Tushar Jain
tusjain@yahoo.com
http://architecture-soa-bpm-eai.blogspot.com/
http://oracle-fusion-middlware.blogspot.com/
Tushar Jain
1
Governance
The System or Manner of Government
Governance involves a mix of the following:
Control of the work.
Co-ordination between different pieces of work.
Measurement of outcome.
Compliance with internal policy or regulation.
Justification of spending.
Accountability and transparency.
Connecting with the needs of customers, the broader organization,
and other stakeholders.
Tushar Jain
2
Why do we avoid Governing?
Governance requires resource and cost
Diseconomies of scale bring increased unit cost
As communication complexity increases, so does the efforts to complete
the task.
Governance implies rules, committees, enforcement and rework
These items slows the project in short term.
Governance can expedite the adoption rate of new SOA technologies and
tools.
Tushar Jain
3
IT Governance
The organizational capacity to control the
formulation and implementation of
Information Technology strategy and
tactics for the purpose of achieving
business vision and goals of the
enterprise.
Tushar Jain
A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. For example, in a large consumer products firm, the CEO wanted to increase
synergies between business units to provide a single face to the small number of important customers that did business with several business units. The CEO and CIO worked together to design IT governance to align the enterprise IT assets to support the new objective. The new IT governance encouraged
sharing of customer information, contact logging, pricing, and order patterns across business units. However, it was not until the business unit executives' incentive system was changed from being nearly 100 percent based on business unit performance to being 50 percent based on firm-wide performance that
the new IT governance gained traction.
Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. DBS Bank in Singapore does not charge for architectural assistance to encourage project teams to consult with architects. Whenever incentives are based on business unit results, chargeback can be a point of
contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood.
It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.
7. Assign ownership and accountability for IT governance
Like any major organizational initiatives, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and
performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.
First, IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.
Second, the person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to governance of financial or any other key asset.
Third, IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable
of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.
The CIO owns IT governance in the majority of sizable firms today.4 Other enterprises have chosen either another individual (the COO or occasionally the CEO) or a committee (say, of senior business and IT leaders) to own IT governance. We have not observed any one approach that always works best. It
takes a very business-oriented—and well-positioned—CIO to deliver on the first consideration and a very technically interested COO or CEO to deliver on the third. Committees have the problem of meeting only periodically and dispersing the responsibility and accountability.
Our recommendation is that the board or CEO hold the CIO accountable for IT governance performance with some clear measures of success. Most CIOs will then create a group of senior business and IT managers to help design and implement IT governance. The action of the board or CEO to appoint and
announce the CIO as accountable for IT governance performance is an essential first step in raising the stakes for IT governance. Without that action, some CIOs cannot engage their senior management colleagues in IT governance. Alternatively, the board or CEO may identify a group to be accountable for
IT governance performance. This group will then often designate the CIO to design and implement IT governance.
8. Design governance at multiple organizational levels
In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a
separate but connected layer of IT governance. JPMorgan Chase has IT governance at the enterprise, division, and business unit level. Usually the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.
The lower levels of governance are influenced by mechanisms designed for higher levels. Thus, we advocate starting with the enterprise-wide IT governance, as it will have implications for the other levels of governance. However, starting enterprise-wide is sometimes not possible for political or focus reasons,
and starting at the business unit level can be practical. Assembling the governance arrangements matrixes for the multiple levels in an enterprise makes explicit the connections and pressure points.
9. Provide transparency and education
It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. Many firms like
State Street Corporation use portals or intranets to communicate IT governance. State Street's portal includes under the section "IT Boards, Committees, and Councils" a description of the Architecture Committee and all the other governance bodies. The portal includes tools and resources, such as a glossary
of IT terms and acronyms and the "Computer Contract Checklist." Often portals include lists of approved or recommended products. Templates for proposing IT investments complete with spreadsheets to calculate the IT business value are often available.
The less transparent the governance processes are, the less people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less willingness there is to play by rules designed to lead to
increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.
Communicating and supporting IT governance is the single most important IT role of senior leaders. The person or group who owns IT governance has a major responsibility for communication. Firms in our study with more effective governance also had more effective governance communication. The more
formal vehicles for communication were the most important. For example, CIOs on average assessed their enterprises' documentation of governance processes as ineffective. However, the firms with successful IT governance had highly effective documentation. Highly effective senior management
announcements and CIO offices were also important to successful governance.
