Unified SOA Governance

www.soa.com Copyright © by SOA Software, Inc. 2009. All rights reserved. 1

Table of Contents

1 Introduction

2 Governance Evolution

3 Unified SOA Governance Defined

4 Unified SOA Governance Best Practices

5 Platform Independent Governance Automation

6 Unified SOA Governance Use Cases

7 Unified SOA Governance Solutions

8 Unified SOA Governance Automation

9 SOA Infrastructure Reference Model

10 Unified SOA Governance System Elements:

11 SOA Software’s Unified SOA Governance Solution

12 About SOA Software

1 Introduction

Many large organizations are reducing costs, improving agility and reducing risk with

enterprise SOA programs. In order for SOA initiatives to succeed they need to follow

sound Enterprise Architecture practices. Companies realizing the most success are

those that have built a Unified SOA Governance infrastructure that governs a wide

range of assets and artifacts through their entire lifecycle.

Unified SOA Governance helps enterprises:

• Ensure that services they identify, design and build are relevant and consumable

across all distributed and mainframe platforms like Microsoft, SAP and IBM.

• Make services they expose from applications running on any platform visible to

and compliant with enterprise policies defined, enforced and audited across other

platforms.

• Promote, ensure and formalize consistent alignment between demand from

service consumers and the supply of services through Consumer Contract

Provisioning.

In a nutshell, SOA Governance is about making sure that the enterprise builds the right

things, builds them right, and makes sure that what it has built is behaving right. This

breaks down into distinct areas: Planning Governance is about making sure that you are

building the right things, Development Governance is about making sure you’re building

them right, and Operational Governance is about ensuring that what you’ve built is

behaving right.

In the same way that individual platforms could have their own governance solutions,

these different governance areas could each have their own policy management

solutions. The right approach, however, is to provide a centralized Policy Governance

solution that defines, manages, and distributes policies spanning all areas. This ensures

consistency of policy across all lifecycle stages and distributed and mainframe platforms.

This whitepaper examines the ideas, objectives and use-cases behind Unified SOA

Governance, and the evolution of the SOA Governance marketplace.

2 Governance Evolution

SOA Governance has become an overused term, with claimed governance solutions

ranging from simple registry products and Web services management products, to

comprehensive infrastructure solutions. In some cases ESB vendors are positioning

their products as governance tools.

The simple fact is that SOA Governance covers a wide range of technical and

organizational areas. A Unified SOA Governance solution needs to address all the

facets of SOA Governance while providing tools that simplify participation in the

governance process for developers, architects, business analysts, operations and

security teams.

As recently as 2006, many vendors offered standalone products for registry, repository,

management, and security. Through 2006 and 2007 the market has evolved and

customers now require Unified SOA Governance solutions that combine products into a

single infrastructure solution that provides a unified user experience model for policy-

based service governance, asset management, operational security, and operational

management.

Enterprise customers are no longer satisfied with web services management products,

SOA registry products, asset repositories, and XML security products from separate

vendors. Enterprise customers are now looking for a unified solution that combines

mature, standards-based infrastructure components into a Unified SOA Governance

platform. This approach mirrors SOA Software’s Unified SOA Governance reference

model, first published in 2005.

Unified SOA Governance includes compliance policy and service lifecycle governance

functions. This ensures that service designs and documentation comply with enterprise

design policies and industry standards, and that approvals and workflow support SOA

service publishing and discovery. It includes operational governance functions such as

run-time policy management, enforcement, and compliance audit. Unified SOA

Governance capabilities deliver high value in the shared surface area between design-

time SOA lifecycle governance and run-time SOA operations governance.

Over the last few years, there have been significant changes in the way customers view

SOA Governance solutions, and the way vendors deliver products. We have seen the

market evolve from one with separate vendors delivering stand-alone registry products,

repositories, SOA management solutions and compliance products to one that now

expects to see unified product suites that offer a superset of the functions from each of

the stand-alone product areas.

3 Unified SOA Governance Defined

Unified SOA Governance ensures the applicability, integrity and usability of a wide range

of assets through all their lifecycle stages from asset identification through deprecation.

The full lifecycle is split into planning governance, lifecycle governance, and operational

governance.

3.1 Planning Governance – Build the Right Things

Planning governance includes the identification, analysis and modeling of candidate

services, policies, profiles, processes and information. An effective planning governance

tool manages an organization’s SOA portfolio while examining existing and planned

applications and determining which capabilities should be exposed as services, and

where applications would benefit from consuming shared services.

Planning Governance is a new area for SOA. It allows companies to build to plan and

build to priority, modeling current and desired architecture and identifying and

prioritizing candidate services. Planning Governance solutions maximize the efficiency of

investment in SOA, solidifying the role of existing platforms as foundation service

providers.

I.T. has always struggled with balancing long term planning with addressing the

immediate and short term needs of the business; in most cases the short term

requirements take precedence over long range planning. When this is applied to

enterprise architecture, organizations end up with a bunch of services that deliver

minimal business value, instead of their goal of SOA.

Planning Governance allows organizations to identify potential services in a planned and

managed community including enterprise architects, business analysts and portfolio

managers. When utilizing planning governance, services can be proactively ‘built to plan’

rather than simply reacting and building single use services. This approach reduces the

risks of service deployment and facilitates Enterprise Architectural goals by avoiding

chaotic ‘service sprawl’.

Planning Governance solutions require integration with a wide range of existing

enterprise repositories, application portfolio management, and enterprise architecture

planning solutions, to harvest current and desired architectures. The output from the

Planning Governance process is a set of candidate services that feed into the

Development Governance process, and candidate policies feeding into the Policy

Governance process.

3.2 Development Governance – Build Things Right

Development governance marshals an asset through the development process that

typically spans the design, development, testing and staging phases of its software

development lifecycle. It typically includes a workflow mechanism to approve migration,

policy compliance validation, and a clear separation (logically, physically, or both)

between lifecycle stages. Development governance is the realm traditionally occupied

by registry and repository vendors, although it requires much stronger repository

capabilities and much broader integrations with development environments (IDEs and

SCM tools), federation with other registries and much stronger service, standards and

taxonomy support than most repositories offer.

The Development Governance solution depends heavily on Policy Governance for

compliance policy definition, management, and validation. It uses policies to determine

the relevance and suitability of services at each lifecycle stage, and to determine if

assets meet enterprise standards and guidelines before they can be promoted to the next

stage of the lifecycle. For example, for a service to move from design to development

the enterprise may require that there is a design document in the repository, the service

has a WSDL, the service is categorized appropriately, and perhaps even that there are

registered consumers waiting for the service.

3.3 Operational Governance – Ensure What’s Built Behaves Right

Operational Governance controls the runtime aspects of SOA. It typically includes

service monitoring, security and management with a runtime policy system. Most Web

Services Management and Web Services Security vendors now position themselves as

providing Operational Governance solutions.

The Operational Governance solution relies heavily on the Policy Governance solution for

discovery of policies for implementation and enforcement. A well architected

Operational Governance solution will fully abstract service consumers and providers from

the complexity of policy implementation and enforcement, service endpoint location,

transport, standards, message exchange pattern, and other impedances to

interoperability. It should provide agents, delegates, and a network resident

intermediary for service virtualization.

3.4 Policy Governance – Uniform Policy for All Governance Areas

Policy Governance defines and manages policies, associates them with various assets,

and validates and reports on policy compliance. It manages a wide range of different

policy types from metadata compliance policies applied in Planning and Development

Governance processes through security, reliability, and service-level policies applied

through an Operational Governance solution.

It is critical that the Policy Governance solution ensures consistent policy definition,

implementation, enforcement, validation, and audit through all stages of the lifecycle,

and across all distributed and mainframe platforms.

4 Unified SOA Governance Best Practices

Unified SOA Governance promotes the core SOA governance best practices of:

4.1 Governance Automation

Governance Automation ensures scalability of enterprise processes implementing a

lifecycle management workflow to implement development approval processes,

integrated provisioning and lifecycle management, and inter-departmental contract

management and negotiation.

4.2 Uniform Policy Management

Uniform Policy Management ensures consistent policy definition, implementation,

enforcement, validation, and audit through all stages of the lifecycle, and across all

distributed and mainframe platforms. It ensures that services can be leveraged as first-

class citizens throughout an enterprise SOA by complying with enterprise policies that

are uniform across all platforms.

4.3 Metadata Federation

Metadata Federation provides seamless, heterogeneous SOA Governance and standards-

based support for governance automation (UDDIv3, WS-MEX, WS-Policy) to ensure that

governance processes are uniformly applied across all platform investments. When

metadata is federated and consistent across multiple governance platforms, the business

value of service (cost, usage, production issues) becomes visible and measurable across

the enterprise service lifecycle.

4.4 Service Virtualization

Service Virtualization provides location-transparency, service mobility, impedance

tolerance and reliable service delivery without requiring a re-platforming of existing

platforms or introducing yet another service platform to support the required solution

architecture.

4.5 Trust and Management Mediation

Trust and Management Mediation ensures interoperability across disparate partners and

platforms, trust enablement and trust mediation complementing threat prevention

systems. It provides last-mile security, metric collection and reporting, SLA

monitoring and management, to ensure that services are governed, managed, and

secured, and policy implementation and mediation to allow consumers to communicate

with a wide range of mission critical business services exposed from any platform.

4.6 Continuous Compliance and Validation

Continuous Compliance and Validation ensures consistent policy implementation and

enforcement across all stages of the lifecycle, preserving the fidelity of the governance

models, structures and mechanisms supporting enterprise SOA programs and ensuring the

relevance, applicability and suitability of services.

4.7 Change Impact Mitigation

Change Impact Mitigation provides change management and impact analysis processes

integrated with the governance workflow to ensure that changes to services or other

assets don’t cause major outages by breaking the consumption model.

4.8 Consumer Contract Provisioning

Consumer Contract Provisioning provides offer, request, negotiation and approval

workflows for service access, capacity, SLA and policy contracts. It ensures that the

service providers know which applications and users are consuming their services and

allows them to treat different consumers with different priorities and service levels.

5 Platform Independent Governance Automation

Much of the benefit of SOA is derived from the promise of seamless interoperability

between platforms, with applications built using .NET and WCF consuming services

exposed from COTS, Mainframe, or Java applications. One of the core goals of SOA

Governance is to ensure that services are relevant and consumable between platforms.

As such it makes no sense to leverage governance capabilities built into the platforms

themselves, as this simply promotes silos of services within platform domains.

5.1 Platform Governance Models

Not all platforms are governable; in fact, platforms fall into one of 3 categories:

• Ungoverned Platforms – the purest form of Informal Governance. This often

results in “Random SOA” or “Accidental SOA”. This includes any container that

doesn’t support policy enforcement natively or with an agent.

• Self-Governed Platforms – a mixture of Formal and Informal. Some tasks and

activities are governed, some are not. SOA Governance is as weak as the

weakest link in the chain. This category includes containers that use their own

tooling without policy integration with a centralized enterprise SOA Governance

solution.

• Governed Platforms – a real or virtual organization exists that is devoted to the

promotion of SOA programs and causes that is accepted as a fundamental part of

an SOA culture. Governed Service Platforms have:

• Clear job titles / responsibilities that support SOA Governance activities

• Clear separation between implementation activities and governance

activities

• Standards-based governance integration interfaces

Unified SOA Governance solutions integrate seamlessly with the platforms providing

varying degrees of configuration, policy implementation and enforcement, message

handling, and workflow support, largely depending on the level of sophistication of the

platform itself.

We divide governed platforms into two categories:

5.2 Governed Service Platforms

All applications that expose and consume services at runtime are service platforms.

These include application services like IBM WebSphere, Microsoft IIS, Oracle/BEA

WebLogic, JBoss and others; ESBs from vendors including IBM, Microsoft, Oracle/BEA,

JBoss, TIBCO and others; mainframe applications running in CICS and IMS; COTS

applications like CICS; and SaaS environments like Salesforce.com and Amazon.

As described above, Governed Service Platforms offer standards-based governance

integration interfaces, and support the concepts of governance by an external enterprise

governance system.

5.3 Governed Development Platforms

Most platform vendors provide an integrated development environment (IDE), source

code management and version control system, defect tracking/change request tooling,

and in many cases, a document management and/or asset management repository. A

Unified SOA Governance solution can provide asset lifecycle management and policy

compliance capabilities to ensure that developed software assets (such as services,

components and applications) are appropriate and relevant to the enterprise, and that

they comply with applicable policies.

Governed Development Platform status means that the development platform integrates

with a Unified SOA Governance solution to make and share decisions about assets and

artifacts.

6 Unified SOA Governance Use Cases

This section examines some common SOA Governance use-cases ranging from simple

service publishing and discovery, through consumer contract negotiation, lifecycle

management workflow, contextual collaboration, and folksonomy creation.

6.1 Service Publishing (Approvals Workflow)

The act of publishing a service to a registry so that it can be found by a broad audience

of interested parties may seem like a simple enough task. In fact, this is one of the

most basic, and yet most important functions of an SOA Governance solution.

The essence of governance can be easily captured in the phrase “encouraging desired

behavior.” This simple concept provides a backdrop to help understand what a

governance solution should be focusing on, and the capabilities it should provide.

Essentially, it is not enough to merely provide a stick with which to beat developers and

architects; we must also provide a carrot to encourage people to participate in

governance processes.

With this in mind, we need to think about what the desired behavior is for the

participants in an SOA. For many organizations, one of the most important aspects of

SOA Governance is the process of ensuring that the services that are published are

appropriate. “Appropriate” in this context is another word a little like “desired.” It can

mean many things, but the reality is that an “appropriate” service is a service that

meets a set of criteria defined by the enterprise, often including the following:

• Is not a duplicate of, or similar to an existing service

• Meets design criteria for transport, operation type, schema, etc.

• Is at an appropriate level of business functionality granularity (e.g. a ‘top-down’

design rather than ‘bottom-up’)

• Is of broad interest and therefore likely to be reused

• Complies with appropriate industry standards and recommendations (e.g. WS-I

basic profile)

Some of these criteria, like WS-I basic profile compliance, can be readily automated;

others will likely require manual steps. To this end, before a service can be published it

should pass through a workflow process that will verify the automatable criteria before

requiring a manual approval step. A well designed SOA Governance solution will

manage this workflow as a series of customizable, automatable defined process steps

and will allow developers and approvers to see services at appropriate phases of this

process.

6.2 Service Discovery

Service discovery is a slightly overloaded term. It can mean different things:

6.2.1 Deployed Service Discovery

The governance, security and management infrastructure should be able to identify

services that are deployed in managed containers. This will ensure that any deployed

service will at the very least be a known quantity. Ideally all services should be

identified at an early stage in the development lifecycle to avoid any deployment

“surprises.” Realistically, however, some services may not be identified. Therefore, it is

important to be aware of all deployed services, and if necessary, automatically register,

manage and secure these services while notifying administrators of their discovery.

6.2.2 Developer Service Discovery

An important facet of a governance solution is the ability to provide mechanisms for

potential users of services (developers) to search for and find services they would like to

use. It is this discovery process that led simple UDDI registry providers to classify

themselves as governance vendors.

The importance of true governance in this service discovery process is in ensuring that

only authorized users can discover services. This can apply to services in certain

taxonomies, organizations, states of lifecycle stages as well as other customized criteria.

6.3 Service Lifecycle Management

Services, like all other development assets and applications, have their own lifecycle and

as such need to be managed through their lifecycle state transitions. Service lifecycle

generally models a typical SDLC with stages including design, development, test, QA,

production, and deprecation. Many organizations will add versioning into the process

between production and deprecation, although in reality each new version of a service

will have its own lifecycle.

An SOA Governance product must be able to manage the lifecycle stage of a service and

should provide a workflow-based process for migrating services between stages. Often

this process will closely mirror the original publication process described above. It will

include a set of policies that define criteria a service must meet before it can be

migrated. It will also in many cases include manual approval steps.

The lifecycle stage of a service should be used to determine who can discover the

service in the registry and who can access the service at run-time. It should also define

which policy set is used to determine the run-time capabilities and requirements for

accessing the service.

6.4 Consumer Contract Negotiation

The idea of a consumer contract for SOA closely models the idea of a business contract.

It defines the terms of a relationship between a consumer, or group of consumers, and a

service, or set of services. These terms should include:

• The policies the consumer(s) agree to comply with

• The access rights the service(s) will provide the consumer(s)

• The service levels the provider commits to delivering to the consumer(s)

• Any mediation the provider(s) and consumer(s) agree to and require

The SOA Governance solution has two important roles to play in the contract process:

1. Contract negotiation – the Governance solution should provide a workflow model

allowing potential consumers to interact with service providers to request and

negotiate access to, and specific service levels for, a service or set of services.

2. Contract enforcement – the Governance solution should enforce the contract at

run-time. It should seamlessly ensure that the provider meets agreed upon

service levels, that any required mediations are delivered, that the consumer(s)

are complying with required policies and that the access rights and times are

enforced and complied with.

6.5 Compliance Policy Validation

One of the important decision points in the lifecycle workflow is an asset’s compliance

with defined enterprise policies. For example, an organization might require that a

service have a design document, a description, be properly categorized, and have a

defined business case before it can be promoted from the design stage to the

development stage of the lifecycle. The SOA lifecycle governance automation system

needs to provide an easy way to define and manage compliance policies and associate

these policies with lifecycle stages, categories, and other taxonomy or folksonomy structures and types.

6.6 Change Management Notification

Change management notification addresses several different issues. Clearly any

complete lifecycle governance has to include a notification model so that submitters and

approvers know that action is required, or that a state change has occurred. Also, in

SOA governance, there is likely to be a varied constituency interested in the state and

stage changes of assets. A simple example is that the group of consumers using a

service in production will want to know that there is a new version of the service

available and that the current version will be deprecated within a defined timeframe.

6.7 Lifecycle Stage Isolation

Depending on the nature of the process and the requirements of the various lifecycle

stages there are different ways of isolating the stages. Some organizations will want to

leverage a single registry/repository instance using object-based security to ensure that

only users in authorized roles can see assets at various stages of their lifecycle. Other

organizations will want to ensure physical isolation between assets in different lifecycle

stages. The emerging best practice is a mixed-mode approach. It uses a single

registry/repository instance for early lifecycle stages where there is considerable fluidity

in lifecycle stage, with physically separate instances for later lifecycle stages to mirror

the physical environment.

6.8 Contextual Collaboration

If publishing approvals, lifecycle policy, and contract enforcement are the sticks in SOA

Governance, then contextual collaboration is one of the carrots.

As architects, developers and other SOA program constituents engage in the

communication, promotion and transformation that come with SOA, they will have many

questions about the various processes and policies in place. Contextual collaboration

capabilities within a Unified SOA Governance solution allow users to ask questions in

the context of a specific asset (service, policy, schema, contract, etc.) and engage

others in an ad-hoc collaboration model. It provides a searchable resource for users to

quickly ramp-up the requisite subject matter expertise they need to participate

effectively in the enterprise SOA program.

6.9 Folksonomy Management

A folksonomy is a socially-created tagging model, like del.icio.us, or YouTube. In the

SOA context this means providing a model that allows users to tag services and assets

with their own keywords and then pivot the search model around these tags, i.e. follow

a tag to see which other services and assets are similarly tagged.

This idea may seem very “web 2.0”, and it is. It offers enormous value, essentially

allowing the SOA community within the enterprise to add value to the governance

framework, creating a social network for SOA.

7 Unified SOA Governance Solutions

The discussion above provides a high-level, abstract definition of Unified SOA

Governance. Here we take a more practical look at what constitutes actual deployed

SOA Governance solutions, and perhaps more importantly the solutions that categorize

themselves as SOA Governance and fall short.

7.1 Registry/Repository < SOA Governance

In the early days of SOA Governance, the UDDI registry vendors classified themselves

as SOA Governance solutions. Often they added weak, email-based migration

capabilities to their products to claim approvals workflow to partially deliver one of the

use-cases described above.

Over time the registry vendors have added repository capabilities to their products and

have begun to offer more governance features.

The main challenge facing the registry players is that they have minimal run-time

enforcement capabilities. (See the closed-loop governance discussion below.)

7.2 SOA Management ≠ SOA Governance

As SOA Governance has gained popularity and enterprise customers identify SOA

Governance projects and budgets, the SOA Management vendors have begun to try to

compete in this space. Many of these vendors have attempted to position their run-time

monitoring solutions as SOA Governance solutions. Most of these offerings do not begin

to qualify as SOA Governance solutions. They do not offer complete standards-based

registry and repository capabilities, unified management of policy, or any advanced

governance use-cases such as those described above.

7.3 ESB ≠ SOA Governance

Following the same market dynamic as the SOA Management vendors, the ESB vendors

are also jumping on the SOA Governance bandwagon. In addition to the lack of design-

time governance capabilities they share with the SOA Management vendors, the ESB

vendors drive their customers to re-platform their SOA onto the ESB and their

associated application server environment. Consequently, they have the problem of

being proprietary, closed environments with no ability to monitor, secure, or manage a

complex, heterogeneous, enterprise SOA.

7.4 Closed-loop SOA Governance System = Unified SOA Governance Automation

Integrated solutions bring together registry, repository, security, management and

mediation capabilities to deliver true enterprise SOA governance.

The following section of this document expands on the ideas of Unified SOA Governance

Automation.

8 Unified SOA Governance Automation

The diagram below shows the relationships between SOA registry/repository, security

and management, demonstrating how SOA Policy Management forms a closed-loop of

policy, metrics, and audit.

The alternative to a closed-loop solution is a set of stand-alone applications for

governance, management and security. These solutions may offer loose integration, but

we have yet to identify a single organization that has successfully integrated stand-alone

solutions in a production environment.

A standalone SOA Governance product can define and enforce policies for design-time compliance, ensuring that services meet policies describing static attributes (typically directly associated with the WSDL or the registry taxonomies). It can also define run-time policies, but it has no way of knowing if these policies are being enforced by a run-time platform, or even if these policies are visible to any run-time platform. This is a “define and hope” model of governance, where an administrator defines a policy in a governance product and then hopes that this policy is enforced.

Similarly, a standalone SOA run-time security and management solution will enforce policies at run-time, but these policies will be locally defined and will not be subject to centralized governance. This is the “ready, fire, aim” model of policy enforcement, where the enterprise has no understanding of the policies that are being enforced.

In the rare instances where a standalone SOA Governance solution is integrated with a standalone SOA run-time security and management solution, the run-time system may be able to discover policies from a policy governance solution. However, it will not have any mechanism to report the actual enforcement of these policies to the governance system. In this case, the policy governance system still has no knowledge of whether its policies are being enforced, and no information about how the services themselves are actually behaving.
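The closed loop described in this section can be illustrated as a reconciliation between centrally defined policies and the enforcement evidence reported back from run-time. This is an added example, not code from the whitepaper or from any SOA Software product; the data model, service names and policy names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; all service and policy names are hypothetical.
# Policies defined centrally in the governance system, per service.
DEFINED = {
    "OrderService": {"require-ws-security", "max-latency-500ms"},
    "QuoteService": {"require-ws-security"},
}

# Enforcement reports from run-time intermediaries:
# (service, policy, messages_checked, violations)
REPORTS = [
    ("OrderService", "require-ws-security", 1200, 5),
    ("OrderService", "require-ws-security", 800, 2),   # second intermediary
    ("OrderService", "local-ip-allowlist", 1200, 3),   # defined locally only
    ("BillingService", "require-ws-security", 40, 0),  # unregistered service
]


def reconcile(defined, reports):
    """Classify (service, policy) pairs by comparing definition with evidence.

    audited         - centrally defined and reported as enforced
    define_and_hope - centrally defined, no enforcement evidence
    ready_fire_aim  - enforced at run-time, unknown to central governance
    violations      - violation counts for audited pairs that had any
    """
    totals = defaultdict(lambda: [0, 0])  # pair -> [checked, violations]
    for service, policy, checked, violations in reports:
        totals[(service, policy)][0] += checked
        totals[(service, policy)][1] += violations

    defined_pairs = {(s, p) for s, pols in defined.items() for p in pols}
    # A report covering zero messages is not evidence of enforcement.
    enforced_pairs = {pair for pair, (checked, _) in totals.items() if checked > 0}
    audited = defined_pairs & enforced_pairs
    return {
        "audited": sorted(audited),
        "define_and_hope": sorted(defined_pairs - enforced_pairs),
        "ready_fire_aim": sorted(enforced_pairs - defined_pairs),
        "violations": {p: totals[p][1] for p in audited if totals[p][1]},
    }


if __name__ == "__main__":
    for category, pairs in reconcile(DEFINED, REPORTS).items():
        print(category, pairs)
```

Anything in `define_and_hope` or `ready_fire_aim` is a gap between what governance believes and what run-time actually does, which is the condition the stand-alone models cannot detect.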

8.1 Unified SOA Governance Value Add

Stand-alone run-time solutions don't deliver higher-value design-time or governance capabilities. They require their own policy management, don’t offer developer or architect services, and have no understanding of the relationship between a provider and a consumer.

On the other hand, governance solutions can only deliver value when they are built on a run-time foundation. They require a run-time solution to enforce policies; they need the run-time to provide statistics and metrics for demand, capacity, and value monitoring; and they also need the run-time to provide an audit trail to ensure that messages comply with defined policies.

Unified means:

• Defining and managing actionable policies in a policy governance solution throughout the lifecycle
• Enforcing these policies via deep integration with an operational governance solution at run-time
• Auditing that these policies are being enforced
• Using industry standards (WS-Policy, WS-MEX) where appropriate for information exchange

Unified Closed-loop SOA Governance solutions enable demand and value management. Because the governance system has real-world information about how services are actually being used, it allows organizations to:

• Use live, audited information to drive value-based decisions about the effectiveness of different services and organizations
• Provide developers with up-to-the-minute information about a service in run-time to inform their decisions about which services to use
• Manage supply and demand to ensure maximum efficiency and benefit from SOA

9 SOA Infrastructure Reference Model

SOA Infrastructure is the set of tools and technologies that an organization deploys to secure and manage services and service-oriented business applications. It provides the delivery mechanism for a comprehensive governance solution including Registry, Repository, Management, and Security services, and intermediaries to ensure the application and use of these services.

The SOA Infrastructure reference model shown above is published by SOA Software, the leading provider of SOA Infrastructure software products. It provides a product and vendor agnostic view of the concepts, components and standards that make up a successful SOA Infrastructure. For more information see SOA Software’s whitepaper – “The SOA Infrastructure Reference Model,” published in May 2006.

10 Unified SOA Governance System Elements:

The core elements of the Unified SOA Governance system are the Planning and Development Repository and Registry, Policy Management System, Virtualization System, Management and Security System, and their associated intermediaries. Also, as described above, governance products and systems not having deep integration between these elements would offer minimal value to an SOA implementation.

10.1 SOA Repositories

The SOA Repositories provide solutions for the governance of planning and development assets and artifacts. Governance in this context includes registration, lifecycle management, planning, design-time, and run-time policy invocation, and business value visibility. The repository implements registry standards for metadata exchange. It is the main source of SOA information for end users and applications.

10.2 SOA Policy Management System

The SOA Policy Management System provides a framework for defining and managing policies that are enforced throughout the planning, lifecycle, and operational governance processes. It ensures that policies are applied uniformly across all governed and governable platforms.

10.3 SOA Registry

The SOA Registry supports the categorization, classification, tagging, and publication of services. It provides browse and search interfaces for service discovery, a publication interface for service registration, and a subscription interface for synchronization with other registries and repositories.

10.4 SOA Management System

An SOA Management solution monitors and manages the reliability, availability and performance of services.

10.5 SOA Security System

An SOA Security solution provides service and message security capabilities including authentication (identity assertion and token exchange), authorization, privacy, non-repudiation and audit.

10.6 SOA Intermediaries

SOA intermediaries exist in a number of forms, the most important of which are stand-alone (proxy/router), and agent (embedded in container). Intermediaries enforce and implement policy for Management and Security solutions. The primary role of the agent intermediary is to ensure last-mile policy enforcement, while the primary role of the stand-alone intermediary is to provide service virtualization to isolate consumers from service location, policy, implementation, and change.

11 SOA Software’s Unified SOA Governance Solution

SOA Software builds its Integrated SOA Governance solution around its Policy Manager™, Repository Manager™, and Service Manager™ products for SOA Policy Governance, Development Governance, and Operational Governance.

SOA Software’s Portfolio Manager™, Repository Manager™, Policy Manager™, and Service Manager™ combine to form a comprehensive Integrated SOA Governance Automation solution.

Portfolio Manager™ is an innovative Planning Governance product that helps ensure the alignment of SOA Programs with strategic IT investment and business objectives and makes sure that enterprises build the right services at the right time. It helps customers identify candidate services and build an SOA roadmap through SOA Modeling, Asset Identification, and a Portfolio Management process. To achieve these goals, Portfolio Manager functions as part of a unified SOA Governance automation suite with seamless integration with Repository Manager™ and Policy Manager™.

Repository Manager™ provides an advanced software development asset (SDA) repository, lifecycle management, and metadata federation solution. It governs leading development platforms, ensuring consistent definition and management of services and other assets across all development environments. Repository Manager supports advanced SDA repository and governance capabilities including the ability to define and manage custom asset and artifact types, asset relationship management, integrated development environment (IDE) integration, and comprehensive asset federation. It integrates seamlessly with Policy Manager where policy decisions are required in the Development Governance process, and it provisions service consumption agreements made by developers to Policy Manager for further governance. Repository Manager supports application development and architecture teams, providing a comprehensive Development Governance solution.

Service Manager™ automatically implements and enforces policies from Policy Manager. It generates usage, performance and policy compliance metrics that it reports to Policy Manager so that it can audit that policies are being enforced in a closed-loop process. Service Manager supports SOA and enterprise operational management functions, ensuring that services are secure, reliable, and meet the performance goals for each consumer.

Policy Manager™ provides an SOA Registry/Repository and comprehensive SOA Policy Governance solution, with powerful governance automation capabilities. Governance automation minimizes the overhead associated with governance processes, and turns governance from a painful workload into a productivity tool. Policy Manager includes a built-in policy and service metadata repository supporting its policy governance processes. Policy Manager supports enterprise and SOA architecture functions, ensuring consistent application of policies throughout an enterprise SOA program. Using this solution, architects, developers, security administrators, and operations managers can define and govern policies that are applied to services throughout the appropriate stages of their lifecycle.

12 About SOA Software

SOA Software is a leading provider of unified governance automation products that enable organizations to successfully plan, build, and run enterprise services. The world’s largest companies including Bank of America, Verizon, and Pfizer use SOA Software solutions to transform their business. For more information, please visit http://www.soa.com.

SOA Software, Policy Manager, Portfolio Manager, Repository Manager, Service Manager, and SOLA are trademarks of SOA Software, Inc. All other product and company names herein may be trademarks and/or registered trademarks of their registered owners.

SOA Software, Inc.

12100 Wilshire Blvd, Suite 1800

Los Angeles, CA 90025

866-SOA-9876

www.soa.com

Copyright © 2009 by SOA Software, Inc.

Disclaimer: The information provided in this document is provided "AS IS" WITHOUT ANY WARRANTIES OF ANY KIND INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF INTELLECTUAL PROPERTY. SOA Software may make changes to this document at any time without notice. All comparisons, functionalities and measures as related to similar products and services offered by other vendors are based on SOA Software's internal assessment and/or publicly available information of SOA Software and other vendor product features, unless otherwise specifically stated. Reliance by you on these assessments / comparative assessments are to be made solely on your own discretion and at your own risk. The content of this document may be out of date, and SOA Software makes no commitment to update this content. This document may refer to products, programs or services that are not available in your country. Consult your local SOA Software business contact for information regarding the products, programs and services that may be available to you. Applicable law may not allow the exclusion of implied warranties, so the above exclusion may not apply to you.