Hi Todd and Anne (and everyone), SOA Governance truly reflects the connection between the business side and the technology side. The subtle thing about it is of course that it involves structured and unstructured information, humans and machines and a synthesis of business and IT that hasn't really been achieved to date.
I agree with Todd that communication and documentation are certainly as key if not more so than tooling... Another key point is that the mechanisms for applying and enforcing aspects of SOA governance shift as you move along the service lifecycle, whether you are focused on design time, run time or change time.

Best,
Miko Matsumura
VP of Technology Standards, Infravio

--- In [email protected], "Biske, Todd" <[EMAIL PROTECTED]> wrote:
>
> Governance is one of my favorite topics. If someone asked me the thing that will influence the success of an SOA initiative the most, it would be governance.
>
> As someone trying to build out an SOA in a corporate IT environment, I agree with Anne's definition 100%. A very easy way to look at it is to compare it to a traditional government. A government has to legislate, provide infrastructure, maintain strategic plans, enforce laws (police force), etc. These are all activities that an IT organization must do to govern an SOA. In reality, these are all things that an IT organization should have been doing, regardless of whether SOA is being done or not.
>
> The same challenges that municipalities face in their strategic growth are faced by IT organizations. Urban centers grew through a very centralized approach, but have had to become more and more decentralized due to suburban sprawl. As rural communities have grown, they have had to work more and more with their neighboring communities, possibly sharing common infrastructure and services. The same is true of IT organizations. The urban center can be thought of as the mainframe or legacy systems. Due to the web, web services, etc., portions of the legacy logic need to be decentralized to meet the demands of the future. At the same time, silo'd application development represents the rural communities. These applications have grown, and the world of business processes is requiring them to work together seamlessly, rather than through inefficient handoffs and redundant processing.
>
> When the first tool came out claiming to provide "SOA Governance," I almost laughed out loud, knowing that there is no tool or technology that will provide SOA Governance. There are tools and technologies that can make governance easier, but ultimately, it will come down to process and communication. If the process and communication isn't there, the governance won't be either. At the same time, we can't govern by process alone. The things being enforced (i.e. the legislation) must be documented for all to see. Herein lies the real challenge with regards to SOA or, more broadly, applying governance to IT. SOA is about looking horizontally while others are looking vertically. How do you document the rules associated with making something an enterprise service versus an application-specific service? Yes, we can have rules around WS-I compliance and naming conventions, but this often comes down to semantics and a strategic vision (i.e. business service blueprint). This is akin to a business applying for a business license in a city. There will be guidelines for the application that must be followed, but there is still a judgement that must be done by a city council as to whether they want the business in their city. There may be general guidelines in the city master plan, and the opinions of the council members are exposed through the political process, but largely, things will be handled on a case by case basis by a set of people given the responsibility for making those decisions. If you have the wrong people in place, you won't be successful.
>
> -tb
>
> -----Original Message-----
> From: Anne Thomas Manes [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 20, 2005 7:17 AM
> To: [email protected]
> Subject: Re: [service-orientated-architecture] Re: SOA Governance work
>
> I'd love to see further discussion on this topic. I'd love to hear from people what governance practices they are putting into place.
>
> Steve -- you seem to be associating governance with autonomic computing, so I feel obliged to reiterate that governance is not limited in scope to runtime efforts. Governance applies to all stages of service lifecycle -- design, development, testing, QA, release engineering, staging, provisioning, operations, client provisioning, testing, error tracking, revisions, etc.
>
> Certainly you want to make runtime operations run as smoothly as possible and resolve hiccups as autonomically as possible, but I would call that SOA management rather than SOA governance. Back to Gautham's comment -- WSM products play an enforcement role in governance, because they typically enforce a bunch of policies at service provisioning time (configuring security for the service, etc), and they enforce policies at runtime (authN, authZ, auditing, etc). But SOA governance requires a lot more than just policy enforcers. Enforcement is the easy part.
