Planning_and_Impleme.. - didier beck weblog
Planning_and_Impleme.. - didier beck weblog
Planning_and_Impleme.. - didier beck weblog
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Technology Management <strong>and</strong> Strategy Report<br />
www.butlergroup.com<br />
Butler Group<br />
a Datamonitor Company<br />
<strong>Planning</strong> <strong>and</strong><br />
<strong>Impleme</strong>nting<br />
SOA<br />
Ensuring the Successful Deployment of<br />
a Services-based Approach<br />
December 2006<br />
Analysis without compromise
www.butlergroup.com<br />
Technology Management <strong>and</strong> Strategy Report<br />
SECTION 1:<br />
SOA Deployment<br />
Butler Group<br />
a Datamonitor Company
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
ADOPTION OF SOA BY ENTERPRISES<br />
CATALYST<br />
Service Oriented Architecture (SOA) has become one of the latest buzzwords propagated by the IT industry.<br />
Most enterprises have now heard of SOA – at least to some extent – but how are they responding to it? Adoption<br />
rates vary enormously across various studies <strong>and</strong> this Section examines the evidence so far on adoption rates.<br />
With the promise to deliver flexibility <strong>and</strong> agility to the enterprise by dramatically cutting development<br />
times <strong>and</strong> costs, SOA has become a ‘hot topic’ in enterprise IT departments. The adoption of SOA has<br />
already become reality for a number of enterprises with the following key trends emerging:<br />
SUMMARY<br />
SOA adoption rates vary significantly across enterprises.<br />
Staffing issues, security concerns, <strong>and</strong> a lack of awareness of SOA are inhibiting SOA<br />
adoption.<br />
Enterprises expect cost savings to come from SOA deployment, though these will be<br />
in the long term.<br />
ANALYSIS<br />
SOA adoption rates vary significantly across enterprises.<br />
News articles during 2006 have quoted wildly different rates of adoption for SOA, ranging from figures indicating<br />
some 80% of organisations are working on SOA projects to rather more realistic adoption rates of less than 30%.<br />
Any new paradigm is bound to take time to get a widespread underst<strong>and</strong>ing, <strong>and</strong> it will often depend on where<br />
an organisation is currently in its IT adoption as to what their level of interest is in SOA.<br />
A recent survey of 90 end users in the US <strong>and</strong> in Western Europe (UK, France <strong>and</strong> Germany) conducted by<br />
Datamonitor provides insight into enterprises’ reaction to SOA. Some 30% of the respondents said that they were<br />
beginning to embrace a SOA infrastructure. Within the survey group, size of organisation also appeared to be an<br />
important factor on adoption rates. For example, Figure 8.1.1 illustrates that adoption rates in larger<br />
organisations were significantly higher than in smaller ones.<br />
Figure 8.1.1: SOA Adoption by Size of Organisation (Source: Datamonitor)<br />
December 2006 Section 1: SOA Deployment 3
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
Large organisations tend to have a greater need for integrating applications <strong>and</strong> services across their<br />
businesses. They are also more often challenged with unforeseen <strong>and</strong> changing dynamics created by M&A<br />
activity, new partnerships, expansion, <strong>and</strong> new customer requirements. SOA promises to deliver the ability<br />
to change <strong>and</strong> modify enterprise processes to match such changes<br />
As might be expected,<br />
Technology <strong>and</strong><br />
Financial Services are<br />
the dominant verticals<br />
in terms of SOA<br />
adoption.<br />
dynamically to business processes <strong>and</strong> activity. Smaller organisations may<br />
either be less mature in their usage of technology, or may simply have fewer<br />
business drivers that are forcing a review of alternatives such as SOA.<br />
As might be expected, Technology <strong>and</strong> Financial Services are the dominant<br />
verticals in terms of SOA adoption. They are heavily dependent on IT <strong>and</strong> are<br />
sophisticated in terms of their IT adoption. Enterprises within these verticals<br />
usually run a large number of applications <strong>and</strong> their operations are often<br />
spread across various locations, meaning that the need to integrate processes<br />
across platforms is a constant priority. They also have large, knowledgeable IT-departments <strong>and</strong> are<br />
consequently less inhibited by new technologies. Other verticals, such as Healthcare, Manufacturing, <strong>and</strong><br />
the Public Sector, currently have lower SOA adoption rates, largely due to a more risk-averse approach to<br />
the adoption of the latest technologies, but also likely to be related to other business drivers taking<br />
precedence, <strong>and</strong> a lack of underst<strong>and</strong>ing.<br />
Figure 8.1.2: SOA Adoption by Vertical (Source: Datamonitor)<br />
Across different regions, the Datamonitor survey backs up discussions with various infrastructure <strong>and</strong> technology<br />
