. It should provide agents, delegates, and a network resident
intermediary for service virtualization.
3.4 Policy Governance – Uniform Policy for All Governance Areas
Policy Governance defines and manages policies, associates them with various assets,
and validates and reports on policy compliance. It manages a wide range of different
policy types from metadata compliance policies applied in Planning and Development
Governance processes through security, reliability, and service-level policies applied
through an Operational Governance solution.
It is critical that the Policy Governance solution ensures consistent policy definition,
implementation, enforcement, validation, and audit through all stages of the lifecycle,
and across all distributed and mainframe platforms.
4 Unified SOA Governance Best Practices
Unified SOA Governance promotes the core SOA governance best practices of:
4.1 Governance Automation
Governance Automation ensures scalability of enterprise processes implementing a
lifecycle management workflow to implement development approval processes,
integrated provisioning and lifecycle management, and inter-departmental contract
management and negotiation.
4.2 Uniform Policy Management
Uniform Policy Management ensures consistent policy definition, implementation,
enforcement, validation, and audit through all stages of the lifecycle, and across all
distributed and mainframe platforms. It ensures that services can be leveraged as first-
class citizens throughout an enterprise SOA by complying with enterprise policies that
are uniform across all platforms.
4.3 Metadata Federation
Metadata Federation provides seamless, heterogeneous SOA Governance and standards-
based support for governance automation (UDDIv3, WS-MEX, WS-Policy) to ensure that
governance processes are uniformly applied across all platform investments. When
metadata is federated and consistent across multiple governance platforms, the business
value of service (cost, usage, production issues) becomes visible and measurable across
the enterprise service lifecycle.
4.4 Service Virtualization
Service Virtualization provides location-transparency, service mobility, impedance
tolerance and reliable service delivery without requiring a re-platforming of existing
platforms or introducing yet another service platform to support the required solution
architecture.
4.5 Trust and Management Mediation
Trust and Management Mediation ensures interoperability across disparate partners and
platforms, trust enablement and trust mediation complementing threat prevention
systems. It provides last-mile security, metric collection and reporting, SLA
monitoring and management, to ensure that services are governed, managed, and
secured, and policy implementation and mediation to allow consumers to communicate
with a wide range of mission critical business services exposed from any platform.
4.6 Continuous Compliance and Validation
Continuous Compliance and Validation ensures consistent policy implementation and
enforcement across all stages of the lifecycle, preserving the fidelity of the governance
models, structures and mechanisms supporting enterprise SOA programs and ensuring the
relevance, applicability and suitability of services.
4.7 Change Impact Mitigation
Change Impact Mitigation provides change management and impact analysis processes
integrated with the governance workflow to ensure that changes to services or other
assets don’t cause major outages by breaking the consumption model.
4.8 Consumer Contract Provisioning
Consumer Contract Provisioning provides offer, request, negotiation and approval
workflows for service access, capacity, SLA and policy contracts. It ensures that the
service providers know which applications and users are consuming their services and
allows them to treat different consumers with different priorities and service levels.
5 Platform Independent Governance Automation
Much of the benefit of SOA is derived from the promise of seamless interoperability
between platforms, with applications built using .NET and WCF consuming services
exposed from COTS, Mainframe, or Java applications. One of the core goals of SOA
Governance is to ensure that services are relevant and consumable between platforms.
As such it makes no sense to leverage governance capabilities built into the platforms
themselves, as this simply promotes silos of services within platform domains.
5.1 Platform Governance Models
Not all platforms are governable. In fact, platforms fall into one of 3 categories:
• Ungoverned Platforms – the purest form of Informal Governance. This often
results in “Random SOA” or “Accidental SOA”. This includes any container that
doesn’t support policy enforcement natively or with an agent
• Self-Governed Platforms – a mixture of Formal and Informal. Some tasks and
activities are governed, some are not. SOA Governance is as weak as the
weakest link in the chain. This category includes containers that use their own
tooling without policy integration with a centralized enterprise SOA Governance
solution.
• Governed Platforms – a real or virtual organization exists that is devoted to the
promotion of SOA programs and causes that is accepted as a fundamental part of
an SOA culture. Governed Service Platforms have:
  • Clear job titles and responsibilities that support SOA Governance activities
  • Clear separation between implementation activities and governance
  activities
  • Standards-based governance integration interfaces
Unified SOA Governance solutions integrate seamlessly with the platforms, providing
varying degrees of configuration, policy implementation and enforcement, message
handling, and workflow support, largely depending on the level of sophistication of the
platform itself.
We divide governed platforms into two categories:
5.2 Governed Service Platforms
All applications that expose and consume services at runtime are service platforms.
These include application services like IBM WebSphere, Microsoft IIS, Oracle/BEA
WebLogic, JBoss and others; ESBs from vendors including IBM, Microsoft, Oracle/BEA,
JBoss, TIBCO and others; mainframe applications running in CICS and IMS; COTS
applications like CICS; and SaaS environments like Salesforce.com and Amazon.
As described above, Governed Service Platforms offer standards-based governance
integration interfaces, and support the concepts of governance by an external enterprise
governance system.
5.3 Governed Development Platforms
Most platform vendors provide an integrated development environment (IDE), source
code management and version control system, defect tracking/change request tooling,
and in many cases, a document management and/or asset management repository. A
Unified SOA Governance solution can provide asset lifecycle management and policy
compliance capabilities to ensure that developed software assets (such as services,
components and applications) are appropriate and relevant to the enterprise, and that
they comply with applicable policies.
Governed Development Platform status means that the development platform integrates
with a Unified SOA Governance solution to make and share decisions about assets and
artifacts.
6 Unified SOA Governance Use Cases
This section examines some common SOA Governance use-cases ranging from simple
service publishing and discovery, through consumer contract negotiation, lifecycle
management workflow, contextual collaboration, and folksonomy creation.
6.1 Service Publishing (Approvals Workflow)
The act of publishing a service to a registry so that it can be found by a broad audience
of interested parties may seem like a simple enough task. In fact, this is one of the
most basic, and yet most important functions of an SOA Governance solution.
The essence of governance can be easily captured in the phrase “encouraging desired
behavior.” This simple concept provides a backdrop to help understand what a
governance solution should be focusing on, and the capabilities it should provide.
Essentially it is not enough to merely provide a stick with which to beat developers and
architects, we must also provide a carrot to encourage people to participate in
governance processes.
With this in mind, we need to think about what is the desired behavior for the
participants in an SOA. For many organizations, one of the most important aspects of
SOA Governance is the process of ensuring that the services that are published are
appropriate. “Appropriate” in this context is another word a little like “desired.” It can
mean many things, but the reality is that an “appropriate” service is a service that
meets a set of criteria defined by the enterprise, often including the following:
• Is not a duplicate of, or similar to an existing service
• Meets design criteria for transport, operation type, schema, etc.
• Is at an appropriate level of business functionality granularity (e.g. a ‘top-down’
design rather than ‘bottoms-up’)
• Is of broad interest and therefore likely to be reused
• Complies with appropriate industry standards and recommendations (e.g. WS-I
Basic Profile)
Some of these criteria, like WS-I Basic Profile compliance, can be readily automated;
others will likely require manual steps. To this end, before a service can be published it
should pass through a workflow process that will verify the automatable criteria before
requiring a manual approval step. A well designed SOA Governance solution will
manage this workflow as a series of customizable, automatable defined process steps
and will allow developers and approvers to see services at appropriate phases of this
process.
6.2 Service Discovery
Service discovery is a slightly overloaded term. It can mean different things:
6.2.1 Deployed Service Discovery
The governance, security and management infrastructure should be able to identify
services that are deployed in managed containers. This will ensure that any deployed
service will at the very least be a known quantity. Ideally all services should be
identified at an early stage in the development lifecycle to avoid any deployment
“surprises.” Realistically, however, some services may not be identified. Therefore, it is
important to be aware of all deployed services, and if necessary, automatically register,
manage and secure these services while notifying administrators of their discovery.
6.2.2 Developer Service Discovery
An important facet of a governance solution is the ability to provide mechanisms for
potential users of services (developers) to search for and find services they would like to
use. It is this discovery process that led simple UDDI registry providers to classify
themselves as governance vendors.
The importance of true governance in this service discovery process is in ensuring that
only authorized users can discover services. This can apply to services in certain
taxonomies, organizations, states of lifecycle stages as well as other customized criteria.
6.3 Service Lifecycle Management
Services, like all other development assets and applications, have their own lifecycle and
as such need to be managed through their lifecycle state transitions. Service lifecycle
generally models a typical SDLC with stages including design, development, test, QA,
production, and deprecation. Many organizations will add versioning into the process
between production and deprecation, although in reality each new version of a service
will have its own lifecycle.
An SOA Governance product must be able to manage the lifecycle stage of a service and
should provide a workflow-based process for migrating services between stages. Often
this process will closely mirror the original publication process described above. It will
include a set of policies that define criteria a service must meet before it can be
migrated. It will also in many cases include manual approval steps.
The lifecycle stage of a service should be used to determine who can discover the
service in the registry and who can access the service at run-time. It should also define
which policy set is used to determine the run-time capabilities and requirements for
accessing the service.
6.4 Consumer Contract Negotiation
The idea of a consumer contract for SOA closely models the idea of a business contract.
It defines the terms of a relationship between a consumer, or group of consumers, and a
service, or set of services. These terms should include:
• The policies the consumer(s) agree to comply with
• The access rights the service(s) will provide the consumer(s)
• The service levels the provider commits to delivering to the consumer(s)
• Any mediation the provider(s) and consumer(s) agree to and require
The SOA Governance solution has two important roles to play in the contract process:
1. Contract negotiation – the Governance solution should provide a workflow model
allowing potential consumers to interact with service providers to request and
negotiate access to, and specific service levels for, a service or set of services.
2. Contract enforcement – the Governance solution should enforce the contract at
run-time. It should seamlessly ensure that the provider meets agreed upon
service levels, that any required mediations are delivered, that the consumer(s)
are complying with required policies and that the access rights and times are
enforced and complied with.
6.5 Compliance Policy Validation
One of the important decision points in the lifecycle workflow is an asset’s compliance
with defined enterprise policies. For example, an organization might require that a
service have a design document, a description, be properly categorized, and have a
defined business case before it can be promoted from the design stage to the
development stage of the lifecycle. The SOA lifecycle governance automation system
needs to provide an easy way to define and manage compliance policies and associate
these policies with lifecycle stages, categories, and other taxonomy or folksonomy structures and types.
6.6 Change Management Notification
Change management notification addresses several different issues. Clearly any
complete lifecycle governance has to include a notification model so that submitters and
approvers know that action is required, or that a state change has occurred. Also, in
SOA governance, there is likely to be a varied constituency interested in the state and
stage changes of assets. A simple example is that the group of consumers using a
service in production will want to know that there is a new version of the service
available and that the current version will be deprecated within a defined timeframe.
6.7 Lifecycle Stage Isolation
Depending on the nature of the process and the requirements of the various lifecycle
stages there are different ways of isolating the stages. Some organizations will want to
leverage a single registry/repository instance using object-based security to ensure that
only users in authorized roles can see assets at various stages of their lifecycle. Other
organizations will want to ensure physical isolation between assets in different lifecycle
stages. The emerging best practice is a mixed-mode approach. It uses a single
registry/repository instance for early lifecycle stages where there is considerable fluidity
in lifecycle stage, with physically separate instances for later lifecycle stages to mirror
the physical environment.
6.8 Contextual Collaboration
If publishing approvals, lifecycle policy, and contract enforcement are the sticks in SOA
Governance, then contextual collaboration is one of the carrots.
As architects, developers and other SOA program constituents engage in the
communication, promotion and transformation that come with SOA, they will have many
questions about the various processes and policies in place. Contextual collaboration
capabilities within a Unified SOA Governance solution allow users to ask questions in
the context of a specific asset (service, policy, schema, contract, etc.) and engage
others in an ad-hoc collaboration model. It provides a searchable resource for users to
quickly ramp up the requisite subject matter expertise they need to participate
effectively in the enterprise SOA program.
6.9 Folksonomy Management
A folksonomy is a socially-created tagging model, like del.icio.us, or YouTube. In the
SOA context this means providing a model that allows users to tag services and assets
with their own keywords and then pivot the search model around these tags, i.e. follow
a tag to see which other services and assets are similarly tagged.
This idea may seem very “web 2.0”, and it is. It offers enormous value, essentially
allowing the SOA community within the enterprise to add value to the governance
framework, creating a social network for SOA.
7 Unified SOA Governance Solutions
The discussion above provides a high-level, abstract definition of Unified SOA
Governance. Here we take a more practical look at what constitutes actual deployed
SOA Governance solutions, and perhaps more importantly the solutions that categorize
themselves as SOA Governance and fall short.
7.1 Registry/Repository < SOA Governance
In the early days of SOA Governance, the UDDI registry vendors classified themselves
as SOA Governance solutions. Often they added weak, email-based migration
capabilities to their products to claim approvals workflow to partially deliver one of the
use-cases described above.
Over time the registry vendors have added repository capabilities to their products and
have begun to offer more governance features.
The main challenge facing the registry players is that they have minimal run-time
enforcement capabilities. (See the closed-loop governance discussion below.)
7.2 SOA Management ≠ SOA Governance
As SOA Governance has gained popularity and enterprise customers identify SOA
Governance projects and budgets, the SOA Management vendors have begun to try to
compete in this space. Many of these vendors have attempted to position their run-time
monitoring solutions as SOA Governance solutions. Most of these offerings do not begin
to qualify as SOA Governance solutions. They do not offer complete standards-based
registry and repository capabilities, unified management of policy, or any advanced
governance use-cases such as those described above.
7.3 ESB ≠ SOA Governance
Following the same market dynamic as the SOA Management vendors, the ESB vendors
are also jumping on the SOA Governance bandwagon. In addition to the lack of design-
time governance capabilities they share with the SOA Management vendors, the ESB
vendors drive their customers to re-platform their SOA onto the ESB and their
associated application server environment. Consequently, they have the problem of
being proprietary, closed environments with no ability to monitor, secure, or manage a
complex, heterogeneous, enterprise SOA.
7.4 Closed-loop SOA Governance System = Unified SOA Governance Automation
Integrated solutions bring together registry, repository, security, management and
mediation capabilities to deliver true enterprise SOA governance.
The following section of this document expands on the ideas of Unified SOA Governance
Automation.
8 Unified SOA Governance Automation
The diagram below shows the relationships between SOA registry/repository, security
and management, demonstrating how SOA Policy Management forms a closed-loop of
policy, metrics, and audit.
The alternative to a closed-loop solution is a set of stand-alone applications for
governance, management and security. These solutions may offer loose integration, but
we have yet to identify a single organization that has successfully integrated stand-alone
solutions in a production environment.
A standalone SOA Governance product can define and enforce policies for design-time
compliance, ensuring that services meet policies describing static attributes (typically
directly associated with the WSDL or the registry taxonomies). It can also define run-
time policies but it has no way of knowing if these policies are being enforced by a run-
time platform, or even if these policies are visible to any run-time platform. This is a
“define and hope” model of governance, where an administrator defines a policy in a
governance product and then hopes that this policy is enforced.
Similarly, a standalone SOA run-time security and management solution will enforce
policies at run-time, but these policies will be locally defined and will not be subject to
centralized governance. This is the “ready, fire, aim” model of policy enforcement,
where the enterprise has no understanding of the policies that are being enforced.
In the rare instances where a standalone SOA Governance solution is integrated with a
standalone SOA run-time security and management solution, the run-time system may
be able to discover policies from a policy governance solution. However, it will not have
any mechanism to report the actual enforcement of these policies to the governance
system. In this case, the policy governance system still has no knowledge of whether its
policies are being enforced, and no information about how the services themselves are
actually behaving.
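The closed-loop check described above can be sketched as a reconciliation between centrally defined policies and the enforcement reports a run-time sends back. This is an added example, not code from the whitepaper or from any SOA Software product; the service names, policy names and report format are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: policies defined centrally, keyed by (service, policy).
DEFINED = {
    ("OrderService", "require-signed-messages"),
    ("OrderService", "max-latency-500ms"),
    ("BillingService", "require-signed-messages"),
}

# Constructed sample enforcement reports from run-time intermediaries:
# (service, policy, messages_checked, violations)
REPORTS = [
    ("OrderService", "require-signed-messages", 1200, 0),
    ("OrderService", "max-latency-500ms", 1200, 37),
    ("InventoryService", "local-ip-allowlist", 800, 2),
]

@dataclass(frozen=True)
class Finding:
    service: str
    policy: str
    status: str
    violations: int = 0

def reconcile(defined, reports):
    """Compare centrally defined policies with run-time enforcement reports."""
    enforced = {}
    for service, policy, checked, violations in reports:
        c, v = enforced.get((service, policy), (0, 0))
        enforced[(service, policy)] = (c + checked, v + violations)

    findings = []
    for key in sorted(set(defined) | set(enforced)):
        checked, violations = enforced.get(key, (0, 0))
        if key not in defined:
            status = "ready-fire-aim"        # enforced locally, never governed
        elif checked == 0:
            status = "define-and-hope"       # defined, no evidence of enforcement
        elif violations:
            status = "enforced-with-violations"
        else:
            status = "closed-loop"           # defined, enforced and audited
        findings.append(Finding(key[0], key[1], status, violations))
    return findings

if __name__ == "__main__":
    for f in reconcile(DEFINED, REPORTS):
        print(f"{f.service:18}{f.policy:26}{f.status:26}violations={f.violations}")
```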
8.1 Unified SOA Governance Value Add
Stand-alone run-time solutions don't deliver higher-value design-time or governance
capabilities. They require their own policy management, don’t offer developer or
architect services, and have no understanding of the relationship between a provider
and a consumer.
On the other hand, governance solutions can only deliver value when they are built on a
run-time foundation. They require a run-time solution to enforce policies; they need the
run-time to provide statistics and metrics for demand, capacity, and value monitoring;
and they also need the run-time to provide an audit trail to ensure that messages
comply with defined policies.
Unified means:
• Defining and managing actionable policies in a policy governance solution
throughout the lifecycle
• Enforcing these policies via deep integration with an operational governance
solution at run-time
• Auditing that these policies are being enforced
• Using industry standards (WS-Policy, WS-MEX) where appropriate for information
exchange
Unified Closed-loop SOA Governance solutions enable demand and value management.
Because the governance system has real-world information about how services are
actually being used, it allows organizations to:
• Use live, audited information to drive value-based decisions about the
effectiveness of different services and organizations
• Provide developers with up-to-the-minute information about a service in run-time
to inform their decisions about which services to use
• Manage supply and demand to ensure maximum efficiency and benefit from SOA
9 SOA Infrastructure Reference Model
SOA Infrastructure is the set of tools and technologies that an organization deploys to
secure and manage services and service-oriented business applications. It provides the
delivery mechanism for a comprehensive governance solution including Registry,
Repository, Management, and Security services, and intermediaries to ensure the
application and use of these services.
The SOA Infrastructure reference model shown above is published by SOA Software, the
leading provider of SOA Infrastructure software products. It provides a product and
vendor agnostic view of the concepts, components and standards that make up a
successful SOA Infrastructure. For more information see SOA Software’s whitepaper –
“The SOA Infrastructure Reference Model,” published in May 2006.
10 Unified SOA Governance System Elements:
The core elements of the Unified SOA Governance system are the Planning and
Development Repository and Registry, Policy Management System, Virtualization
System, Management and Security System, and their associated intermediaries. Also, as
described above, governance products and systems not having deep integration between
these elements would offer minimal value to an SOA implementation.
10.1 SOA Repositories
The SOA Repositories provide solutions for the governance of planning and
development assets and artifacts. Governance in this context includes registration,
lifecycle management, planning, design-time, and run-time policy invocation, and
business value visibility. The repository implements registry standards for metadata
exchange. It is the main source of SOA information for end users and applications.
10.2 SOA Policy Management System
The SOA Policy Management System provides a framework for defining and managing
policies that are enforced throughout the planning, lifecycle, and operational governance
processes. It ensures that policies are applied uniformly across all governed and
governable platforms.
10.3 SOA Registry
The SOA Registry supports the categorization, classification, tagging, and publication of
services. It provides browse and search interfaces for service discovery, a publication
interface for service registration, and a subscription interface for synchronization with
other registries and repositories.
10.4 SOA Management System
An SOA Management solution monitors and manages the reliability, availability and
performance of services.
10.5 SOA Security System
An SOA Security solution provides service and message security capabilities including
authentication (identity assertion and token exchange), authorization, privacy, non-
repudiation and audit.
10.6 SOA Intermediaries
SOA intermediaries exist in a number of forms, the most important of which are stand-
alone (proxy/router), and agent (embedded in container). Intermediaries enforce and
implement policy for Management and Security solutions. The primary role of the agent
intermediary is to ensure last-mile policy enforcement, while the primary role of the
stand-alone intermediary is to provide service virtualization to isolate consumers from
service location, policy, implementation, and change.
11 SOA Software’s Unified SOA Governance Solution
SOA Software builds its Integrated SOA Governance solution around its Policy
Manager™, Repository Manager™, and Service Manager™ products for SOA Policy Governance, Development Governance, and Operational Governance.
SOA Software’s Portfolio Manager™, Repository Manager™, Policy Manager™, and
Service Manager™ combine to form a comprehensive Integrated SOA Governance
Automation solution.
Portfolio Manager™ is an innovative Planning Governance product that helps ensure the
alignment of SOA Programs with strategic IT investment and business objectives and
makes sure that enterprises build the right services at the right time. It helps
customers identify candidate services and build an SOA roadmap through SOA Modeling,
Asset Identification, and a Portfolio Management process. To achieve these goals
Portfolio Manager functions as part of a unified SOA Governance automation suite with
seamless integration with Repository Manager™ and Policy Manager™.
Repository Manager™ provides an advanced software development asset (SDA)
repository, lifecycle management, and metadata federation solution. It governs leading
development platforms, ensuring consistent definition and management of services and
other assets across all development environments. Repository Manager supports
advanced SDA repository and governance capabilities including the ability to define and
manage custom asset and artifact types, asset relationship management, integrated
development environment (IDE) integration, and comprehensive asset federation. It
integrates seamlessly with Policy Manager where policy decisions are required in the
Development Governance process, and provisions service consumption
agreements made by developers to Policy Manager for further governance. Repository
Manager supports application development and architecture teams, providing a
comprehensive Development Governance solution.
Service Manager™ automatically implements and enforces policies from Policy Manager.
It generates usage, performance and policy compliance metrics that it reports to Policy
Manager so that it can audit that policies are being enforced in a closed-loop process.
Service Manager supports SOA and enterprise operational management functions,
ensuring that services are secure, reliable, and meet the performance goals for each
consumer.
Policy Manager™ provides an SOA Registry/Repository and comprehensive SOA Policy
Governance solution, with powerful governance automation capabilities. Governance
automation minimizes the overhead associated with governance processes, and turns
governance from a painful workload into a productivity tool. Policy Manager includes a
built-in policy and service metadata repository supporting its policy governance
processes. Policy Manager supports enterprise and SOA architecture functions, ensuring
consistent application of policies throughout an enterprise SOA program. Using this
solution, architects, developers, security administrators, and operations managers can
define and govern policies that are applied to services throughout the appropriate stages
of their lifecycle.
12 About SOA Software
SOA Software is a leading provider of unified governance automation products that
enable organizations to successfully plan, build, and run enterprise services. The world’s
largest companies including Bank of America, Verizon, and Pfizer use SOA Software
solutions to transform their business. For more information, please visit
http://www.soa.com.
SOA Software, Policy Manager, Portfolio Manager, Repository Manager, Service Manager,
and SOLA are trademarks of SOA Software, Inc. All other product and company names
herein may be trademarks and/or registered trademarks of their registered owners.
SOA Software, Inc.
12100 Wilshire Blvd, Suite 1800
Los Angeles, CA 90025
866-SOA-9876
www.soa.com
Copyright © 2009 by SOA Software, Inc.
Disclaimer: The information provided in this document is provided "AS IS" WITHOUT ANY WARRANTIES OF ANY KIND INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF INTELLECTUAL PROPERTY. SOA Software may make changes to this document at any time without notice. All comparisons, functionalities and measures as related to similar products and services offered by other vendors are based on SOA Software's internal assessment and/or publicly available information of SOA Software and other vendor product features, unless otherwise specifically stated. Reliance by you on these assessments / comparative assessments are to be made solely on your own discretion and at your own risk. The content of this document may be out of date, and SOA Software makes no commitment to update this content. This document may refer to products, programs or services that are not available in your country. Consult your local SOA Software business contact for information regarding the products, programs and services that may be available to you. Applicable law may not allow the exclusion of implied warranties, so the above exclusion may not apply to you.