DATA Inc. Presentation: Governance: Fundamental to SOA's Success. Presented at the Architecture and Design World Conference in Chicago IL, 2008.

1. Governance: Fundamental to
SOA’s Success
Ari Roy
Senior Project Manager
DATA Inc.
Montvale , NJ
arabinda@dataincusa.com
www.datainc.biz

2. Why Governance?
“Governance is much
more complex if not
thought out well in the
beginning”
2

3. SOA in the conventional enterprise
ERP HR
(SAP) (PeopleSoft)
Legacy Billing system
(IBM Mainframe) Internal Customers
ESB
Manual
External Customers
Firewall
New Business Process
CRM Sales Force Client OnBoarding
(Seibel) (Custom) Symbol steps Description
Corporate Policy 1 Sales Force
2 HR
3 CRM
4 Billing
3

4. Evolution after one year – without Governance
Custom App
ERP (v2) HR
(SAP) (PeopleSoft)
Internal Customers
Legacy Billing system
Compliance Policy (IBM Mainframe)
ESB External Customers
Manual
Firewall
New Business Process Business Partners
Sales Force(v1.2) Client OnBoarding
CRM(v2) (Custom)
(Seibel) Symbol steps Description
Corporate Policy 1 Sales Force
2 HR
PLM 3 CRM
SCM
4 Billing
5 Custom app
Compliance Policy
Development QA Deployment Operation
4

5. Evolution after one year – with Governance
Run Time Policy
Design Time Policy Management
Development QA Deployment Operation
5

6. SOA Governance Defined
The discipline of making SOA adoption within an
enterprise consistent and aligned with overall
business objectives through creation and
administration of a well organized set of top‐down
policies, procedures and controls.
6

7. Governance Roadmap ‐ 4 Long and 4 Short steps
7

8. Governance Roadmap ‐ 4 Long and 4 Short steps
8

9. Governance Roadmap ‐ 4 Long and 4 Short steps
9

10. Governance Roadmap ‐ 4 Long and 4 Short steps
10

11. Governance Roadmap ‐ 4 Long and 4 Short steps
11

12. Governance Roadmap ‐ 4 Long and 4 Short steps
12

13. Governance Roadmap ‐ 4 Long and 4 Short steps
13

14. Governance Roadmap ‐ 4 Long and 4 Short steps
14

15. Governance Model
1
SOA Governance Council
Roles Policy
2
Define Roles and Responsibilites Establish Governance Process
And Policies
Domain-B
owner
3
Domain-A
owner
Processes and Procedures
Common SOA Infrastructure
15

16. Governance Model
1
SOA Governance Council
Roles Policy
2
Define Roles and Responsibilites Establish Governance Process
And Policies
Role of the Governance Council
Domain-B
owner
3
• Framework for Decision Making
• Allocates Responsibility across organization
Domain-A
owner
Processes and Procedures
• Processes involving decision making
• Metrics for monitoring effectiveness Common SOA Infrastructure
16

17. Governance Model
1
SOA Governance Council
Roles Policy
2
Define Roles and Responsibilites Establish Governance Process
And Policies
Policy Management Recipe
Domain-B
owner
3
• Definition of Policies
• Creation of Policies
Domain-A
owner
Processes and Procedures
• Storage of Policies
• Communication of Policies Common SOA Infrastructure
• Feedback of Policies
17

18. Governance Model
What is a Domain ?
1
• A domain contains set of services that relate to same
business area/context
SOA Governance Council
2 Roles Policy
Define Roles and Responsibilites Establish Governance Process
And Policies
– Billing, Purchase, Client Services
Domain-B
owner
3
Domain-A
owner
Processes and Procedures
Common SOA Infrastructure
18

19. Governance Model
What is a Domain ?
1
• Each domain owns and manages these services
SOA Governance Council
– Service availability / Data and Message Format / Business
2 Roles Policy
Define Roles and Responsibilites Establish Governance Process
Logic Encapsulation And Policies
Domain-B
owner
3
Domain-A
owner
Processes and Procedures
Common SOA Infrastructure
19

20. How does this fit within the Enterprise ?
Corporate
Governance aligns
IT aligns
Governance
Architecture
Governance
<<extends>> <<extends>> <<extends>>
SOA Governance
20

21. How does this fit within the Enterprise ?
Corporate
Governance aligns
IT aligns
Governance
Architecture
Governance
<<extends>> <<extends>> <<extends>>
SOA Governance
21

22. How does this fit within the Enterprise ?
Corporate
Governance aligns
IT aligns
Governance
Architecture
Governance
<<extends>> <<extends>> <<extends>>
SOA Governance
22

23. How does this fit within the Enterprise ?
Corporate
Governance aligns
IT aligns
Governance
Architecture
Governance
<<extends>> <<extends>> <<extends>>
SOA Governance
23

24. How does this fit within the Enterprise ?
Corporate
Governance aligns
IT aligns
Governance
Architecture
Governance
<<extends>> <<extends>> <<extends>>
SOA Governance
24