vendors that implied that there is little difference in adoption rates, at least between the US <strong>and</strong> Europe, Middle<br />
East, <strong>and</strong> Africa (EMEA) regions. Some 48% of positive respondents were based in the US <strong>and</strong> 42% in EMEA.<br />
Vendor discussions imply that adoption rates are marginally higher in the US than in Europe, but most agreed<br />
that adoption was probably lower than might be expected from the volume of hype that surrounds SOA.<br />
The Web site eBizQ (www.ebizq.net)– which covers many integration-related issues – published a survey of<br />
just over 300 of its members in October 2006. This indicated a rather more bullish uptake of SOA, with<br />
28% of respondents claiming to have some services deployed, with another 21% considering themselves<br />
to be in the pilot stages. A further 24% are currently exploring SOA. In most cases, of those organisations<br />
that had deployed some services, there were fewer than ten in production, with Web services being the<br />
most widely adopted service type; here there were a few respondents that had significantly more than ten<br />
deployed services with some 10% having more than 100 in use. Again, Financial Services, Telecoms, <strong>and</strong><br />
Technology companies were at the forefront, backing up the Datamonitor findings (some 21 different<br />
industries were represented in the response group). The main drivers for adoption were increased business<br />
agility, IT reuse, business process optimisation, <strong>and</strong> composite application development (multiple responses<br />
were permitted in the survey). This response did imply that the business was driving much of the adoption.<br />
4 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
Quocirca, a UK-based market research company, paints a rather less rosy picture. In a rather larger sample<br />
(some 1,500 respondents) that was surveyed in research sponsored by Oracle earlier in 2006, around 30%<br />
claimed that they did not underst<strong>and</strong> what SOA was. A further 25% said they had minimal knowledge of<br />
it, <strong>and</strong> only 20% stated they had a fair underst<strong>and</strong>ing or a good working knowledge of what SOA is all<br />
about. The respondents in this research were a mixture of technical <strong>and</strong><br />
business people, which may explain the low levels of underst<strong>and</strong>ing to an<br />
extent – but the lack of SOA awareness is worrying given that for SOA to be a<br />
successful strategy, it must have business sponsorship.<br />
The Quocirca research shows that less than 10% of respondents’<br />
organisations already had a SOA infrastructure, <strong>and</strong> 17% had no plans at all<br />
to look at one. Nearly 30% saw the move as being too difficult based on their<br />
existing infrastructure – indicating that where there is underst<strong>and</strong>ing, the<br />
concern is that there will be significant infrastructure requirements. This<br />
implies that the vendor-centric emphasis of SOA to date is turning people off<br />
the idea, <strong>and</strong> there is a limited underst<strong>and</strong>ing of the benefits of SOA.<br />
...research shows that<br />
less than 10% of<br />
respondents’<br />
organisations already<br />
had a SOA<br />
infrastructure, <strong>and</strong><br />
17% had no plans at<br />
all to look at one.<br />
A final survey, which has the benefit of indicating changes in responses over time, comes from Evans Data<br />
Corporation, conducted during the spring of 2006 across almost 400 managers <strong>and</strong> developers. This was<br />
focused on Web services development, <strong>and</strong> indicates that from 2005 to 2006 the percentage of functioning<br />
SOA implementations has almost doubled. The survey showed that 24% of respondents claim to currently<br />
implement SOA, an 85% increase over 2005. It also indicated that the number of Web services in use is<br />
also rising, with 30% of respondents anticipating that they will be using more than 20 services in the next<br />
year, a 58% increase from today. Performance, especially relating to reliability <strong>and</strong> availability, was seen as<br />
a serious concern here.<br />
Staffing issues, security concerns, <strong>and</strong> a lack of awareness of SOA are<br />
inhibiting SOA adoption.<br />
Given the varied adoption rates across the market, a number of common reasons emerge as to why adoption<br />
has not taken off in reality as much as some pundits are claiming.<br />
Figure 8.1.3: Obstacles to SOA Adoption (Source: Datamonitor)<br />
December 2006 Section 1: SOA Deployment 5
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
The Datamonitor survey already mentioned indicated that a lack of technical in-house expertise (27%) is<br />
the main reason for not adopting SOA. This factor was particularly significant as a barrier to deployment in<br />
the Public Sector <strong>and</strong> Manufacturing vertical markets.<br />
However, there are a number of other reasons why SOA is not seeing a wider uptake, with security concerns<br />
