As covered in the first section, an SOA needs a robust, active management framework; without one it gets out of hand. SOA management is realized through the governance concept, which controls the different aspects of the SOA. Security is another aspect that has to be enforced in an SOA-enabled environment because of its open nature. This section discusses SOA management in detail.
Without a controlling entity, an SOA is not only challenging to manage but invites chaos because of its open and distributed nature. It therefore needs a management and controlling entity: governance.
SOA governance is a framework for identifying decisions and roles so as to encourage IT actions that are aligned with the enterprise strategy and prevent those that are not. The framework is managed by a group or committee responsible for creating the policies that enforce governance, and for identifying, empowering, and holding accountable the individuals who are given decision-making and policy-enforcement authority. In brief, the committee needs to address three main questions:
- What decisions need to be made to ensure effective management of IT assets?
- Who should be responsible for making these decisions?
- How can such decisions be enforced and monitored?
As part of the governance realization, service level agreements (SLAs) are identified and monitored for verification. Performance metrics are also collected to represent the effectiveness of the governance.
The role of governance in SOA is crucial; it needs to be enabled on all phases of the SOA life cycle, as shown in Figure 6.
Figure 6. Governance location with respect to the SOA life cycle stages
The need for SOA governance is clear because:
- Governance involves applying the principles of an enterprise strategy to direct and control IT.
- Governance aims to encourage behaviors consistent with the organization's mission, strategy, and values toward achieving the enterprise's business goals, adding value while balancing risk and return.
- Governance assures keeping services at a defined level in terms of integrity, performance, reliability, and currency.
- Governance makes sure that business application needs are being correctly assessed and prioritized to drive creation and consumption of services, thus ensuring the best usage in alignment with business goals.
- Governance ensures that IT investments are being used in a profitable manner.
- Governance ensures that an enterprise-wide SOA-enabling architecture is the main guide for design of any service.
- Governance, as a controlling entity, applies IT best practices and principles.
- To protect the business assets, governance also enforces security of enterprise data and privacy of information shared across boundaries.
- Governance, managing the IT of the enterprise, enforces integrity and reliability of data and processes to promote reuse and maximize profit.
- Governance ensures a certain level of performance and quality of service on all components in the consumer-provider chain of services.
- Standards are at the base of SOA, so governance helps to enforce high levels of interoperability, which gives the enterprise the full benefits of open standards.
- Governance uses metrics to audit and monitor the progress of the development of the IT infrastructure and its conformance with established policies.
In a framework with SOA governance, QoS policies are defined and enforced across the organization. This is essential in an open environment, where integration and service exchange are not limited to the internal functions of an enterprise but extend to other enterprises of different sizes, scopes, and IT capacities, and where a steady level of the overall processes must be maintained and guaranteed. Consider response time as a QoS attribute: if services are not required to respond within a given time, the slowest service can become a bottleneck and waste the QoS provided by the other, faster services. The same goes for security: one noncompliant service may jeopardize the whole system. In some systems, the infrastructure is built to detect QoS levels and reject noncomplying services.
Such complex security systems are needed because:
- Distributed systems require distributed security.
- There's a need to manage user registries and access control across multiple applications, platforms, business partners, and entities, which can't be managed at a single point.
- You have to consistently enforce security policies across the environment.
- The security system needs to be able to evolve as the enterprise and its applications evolve.
With the decoupling principle applied, changes to services in the SOA environment are handled simply, because service consumers are decoupled from service providers by the ESB, which sits in the middle and can mediate the messages. Changes on the provider side can be absorbed by the ESB so that the consumer remains the same and is unaffected by the change.
On the other hand, I have to point out the danger of unmanaged change in an SOA environment. With the principle of reuse, each service may be an enterprise-level service, not just a local one within its department or unit. Any unmanaged change to such a service can lead to unpredictable enterprise-wide failures and halted processes. This shows the importance of governance in ensuring that a policy manages the change. That policy should measure the impact, approve the change, and provide a system of notification for the parties impacted (the ESB or direct consumers). Changes in distributed systems require strict rules to manage them.
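As an added illustration of the ESB mediation and managed-change policy described above (example code written for this page, not from the original article or any ESB product), the following Python sketch models a service registry that keeps consumers on their existing contract through a mediation rule and, on a managed change, measures the impact and notifies every registered consumer before applying it. The service and field names, the v1/v2 contracts, the consumer names, and the values are constructed assumptions.

```python
# Added example (not from the article): an in-memory ESB mediator and service
# registry. A mediation rule at the ESB lets v1 consumers keep their contract
# after a provider-side change, and a managed change measures impact and
# notifies the impacted consumers before it is applied.
# Service names, field names, consumer names and values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Handler = Callable[[dict], dict]


def customer_service_v1(request: dict) -> dict:
    """Hypothetical provider, original contract: flat fields, balance in dollars."""
    return {"customerId": request["id"], "balance": 123.45}


def customer_service_v2(request: dict) -> dict:
    """Hypothetical provider after a contract change: nested id, balance in
    minor units. Consumed unmediated, this would break every v1 consumer."""
    return {"customer": {"id": request["id"]}, "balanceMinor": 12345, "currency": "USD"}


def v2_to_v1(response: dict) -> dict:
    """Mediation rule the ESB applies so that v1 consumers still see the old contract."""
    return {"customerId": response["customer"]["id"],
            "balance": response["balanceMinor"] / 100}


@dataclass
class ServiceRegistry:
    """The ESB's view of providers, active mediations, and who depends on what."""
    providers: Dict[str, Handler] = field(default_factory=dict)
    mediations: Dict[str, Handler] = field(default_factory=dict)
    consumers: Dict[str, List[str]] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def register(self, service: str, handler: Handler) -> None:
        self.providers[service] = handler

    def subscribe(self, service: str, consumer: str) -> None:
        # Recording consumers is what makes impact measurement possible later.
        self.consumers.setdefault(service, []).append(consumer)

    def invoke(self, service: str, request: dict) -> dict:
        """Consumers call the ESB, never the provider directly."""
        response = self.providers[service](request)
        mediate = self.mediations.get(service)
        return mediate(response) if mediate else response

    def change_provider(self, service: str, new_handler: Handler,
                        mediation: Optional[Handler] = None) -> List[str]:
        """Managed change: measure the impact (every registered consumer of the
        service), notify each one, then apply the change together with any
        mediation that keeps the old contract intact. Returns the impacted list."""
        impacted = list(self.consumers.get(service, []))
        for consumer in impacted:
            self.notifications.append(
                f"{consumer}: provider of '{service}' is changing; "
                + ("contract preserved by ESB mediation" if mediation
                   else "contract change, consumer action required"))
        self.providers[service] = new_handler
        if mediation is not None:
            self.mediations[service] = mediation
        return impacted


def demo() -> ServiceRegistry:
    """Wire up a registry, run the managed change, and return it for inspection."""
    esb = ServiceRegistry()
    esb.register("customer", customer_service_v1)
    esb.subscribe("customer", "billing")
    esb.subscribe("customer", "crm-portal")
    esb.change_provider("customer", customer_service_v2, mediation=v2_to_v1)
    return esb


if __name__ == "__main__":
    registry = demo()
    print(registry.invoke("customer", {"id": "C42"}))  # still the v1 shape
    for note in registry.notifications:
        print(note)
```

The consumer keeps calling the same endpoint with the same contract; the only place that knows about the v2 shape is the mediation rule held by the ESB, and the notification list is the audit record that the change was managed rather than silently pushed.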
The ESB plays an important role in enforcing governance. Security and QoS policies can be applied at the ESB to control the levels delivered and allow only conforming requests. In general, an ESB plays the role of a unifying platform on which the required policies are mandated. The nature of an ESB as the central place through which all communication passes makes it the ideal place to activate such rules. And rest assured that everyone either complies or is isolated.
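As an added example of the policy-enforcement role attributed to the ESB above, and of the QoS-level detection and rejection of noncomplying services mentioned earlier (code written for this page, not from the article or any ESB product), the following Python gateway enforces a security policy and a response-time SLA per service, records every decision in an audit trail, and isolates a provider after repeated breaches. Policy values, service and consumer names, and the simulated latencies are constructed assumptions; the clock is injectable so the example runs deterministically without sleeping.

```python
# Added example (not from the article): a minimal policy-enforcement point in
# the ESB role. It enforces a security policy (only listed consumers may call a
# service) and a QoS policy (a response-time SLA), rejects noncompliant
# requests, and isolates a provider once it has breached the SLA a configured
# number of times. Names, SLA values and latencies are constructed.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Policy:
    max_response_seconds: float   # QoS: response-time SLA for this service
    allowed_consumers: Set[str]   # security: consumers permitted to call it
    max_breaches: int = 3         # isolate the provider at this many SLA misses


@dataclass
class EsbGateway:
    policies: Dict[str, Policy]
    providers: Dict[str, Callable[[dict], dict]]
    clock: Callable[[], float] = time.monotonic
    breaches: Dict[str, int] = field(default_factory=dict)
    isolated: Set[str] = field(default_factory=set)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def invoke(self, consumer: str, service: str, request: dict) -> dict:
        policy = self.policies[service]
        # Security policy first: an unauthorized caller never reaches the provider.
        if consumer not in policy.allowed_consumers:
            self.audit.append(("REJECT", consumer, service, "consumer not permitted"))
            raise PermissionError(f"{consumer} may not call {service}")
        # A provider already isolated for noncompliance is not routed to.
        if service in self.isolated:
            self.audit.append(("REJECT", consumer, service, "provider isolated"))
            raise RuntimeError(f"{service} is isolated for SLA noncompliance")
        start = self.clock()
        response = self.providers[service](request)
        elapsed = self.clock() - start
        # QoS policy: a slow response is a breach; enough breaches isolate the
        # provider so one slow service cannot become everyone's bottleneck.
        if elapsed > policy.max_response_seconds:
            self.breaches[service] = self.breaches.get(service, 0) + 1
            self.audit.append(("SLA_BREACH", consumer, service, f"{elapsed:.2f}s"))
            if self.breaches[service] >= policy.max_breaches:
                self.isolated.add(service)
                self.audit.append(("ISOLATE", consumer, service,
                                   f"{self.breaches[service]} breaches"))
            raise TimeoutError(f"{service} exceeded {policy.max_response_seconds}s SLA")
        self.audit.append(("OK", consumer, service, f"{elapsed:.2f}s"))
        return response


class FakeClock:
    """Deterministic clock; providers advance it to simulate their latency."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> EsbGateway:
    """Build a gateway with one fast and one slow provider and drive it through
    an unauthorized call, a compliant call, and enough breaches to isolate."""
    clock = FakeClock()

    def fast_quote(request: dict) -> dict:
        clock.advance(0.1)          # well inside the 1.0 s SLA
        return {"quote": 99.0}

    def slow_quote(request: dict) -> dict:
        clock.advance(2.5)          # breaches the 1.0 s SLA every time
        return {"quote": 101.0}

    gw = EsbGateway(
        policies={"quote-a": Policy(1.0, {"portal", "batch"}),
                  "quote-b": Policy(1.0, {"portal"}, max_breaches=2)},
        providers={"quote-a": fast_quote, "quote-b": slow_quote},
        clock=clock,
    )
    for consumer, service in [("guest", "quote-a"), ("portal", "quote-a"),
                              ("portal", "quote-b"), ("portal", "quote-b"),
                              ("portal", "quote-b")]:
        try:
            gw.invoke(consumer, service, {})
        except (PermissionError, TimeoutError, RuntimeError):
            pass  # the audit trail records why each call was rejected
    return gw


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Two design points carry over to a real bus: the security check runs before any provider is contacted, so an unauthorized consumer cannot consume the slow provider's capacity, and isolation is a state the gateway owns, which means the rest of the consumer-provider chain keeps its QoS regardless of what the isolated service does.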