25. Typical Governance Framework
25

26. Typical Governance Framework
26

27. Typical Governance Framework
27

28. Authorized User
Publishes
Governance Process Workflow
A new Web service
Service
(appears in registry)
Delivery is
monitored and
recorded
ESB
Potential 1. Consumer Requests Use of
Consumer Service
discovers the 2. Consumer agrees on Terms of
Web service delivery
3. Consumer is Authorized
4. Service is provisioned
28

29. Governance Requirements scenario analysis
General Ledger Application Customer Portal
(J2EE) (.Net )
Online Online
Ordering Payable
Financial
Reporting Payable/ Online
Service Receivable Order
Status
What is a internal
control requirements? SOA Infrastructure
Ref :404 of Sarbanes
Oxley Act (SOX)
Warehouse Application
(Mainframe –COBOL/CICS)
Inventory Shipping/
Check Receiving
29

30. Governance Requirements scenario analysis
General Ledger Application Customer Portal
(J2EE) (.Net )
Online Online
Ordering Payable
Financial
Reporting Payable/ Online
Service Receivable Order
Status
What is a internal
control requirements? SOA Infrastructure
Ref :404 of Sarbanes
Oxley Act (SOX) Control Objective Risk Control Practice
Accurate Recording Missing Documents Invoice amounts are
Warehouse Application of invoices for all or incorrect properly recorded to
(Mainframe –COBOL/CICS) authorized shipments information account, amount,
period
Inventory Shipping/
Check Receiving
30

31. Governance Requirements scenario analysis
General Ledger Application Customer Portal
(J2EE) (.Net )
Online Online
Ordering Payable
Financial
Reporting Payable/ Online
Service Receivable Order
Status
Many Ways to
What is a internal implement…
control requirements? SOA Infrastructure Schema Validation,
Ref :404 of Sarbanes Cross Referencing
Oxley Act (SOX) Control Objective Risk Control Practice
Accurate Recording Missing Documents Invoice amounts are
Warehouse Application of invoices for all or incorrect properly recorded to
(Mainframe –COBOL/CICS) authorized shipments information account, amount,
period
Inventory Shipping/
Check Receiving
31

32. Key components of Governance
32

33. SOA Governance‐Service Lifecycle
Run Time
Design Time
Registry /
Repository
Upgrade Time
33

34. Design Time Governance (some or all)
Entitlement
Identity(?)
Management
Design Notification/
Time Approvals
Audit Trail
Content
Validation
34

35. Identity Management
Purpose:
To Establish Rights and
Responsibilities in the
registry/repository
Measuring the Service
usage/Logging
Enforcing Approval Requirements
Enforcing Role/Individual based
Governance
Features:
LDAP based, SSO
Digital Identity
35

36. Entitlements
Purpose:
To grant fine grained access to registry/repository assets
Features:
Ability to secure assets
Ability to Classify assets and provide access
Ability to classify Policies and Assign Roles
36

37. Notification and Approval
Purpose:
To Trigger events in response
to Create, Update, Read and
Delete activities
Features:
Must be applied before and/or
after interaction
Support for different Notification models
(Message based, Email)
37

38. Content Validation
Purpose:
To scan and validate contents
in Registry/Repository as per
type and pre-configured
compliance checks
Features:
WSDL validation
Schema Validation
Validation related to Interoperability
38

39. Audit Trail
Purpose:
To establish accountability
To track interaction among
participants and registry/
repository
Establish Usage pattern
Features:
Format /Verbosity Requirements
Archival Policy
39

40. Run Time Governance (some or all)
Service
Virtualization ESB
End Point
Management Message
Transport
Runtime
Custom Policy
Management Provisioning
Version
Management
40

41. Service Virtualization
Purpose:
To compose task-specific
“virtual” services from existing
services.
Features:
Ability to Consolidate one or more operations from
different services into one
Create Skeleton services from WSDL
Auto generation of WSDL for new virtual service
41

42. Message Brokering
Purpose:
To deliver service based on
business or compliance
criteria
Features:
Routing rules based on
Content/Context
Transform Inbound request / Outbound response
Logging ,Monitoring, Alerting
SLA Management
Mediate across different transport protocols (HTTP-to-
JMS, JMS-to-HTTP or custom)
42

43. Policy provisioning
Purpose:
Provisioning of Operational,
Compliance policy
Features:
Auto Enforcement of policies
on new Services
Auto adaptation of Client to
new Policy Requirements
Auto Provisioning of policy
based upon Change in
service profile
43

44. Version Management
Purpose:
To allow smooth evolution of production systems
Features:
Publication of multiple versions of the same service
simultaneously
Transparent Rolling upgrades to published service
Back-ward compatibility
Version based routing
44

45. Custom Management
Purpose:
Template based approach to Policy Management
Features:
Custom policy libraries for specific management needs
Content, context or custom instrumentation based
approach to any domain- or application-specific policy
Reuse of custom policies across multiple applications or
SOA projects
45

46. End Point Management
Purpose:
Fine grain control of the service deployed in each of the
container
Features:
Managed endpoints for each service
Special purpose end points based on type of usage
secured/unsecured)
Load Balancing/Fail Over for Highly available End points
46