>
> Governance is actually more about putting hurdles in place to verify compliance than it is about making things go smoothly. Governance makes sure that developers don't circumvent the ops people so that they can get their app out more quickly. Governance is about making sure that apps have been thoroughly tested before they get deployed. Governance is about making sure that an app has the proper security protections in place. Governance is about making sure that the next consumer that gets permission to use a service doesn't overwhelm the system and bring down 20 other apps.
>
> Some parts of governance can be automated. Other parts of governance can be guided using human workflow. Other parts of governance are definitely manual in nature. For example, no one's going to generate your corporate SOA policies for you. That takes a lot of hard work and collaboration across departments and business units. Defining the policies is the hard part.
>
> The governance tools I mentioned from Systinet and WebLayers are policy management systems. They help with the policy definition process by providing a database to capture and maintain the policies, and they help with policy compliance testing. Policies are reusable artifacts that have their own lifecycle. They are defined, codified, used, and revised. A policy management system provides the means to:
>
> * codify and document a policy (e.g., all services must use literal encoding and here's how you test for compliance),
> * group policies (e.g., the WS-I BP policy group comprises a couple hundred individual policies),
> * attach policies/policy groups to various service groups/services/service artifacts
> * identify when artifacts should be tested for compliance (code check-in, build, registration, invocation, etc)
> * test services/service artifacts for compliance
> * report on compliance violations
> * provide an approval process for compliance waivers
>
> Anne
>
> On 11/19/05, Steve Ross-Talbot <[EMAIL PROTECTED]> wrote:
>
> I agree that the workshop was not entitled governance for SOA at all.
> But it was very much in that direction. As you say governance is a very
> wide topic. Alas your reports are not available whereas the position
> papers at the workshop are freely available. So at least it is a start
> and coupled with your basic thoughts perhaps we can drive forward in
> the right direction.
>
> I'd be interested in any open discussion on the topic as I have spent a
> good deal of time talking to people about this in various roles
> (vendors, users and just practitioners) and thus far it remains
> something of a wish list rather than something that really exists in
> product. I do know that the companies you mentioned have made strides
> in this area (including Systinet - your old company, and of course
> Enigmatec - my old company) but we are a long way off from achieving
> the sort of governance that is needed to achieve the IBM vision of
> autonomic computing.
>
> So any ideas thoughts would be welcome and doubly so if we can make it
> an open discussion.
>
> Cheers
>
> Steve T
>
> On 19 Nov 2005, at 13:52, Anne Thomas Manes wrote:
>
> > Based on my experience working with clients, I disagree that the term
> > "governance" is scoped to the subject of the W3C workshop on
> > constraints and capabilities. I've written a lot about governance for
> > Burton Group. Unfortunately, I can't share those reports with you
> > because Burton Group reports are available only to subscribers.
> >
> > But I will share with you some basic thoughts:
> >
> > Governance refers to the processes that an enterprise puts in place to
> > ensure that things are done right, where "right" means in accordance
> > with best practices, architectural principles, government regulations,
> > laws, and other determining factors. SOA governance refers to the
> > processes used to govern adoption and implementation of SOA.
> >
> > SOA governance involves three steps:
> > 1. Define SOA policies
> > 2. Deploy an SOA infrastructure that supports adoption of these
> >    policies
> > 3. Institute a set of formal processes and procedures that verify
> >    compliance with these policies
> >
> > SOA policies relate to issues such as:
> > * Design principles
> > * Preferred design patterns
> > * Application-factoring rules
> > * Naming conventions
> > * Metadata requirements
> > * Documentation
> > * Preferred products
> > * Product selection guidelines
> > * Preferred domain standards
> > * Preferred industry standards
> > * Methods for dealing with regulatory requirements
> > * Methods for assessing security risks
> > * Methods for implementing security based on risk factor
> > * Methods for ensuring reliability and transaction integrity
> > * Service testing
> > * New service deployment and staging
> > * Service registration
> > * Service classification
> > * Service provisioning
> > * Service configuration
> > * Service monitoring
> > * Client provisioning
> > * Service modification
> > * Service versioning
> > * Impact analysis
> > * Service level objectives (SLO)
> > * Service level agreement (SLA) compliance tracking
> > * Error tracking and resolution
> > This list is long, but it barely scratches the surface.
