An Introduction to SOA Governance

The result of making the shift to SOA is a new model of business and IT interaction. Providing a new way to reflect business requirements and success measurements in how applications are written, deployed and managed. SOA governance provides the additional level of cooperation and coordination needed for SOA implementations. Essentially providing a framework that specifies how SOA applications are managed and supported. As a subset of the corporate governance framework and an overlay to the traditional IT governance model, SOA governance is based a lifecycle model which has direct impact on business execution. In this article we will focus on what constitutes SOA governance and why it is important to any enterprise SOA implementation.

What is Governance

By definition governance provides an overarching framework to prioritize and then support the enterprise businesses objectives on a strategic, functional and operational level. A governance framework defines chains of responsibility, lines of communication, measurements to gauge effectiveness, and control mechanisms to ensure compliance. It defines the rules, processes, metrics and organizational constructs needed for effective planning, decision making, steering and control to meet enterprise business needs and success targets. A well defined governance strategy even determines the points at which you access a potential risk and provides appropriate mitigation strategies. Governance also helps to determine who is responsible for making decisions, what decisions need to be made, and policies for making decisions consistently. For example, a key issue for enterprise today is code reuse. Nobody should argue that reusable assets are good, but difficult to make work in practice. In this context governance helps to define an organizational agreement on a single set of behaviors for reusable assets.

SOA isnt a completely new vision but the rationalization of industry practices and architecture techniques. Today a lot of the industry buzz is because the technical promise is finally being realized with the evolution of technology and maturity of interoperability standards. Fundamentally the promise of SOA is based on the abstraction of business processes functionality from hardware, software and integration data sources. Ultimately SOA defines an architectural framework for better integrated systems designed to meet the changing needs of business. The role of the SOA services platform is to provide a foundation for delivering essential business processes in a flexible, easily composed, and highly reusable fashion. The role of governance is to make sure this is successful. Governance is fundamentally different than management. Governance plans for what decisions will be made. Management is the process of making and implementing the decisions based on the governance framework. Governance sets policies and defines who makes the decisions while management uses these frameworks to make decisions.

There are several types of governance models within a company and each ultimately has an effect on SOA governance. Corporate governance is the highest level example and it provides the overarching structure for a company. Corporate governance is the set of processes, customs, policies and laws that affect the way a company is directed. The main goal of corporate governance is to provide a framework for the corporate direction and then ensure all employees and stakeholders are directed toward it. Corporate governance strategies are designed to include control over capital investments, ROI, and determine effective decision making and balance conflict resolution.

IT governance is the corresponding IT vision of these corporate mandates. It is the corporate governance aligned set of mandates that drives the IT organization's decisions. It consists not only of the decisions that drive IT, but also the policies and practices that IT departments use to achieve a desired behavior. The way these decisions are made within an IT department today and the metrics used to ensure the success are all part of IT governance. The requirement that end users call the help desk when their computer is unable to connect to the network is a simple example of IT governance.

IT governance also includes the decision-making rights associated with IT. This includes the mandates and policies used to measure and control the way IT decisions are made and carried out. Simply put the goal of IT governance is to provide a strategic alignment between business and IT, and increase the value from corporate governance driven business strategies and objectives. In addition, IT governance assists with risk reduction in helping to understand and mitigate risks associated with initiatives and operations. Within the IT governance framework management technologies are often used to achieve defined governance goals.

Basic IT governance concepts arent new. They have been well documented by industry groups like the Information Technology Infrastructure Library (ITIL). Typically, these types of frameworks provide a process-based methodology that delivers a set of IT service management best practices designed to align IT with business requirements, improve service quality, and lower the long-term cost of IT.

The Basics of SOA Governance

Fundamentally the core principles of SOA governance are simply the next evolution of existing IT governance practices. This evolution extends IT governance and introduces an even greater business involvement in defining, supporting and managing IT service components. In this regard one of the major benefits of implementing SOA governance is to improve overall IT governance.

A cornerstone of any SOA governance framework is to improve organizational decision making. First it defines the decision rights for the new SOA services based within IT. Second it defines the new decision rights that exist between the business and IT organizations. This gives everyone in the organization a clear understanding what decisions need to be made and who can make them and eliminates any potential confusion and uncertainty. Always keep in mind that like IT governance, SOA governance is the responsibility of people and an integral part of the corporate governance strategy.

In practice SOA governance guides the development and implementation of reusable services within the SOA lifecycle. This lifecycle supports all aspects of an Enterprise SOA program including planning, deployment, support, infrastructure and not just the development processes of services. For services the SOA governance model establishes design, development and change requirements. SOA governance doesnt manage the actual design activity, but provides structure to the overall process. This includes answering the most common questions: What services are needed? How reliable should they be? How long will they be supported? What if you want to change them? Always remember that just because you expose a service doesnt mean that you are required to support it forever.

IT governance is the application of governance to an IT organization. This includes its people, processes and information to guide the way those assets support the needs of the business. SOA governance is the specialization of IT governance that puts key IT governance decisions within the context of the SOA lifecycle. Its the effective management and refinement of this lifecycle that is the key goal of SOA governance.

Naturally, the bigger the SOA implementation the more complex the governance roles and mechanisms must be. Governance arrangements take time to design and implement and are often difficult to enforce but without them every SOA project is at risk. Many times governance is more of a political problem than a technology one. Technology is focused on matching interface and protocols. While business focuses on functionality for servicing customers. The common characteristic is that both are focused on requirements. Governance is an important part of both efforts and focused on ensuring that everyone is working together and reducing potential redundancy. Governance does not determine what the results of decisions are, provides a framework that helps decide what decisions must be made and who will make them.

