What Do You Get When You Mix Federal Policies and SOA Governance?

February 06, 2008 Data & AI

I'm not sure what you'd call it but I sure hope I never find out!

I think I'm starting at the end... where am I? Oh, yeah - SOA Governance. Right.

In 2006, when we (Actional) were first acquired (by Progress) I spent much of my time in our European Region (which, oddly, included places like Istanbul, Cape Town, and Moscow) meeting with customers to let them know what the acquisition meant to Progress' SOA portfolio. I met tons of customers and prospects, spoke at a gaggle of events, and ate way more airplane food than anyone believes is good for you.

One thing I noticed was that everyone was interested in SOA (or Services) Governance. Unfortunately, the second thing I noticed was that everyone meant something different by it.

Dave Linthicum seems to think it's the vendor's fault. I'd tend to agree, but... I think the blame needs to be shared by everyone angling for more budget under the auspices of grand projects critical to the absolute existence of SOA in the enterprise. Dave quotes Wikipedia's definition of SOA Governance as:

"SOA Governance is an emerging discipline which enables organizations to provide guidance and control of their service-oriented architecture (SOA) initiatives and programs."

He then goes on to define some (rather good) definitions of Run Time and Design Time governance.

It reminded me of an article that I read, apparently 125 days ago (Why can't editors put dates on the content they post?!?! This article has a 'posted 125 days ago' at the top instead.). Before reading that article, or this one published about two and a half years earlier, let me work a little magic* trick.

I'm going to take the shiny new object, SOA Governance, and turn it into a beat up old stodgy discipline. Watch carefully...

"SOA Governance is an emerging discipline which enables organizations to provide guidance and control of their service-oriented architecture (SOA) initiatives and programs."

Now, go ahead and read the two USA Today articles to see why SOA Governance is really nothing new.

SOA What? OK, I'll connect the dots.

Governance has been around for a long time... and having a governance repository/manual with rules does not ensure policy is followed. Even for something as big as building a gym, or as simple as buying an airplane ticket (simple in regards to "you are allowed coach, you are not allowed business class"), the system fails. And, it fails both due to purposeful manipulation and accidental misunderstanding.

Creating policies is not the trick, enforcing them is.

SOA Governance is no different from any other rules that organizations would like employees to follow when working on their behalf. Perhaps the reason it's come to the forefront is because, as a customer of mine said some time ago, "integration has become too easy." The only way to make sure the chaos that is SOA doesn't implode is to make sure employees are at least playing by shared guidelines.

Here's the nugget... Compliance systems often run a compliance check which, if passed, allows deployment into production. Only production is not governed... once you pass the border checkpoint, you're free to implement as you will (purposely or accidentally). With that sort of system in place, you will always find people who work around the system, ironically, either through intelligence OR stupidity. I mean, almost every messaging vendor I know has sent traffic through an open port 80 on a customer's firewall so that they wouldn't have to "bother the security guy" to complete their POC. The only way to have a useful design time solution is to have runtime governance of the design time policies in production AND development.

And, if I had to choose, I'd look to start with a runtime solution so that I could at least know what was compliant and what wasn't, and then use that information to build the policies necessary to achieve design time nirvana. And, I might hire one of the people in these articles who had some experience at working around compliance systems to make sure I did it right.
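As an added illustration of the point above (this is example code, not the author's or any Progress/Actional product), the same governance policy is evaluated twice: once at the deployment gate against what a service declares, and once over observed runtime calls. The policy fields, the manifest format and the call records are constructed assumptions; the service passes the gate on paper while its runtime traffic shows the port-80 shortcut.

```python
"""Design-time gate vs runtime enforcement of one governance policy.

Constructed example: the same Policy is applied to a service manifest
(the deployment "border checkpoint") and to observed runtime calls.
The manifest passes; the traffic does not.
"""
from dataclasses import dataclass, field

# Policy names and the manifest/call layouts are assumptions for this example.
@dataclass(frozen=True)
class Policy:
    allowed_ports: frozenset = frozenset({443})
    required_scheme: str = "https"
    approved_endpoints: frozenset = field(default_factory=frozenset)

def check_endpoint(policy: Policy, scheme: str, host: str, port: int) -> list:
    """Return the policy violations for one declared or observed endpoint."""
    findings = []
    if scheme != policy.required_scheme:
        findings.append(f"scheme {scheme} (policy requires {policy.required_scheme})")
    if port not in policy.allowed_ports:
        findings.append(f"port {port} not in allowed set {sorted(policy.allowed_ports)}")
    if host not in policy.approved_endpoints:
        findings.append(f"host {host} not on approved list")
    return findings

def design_time_gate(policy: Policy, manifest: dict) -> list:
    """Deploy-time compliance check: sees only what the service declares."""
    return [(d["name"], v) for d in manifest["dependencies"]
            for v in check_endpoint(policy, d["scheme"], d["host"], d["port"])]

def runtime_governance(policy: Policy, calls: list) -> list:
    """Same policy applied to what the deployed service actually does."""
    return [(c["service"], v) for c in calls
            for v in check_endpoint(policy, c["scheme"], c["host"], c["port"])]

POLICY = Policy(approved_endpoints=frozenset({"orders.internal.example"}))

# Constructed manifest: fully compliant on paper.
MANIFEST = {"name": "billing", "dependencies": [
    {"name": "orders", "scheme": "https", "host": "orders.internal.example", "port": 443}]}

# Constructed runtime observations: the declared call plus a POC shortcut over port 80.
CALLS = [
    {"service": "billing", "scheme": "https", "host": "orders.internal.example", "port": 443},
    {"service": "billing", "scheme": "http", "host": "partner-broker.example", "port": 80},
]

if __name__ == "__main__":
    print("design-time findings:", design_time_gate(POLICY, MANIFEST))
    print("runtime findings:", runtime_governance(POLICY, CALLS))
```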

* In case my ideas about governance are dull... I was at a lecture on how illusions trick the brain the other night. Using the word 'magic' reminded me. Awesome... click on magic, and it will take you to a picture you'd swear is moving... only it's not. It's a flat, un-animated GIF.

david bressler