a significant contributor. For many end users (<strong>and</strong> rather more so, the IT department that is tasked with<br />
ensuring security), the idea of having their applications exposed as services to all comers on the Web signals<br />
increased vulnerability. There is a concern that the flexibility of SOA may come at the expense of reduced<br />
security. The Evans Data survey also found that authentication of on-line identities is the greatest security<br />
challenge to Web services, with one in four respondents saying that the inability to confirm the identities of<br />
on-line users <strong>and</strong> services is the biggest problem.<br />
Whilst there are many security initiatives under way, gaining better underst<strong>and</strong>ing of the issues <strong>and</strong> how they<br />
may be overcome (for example, by supporting encryption once messages travel outside firewalls) will help.<br />
A basic lack of awareness is also limiting adoption; the Datamonitor survey showed that 13% of the<br />
respondents had not heard about SOA, whilst another 17% could see no need for SOA, or had not looked<br />
at SOA yet. This was most prevalent in those verticals with low adoption rates, in particular the<br />
Manufacturing sector.<br />
The Evans Data survey highlighted another important issue – 25% of respondents stated that the leading<br />
problem in implementation of Web services was either a lack of industry st<strong>and</strong>ards or changes in st<strong>and</strong>ards,<br />
a 67% increase from the previous survey on this issue. Certainly, st<strong>and</strong>ards around SOA are still maturing,<br />
<strong>and</strong> it is interesting to see that this is seen as a barrier to adoption.<br />
Enterprises expect cost savings to come from SOA deployment, though<br />
these will be in the long term.<br />
In the Datamonitor survey, only 5% of the surveyed enterprises saw cost issues as a reason for not adopting<br />
SOA. The majority (67%) of the surveyed organisations that are adopting SOA do not expect their overall<br />
IT spending to increase as a result. As SOA impacts all areas of an enterprise’s IT structure (<strong>and</strong> therefore<br />
its spending), it also suggests that enterprises believe that SOA will help them to save costs.<br />
<strong>Impleme</strong>nting SOA certainly requires investment in its early stages, in areas such as planning, setting up a<br />
roadmap, assessment of business processes, <strong>and</strong> re-design of the IT structure. One of the main concerns is that<br />
<strong>Impleme</strong>nting SOA<br />
certainly requires<br />
investment in its early<br />
stages, in areas such<br />
as planning, setting<br />
up a roadmap,<br />
assessment of<br />
business processes,<br />
<strong>and</strong> re-design of the<br />
IT structure.<br />
new infrastructure <strong>and</strong> new ways of working will be needed to make SOA work.<br />
This implies that pilot <strong>and</strong> early adopter projects will have a net cost to the<br />
organisation, <strong>and</strong> will therefore require very careful justification. Converting to<br />
SOA is a fundamental change that will require the restructuring of many existing<br />
applications, in order to use the available resources in an optimal way.<br />
Potential cost savings will drive the adoption of SOA. If one can reuse services<br />
that have already been built, less time <strong>and</strong> money is required when developing<br />
new applications, driving costs down by eliminating duplicate systems.<br />
However, where many of the benefits are likely to be realised most quickly are<br />
where new projects allow access to new markets, by enabling loosely-coupled<br />
yet automated interactions to existing systems.<br />
As well as infrastructure, an area that is likely to require greater spending is<br />
IT services – in part, with technology vendors but also with services providers<br />
that have already assisted in successful SOA implementations. Learning from others’ success is a major<br />
benefit to the ‘second wave’ of adopters – as is underst<strong>and</strong>ing where projects have gone astray.<br />
A piece of valuable insight from the Quocirca survey showed that those survey respondents who had gone<br />
fully down the SOA route saw major benefits for their organisations. These organisations are more<br />
competitive, due to the flexibility of their optimised environments. Often it is new functionality that is being<br />
implemented in a service-oriented manner, although there is also an element of re-architecting existing<br />
infrastructure to be more service oriented.<br />
6 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
SOA ROADMAP<br />
CATALYST<br />
SOA is not something that will happen overnight. It is much more likely that an organisation will take a<br />
number of years to achieve a true SOA. Underst<strong>and</strong>ing this, <strong>and</strong> planning how the organisation will move<br />
towards that goal will be facilitated by the creation of an organisational-specific roadmap that helps it<br />
underst<strong>and</strong> where it is now, <strong>and</strong> where it needs to work next in order to best achieve the goal.<br />