When senior managers, particularly those in business units, demonstrate lack of understanding of IT governance, an important opportunity is presented. Working with managers who don't follow the rules is an opportunity to understand their objections. These discussions provide insight on whether the rules
need refinement as well as a chance to explain and reinforce the governance.
10. Implement common mechanisms across the six key assets
We began the book by describing how IT governance fits into corporate governance. We contend that enterprises using the same mechanisms to govern more than one of the six key assets have better governance. For example, executive committees that address all enterprise issues including IT, such as the
one at MPS-Scotland Yard, create synergies by considering multiple assets.
Recall the exercise (in Chapter 1) of listing all the mechanisms implementing each of the six key assets. Each asset may be expertly governed, but the opportunity for synergistic value is lost. For example, a firm implementing a single point of customer contact strategy must coordinate its assets to deliver that
uniform experience. Just having good customer loyalty (that is, relationship assets) without the products to sell (IP assets) will drain value. Not having well-trained people (human assets) to work with customers supported by good data and technology (information and IT assets) will drain value. Not having the
right buildings and shop fronts to work from or in which to make the goods (physical assets) will drain value. Finally, not coordinating the investments needed (financial assets) will drain value.
Put this way, the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise
via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.
4
What is SOA
Tushar Jain
Service
The central pillar of SOA is the service. Merriam Webster defines service as “a facility supplying some public demand”. A Service should provide a high cohesion and distinct function. Services should be coarse grained pieces of
logic. A Service should implement at least all the functionality promised by the contracts it exposes. One of the characteristics of services is service autonomy. Autonomy means the services should be self-sufficient, at least to
some extent, and manifest self healing properties.
Contract
The collection of all the messages supported by the Service is collectively known as the service's contract. The contract can be unilateral, meaning a closed set of messages the service chooses to provide. A contract might also
be multilateral or bilateral, that is, between a predefined group of parties. The contract can be considered the interface of the Service akin to interfaces of object in object oriented languages.
End Point
The Endpoint is an address, a URI, a specific place where the service can be found and consumed. A specific contract can be exposed at a specific endpoint.
Message
The unit of communication in SOA is the message. Messages can come in different forms and shapes, for instance, http GET messages (part of the REST style) ,SOAP messages, JMS messages and even SMTP messages are
all valid message forms.
The differentiator between a message and other forms of communication such as plain RPC, is that messages have both a header and a body. The header is usually more generic and can be understood by infrastructure and
framework components without understanding, and consequently coupling to, every message type.
The existence of the header allows for infrastructure components to route reply messages (e.g. correlated messages pattern) or handle security better (see Firewall pattern).
Policy
One important differentiator between Object Orientation or Component Orientation and SOA is the existence of policy. If an interface or contract in SOA lingo, separates specification from implementation. Policy separates
dynamic specification from static/semantic specification. Policy represents the conditions for the semantic specification availability for service consumers. The unique aspects of policy are that it can be updated in run-time and
that it is externalized from the business logic. The Policy specify dynamic properties like security (encryption, authentication, Id etc.) , auditing, SLA etc.
Service Consumer
A service doesn’t mean much if there isn’t someone/something in the world that uses it. So to complete the SOA picture we need Service Consumers. A service consumer is any software that interacts with a service by
exchanging messages with the service. Consumers can be either client applications or other "neighboring” services their only requirement is that they bind to an SOA contract.
5
SOA Governance impact on existing IT
organization and Processes
Tushar Jain
6
SOA Governance
SOA governance refers to the processes
used to oversee and manage the
adoption, implementation and
maintenance of service-oriented
architecture in accordance with
established IT governance structure.
Tushar Jain
7
Why SOA Governance?
SOA promises flexibility of IT systems, which leads to manifold
increase in moving parts. So Governance is must.
Tushar Jain
8
How much SOA Governance?
Not very granular (How much? Leave
breathing space)
Can’t cover every aspect (Just look at Indian
Constitution!)
Cover essentials (Just look at USA
Constitution!)
Tushar Jain
9
Scope of SOA Governance?