> >
> > Products that help with SOA governance include registries,
> > repositories, software asset management systems, workflow, testing
> > tools, web services management.
> >
> > No one vendor covers the full SOA governance lifecycle.
> >
> > Leading players in the SOA governance software market include:
> > * Systinet and WebLayers, who provide policy management systems
> >   (repository-based system for managing the lifecycle of codified
> >   policies) as well as policy compliance testing tools and integrated
> >   workflow for managing approval processes. Mindreef also does some
> >   compliance testing, but at a much smaller scope.
> > * Systinet, Infravio, Flashline, and LogicLibrary, who provide
> >   registries, repositories, and/or software asset management systems,
> >   which are extremely useful for managing SOA assets and which can be
> >   used as a gatekeeper for institution of governance approval processes
> >   at various points in the service lifecycle (dev, testing, staging,
> >   provisioning, revisions)
> > * AmberPoint, Actional, Layer 7, and Reactivity, who provide support
> >   for governance at the service provisioning and runtime stages.
> > Anne
> >
> > On 11/19/05, Gautham Kasinath <[EMAIL PROTECTED]> wrote:
> >>
> >> Thanks for the brief explanation. I am reading the workshop materials
> >> from W3C on the topic, following your advice.
> >>
> >> Thanks again.
> >>
> >> Cheers
> >> Gautham Kasinath
> >> --- In [email protected], Steve
> >> Ross-Talbot <[EMAIL PROTECTED] ...> wrote:
> >> >
> >> > Gautham,
> >> >
> >> > Normally the term governance as applied to SOA is based on the notion
> >> > of static governance.
> >> > This is the sort of thing that WS-Policy (which is not a standard) is
> >> > all about. A recent workshop
> >> > run by W3C looked at wider notions of governance including the more
> >> > interesting form which is
> >> > dynamic governance.
> >> >
> >> > It probably makes sense to take a peek at the W3C workshop papers to
> >> > get a better understanding
> >> > of what governance is all about.
> >> >
> >> > Cheers
> >> >
> >> > Steve T
> >> >
> >> > W3C Workshop on Constraints and Capabilities for Web Services
> >> > http://www.w3.org/2004/09/ws-cc-program.html#papers
> >> >
> >> > On 19 Nov 2005, at 00:33, Gautham Kasinath wrote:
> >> >
> >> > > Hello,
> >> > >
> >> > > What exactly is SOA governance? Is it governing an SOA framework,
> >> > > like in monitoring request-response, SLA etc?
> >> > >
> >> > > Cheers
> >> > > Gautham Kasinath
> >> > >
> >> > > --- In [email protected], John Crupi
> >> > > <[EMAIL PROTECTED]> wrote:
> >> > >>
> >> > >> Would you like to start with the use-cases/scenarios first to help
> >> > >> narrow the problem?
> >> > >>
> >> > >> jc
> >> > >> -----------------------------------------
> >> > >> John Crupi
> >> > >> CTO, Enterprise Web Services Practice
> >> > >> Sun Distinguished Engineer
> >> > >> AIM: JohnCrupi
> >> > >> Blog: blogs.sun.com/crupi
> >> > >> Cell: 301.526.7890
> >> > >>
> >> > >> On Nov 18, 2005, at 12:22 AM, Tilak Mitra wrote:
> >> > >>
> >> > >> > I am looking for some real world implementation of SOA
> >> > >> > Governance, starting right from a project inception
> >> > >> > i.e. Strategy and Visioning, through Design,
> >> > >> > Implementation and right through operational and
> >> > >> > runtime.
> >> > >> > Any white paper / research work or material in any
> >> > >> > other form would be helpful.
> >> > >> > Thanks
> >> > >> > Regards
> >> > >> > Tilak