It is important to remember that IT governance is much broader than SOA governance. IT governance covers all aspect of IT including the issues that affect SOA like data models and security, as well as issues beyond SOA like data storage and desktop support. SOA governance is constrained to the SOA lifecycle. These include planning, publishing, discovery, versioning management and security. SOA governance views the enterprise as a set of standardized modular business components and processes. Then prioritizes these components based on business value. Ultimately, the SOA governance model is a combination of organizational structure, joint processes and relationships based on accepted ground rules called governance principles and the strategic direction of the business.

In SOA, service consumers and service providers are often very different entities but success is dependent on their agreement and ability to work together. Often services are developed by different departments or companies and most times require lots of coordination to work together successfully. For SOA to be successful, multiple application need to share a common set of services which means they need to coordinate on making those services common and reusable. This understanding between the service provider and consumer is captured in a Service Level Agreement (SLA). The SLA is responsible for articulating what the provider must do and what the consumer can expect. This includes a set of measurable goals that a service provider agrees to meet and that a service consumer agrees to live with. This agreement is a contract between the two parties and when dealing with external organization may actually be a legal contract. SLAs are incredibly important governance issues, and much more complex than in the days of the monolithic application systems or even in the days of simple reusable code and components.

Getting Started

For most organization SOA governance is enacted through a corporate mandated SOA Center of Excellence (COE). The COE is a mixture of knowledgeable SOA practitioners and key business stake holders. Once established this governing body assumes steering and management responsibility of the SOA initiative. This includes all phases of the SOA lifecycle from strategic planning to SOA infrastructure and operations requirements. Once the basic SOA governance policies are defined COE members then put them into practice, mentoring and assisting teams with developing services and composite applications.

The main responsibility of the COE is to determine the SOA governance policies. Only when this is completed can technology decisions be made. Its an important distinction to keep in mind as technology doesnt define an SLA but it can be used to enforce and measure compliance. For example, technology can measure a services availability and response time. Technology cant decide when to deprecate a service. Unfortunately this means governance can catch the blame for a challenging SOA implementation. Like application performance, governance may become an overwhelming concern and an excuse for every problem and justification for a questionable solution. A challenge for any SOA initiative and the COE is to use governance judiciously and not let concerns about the governance framework overwhelm everyone else.

Additional Considerations

I dont think it can be said enough that the ultimate SOA vision is tied directly to organizational goals. Governance is simply policy creation and enforcement within this structure. To make this more manageable the SOA vision is typically broken into a set of governable processes: project portfolio planning, service design, service utilization, and service operation. However before you can define the required governance in each phase, you have to define the goals of each phase. Once the goals are established governance helps to standardizes processes.

Any organization looking to start a SOA initiative is faced with what seems like an overwhelming amount of issues. The easiest place to start is to lay out the enterprise vision, objectives and business case to consider why you want to introduce SOA into an organization. This should always include a funding model that addresses initial and ongoing SOA funding, what types of ROI should be expected and how this ROI is defined. Then clarify the roles and responsibilities with each of these areas. Laying these out together combined with the enterprise objectives helps to create a supportive, knowledgeable and transparent organizational culture needed for SOA success. An important part of this is to fully document the business and technical aspects of the SOA infrastructure for both the service consumer and provider. Also always making sure to create business process in a service oriented way. This means analyzing their functional and nonfunctional requirements and enabling fundamental building block services like transformation, encryption, compression, authentication and authorization.

Finally it is important to define individual project success as a set of verifiable measurements. These measurements are based on a set of technical and non-technical considerations. Non-technical considerations include vision, objectives, business case and funding models. While technical aspects like infrastructure, tools and repositories are absolutely necessary, they are useless without the basic understanding of why and when to use them.

Governance Benefits

Always keep in mind everything needed to design and keep the SOA platform operational needs to be governed. It is important that governance begins as early as requirements management and spans over architecture, implementation, test and quality assurance. While there are many reasons for this the most important is to promote reuse and prevent the all too common not invented here syndrome. For governance the SOA platform is usually broken into design time and execution environments. While separate process they do have a lot of common aspects. Metadata is the most common example.

Design time governance is the part of the SOA lifecycle that ensures any analyst can find every piece of information about things that already exists and available. A well defined design time governance strategy helps to cut down on the time needed for the next project. Design time governance ensures that any existing artifacts, documents, models, or even service contracts are readily available and discoverable. Control over asset like documents, model, presentations, bug reports does initially have a productivity and dollar cost. An organization has to think and act for the long term SOA outlook and corporate vision. This means providing the proper tools to minimize the impact of this control and address the proper behaviors.

When the design time process is done and the service is completed and the proper SLAs have been negotiated the process is ready for deployment. Now the second phase of SOA governance begins. Runtime governance covers everything about the SOA platform execution and operation. For example, you need to recognize which services are called and by whom. Typically, runtime governance is technology driven. The runtime environment should detect potential performance bottlenecks before they occur, evaluate agreed service levels on both the service and consumer side, observe log files and log exceptions. In short it should constantly monitor every aspect of service execution. In contrast to design time governance, these tasks can easily be carried out without human involvement.

Summary

SOA governance is the next generation of IT governance based on corporate governance and helps to provide the much needed alignment between IT and business. It is an essential ingredient of modern business and something that will ensure the success of any SOA implementation. Fundamentally, SOA governance is a framework that is implemented in a set of steps that helps to manage the entire SOA lifecycle and infrastructure.