Compliance to Standards & Laws
Ensuring Quality of Services
Change Management
Key Activities
• Managing Portfolio of Services
• Managing Service Life Cycle
• Using policies to control services behavior
• Monitoring Performance of Services
• Managing different environments: Dev, Test &
Prod
Tushar Jain
•Compliance to standards or laws: IT systems require auditing to prove their compliance to regulations like Sarbanes-Oxley. In an SOA, service behavior is often unknown
•Change management: changing a service often has unforeseen consequences as the service consumers are unknown to the service providers. This makes an impact analysis for changing a service more difficult than usual.
•Ensuring quality of services: The flexibility of SOA to add new services requires extra attention for the quality of these services. This concerns both the quality of design and the quality of service. As services often call upon other
services, one malfunctioning service can cause damage in many applications.
Key Activities
•Managing the portfolio of services: planning development of new services and updating current services
•Managing the service lifecycle: meant to ensure that updates of services do not disturb current service consumers
•Using policies to control services behavior: rules can be created that all services need to apply to, to ensure consistency of services
•Monitoring performance of services: because of service composition, the consequences of service downtime or underperformance can be severe. By monitoring service performance and availability, action can be taken instantly
when a problem occurs.
10
SOA Governance Requirements?
Strategy & Goal: What is to be governed?
Why?
Organization: Structure & processes for SOA
oversight
Processes & Procedures: Roles, responsibilities
and procedures for managing SOA activities
Policies: Enforcement issues including
standards, securities, release, re-use
Metrics: Business outcomes with specific
metrics for success
Behavior: Behavioral model, incentives,
penalties and rewards for appropriate “SOA
Behavior”.
Tushar Jain
11
SOA Governance - Challenges
Business Technical
Brittle implementation Security breaches which
of SOA can't be easily traced
New Field Services are not
Organizational, Cultural available/designed to be
and Behavioral aspects
reusable
Governance = tools
Unpredictable
Levels of Governance
performance and
availability.
Tushar Jain
12
SOA Governance – Stakeholders Concerns
Ownership boundaries
Dispute resolution capability
Ongoing management of environment
Dealing with issues that go bump in the night
Providing guidance on the "right" way of doing things
Who makes the decisions?
Guidelines vs. Best Practices vs. Laws
How do you handle exceptions to polices/guidelines?
What is the feedback loop via which current exceptions may
end up becoming future policy/guideline?
Who tests to make sure that policies are being conformed
to?
Distinguishing between manual vs. automated processes
How are the contracts between providers and consumers
managed?
Etc…
Tushar Jain
13
SOA Governance – Influencing Factors
Corporate culture
Technological changes
Major decision-making processes
Budgeting processes
Incentives and penalty structures
Compensation linkages to corporate goals and mantras
Portfolio management processes
Architecture process (definition, acquisition,
implementation)
Architecture practice (solutions development)
Corporate performance metrics, such as return on invested
capital (ROIC), revenue and market share growth, cost
controls, etc.
Promotion and advancement criteria
Tushar Jain
14
Who should Make SOA Decisions
Business line:
Business executives
Business units stakeholders
Business services analysts
Domain owners
IT:
IT executives
SOA architect/enterprise architect
Data/information architect
System analyst
Security manager
Services architects
Process flow designer
Services assemblers
Services developers
Interoperability tester
Deployment manager
Services registrar (Registry and tools administrator)
Tushar Jain
15
SOA Governance – Major Activities
Establish Governance Strategy, organization &
processes
Define SOA policies and enforcement model
Governance implementation
Processes & Procedures
• Design, pub/discovery, runtime
• Dev, test and prod environments
Enabling technology & integration
Automated policy enforcement
Tushar Jain
16
SOA Governance – Essential Processes
Process for business control: To ensure alignment with
strategic goals, business policies, regulatory requirements
Process for improving organization’s SOA maturity level
Process for ensuring consistent implementation of SOA
Process for acceptance and approval of architecture
Process for resolving conflicts, handling escalations
Process for access control to SOA artifacts
Process for service policy management and compliance
assessment (through review, audit, monitoring): To ensure
compliance against service level policies / SLAs, to enforce
standards compliance
Process to sanction deviations from compliance
Process for SOA skills development and information
dissemination.