SUMMARY<br />
<strong>Planning</strong> a strategy across several domains provides visibility.<br />
SOA may not be the appropriate architectural model for all systems.<br />
The move to SOA will take many years for the majority of organisations.<br />
Careful strategy can help to future-proof SOA developments.<br />
ANALYSIS<br />
With the level of hype around SOA, one could be forgiven for thinking that it is a concept that organisations<br />
should be able to ‘do’ rapidly <strong>and</strong> move on. However, evidence indicates that a more realistic timescale for<br />
SOA is at least five years from the start – <strong>and</strong> probably significantly longer. The challenges of SOA,<br />
compounded with the lack of genuine underst<strong>and</strong>ing, mean that this could even be quite optimistic – the<br />
changes required to the way organisations work may mean that early attempts do not deliver the expected<br />
benefits, unless carefully managed <strong>and</strong> controlled.<br />
<strong>Planning</strong> a strategy across several domains provides visibility.<br />
Successful SOA will require that all areas of an organisation need to underst<strong>and</strong> the impact of SOA, <strong>and</strong><br />
what it is likely to do for them. In order to achieve the goal, as with setting any organisational change target,<br />
underst<strong>and</strong>ing the different areas that need to be involved, <strong>and</strong> setting objectives for each area at each<br />
Successful SOA is<br />
about the process of<br />
change –<br />
underst<strong>and</strong>ing how it<br />
may affect the<br />
organisation <strong>and</strong><br />
what the organisation<br />
is aiming for.<br />
phase looking forward will be a valuable exercise. Successful SOA is about the<br />
process of change – underst<strong>and</strong>ing how it may affect the organisation <strong>and</strong><br />
what the organisation is aiming for. SOA requires highly cross-organisational<br />
focus – it is about getting the organisation to come out of its departmental<br />
‘silos’, <strong>and</strong> developing an awareness across the organisation. The rise of<br />
shared services is a business-centric start for this process – underst<strong>and</strong>ing that<br />
a particular competency can be provided as a service to other areas of the<br />
organisation. In some respects, the business is already ahead of IT here!<br />
Often viewed as a type of maturity model, the objective of defining a high-level<br />
roadmap is to ensure that progress is made in each of the main areas before<br />
moving on to the next phase. If any of the individual areas has not progressed, it<br />
is likely that any move to SOA will be less effective than anticipated. Each organisation should develop its own<br />
roadmap as part of the planning process, but may be guided by the model we provide here as Figure 8.2.1.<br />
A number of vendors have developed maturity models for SOA (including Amberpoint, BEA Systems, IBM,<br />
Sonic Software, <strong>and</strong> Systinet (now Mercury)). However, a maturity model would probably align best with<br />
an independent body like the Software Engineering Institute (SEI), which has developed the Capability<br />
Maturity Model Integration (CMMI). The Butler Group SOA Roadmap has been formed by reference to<br />
several of these models, together with discussions with early adopters <strong>and</strong> systems integrators.<br />
December 2006 Section 1: SOA Deployment 7
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
Phase 1 –<br />
Investigation <strong>and</strong><br />
Discovery<br />
Phase 2 –<br />
Development <strong>and</strong><br />
Deployment<br />
Phase 3 – SOA<br />
Transformation<br />
Phase 4 – SOA<br />
Maturity (The<br />
Service Oriented<br />
Enterprise)<br />
Business Vision<br />
Define Business<br />
Case<br />
Education<br />
Business Model<br />
Development<br />
Business metrics<br />
Optimisation<br />
Process stream<br />
analytics<br />
Business networks<br />
Architecture<br />
Develop<br />
architecture<br />
competency<br />
Business <strong>and</strong><br />
technical<br />
architecture<br />
Data <strong>and</strong><br />
application<br />
architecture<br />
Common service<br />
architecture<br />
Data<br />
Management<br />
Service to<br />
information<br />
mapping<br />
Develop<br />
information<br />
architecture<br />
competency.<br />
Master Data<br />
Management<br />
Content in<br />
processes<br />
Business Activity<br />
Monitoring<br />
Dynamic process<br />
optimisation<br />
Develop corporate<br />
data dictionary<br />
Control <strong>and</strong><br />
Governance<br />
Roles <strong>and</strong><br />
responsibilities<br />
Organisational<br />
structures<br />
Change<br />
management<br />
Dynamic<br />
governance<br />
Policies<br />
Infrastructure<br />
Messaging<br />
infrastructure<br />
ESB<br />
Services registry<br />
<strong>and</strong> repository<br />
Rules<br />
Service<br />
management<br />
infrastructure<br />
Autonomic service<br />
infrastructure<br />
Development<br />
methods<br />