47. Upgrade Time Considerations
¬ Understand Inter-Service
relationship and dependencies
¬ Analyze the Impact of changing
a Web Service in a runtime
environment
¬ Complexity in Roll outing Service
in Runtime Environment
¬ Service Custody Transfer
¬ Changes to existing SLA and Policies 47

48. Automating Governance
Design Time
Code analysis
Content Validation
Run Time
WS-I compliance
Usage of Predefined schema
Usages of Specific Transport
Automated policy Discovery
/provisioning
Change Time
Monitoring and Measurement of SLA metrics
(response time, availability, or throughput of service)
48

49. Technologies Behind Governance
49

50. Role of ESB in Governance
¬ Security
- Ensure Privacy, Authenticity, Authorization and
Auditing of all Message exchanged
¬ Mediation
- Policy based mediation (protocol/invocation)
¬ Management
- Holistic view of Transactions that passes through
- Intercept Service call
50

51. Role of Service Registry/Repository
Where all Services are published
Implements process to publish service that matches
Governance model
Contains Policies applicable to each service
51

52. Service Registry
SOA Registry
Universal Description Discovery and Integration
UDDI API sets UDDI Schema
(Web service Access) (Meta Data Standard)
SOA MetaData
Business Policy
Policies
Taxonomy Association
Dependencies Configurations Subscription
Service Provider
Information Information
52

53. Service Repository
SOA Repository
Common Features
Design Time Policy
WSDL Libraries
Libraries
Message Logs
Run Time Policy
Performance Info
Libraries
Extensions
Run Time Event
Reports Dashboards
Notification
Blogs Wikis
53

54. Integrated Registry/Repository‐ Key Benefits
¬ Consistent view of service definition
¬ No duplication of Data
¬ No need for data synchronization
¬ Discover both Service info and dependencies
54

55. Implementing SOA Governance
55

56. SOA Governance Checklist ‐1
¬ Registry/Repository:
Service Meta‐Data setup
and Validation
Service Relationship and
Dependency Management
¬ Access to Service:
Workflow based Request
Process
User Configurable
Policies
56

57. SOA Governance Checklist ‐2
¬ Publishing Service
Workflow based Notification
WSDL validation and
Conformance Reporting
Wizards for Publication
¬ Delivery of Service
Provider/Consumer
Binding
SLA enforcement,
Versioning, Deployment
Centralized monitoring
57

58. SOA Governance Checklist ‐3
¬ Delivery of Service (cont.)
Routing Management
Failover /Load Balancing
Logging and Audit Trailing
¬ Service Change
Management
Service subscription
management
Service Metadata
subscription
58

59. SOA Governance Checklist ‐4
¬ Replication strategy
Selective synchronization
/promo.
Master/Slave based
¬ Enforcement of
Security
Role based
ACL
Fixed and Configurable Roles
Support for LDAP
¬ Interoperability
Handling any URI data types
Java Rule Engine API
59

60. Analysts Comments:
• “The governance of objects and components is relatively
straightforward: We create the gadget
and put into a repository and fix it when we
need to.”
Carl Lentz ‐ Panelist ‐ The Role of Objects in a Services‐obsessed
World ‐ ACM, 10/2007
• "Enterprise governance models, early adopters are implementing
organizations whose focus is to advance
SOA adoption."
Rajeev Mahajan ‐ Practice Manager ‐ The Service Integration Maturity Model: Achieving
Flexibility in the Transformation to
SOA ‐ IEEE, 9/2006
60

61. Benefits of SOA Governance
¬ Greater alignment with business objectives
¬ Greater control over creation, deployment
and consumption of services
¬ Centralized management of policies and regulations
¬ Can embed compliance with government and industry
regulations
¬ Sarbanes‐Oxley, MiFID, HIPAA, GLBA
61

62. Challenges of SOA Governance
¬ Multiple organizations:
‐ How to create governance for service providers, infrastructure
providers, and application developers? What if policies
conflict?
¬ Managing exceptions:
‐ How to record and maintain sometimes necessary exceptions?
62

63. Challenges of SOA Governance
¬ Enforcing compliance:
‐ How to make sure that policies and procedures are being
followed at design time as well as runtime?
‐ What are the incentives for compliance?
¬ Seems counterintuitive:
‐ If SOA foundation lies in loose coupling and flexibility, why
do we need centralized control?
63

64. Case Study
Operational Risk management in
Derivative Trade Processing
64

65. Life Cycle of a Derivative Trade
Confirmation
Settlement
Termination/
Novation
Portfolio
Reconciliation
65

66. Process Flow
Dealer 1 Clients
4
2
5
SOA Trade Trade
Trade 3 Capture
Capture
Execution 8 System
System 6 Platform
7
9
DTCC
66

67. Implement Governance to avoid blind spots in the SOA
highway
67

68. Resources
BEA :
http://www.bea.com/framework.jsp?CNT=index.jsp&FP=/content/solutio
ns/soa_governance
IBM :
http://www‐
306.ibm.com/software/solutions/soa/entrypoints/advancing_soa_govern
ance.html
INFOQ:
http://www.infoq.com/governance/
68

69. Q & A
69