Tushar Jain
17
SOA Governance – Essential Processes
Process for SOA technology change management: E.g.,
keeping track of WS* specifications developments and
changes to implementation technologies and tools based on
them, planning incorporation of them based on estimated
time for their maturity/stability
Process for evaluating and selecting tools/products for the
technology stacks
Process for promoting reusable services, components, for
managing service catalogues and reusable components
repository: a. For extracting reusable components from
existing asset base. b. For obtaining off-the-shelf
components c. For developing and managing reusable
processes, components, services d. For creation and
maintenance of repository of reference artifacts such as
standards, guidelines, best practices, patterns to be used
enterprise-wide
Tushar Jain
18
SOA Governance – Point of View
Levels of Governance
Architecture
Service Lifecycle
Phases
Design & Development
Runtime
Change Time
Tushar Jain
19
SOA Governance – Architecture
SOA Governance at Architecture level is necessary
to ensure that SOA is by choice not by accident.
SOA Governance practices can be adopted from
existing Enterprise Architecture processes. These
are:
Establishing Corporate technology standards
Defining high level SOA architecture and topology, as well
as infrastructure capabilities that SOA should incorporate.
Determining SOA platform strategy and making decision
about particular vendor products and platforms.
Specifying the management, operational and QoS –
security, reliability, availability, performance, etc.
Establishing criteria for SOA project design reviews.
SOA implementation roadmap.
Tushar Jain
20
SOA Governance – Service Lifecycle
Service is atomic unit of SOA, so must be
governed.
Service Lifecycle governance can be adapted from
Component level governance processes. These
are:
Determination of granularity of service
Who will be owner of service
Who can access a service
Version management of service
Non function aspects of service – availability, security,
performance, scalability, etc
Tushar Jain
21
SOA Governance – Design & Development
It is primarily IT development function. It is
applicable at Project and service wise. Some of the
aspects covered in this point of view are:
Conformance to standards – e.g. WS-I
Registry based approval process
Determination that service fits into enterprise class asset
Prioritization of service
Exposure level of service
Tushar Jain
22
SOA Governance – Run time
It is primarily concerned about non function
aspects of service.
Service validation against corporate standards
• Security aspects
• Performance
• Availability
• Scalability
• Interface standards
Tushar Jain
23
SOA Governance –Change Time
Architecture and so Service changes over its lifetime.
Governance is essential.
The governance aspects should cover:
• Customization
• Composition
• Configuration
• Deployment
• Inter service dependencies
• Versioning
• Changes in policies and SLAs.
• Retirement
• Refactoring
• Business Logic
• Deployment aspects
• Tool set change/migration
Tushar Jain
24
SOA Governance – Dev., Run & Operation/Change
time
Tushar Jain
25
SOA Governance Decisions
Evaluate the following to create a SOA Governance
model that is right for your organization:
Formal vs. Informal …
Centralized vs. Decentralized …
Visibility vs. Control …
Incentives vs. Punishment …
Manual vs. Automated …
Tushar Jain
26
Formal vs. Informal
SOA Governance Decisions
No Governance
Often results in “Random SOA” or “SOA Gone Wild”
• Q: What are the SOA policies, processes and practices that need to
be governed?
Self Governance
Mixture of Formal and Informal; Some tasks and activities
governed; some not.
• Q: Do I need to inform anyone when I make a SOA policy or process
change?
Formal Governance
A virtual/real organization exists that is devoted to promotion of
SOA program and causes that is accepted as fundamental part of
SOA culture.
• Q: How do I get involved in giving my input on SOA policy, practice
and process issues?
Tushar Jain
27
Centralized vs. Decentralized
SOA Governance Decisions
Tushar Jain
28
Visibility vs. Control
SOA Governance Decisions
Tushar Jain
29
Incentive vs. Punishment
SOA Governance Decisions
Tushar Jain
30
Manual vs. Automated
SOA Governance Decisions
Don’t start with the technology, start with your goals and
objectives.
Start with Manual Governance.
Define policies, processes, structure, roles and responsibilities first.
Then, measure compliance and understanding.
Understand that not all governance tasks can or should be automated.
QTAY: Where can my job functions provide governance?
In time, Automate simple, manual governance tasks.
Automation of governance tasks will occur over time.
Resources (headcount) will be required to manually govern some tasks.
Measure Automation costs & benefits to support future activities.
Q: Are there systems or tools that can automate some governance
functions?
Tushar Jain
31
Governing Targets
Not everything needs to be governed.
Focus on conflicting interests between parties.
