IDG Whitepapers: SOA - 10 Steps to SOA (Page 30)

all of our customers from the infrastructure standpoint to put a premium on openness, because otherwise you’ll have the worst case of vendor lock-in you’ll ever see.” — Oliver Rist

Steps to SOA No. 6:

Start tackling governance

Registries are more than just containers in which services can be described by metadata and discovered by clients and other services. They are also centers of SOA governance, where IT can list human service owners, manage versioning, ensure compliance with enterprise requirements, and more. The sooner you start thinking about how governance will work, the better.

Governance is best defined as a combination of workflow rules — who is responsible for what services, what happens when quality assurance uncovers problems, and so on — plus management of service interface definitions. Those definitions become an analogue of an IT org chart gradually transformed by the disruptive effect of SOA. “The strongest way to look at your service interfaces is that they are the design of your business,” says Randy Heffner, vice president at Forrester Research. “They deserve attention and governance as much as the design of your business does.”

SOA is fundamentally a new paradigm of IT, according to a technology exec at a major financial conglomerate who asked not to be named. “When you increase dependency and complexity, it presents a whole new set of problems,” the tech exec says. “The more SOA is successful, the more management becomes a problem.” This exec believes that governance should be distributed rather than centralized, in a manner similar to the relationships among federal, state, and local government in a democracy. And he means that literally: He is currently studying The Federalist Papers for insight.

In 2004, The Hartford formed an enterprise architecture group to put a “governance process around projects,” according to Moreland. In the beginning, he says, the governance process was all about communication. “We had architects talking together for the first time that were really solving the same problems, but in different lines of business. Now we’re to the point where we will actually stop a

project if it does not conform to the reference architecture or the line-of-business blueprint. And we have the authority from upper management to be able to do that.”

Moreland provides a specific example of the types of problems good governance can avoid. Recently, one business unit of The Hartford published a useful service in the proper SOAP format. A different area of the business applied to use that service but also requested that the service return two additional data values within the XML. “The owner of that first service … said, ‘I don’t have the funding or the budget or the resources to do that. I’m tied up with other stuff,’ “ Moreland recalls. In such a case, he says, good governance stipulates that the service in question should be owned by a group with a dedicated team that can maintain and modify it for the entire enterprise.

— Oliver Rist

Steps to SOA No. 7:

Lay your security plans

Years ago, when the industry began promoting Web services, the first objection raised was: What about security? That’s because, back then, the emphasis was on XML integration across enterprise boundaries. By contrast, SOA tends to focus on the architecture of a single enterprise — or closely related enterprises — where the underlying assumption is that everything occurs within one, big trusted zone.

“Many people have this sense of, ‘When I’m doing this kind of stuff inside the firewall, based on restricted network segments or whatever else, I’m OK without a deeper sort of use of security in my services environment’,” Forrester’s Heffner says. “But the time when everybody says, ‘I have to do something with security,’ is an external connection.”

Although SOA shifts the emphasis toward internal architecture, B-to-B integration with partners is a natural extension — and in many cases a core benefit. Across firewalls, the solution can be as simple as a two-way SSL connection. But before you jump to any technology conclusions, Heffner advises that you first decide whether your enterprise is a “hub” or a “spoke.”

Hubs, says Heffner, can simply lay down the law. “If you’re a Wal-Mart, then as a hub, you just say what the architecture is going to be … because everybody’s got to