Steve -- you seem to be associating governance with autonomic computing, so I feel obliged to reiterate that governance is not limited in scope to runtime efforts. Governance applies to all stages of service lifecycle -- design, development, testing, QA, release engineering, staging, provisioning, operations, client provisioning, testing, error tracking, revisions, etc.
Certainly you want to make runtime operations run as smoothly as possible and resolve hiccups as autonomically as possible, but I would call that SOA management rather than SOA governance. Back to Gautham's comment -- WSM products play an enforcement role in governance, because they typically enforce a bunch of policies at service provisioning time (configuring security for the service, etc), and they enforce policies at runtime (authN, authZ, auditing, etc). But SOA governance requires a lot more than just policy enforcers. Enforcement is the easy part.
Governance is actually more about putting hurdles in place to verify compliance than it is about making things go smoothly. Governance makes sure that developers don't circumvent the ops people so that they can get their app out more quickly. Governance is about making sure that apps have been thoroughly tested before they get deployed. Governance is about making sure that an app has the proper security protections in place. Governance is about making sure that the next consumer that gets permission to use a service doesn't overwhelm the system and bring down 20 other apps.
Some parts of governance can be automated. Other parts of governance can be guided using human workflow. Other parts of governance are definitely manual in nature. For example, no one's going to generate your corporate SOA policies for you. That takes a lot of hard work and collaboration across departments and business units. Defining the policies is the hard part.
The governance tools I mentioned from Systinet and WebLayers are policy management systems. They help with the policy definition process by providing a database to capture and maintain the policies, and they help with policy compliance testing. Policies are reusable artifacts that have their own lifecycle. They are defined, codified, used, and revised. A policy management system provides the means to:
- codify and document a policy (e.g., all services must use literal encoding and here's how you test for compliance),
- group policies (e.g., the WS-I BP policy group comprises a couple hundred individual policies),
- attach policies/policy groups to various service groups/services/service artifacts
- identify when artifacts should be tested for compliance (code check-in, build, registration, invocation, etc)
- test services/service artifacts for compliance
- report on compliance violations
- provide an approval process for compliance waivers
On 11/19/05, Steve Ross-Talbot <[EMAIL PROTECTED]> wrote:
I agree that the workshop was not entitled governance for SOA at all.
But it was very much in that direction. As you say governance is a very
wide topic. Alas your reports are not available whereas the position
papers at the workshop are freely available. So at least it is a start
and coupled with your basic thoughts perhaps we can drive forward in
the right direction.
I'd be interested in any open discussion on the topic as I have spend a
good deal of time talking to people about this in various roles
(vendors, users and just practitioners) and thus far it remains
something of a wish list rather than something that really exists in
product. I do know that the companies you mentioned have made strides
in this area (including Systinet - your old company, and of course
Enigmatec - my old company) but we are a long way off from achieving
the sort of governance that is needed to achieve the IBM vision of
autonomic computing.
So any ideas thoughts would be welcome and doubly so if we can make it
an open discussion.
Cheers
Steve T
On 19 Nov 2005, at 13:52, Anne Thomas Manes wrote:
> Based on my experience working with clients, I disagree that the term
> "governance" is scoped to the subject of the W3C workshop on
> constraints and capabilities. I've written a lot about governance for
> Burton Group. Unfortunately, I can't share those reports with you
> because Burton Group reports are available only to subscribers.
>
> But I will share with you some basic thoughts:
>
> Governance refers to the processes that an enterprise puts in place to
> ensure that things are done right, where "right" means in accordance
> with best practices, architectural principles, government regulations,
> laws, and other determining factors. SOA governance refers to the
> processes used to govern adoption and implementation of SOA.
>
> SOA governance involves three steps:
> 1 Define SOA policies
> 2 Deploy an SOA infrastructure that supports adoption of these
> policies
> 3 Institute a set of formal processes and procedures that verify
> compliance with these policies
>
> SOA policies relate to issues such as:
> • · Design principles
> • · Preferred design patterns
> • · Application-factoring rules
> • · Naming conventions
> • · Metadata requirements
> • · Documentation
> • · Preferred products
> • · Product selection guidelines
> • · Preferred domain standards
> • · Preferred industry standards
> • · Methods for dealing with regulatory requirements
> • · Methods for assessing security risks
> • Methods for implementing security based on risk factor
> • · Methods for ensuring reliability and transaction
> integrity·
> • Service testing
> • New service deployment and staging
> • · Service registration
> • · Service classification
> • · Service provisioning
> • · Service configuration
> • · Service monitoring
> • · Client provisioning
> • · Service modification
> • · Service versioning
> • · Impact analysis
> • · Service level objectives (SLO)
> • · Service level agreement (SLA) compliance tracking
> • · Error tracking and resolution
> This list is long, but it barely scratches the surface.
>
> Products that help with SOA governance include registries,
> repositories, software asset management systems, workflow, testing
> tools, web services management.
>
> No one vendor covers the full SOA governance lifecycle.
>
> Leading players in the SOA governance software market include:
> • Systinet and WebLayers, who provide policy management systems
> (repository-based system for managing the lifecycle of codified
> policies) as well as policy compliance testing tools and integrated
> workflow for managing approval processes. Mindreef also does some
> compliance testing, but at a much smaller scope.
> • Systinet, Infravio, Flashline, and LogicLibrary, who provide
> registries, repositories, and/or software asset management systems,
> which are extremely useful for managing SOA assets and which can be
> used as a gatekeeper for institution of governance approval processes
> at various points in the service lifecycle (dev, testing, staging,
> provisioning, revisions)
> • AmberPoint, Actional, Layer 7, and Reactivity, who provide support
> for governance at the service provisioning and runtime stages.