Tushar Jain
32
Governance Lifecycle & Roles
Tushar Jain
33
Levels of Governance
Tushar Jain
Level 0: No Governance
Level 0 governance does not need much explaining. Lines of business operate independently and often competitively for resources to achieve individual goals. Organizations operating at this level are likely to require
considerable effort from a cultural perspective before recognizing the value of sharing resources and organizational goals.
Level 1: Individual Bargaining
So how can apparel and footwear come to a mutually acceptable solution? If the parties involved are relatively few, they may be able to bargain and come to a decision. This approach, often called the Coase Theorem by
economists, may be considered a level 1 governance model. Apparel may negotiate with footwear to allow the sharing of the order placement service in exchange for something else of tangible value to footwear. Examples may
include sharing of resources for maintaining the code, hardware to support the increased usage, and annuity costs or anything else of value that footwear may use for compensation.
Individual bargaining may solve many Level 1 governance issues, but the situation becomes much more complicated when the number of parties involved increases or bargaining includes use of community property such as IT
infrastructure or network bandwidth. Consider the issue of global warming as a real-life example of individual bargaining not being possible due to the large number of parties and competing interests involved. To manage such
situations, an external party must be involved to broker an acceptable solution. Enter the centralized governance board.
Level 2: Advisory Centralized
As competing interests and high costs of individual bargaining increase, many organizations establish some form of governance board to act as a centralized authority. With SOA this governance board may determine enterprise
services and strategies for promoting reuse across lines of business. This Level 2 governance model acts more in an advisory capacity. Organizations may have some funding to create and maintain enterprise services and may
also establish blueprints for lines of business to follow going forward. Lines of business are encouraged to comply, but there is no real authority of the governance board to enforce compliance. Experience has shown that most
organizations undertaking SOA initiatives fall under this category.
Advisory Centralized governance models are especially prone to lines of business determining the most cost-effective way of achieving profit (remember that factor identified at the start of this article?) and acting on it. In the long
run governance boards may be considered a level of bureaucracy that impedes business activities and increases costs. The funds being apportioned to the governance board may be reallocated back to lines of business to build
more non-reusable assets. If these reallocated funds increase business profit and reduce operating costs, then any centralized SOA initiative is doomed to failure.
Level 3: Empowered Centralized
To address the shortcomings of Level 2 governance, organizations with strong IT leadership may lobby for some form of governance board that has the authority to demand and enforce compliance. As indicated, an empowered
centralized governance board, considered here to be a Level 3 governance model, must have senior, C-level executive buy-in to ensure that mandates are enforced.
Organizations employing an Empowered Centralized governance model may address the need to control spillover benefits (and therefore increase incentives for compliance) through a number of mechanisms, most notably:
Direct controls
Direct controls attempt to enforce compliance by limiting certain activities. Any parties who fail to comply are punished in some manner. Punishment for non-compliance may include fines, restricted quality of service, and lower or
weak Service Level Agreements. The unfortunate side effect of direct controls may result in high costs of production or development. Sarbanes-Oxley is an example of direct controls placed on organizations by the government.
Many companies must increase production costs or expend additional development funds to avoid being fined.
Undoubtedly, some organizations calculate the cost of being non-compliant (the amount that the company will be fined as a result of non-compliance). If this cost is less than the costs to develop compliant systems, then the
incentives are not strong enough for an organization to allocate the resources and effort to the task. Keep in mind that costs do not always refer to monetary amounts when referring to direct controls and compliance. For example
if non-compliance may result in prison time for executives, then this is a very strong incentive. Just ask the former WorldCom executives!
Specific taxes
Another approach that may be utilized by the governance board is to levy taxes or charges on systems or activities not approved by the board. Business units are then given the option of adhering to compliance policies or risk
being taxed for non-compliance. Such a model allows business units to undertake cost-based analysis and decide which activities make sense to be compliant with and which activities do not.
Going back to Runner's Inc., assume the CTO has provided support to the formation of a Level 3 governance board that has promoted footwear's order service to an enterprise service; it is now considered the only compliant
order process within the company. Apparel's business analysts undertake some analysis and decide that changing all of their 10 systems to be compliant may cost $100,000 whereas the cost for non-compliance is a tax of $2,000
per system per year—a total of $20,000 ($2,000x10) for each year of non-compliance. Apparel may decide they will pay the $20,000 per year rather than invest $100,000 of development capital upfront to become compliant. In
addition, apparel may decide that the opportunity cost of the remaining $80,000 ($100,000-$20,000) is better leveraged for other system development, which will produce a higher rate of return annually than the cost of
compliance. The important aspect to recognize here is that the line of business has the ability to decide what makes more business sense, or more specifically, what makes more profit for the business, unfortunately, sometimes
at the detriment to the governance initiative within the organization.