Acquire serviceoriented<br />
expertise<br />
Service<br />
development <strong>and</strong><br />
re-use<br />
Composite<br />
application<br />
development<br />
Rapid application<br />
assembly<br />
Business Vision<br />
Figure 8.2.1: SOA Roadmap<br />
During the discovery phase, it is vital to define the business case – to underst<strong>and</strong> why SOA is needed for<br />
the organisation <strong>and</strong> to establish what is trying to be achieved. Even in an organisation where business<br />
management is already pushing for change, it will still be valuable to focus on<br />
During the discovery<br />
phase, it is vital to<br />
define the business<br />
case – to underst<strong>and</strong><br />
why SOA is needed<br />
for the organisation<br />
<strong>and</strong> to establish what<br />
is trying to be<br />
achieved.<br />
the desired business objectives. Parallel to this is the need to educate,<br />
particularly at the higher levels. A large amount of material exists on SOA, <strong>and</strong><br />
distilling this into usable <strong>and</strong> inspirational value can be a challenge – some of<br />
the more business-focused publications here include Enterprise SOA (Dan<br />
Woods <strong>and</strong> Thomas Mattern, O’Reilly), <strong>and</strong> Mashup Corporations (Andy<br />
Mulholl<strong>and</strong>, Chris S. Thomas, Paul Kurchina, <strong>and</strong> Dan Woods, Evolved<br />
Technologist Press).<br />
At the development <strong>and</strong> deployment phase, the business needs to develop its<br />
business models – to underst<strong>and</strong> where it is heading. This will include an<br />
underst<strong>and</strong>ing of where it fits in a supply chain or similar extended enterprise,<br />
<strong>and</strong> what it could expect partners <strong>and</strong> customers to dem<strong>and</strong>.<br />
8 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
The SOA Transformation stage will involve establishing the business metrics (or Key Performance Indicators<br />
– KPIs) that work for the organisation. Whilst there may be some generic KPIs, it is important that the<br />
organisation underst<strong>and</strong>s what metrics are important to them, <strong>and</strong> subsequently identifies how to measure<br />
<strong>and</strong> use the information that is then generated. By this phase, alignment should be significantly improved<br />
<strong>and</strong> business <strong>and</strong> technology working together in partnership. The<br />
organisation will be implementing both internal <strong>and</strong> external processes <strong>and</strong><br />
services, <strong>and</strong> working towards optimisation of those services.<br />
By the time the organisation has evolved to SOA maturity, it will be receiving<br />
feedback from all aspects of the enterprise <strong>and</strong> can look to using this feedback<br />
on an ongoing basis in order to continually optimise business processes.<br />
Process optimisation is an ongoing concept, not an end point in itself.<br />
Architecture<br />
Butler Group has discussed the importance of enterprise architecture many<br />
times, <strong>and</strong> believes that when moving to SOA, the ‘A’ – architecture, as in the<br />
fundamental organisation of a system embodied by its components, their<br />
relationship to each other <strong>and</strong> to the environment <strong>and</strong> the principles guiding its design <strong>and</strong> evolution (IEEE<br />
P1471/D5.3) – becomes critical. This has to include the business (people) side as well as the technology<br />
aspects, <strong>and</strong> may extend outside the enterprise, particularly in collaborative environments.<br />
During the discovery phase, an organisation may need to develop an architecture competency if one does<br />
not exist – gaining an underst<strong>and</strong>ing of architecture concepts <strong>and</strong> benefits can clarify both business <strong>and</strong> IT<br />
objectives.<br />
The development <strong>and</strong> deployment phase should see this competency then being put to work to define the<br />
business <strong>and</strong> technical architecture for the organisation – <strong>and</strong> will need to work closely with the business<br />
to underst<strong>and</strong> how the business needs will drive the underlying technology structures.<br />
The SOA transformation phase will see the full fleshing-out of more formal data <strong>and</strong> application<br />
architectures, as architectural awareness grows <strong>and</strong> the organisation itself evolves.<br />
When an organisation moves into the SOA maturity phase, it will be developing a common service architecture,<br />
where reuse of existing services is a given, <strong>and</strong> new services evolve easily as needs become apparent.<br />
Data Management<br />
Data is an undervalued area in these days of distributed computing, but developing a corporate data model<br />
will be vital in making sense of how data can best be reused in SOA. When Enterprise Resource <strong>Planning</strong><br />
(ERP) systems were developed, little attention was paid to how information would be used – they were<br />