> Anne
>
> On 11/19/05, Gautham Kasinath <[EMAIL PROTECTED] > wrote:
>>
>> Thanks for the brief explanation. I am reading the workshop materials
>> from W3C on the topic, following your advice.
>>
>> Thanks again.
>>
>> Cheers
>> Gautham Kasinath
>> --- In [email protected], Steve
>> Ross-Talbot <[EMAIL PROTECTED] ...> wrote:
>> >
>> > Gautham,
>> >
>> > Normally the term governance as applied to SOA is based on the
>> notion
>> > of static governance.
>> > This is the sort of thing that WS-Policy (which is not a standard)
>> is
>> > all about. A recent workshop
>> > run by W3C looked at wider notions of governance including the more
>> > interesting form which is
>> > dynamic governance.
>> >
>> > It probably makes sense to take a peek at the W3C workshop papers to
>> > get a better understanding
>> > of what governance is all about.
>> >
>> > Cheers
>> >
>> > Steve T
>> >
>> > W3C Workshop on Constraints and Capabilities for Web Services
>> > http://www.w3.org/2004/09/ws-cc-program.html#papers
>> >
>> >
>> >
>> > On 19 Nov 2005, at 00:33, Gautham Kasinath wrote:
>> >
>> > > Hello,
>> > >
>> > >What exactly is SOA governance? Is it goverining an SOA
>> framework,
>> > >like in monitoring request-response, SLA etc?
>> > >
>> > >Cheers
>> > >Gautham Kasinath
>> > >
>> > >--- In [email protected], John
>> Crupi
>> > ><[EMAIL PROTECTED]> wrote:
>> > >>
>> > >> Would you like to start with the use-cases/scenarios first to
>> helpÂ
>> > >> narrow the problem?
>> > >>
>> > >> jc
>> > >> -----------------------------------------
>> > >> John Crupi
>> > >> CTO, Enterprise Web Services Practice
>> > >> Sun Distinguished Engineer
>> > >> AIM: JohnCrupi
>> > >> Blog: blogs.sun.com/crupi
>> > >> Cell: 301.526.7890
>> > >>
>> > >>
>> > >> On Nov 18, 2005, at 12:22 AM, Tilak Mitra wrote:
>> > >>
>> > >> > I am looking for some real world implementation of SOA
>> > >> > Governance, starting right from a project inception
>> > >> > i.e. Strategy and Visioning , through Design,
>> > >> > Implementation and right through operational and
>> > >> > runtime.
>> > >> > Any white paper / research work or material in any
>> > >> > other form would be helpful.
>> > >> > Thanks
>> > >> > Regards
>> > >> > Tilak
>> > >> >
>> > >> >
>> > >> >
>> > >> > __________________________________
>> > >> > Yahoo! FareChase: Search multiple travel sites in one click.
>> > >> > http://farechase.yahoo.com
>> > >> >
>> > >> >
>> > >> >
>> > >> > YAHOO! GROUPS LINKS
>> > >> >
>> > >> >ÂVisit your group "service-orientated-architecture" on the
>> web.
>> > >> >
>> > >> >ÂTo unsubscribe from this group, send an email to:
>> > >> >Âservice-[EMAIL PROTECTED]
>> > >> >
>> > >> >ÂYour use of Yahoo! Groups is subject to the Yahoo! Terms of
>> > > Service.
>> > >> >
>> > >> >
>> > >>
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > SPONSORED LINKS
>> > > Service-oriented architecture
>> > > Computer monitoring software
>> > > Computer and internet software
>> > > Free computer monitoring software
>> > >
>> > > YAHOO! GROUPS LINKS
>> > >
>> > > â–ª Â Visit your group "service-orientated-architecture"
>> on the web.
>> > > Â
>> > > â–ª Â To unsubscribe from this group, send an email to:
>> > > Â [EMAIL PROTECTED]
>> > > Â
>> > > â–ª Â Your use of Yahoo! Groups is subject to the Yahoo!
>> Terms of
>> > > Service.
>> > >
>> > >
>> >
>>
>>
>>
>>
>>
>>
>>
>>
>> ------------------------ Yahoo! Groups Sponsor
>> --------------------~-->
>> Get fast access to your favorite Yahoo! Groups. Make Yahoo! your home
>> page
>> http://us.click.yahoo.com/dpRU5A/wUILAA/yQLSAA/NhFolB/TM
>> --------------------------------------------------------------------
>> ~->
>>
>>
>> Yahoo! Groups Links
>>
>>
>>
>>
>>
>>
>
>
>
> SPONSORED LINKS
> Service-oriented architecture
> Computer monitoring software
> Computer and internet software
> Free computer monitoring software
>
> YAHOO! GROUPS LINKS
>
> ▪ Visit your group "service-orientated-architecture" on the web.
>
> ▪ To unsubscribe from this group, send an email to:
> [EMAIL PROTECTED]
>
> ▪ Your use of Yahoo! Groups is subject to the Yahoo! Terms of
> Service.
>
>
------------------------ Yahoo! Groups Sponsor --------------------~-->
Get fast access to your favorite Yahoo! Groups. Make Yahoo! your home page
http://us.click.yahoo.com/dpRU5A/wUILAA/yQLSAA/NhFolB/TM
--------------------------------------------------------------------~->
Yahoo! Groups Links
<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/service-orientated-architecture/
<*> To unsubscribe from this group, send an email to:
[EMAIL PROTECTED]
<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
YAHOO! GROUPS LINKS
- Visit your group "service-orientated-architecture" on the web.
- To unsubscribe from this group, send an email to:
[EMAIL PROTECTED]
- Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