Subsidies
Similar to the specific taxes approach to enforcing compliance is the idea of subsidies. The governance board may decide to subsidize certain line-of-business activities to make it more attractive (reduce the cost and therefore
increase the profit) to obtain compliance. This approach may include subsidies on software purchases to promote an ESB strategy, provide access to shared or common resources such as additional network bandwidth, subsidize
training on specific technologies, or simply inject funds into key projects. Quite often Level 3 governance organizations combine specific taxes and subsidies together to make the incentive to be compliant very difficult to refuse.
The Tragedy of the Commons
So where does this leave us with regard to SOA governance? Even more mature organizations that adopt Level 3 may face issues ensuring commitment by line-of-business representatives. The natural evolution is for the
governance board to seek additional sponsorship and funding and begin to build common resources that are mandated upon lines of business. These mandates are often hard to deny as they come without a price tag and with
high visibility (the CTO may be funding many of the initiatives).
Consider the often precarious position that IT infrastructure teams are faced with. These teams often are formed as a way of providing common assets to be leveraged in a consistent manner by all business units in an effort to
drive down costs. This situation sounds strikingly similar to what SOA governance proposes, doesn't it? What begins as a noble idea soon becomes polluted by misuse and typically overuse. Lines of business will ensure their
business functions and IT operations are maintained because they see value in doing so; they receive a profit from it. Common infrastructure assets, on the other hand, are often abused as each individual or business unit sees
their individual contribution to misuse or overuse as small and of little or no overall consequence. But as any infrastructure support engineer knows, these actions when multiplied over time result in a degradation of overall
effectiveness of the resources. This degradation is often termed The Tragedy of the Commons. The overall effect is greatly reduced incentive to opt in at any cost to the governance initiatives due to direct costs and the fact that
these costs may be able to be transferred to another business unit such as the Infrastructure team.
Although Levels 1 to 3 of our governance models can provide some effectiveness, the question still remains whether there is a more substantial governance model that organizations may adopt to assist in their SOA initiatives.
The answer, I believe is yes, but we need to start thinking differently!
Level 4: Market-based Centralized
Enter the market-based centralized or Level 4 governance model—a model, I believe, that has been sorely overlooked in relation to SOA governance. The basic tenet is that the governance board can create a market for those
spillover benefits and costs identified early in the article. In a market-based approach, the governance board would determine the amount of compliance while maintaining an acceptable level of profit for the business. Runner's
Inc. has established a governance board that has determined the demand for reusable services is in the range of five services per year. Both footwear and apparel are awarded five credits for subsidies for compliance in year 1.
How does such an approach differ from the direct controls of a Level 3 governance model? Suppose it costs footwear $1,000 per service to make it compliant and reusable, while it costs apparel $5,000 per service. However,
apparel is losing sales to a new competitor and, as a result, has an increased incentive to update its aging systems. Without a market for compliant services, apparel would have to spend $5,000 developing a service, but with a
market-based system, apparel could negotiate with footwear to buy a service from $2,000 (perhaps the order processing service mentioned previously). Apparel reduces its non-compliant systems by 1 at a cheaper rate than
building its own ($5,000-$2,000 = $3,000), and footwear makes a profit ($2,000-$1,000=$1,000). The net result is the reduction in non-compliant systems, and profit is achieved by all parties. Our inhibiting factors of cost and
profit are both obtained!