designed to be optimised for transactions but not for information <strong>and</strong><br />
In the investigation<br />
<strong>and</strong> discovery phase,<br />
the organisation<br />
should develop an<br />
information<br />
architecture<br />
competency, <strong>and</strong> start<br />
defining a service to<br />
information mapping.<br />
The SOA<br />
Transformation stage<br />
will involve<br />
establishing the<br />
business metrics (or<br />
Key Performance<br />
Indicators – KPIs) that<br />
work for the<br />
organisation.<br />
reporting. There is a risk with SOA that the data services needed to deliver<br />
adequate information <strong>and</strong> intelligence will be an afterthought as well.<br />
In the investigation <strong>and</strong> discovery phase, the organisation should develop an<br />
information architecture competency, <strong>and</strong> start defining a service to<br />
information mapping. This should help clarify what data is stored, where it is<br />
duplicated <strong>and</strong> potentially redundant, <strong>and</strong> where there may be gaps in<br />
corporate data that are filled by personal sources. At this stage, it will be<br />
valuable to develop a corporate data dictionary – complete with semantic<br />
definitions so that there is a common underst<strong>and</strong>ing across the organisation.<br />
During the development <strong>and</strong> deployment phase, master data management will<br />
become a necessity. Organisations today have multiple versions of common<br />
data items, <strong>and</strong> whilst this may be necessary in a distributed (both technically <strong>and</strong> geographically) world,<br />
it will also be a major challenge. Underst<strong>and</strong>ing where data originates, who the owner should be, <strong>and</strong><br />
developing a policy for ensuring that master data is rapidly propagated to where it needs to be used, must<br />
be addressed during this phase. At this stage, the organisation will need to develop an underst<strong>and</strong>ing of<br />
where <strong>and</strong> what content is used in its various processes.<br />
December 2006 Section 1: SOA Deployment 9
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
At SOA maturity, the<br />
organisation will start<br />
to be able to<br />
dynamically optimise<br />
processes based on<br />
the visibility of data.<br />
By the SOA transformation phase, a deeper underst<strong>and</strong>ing of data<br />
requirements will become apparent. Business Activity Monitoring (BAM)<br />
should be starting to be used in this phase so that the organisation can see,<br />
on an up-to-date basis, where there may be performance issues.<br />
At SOA maturity, the organisation will start to be able to dynamically optimise<br />
processes based on the visibility of data. New data sources <strong>and</strong> types may<br />
need to be introduced, but the architecture will have been defined to enable<br />
swift incorporation of new data services that can then be used in conjunction<br />
with existing ones.<br />
Control <strong>and</strong> Governance<br />
At the investigation phase, most organisations will want to pay scant attention to control <strong>and</strong> governance<br />
issues, but although a heavy h<strong>and</strong>ed approach is likely to be unnecessary, a degree of governance will be<br />
required early on. The right organisational structure to m<strong>and</strong>ate <strong>and</strong> govern the development of services will<br />
need to be worked out, including establishing ownership of services. Without good governance, there is a<br />
risk that services will be created to satisfy whims that are not genuine business needs.<br />
By the development <strong>and</strong> deployment phase, organisational structures including roles <strong>and</strong> responsibilities<br />
must become more clearly defined. Underst<strong>and</strong>ing what is expected of the various parts of the organisation<br />
– <strong>and</strong> this is not only the IT function – will be important to ensure adequate<br />
control is there. Policies should start to become visible by this stage,<br />
Change management, which will already have started to become an issue,<br />
needs to be resolved during the SOA transformation stage. Whilst in an ideal<br />
world services should be carefully defined up-front to avoid change, in the real<br />
world change may be needed, <strong>and</strong> will need to be managed <strong>and</strong> governed.<br />
Tools to assist will have developed in maturity by this time (there are already<br />
many available today).<br />
Once an organisation moves into the SOA maturity phase, the concept of<br />
dynamic governance will start to become real. For this to happen, it must be possible to examine what<br />
messages are being routed through the organisation, measure response times, <strong>and</strong> take corrective action<br />
dynamically if there are any issues.<br />
Infrastructure<br />
During the investigation <strong>and</strong> discovery phase, organisations will need to look at their infrastructure <strong>and</strong><br />
