SOA Governance: Balancing Flexibility and Control Within an SOA
A Systinet White Paper
September 2006

Copyright 2006 Systinet, a Mercury Division. All rights reserved. The document is not intended for production and is furnished as is without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

Trademarks: Mercury, Systinet, the Systinet logo, and the Mercury logo are trademarks of Mercury Interactive Corporation and may be registered in certain jurisdictions. All other company, product and brand names are trademarks of their respective companies.

Systinet, a Mercury Division. One Van de Graaff Drive, 5th Floor, Burlington, MA 01803. Phone: 1.781.362.1300. www.systinet.com

Contents
- Executive Summary
- The SOA Imperative
- SOA Requires a New Way of Thinking
- Why SOA Governance?
- Who Cares About SOA Governance Anyway?
- SOA Governance is All About Trust
- SOA and the Nature of Change
- Key Elements of SOA Governance
- SOA Policies
- Service Contracts
- Lifecycle Management
- Metadata
- The Cost of an Ungoverned SOA
- Governance is Fundamental to SOA
- Systinet 2 for SOA Governance and Lifecycle Management

Executive Summary

Few would argue with the fact that SOA is inevitable and has become a strategic imperative for organizations today. Those without a strategy for SOA risk being outpaced and outperformed by competitors who are better equipped to serve customers, seize opportunities and respond to change. But SOA brings new challenges with respect to consistency, predictability and trust. This white paper introduces the concept of SOA governance and provides a framework for blending the flexibility of an SOA with the control, consistency and predictability of traditional IT architecture. Key areas the paper highlights include:
- The crucial elements of SOA governance, including a context for understanding and a vocabulary for discussing associated issues and requirements;
- The role SOA governance plays in corporate governance initiatives;
- The fundamental importance of quality, predictability and trust in an SOA;
- The importance of a full lifecycle approach to managing SOA artifacts; and
- The excessive cost of inaction, and the consequences of an ungoverned SOA.
This paper offers readers a solid understanding of the role of, and the requirements for, SOA governance. Readers will be better prepared to ask the right questions and to define and implement an SOA governance strategy.

The SOA Imperative

There's a reason why service orientation is among the most strategic and visible trends within the enterprise today. Few other innovations in computing have the transformative potential of service oriented architectures (SOA). The emergence and wide adoption of open standards, in conjunction with the advent of new SOA tools and infrastructure, has turned SOA from a distant hope to a promise well within reach.

In many respects, being service oriented is synonymous with being business oriented. IT systems are created as a set of reusable services that can easily be linked together to conform to changing business requirements. SOA also moves the focus away from the nuances of underlying technologies and toward process definition, visibility and governance. This requires a new approach to how IT is produced, shared and consumed.

SOA Requires a New Way of Thinking

Gartner estimates that by 2007, 80 percent of IT initiatives will be service oriented. This prediction is made largely because standards-based Web services technologies have made service orientation a practical possibility. Web services are not mandated for SOA, but they offer a practical road to making SOA a viable and interoperable option for broad enterprise adoption.

Despite the high profile of service orientation today, many continue to think of SOA as just a bunch of Web services. But SOA is far broader in scope and ambition. SOA is a structured, planned approach to the design, deployment and integration of business-oriented services, including but not limited to Web services, within and across lines of business and other organizational boundaries.
In this context, SOA brings new challenges with respect to the assurance of service quality, consistency, performance, predictability and, perhaps most fundamentally, trust between the providers and consumers of services.

Why SOA Governance?

The promise of SOA is powerful. But what is apparent as organizations peel back the layers is that SOA radically changes traditional IT architectures. While SOA promises untold opportunities, it also introduces new issues around IT governance. The reality is, without a governance strategy, SOA can lead to chaos.

SOA introduces many independent and self-contained moving parts: components which are reused widely across the enterprise and are a vital part of mission-critical business processes. What happens when a service is changed? How can you be sure the service you are consuming is of high quality? What happens if a subcomponent of a composite service is retired? How can you be sure a new service is compliant with IT, business and regulatory policies? How can you ensure a predictable uptime of a service? These questions illustrate the need for SOA governance. SOA governance is about managing the quality, consistency, predictability, change and interdependencies of services. It's about blending the flexibility of service orientation with the control of traditional IT architectures.

SOA Governance is All About Trust

A significant challenge to widespread SOA adoption is that while the management of service quality is paramount, simply having quality is not enough.
For the first time, quality must be proven and demonstrable to consumers to gain their trust and create an effective shared-service environment.

A useful way to think about the importance of trust in SOA is to consider the example of a consumer marketplace such as eBay, where anonymous buyers and sellers are expected to come together and quickly establish some degree of trust, despite their total anonymity. According to basic economics, a market requires information in order to function efficiently. Information is the lifeblood of any market, largely because it enables buyers and sellers to make informed decisions, and provides the basis for establishing trust. Buyers and sellers on eBay trade on the basis of information. Buyers are not willing to do business unless they understand what is being offered, the terms and conditions of the sale, and the reputation of the seller; likewise, sellers want some assurance of the buyer's ability and willingness to pay in a timely fashion.

In this respect, SOA is no different. SOA cannot be successful without trust: consumers will simply fail to reuse services if they can't be assured of quality, predictability and transparency of terms and conditions. In the same fashion, organizations should not encourage the use of services without understanding and controlling access and provisioning, and without understanding the overall fitness of reusable services.

SOA and the Nature of Change

Tightly-coupled systems define governance and control in the context of the application. SOA is different, in the sense that the application context is varied and ever-changing. This means that governance must be managed at a different level of abstraction: on the services themselves. Policies therefore need to be taken out of the code and externalized as metadata associated with the services. Complicating matters is the fact that, in a loosely-coupled world, change is a constant.
Loosely-coupled architectures potentially involve hundreds of services, which evolve and change based on their own unique lifecycles. With all of this change happening at once, how can an IT organization identify and manage the potential impact and interdependencies of change? This is a key domain of SOA governance.

Who Cares About SOA Governance Anyway?

If you consider the priorities on a CEO's agenda, SOA governance probably doesn't make the list, at least not explicitly. But it's important to recognize that SOA governance is a key enabler of corporate governance initiatives, which are a top concern of C-level executives. Sarbanes-Oxley, for example, requires enterprises to establish internal control guidelines and processes, auditor attestations of such controls, and senior management certification of financial results. Corporate governance, in turn, drives IT governance. To implement IT governance, companies turn to frameworks like ITIL, which prescribes setting IT objectives, providing direction to IT operations and comparing implementation to plan. IT activities are then introduced, and there is a process to measure performance.

SOA governance not only offers the means to control business services, but naturally bridges corporate and IT governance. Since organizations construct business services expressly to align IT with the business, they can use standards-based metadata (policies and descriptions) about these services to determine which services need to conform to corporate policies. They can then construct an SOA model that expresses how business services are constructed from elements of IT, and enable workflow that drives the management and enforcement of corporate policy. While corporate policy may be enforced manually using written guidelines, with the right infrastructure in place, SOA governance can automate corporate policy, reducing both the risk and the cost of compliance.

Key Elements of SOA Governance

Full SOA governance can't be delivered out of the box by a single technology vendor. Rather, it requires a cohesive strategy involving multiple elements that collectively ensure the quality, predictability and trust necessary for reuse. These elements are SOA policies, service contracts, lifecycle management and metadata, each described below.

SOA Policies

The nature of SOA (highly distributed, heterogeneous and very dynamic) means that it is critical for SOA artifacts to be governed by specific business, technical and regulatory policies. An SOA policy defines configurable rules and conditions that affect services during both design time and run time. This means that policies must be used to validate services before they are published, and as a basis for enforcing specific standards and behaviors at run time.

Because an SOA is composed of lots of moving parts, it's critical that service rules are electronically codified as a set of standard, reusable policies that can be associated with services. Such a linkage between service and policy enables automated validation of services and the enforcement of specific policies. Organizations must make an initial investment in taking these policies out of their dusty hard-bound binders and turning them into electronic business rules. This enables organizations to automate the process of validating and enforcing compliance in both a design-time and a run-time environment.

The goal is to first focus policy management at the design-time phase to ensure that quality issues and non-conformance are detected before services are put into production. This means that problems are headed off early, which is less costly to correct and less disruptive to operations than dealing with issues in a production setting.
Many organizations will also implement run-time policy management capabilities for monitoring and automatically enforcing policies during the usage of services.

The basic requirements for SOA policies are:
- Policy Management. Definition of reusable policies is one of the most important parts of a policy-driven SOA implementation. To define and maintain reusable policies, organizations need a system of record for policies.
- Policy Association. Policies are associated with their subjects (often, a business service) in an SOA registry. Policies are published to the registry in the same way as business services or XML schemas. Once policies are published, they are associated with business services, rendering specific capabilities, configurations or requirements that are imposed on specific services.
- Policy Enforcement. Policy enforcement is performed by specialized SOA services. Some policies might be enforced by the SOA service repository (usually, design-time policies), some by Web services management (WSM) products (for example, monitoring, logging and SLAs) and some by SOA applications themselves.
- Policy Reporting. Information about policies and policy enforcement is summarized in reports. These reports are stored and maintained in an SOA repository.

Service Contracts

Contracts are key architectural tools for communicating and enforcing policies, as well as other requirements, in a heterogeneous and distributed IT environment. Just as a business contract ensures a healthy commercial relationship, a service contract ensures a healthy provider/consumer relationship, and helps to establish an agreement and maintain trust between these parties. In other words, a service contract should provide a precise and unambiguous agreement for how the provider and consumer interact. Contracts are typically unique to a specific provider/consumer relationship, and they act as the container for both formal policies and agreements that are unique to the parties.
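The policy mechanism described above (reusable policies kept in a system of record, associated with a service in a registry, and evaluated before the service is allowed to be published) and the contract created at the point of consumption can be shown concretely. What follows is an added example written for this page; it is not Systinet code and does not reflect any Systinet API. The metadata field names (transport, authentication, version, owner, handles_pii, audit_logging), the policy names, the Registry class and the OrderEntry service are all assumptions for illustration.

```python
"""Design-time policy validation and contract binding over externalized
service metadata.

Added example, not Systinet product code. The metadata field names,
the policy names and the Registry class are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Metadata = Dict[str, object]


@dataclass(frozen=True)
class Policy:
    """A reusable rule: a name, a predicate over service metadata, and the
    message reported when the predicate fails."""
    name: str
    predicate: Callable[[Metadata], bool]
    message: str


def _is_semver(value: object) -> bool:
    """True for MAJOR.MINOR.PATCH with numeric parts."""
    if not isinstance(value, str):
        return False
    parts = value.split(".")
    return len(parts) == 3 and all(p.isdigit() for p in parts)


# Constructed policy catalog: the "business rules taken out of the binder"
# the paper describes, each a pure function of the service's metadata.
POLICY_CATALOG: Dict[str, Policy] = {p.name: p for p in [
    Policy("transport-tls", lambda m: m.get("transport") == "https",
           "transport must be HTTPS"),
    Policy("authn-required",
           lambda m: m.get("authentication") in {"ws-security", "mutual-tls"},
           "service must require authentication"),
    Policy("semver-version", lambda m: _is_semver(m.get("version")),
           "version must be MAJOR.MINOR.PATCH"),
    Policy("owner-assigned", lambda m: bool(m.get("owner")),
           "service must have an accountable owner"),
    Policy("pii-audited",
           lambda m: not m.get("handles_pii") or m.get("audit_logging") is True,
           "services handling PII must enable audit logging"),
]}


@dataclass
class Registry:
    """Minimal system of record: published services, the policies associated
    with each service (by name), and the contracts bound against them."""
    services: Dict[str, Metadata] = field(default_factory=dict)
    associations: Dict[str, List[str]] = field(default_factory=dict)
    contracts: List[Dict[str, str]] = field(default_factory=list)

    def associate(self, service_name: str, policy_names: List[str]) -> None:
        """Policy association: link catalog policies to a service."""
        unknown = [n for n in policy_names if n not in POLICY_CATALOG]
        if unknown:
            raise KeyError(f"unknown policies: {unknown}")
        self.associations.setdefault(service_name, []).extend(policy_names)

    def validate(self, service_name: str, metadata: Metadata) -> List[str]:
        """Return the message of every associated policy the metadata violates."""
        return [POLICY_CATALOG[n].message
                for n in self.associations.get(service_name, [])
                if not POLICY_CATALOG[n].predicate(metadata)]

    def publish(self, service_name: str, metadata: Metadata) -> List[str]:
        """Design-time gate: the service is published only if no associated
        policy is violated. Returns the violations (empty on success)."""
        violations = self.validate(service_name, metadata)
        if not violations:
            self.services[service_name] = dict(metadata)
        return violations

    def bind(self, consumer: str, service_name: str) -> Dict[str, str]:
        """Create a consumer/provider contract at the point of consumption.
        Refuses to bind to a service that was never published, and so never
        passed validation."""
        if service_name not in self.services:
            raise LookupError(f"{service_name} is not published; no contract created")
        contract = {"consumer": consumer, "service": service_name,
                    "version": str(self.services[service_name]["version"])}
        self.contracts.append(contract)
        return contract


def demo() -> dict:
    """Walk a constructed OrderEntry service from a non-conforming draft to a
    published service with a bound consumer."""
    reg = Registry()
    reg.associate("OrderEntry", list(POLICY_CATALOG))
    draft = {"transport": "http", "authentication": "none", "version": "1.0",
             "owner": "", "handles_pii": True, "audit_logging": False}
    first = reg.publish("OrderEntry", draft)   # five violations, not published
    fixed = {"transport": "https", "authentication": "ws-security",
             "version": "1.0.0", "owner": "retail-banking",
             "handles_pii": True, "audit_logging": True}
    second = reg.publish("OrderEntry", fixed)  # no violations, published
    contract = reg.bind("BranchPortal", "OrderEntry")
    return {"first": first, "second": second, "contract": contract}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the shape is that every policy is data the registry holds, not code inside the service: a new rule (say, a regulatory one) is added to the catalog and associated with the services it governs, and the same publish gate enforces it without touching any service implementation. Binding a contract only against a published service is what gives the consumer the assurance the paper calls trust; it is never offered a service that has not cleared the policies attached to it.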
A useful way to understand the role of a service contract is to relate it to a common example. Virtually everyone has rented a car. In this context, the rental agency is the provider, the renter is the consumer and the car is the service. A contract details the provider (the rental agency) and the consumer (the renter) and specifies the service (the car), the terms and conditions (the policies), and any other provisions or agreements that are unique to the provider and consumer (for example, pre-paying for fuel). This contract is the basis for an agreement to bind the deal. A service contract is no different in complexity or purpose.

Because they're unique to each individual provider/consumer relationship, contracts are typically created at the point of service consumption. But this is not to say that they must be rewritten each and every time. Many contracts can and should be retained and reused to form the basis of many provider/consumer agreements. Therefore, contracts represent another important SOA artifact that should be managed for reuse.

Lifecycle Management

The business value of SOA is directly related to quality, predictability and, most fundamentally, trust. But the only way to achieve the promise of SOA is by managing services and other SOA artifacts, not in isolation, but across a complete lifecycle. In this sense, the management of the SOA lifecycle is an intrinsic part of SOA governance.
In general, SOA lifecycle management is about:
- Ensuring the quality, performance and applicability of services that are published;
- Providing a means for consumers to discover and reuse services and other artifacts;
- Managing versions, security and state-change of services and other artifacts; and
- Assessing and managing the impact of change across a network of consumers.

Because of the loosely-coupled nature of providers and consumers within an SOA, there are actually two parallel, but distinct, lifecycles at work within SOA:
- The lifecycle of individual services as they are designed, built and deployed (which is primarily the concern of the service provider); and
- The lifecycle of a network of services (in which services are accessed and used by changing populations of service consumers, and where the lifecycle primarily concerns those consumers).

[Figure: provider lifecycle and consumer lifecycle. Stage labels shown in the figure: Change, Design, Build, Deploy, Assure, Bind, Interact, Monitor, Discover.]

The figure above illustrates a lifecycle model for service providers, and a lifecycle model for service consumers. In general, the provider lifecycle is centered on:
- Understanding and managing the requirements for services;
- Managing the access and visibility of services;
- Publishing information to support the reuse of services; and
- Managing an infrastructure to deliver on quality of service commitments.

The consumer lifecycle is actually quite different. It involves:
- Exploring service availability and capabilities;
- Validating the conformance of services;
- Negotiating terms of usage with providers;
- Validating and reporting on quality of service; and
- Discovering and responding to changes in services that are consumed.

Proper SOA governance is dependent on a strategy that addresses the requirements for both the provider and the consumer lifecycles.
Such a strategy offers the structure, control and discipline necessary to encourage good behaviors and discourage bad behaviors. It's a common mistake to treat the requirements of providers and consumers similarly, but the reality is that their needs are quite distinct.

Metadata

SOA governance is ultimately the combination of policy, process and metadata. Metadata, or data about data, is the set of policies and descriptions of business services that enables discovery and appropriate usage of those services. A rich set of information about business services must be interrelated to support all of the governance and lifecycle processes, such as publication, validation and approvals, that are required to ensure that an SOA remains manageable.

Generally speaking, there are three types of metadata: business information, technical information and governance information. Business information includes information like service type (e.g., order entry) and line of business focus (e.g., retail banking). Technical information includes transport type, authentication, interfaces and implementation. Finally, examples of governance information include the various policies and agreements discussed previously, and the relationships and dependencies between SOA elements.

In a tightly-coupled world, metadata is typically defined within the code of systems and applications. SOA requires this metadata to be externalized, separated from the native system, to enable the classification and governance of these independent services. Thus, metadata becomes a key artifact that needs to be managed within an SOA.

The Cost of an Ungoverned SOA

As previously mentioned, an ungoverned SOA can lead to unintended consequences, reversing the virtuous cycle and actually causing SOA to add cost and disrupt processes. The key here isn't to forego SOA because of this risk; rather, it's to define a strategy for SOA that builds governance into its core.
Costs of an ungoverned SOA can include:
- Lack of reuse, by compromising trust and causing consumers to decide against reusing services because of unpredictable quality and performance issues;
- Process disruption, by publishing services that don't fully conform to service-level requirements, or by failure to assess the impact of change;
- Escalations in support cost, through an onslaught of help-desk and field service calls resulting from service issues and outages;
- Lack of interoperability, creating silos of business services and perpetuating the same challenges of a traditional, tightly-coupled architecture;
- Non-compliance with regulations, by failing to associate key policies with services that have implications for industry or governmental regulations;
- Security breaches, by publishing services with no access-control policy associated with them and so allowing arbitrary access to data and services; and
- Overall SOA failure, by allowing chaos to reign and perpetuating a garbage-in, garbage-out environment.

Governance is Fundamental to SOA

Governance is not the same as management. Rather, it is more accurately defined as the rules, processes and practices that affect the way in which powers are exercised. In other words, governance can best be thought of as management architecture. SOA governance is really about creating a management architecture that blends the flexibility of SOA with the control and predictability of a traditional IT architecture.

It's a mistake for organizations to discount governance as something that is optional, nice to have, or a later-phase aspect of SOA. Governance must begin with the initial SOA deployment, providing the framework, processes and practices for scaling out a healthy and efficient SOA. An organization can't simply back into governance down the road, once an SOA implementation has reached a new level of maturity.
In the unique context of SOA, governance doesn't follow success; governance begets success.

SOA governance must focus on establishing a framework for assuring service quality and engendering trust between service providers and consumers as both individual services and the service network as a whole progress through their lifecycles. Without strategies or infrastructure for governance in place, organizations will hit roadblocks as they try to advance their SOA initiatives. By focusing on maximizing quality and trust within a service network, SOA governance allows organizations to achieve the system flexibility promised by SOA with a consistent and managed approach that helps ensure long-term success. The basic equation for thinking about the value of SOA governance is:

SOA + governance = flexibility + consistency + trust

Systinet 2 for SOA Governance and Lifecycle Management

Systinet provides the foundation for SOA governance and lifecycle management, making IT simpler, faster and standards-based. With its suite of award-winning and proven products, Systinet enables organizations to leverage and reuse their existing applications and data assets rapidly, provide interoperability among heterogeneous systems, and better align business processes with IT.

Systinet brings visibility, trust and control to service orientation with an SOA system of record and a rich set of governance and lifecycle management applications. This allows organizations to capitalize on the flexibility of SOA together with the control and predictability of traditional IT systems. The Systinet 2 product set (formerly codenamed Blizzard) prepares organizations to realize the full potential of an SOA, providing the foundation for business agility and service reuse without sacrificing IT control or predictability. Specifically, Systinet 2 enables organizations to achieve:
- Reuse through trust. Many SOA initiatives fail because reuse is hampered by a lack of trust in the quality and integrity of shared services. Systinet 2 provides the structure, control and processes to engender consumer/provider trust and to ensure reuse.
- A platform for SOA adoption. A methodology for designing, deploying and governing services is critical to a successful transformation to SOA. Systinet 2 provides an open and flexible platform for creating the structure, process and best practices for SOA success.
- A foundation for scale. An SOA simply cannot scale without governance at its core. Systinet 2 provides the foundation for a healthy SOA that is able to rapidly show momentum and provide the basis for large-scale implementations and broad reuse.
- Complete SOA visibility. Complete, up-to-date information is key to ensuring a predictable and trustworthy SOA. Systinet 2 provides an enterprise system of record for access to all of the metadata in an SOA, from policy and contracts to run-time metrics.
- Flexibility and control. Traditionally seen as mutually exclusive, Systinet 2 allows organizations to finally take advantage of the flexibility and business agility of an SOA without sacrificing IT quality, control or predictability.
An enterprise-class foundation, Systinet 2 delivers SOA governance and lifecycle capabilities, including the ability to:
- Standardize an approach for SOA adoption;
- Publish and discover business services;
- Validate conformance of services to specific policies;
- Create and manage consumer/provider contracts;
- Manage the full lifecycle of services and other SOA artifacts;
- Report on usage and understand the impact of change; and
- Ensure interoperability with the broader infrastructure.

Systinet 2 includes an SOA repository for storing metadata and managing relationships, and a suite of SOA governance and lifecycle management applications that can be deployed independently or together as an integrated suite. Specific capabilities include:
- Standards-based Registry. Systinet Registry has the widest adoption of any business service registry on the market today. It provides a simple and standards-based way to discover and publish reusable business services. It also integrates with the Systinet 2 repository to provide a complete system of record for all SOA information.
- SOA Repository. The SOA repository is the foundation for the rich governance applications Systinet 2 delivers. The repository provides a way to capture, catalog and discover all of the metadata, artifacts and relationships at the heart of an enterprise SOA. It also provides capabilities for rich reporting, impact analysis and synchronization with other repositories.
- Service Catalog. This capability simplifies the process of publishing and discovering services with a straightforward and intuitive application for providers to publish and consumers to discover business services.
- Policy Management. This capability transforms design-time validation of services from a manual effort to the click of a button. This takes the time and complexity out of service validation and improves the quality and conformance of reusable services.
- Contract/Consumer Management. Promotes consumer/provider trust by facilitating service-level agreements and other terms and conditions that bind the service providers and the consumers who reuse services.
- Lifecycle Management. Provides control over versioning and state-change of business services from initial introduction to final retirement.
- Governance Interoperability Framework (GIF). As the most widely adopted specification for SOA governance interoperability, GIF allows run-time applications and other SOA infrastructure to contribute to and reference Systinet 2 as the system of record for SOA information.

Systinet products are based on industry standards such as XML, SOAP, WSDL and UDDI. A pioneer in SOA technology, Systinet led the development of important standards at the World Wide Web Consortium (W3C), OASIS and elsewhere, while remaining consistently first-to-market with advanced and innovative products based on these standards. More than 170 Global 2000 companies rely on Systinet technology, including Amazon.com, BMC Software, Interwoven, JPMorgan, Motorola, Defense Information Systems Agency, and Société Générale.

To find out how Systinet can help your business, visit www.systinet.com, or call 1.781.362.1300. E-mail us at email@example.com.