34
SOA Governance Model
AgilePath
BEA
IBM
Oracle
Tushar Jain
35
SOA Governance Model: AgilePath
Tushar Jain
36
SOA Governance & Behavior Reference
Model: AgilePath
Tushar Jain
37
Closed Loop Governance Model: AgilePath
Tushar Jain
38
SOA Governance Model: BEA
Tushar Jain
39
SOA Investment Criteria: BEA
Tushar Jain
40
SOA Governance & Management
Method: IBM
Tushar Jain
41
SOA Governance Model: Oracle
42
SOA Governance Model: Oracle
43
Critical success factors in SOA Governance
Senior management commitment & Vision
Communication & Change management
Focus, execute and enforce
Define a benefit management system and set achievable
targets/expectations
Evolution, as opposed to revolution
Don’t over engineer
Tushar Jain
44
Technologies Behind SOA Governance
Tushar Jain
At a basic level, an SOA governance system should facilitate service-level governance across the lifecycle from design-time to run-time to change-time. It should allow polices to be defined and created, and provide mechanisms
for these policies to be enforced at each phase of the service lifecycle. The main components of this system include:
A registry, which acts as a central catalog of business services
A repository, for storing policies and other metadata related to the governance of the services
Policy enforcement points, which are the agents that enact the actual policy enforcement and control at design-time, run-time, and change-time
A rules engine for managing the declaration of policies and rules and automating their enforcement
An environment for configuring and defining policies and for managing governance workflows across the service lifecycle
-----------------------
Among other things, a governance repository should support the following capabilities:
An information model or taxonomy for representing and storing organizational and regulatory policies that can be translated into rules that are enforced by the SOA governance system. It should be possible for policies and
rules to be interpreted by people or machines (and sometimes both) as appropriate.
Audit capabilities for tracking the trail of changes and authorizations applied to assets within the repository context.
Identity management capabilities and role-based access controls to ensure that only appropriate parties have access to policies.
A notification system and content validation capabilities to provide additional assurances that policies are well-formed, consistent, and properly applied.
---------------------
The following features are desirable in the design-time policy enforcement point:
Identity management — In order to establish rights and responsibility in the registry/repository it is first necessary to identify users (for example, via an LDAP based identity system or other directory), service consumers, and
other participants. Identity is also important for metering usage, logging for audit purposes, and applying approval requirements and other governance processes on an individual or role basis.
Access control — Coupled with identity management, the system should offer fine-grained access configurations over all aspects of registry/repository assets. This includes the ability to secure assets as well as policies,
governance processes, and asset classifications.
Automated notifications and approvals — The ability to trigger events in response to Create, Read, Update, or Delete activities in the registry/repository allows alerts, approval processes, content validation scans, and other
actions to be automated. These triggers might be applied either before or after the interaction in question. For example, a policy might be established that a design review approval is needed before an object is created in the
registry/repository.
Content validation — Content (in the form of assets that checked into the registry/repository) should be scanned and validated according to their type and preconfigured compliance checks. Common validations include WSDL
validation, XML schema validation, testing for namespace violations, schema validation, and other interoperability-related scans. For example, service consumers expect interfaces to be well-formed and interoperable, so the
registry/repository should automate the process of scanning and assuring that WSDL documents are wellformed and conformable with WS-I interoperability profiles.
Audit trails — A fundamental capability for establishing accountability is the ability to track interactions between participants and the registry/repository, along with the sequence and details of those activities. This record can be
used for governance enforcement “after the fact” and to establish usage patterns for guiding process improvements.
45
SOA Governance and Democracy
An “executive branch” (IT) oversees
operational aspects, as well as development
and design;
A “legislative branch” (executive
management and board of directors)
establishes the goals and directions of SOA
efforts; and
A “judicial branch” (enterprise architectural
boards) deals with conflict resolution and
compliance audits.
46
SOA Governance - Best Practices
Create Board of Governors: Policies should be developed &
maintained by committee rather than decree.
People on ground must be involved.
Develop interoperability framework: Standards are basis of
SOA. Keeps standards enterprise wide but should not be
shackles.
Don’t get too granular: Overly detailed policies are difficult to
maintain and restricts creativity and innovation. Create levels
of threats and give enough leg room..
Communicate Early & Often: People don’t like surprises.
Every body has different level of intellect, so pass information
through multiple channels.
Establish CoE: Place for practitioners, who have theoretical
inclination.
Create policies with teeth: Without enforcement, policies
meant nothing.
Governance is gradual
Tushar Jain
47
Questions
Tushar Jain
48
Thai
Hindi
Russian
Traditional Chinese
Gracias Spanish
Obrigado
Arabic
Thank You Brazilian Portuguese
Grazie Danke
Italian
German
Merci French
Simplified Chinese
Tamil
Korean
Japanese
Tushar Jain
49