modernise it to put certain basic elements in place. It may be possible to reuse an existing messaging<br />
infrastructure, <strong>and</strong> layering Enterprise Service Bus (ESB) technology on top is likely to be a route that many<br />
organisations will already be investigating. An area to watch here is the growth of the open source<br />
Infrastructure<br />
requirements will<br />
evolve during the<br />
move to SOA, <strong>and</strong> by<br />
the SOA<br />
transformation phase,<br />
it will be necessary to<br />
develop a<br />
comprehensive<br />
service management<br />
infrastructure...<br />
Change management,<br />
which will already<br />
have started to<br />
become an issue,<br />
needs to be resolved<br />
during the SOA<br />
transformation stage.<br />
technology stack, which may provide a useful way of testing out options with<br />
lower investment.<br />
In the development <strong>and</strong> deployment phase, organisations should start to use<br />
the idea of a services registry <strong>and</strong>/or repository. This will help with some of<br />
the governance issues, as well as ensuring that all participants underst<strong>and</strong><br />
what services are already available. Here it will also be valuable to develop an<br />
underst<strong>and</strong>ing of the business rules that are already present, but that are<br />
embedded deep in multiple business systems. These must be separated from<br />
those core systems to enable business users to make modifications to them<br />
easily.<br />
Infrastructure requirements will evolve during the move to SOA, <strong>and</strong> by the<br />
SOA transformation phase, it will be necessary to develop a comprehensive<br />
service management infrastructure that overlaps with, <strong>and</strong> reflects the<br />
business services that are in use. By this phase, SOA infrastructure tools must<br />
be merging with the other IT service management tools <strong>and</strong> techniques that are in place today; for example,<br />
there is likely to be significant overlap between a Configuration Management DataBase (CMDB) <strong>and</strong> service<br />
registries that should be resolved during this phase.<br />
10 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
By the SOA maturity phase, the real dynamism that SOA can offer should start to become feasible, with an<br />
autonomic service infrastructure allowing services to be identified <strong>and</strong> accessed on-the-fly. Forecasting how<br />
infrastructure is likely to change so far into the future is like gazing into a crystal ball, but a policy-based<br />
solution is likely to support this model the best.<br />
Development Methods<br />
One of the key needs of the investigation <strong>and</strong> discovery phase will be to acquire service-oriented expertise. This<br />
may be easier said than done, since it requires a move from functionality <strong>and</strong> application-oriented thought <strong>and</strong><br />
design processes to a service-oriented one. It will also be vital to have a broad underst<strong>and</strong>ing of current systems<br />
<strong>and</strong> technologies; it is unlikely to be wise to buy external SOA skills at the expense of upgrading internal skillsets.<br />
This change of emphasis will need a significant human change management effort.<br />
During the development <strong>and</strong> deployment phase, we would expect organisations to be moving on from pilot<br />
projects towards a reasonable degree of service development <strong>and</strong> reuse; this is where it will be apparent<br />
that the different domains are inter-related, since without the other horizontal areas keeping up, it would<br />
be all too easy to develop runaway services that do not suit business needs. Essentially, a service serves;<br />
the questions to be resolved at this phase are how, where, why, when, to whom, <strong>and</strong> if it is needed at all?<br />
Although a few composite applications exist today (for example SAP, together with some of its partners, have<br />
created what they refer to as X-APPS, which link together several services both from within SAP’s<br />
application <strong>and</strong> external to it), Butler Group does not see a significant move to this paradigm until<br />
organisations are ready to move to the SOA transformation phase. Here, it is anticipated that composite<br />
application development will become much more commonplace, <strong>and</strong> large, single-purpose applications will<br />
gradually reduce.<br />
In the SOA maturity phase we will start to see rapid application assembly, where composite applications<br />
are the norm – in fact they are created <strong>and</strong> then overtaken by new ones from the underlying services which<br />
become available. This will need service creation to be fully understood throughout the organisation. The<br />
IT function will need to support the composition paradigm fully, with graphical composition tools in the<br />
h<strong>and</strong>s of business-facing experts.<br />
SOA may not be the appropriate architectural model for all systems.<br />
Whilst SOA holds the promise of flexibility, agility, <strong>and</strong> potential for future cost savings, it may not be the<br />
most appropriate architectural model for all systems. Where complex transactions are involved that need<br />
tightly coupled links between the various phases of the transactions, a SOA is unlikely to be a suitable<br />
model, particularly if very high volumes of transactions are involved with high performance requirements.<br />
Stateful, long-running, orchestrated business conversations are not well-suited to a SOA approach, as the<br />
management of such complexity is beyond SOA, certainly at the moment.<br />
Where an application is very self-contained <strong>and</strong> structured, <strong>and</strong> components have been designed to be<br />
tightly coupled, there is little advantage in breaking it down into services that are insulated from each other.<br />
Additionally, where an organisation has recently implemented a new enterprise application, such as an ERP<br />
system, which is in widespread use throughout the organisation <strong>and</strong> is starting to meet its transactional <strong>and</strong><br />
informational needs, there is little relevance in even considering SOA. However, the vendors of most of the<br />
major enterprise applications are certainly paying serious attention to SOA – they are facing many of the<br />
problems, such as rigid processes, that SOA can address. It is therefore likely that future versions of such<br />
applications will be service-enabled, <strong>and</strong> permit choice in how the individual services are assembled in the<br />
future.<br />
Where only one or two applications are in use in a homogeneous IT environment, <strong>and</strong> they are not likely to<br />
change, imposing a SOA would add unnecessary overhead at this stage. Organisations may want to start<br />
investigating SOA within the next year or two, to establish if it is likely to have any benefits for them – <strong>and</strong><br />
even so, there may be no apparent need to change for the foreseeable future. In cases such as this, service<br />
orientation might be an appropriate model for new functionality, particularly when external partners <strong>and</strong><br />
collaborations may be relevant. The book ‘Mashup Corporations’ has some examples illustrating this usage<br />
of SOA for new projects.<br />
December 2006 Section 1: SOA Deployment 11
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
The move to SOA will take many years for the majority of<br />
organisations.<br />
It is all very well establishing a roadmap, but a question that is often asked is how long will SOA take to<br />
be a normal business/IT paradigm? As with any other forecast of the future, this is a challenging question.<br />
Certainly, some large organisations are starting to underst<strong>and</strong> that things are unlikely to stay as they are,<br />
<strong>and</strong> the benefits of service orientation imply that it will be a good model to follow.<br />
The four phases that we discussed are likely to take a number of years for any organisation, even the most<br />
flexible <strong>and</strong> agile out there. Some organisations are already starting to work on phase one – educating<br />
themselves about SOA; in fact this has already been underway for two or three years now in early adopters.<br />
Where SOA is likely to gain limited uptake for a number of years to come is in the mid-market – here, we<br />
are still seeing a continual shift away from st<strong>and</strong>alone applications that only cover a small part of the<br />
business, enhanced by a ‘sticky tape <strong>and</strong> string’ collection of applications, spreadsheets, <strong>and</strong> e-mail,<br />
towards more integrated ERP systems. For these organisations to then be told they need to break up these<br />
applications into services seems like a backward step. Mid-market companies <strong>and</strong> other medium-sized<br />
organisations (for example, in the Public Sector) are far less likely to be even thinking about what SOA might<br />
mean for some time yet – <strong>and</strong> when they do they will not appreciate being pushed into making decisions<br />
by the vendors. Not all organisations will either want or be ready for SOA.<br />
Careful strategy can help to future-proof SOA developments.<br />
As with any new technology idea, the suspicion is that hype is rather more than the content, <strong>and</strong> it will<br />
soon be replaced by ‘the next big idea’. Butler Group believes that the terminology, SOA, might be<br />
superseded, but that the concept of a service-oriented organisation is very much the model of the future.<br />
Having said that, there are steps that organisations can take to ensure that any work they do on SOA<br />
projects will still be relevant as technologies <strong>and</strong> business challenges change in the future.<br />
Process Discovery <strong>and</strong> Modelling<br />
The way that organisations have evolved has frequently been very hit-<strong>and</strong>-miss, as management structures<br />
grew to cope with the changing business environment. Developing a thorough underst<strong>and</strong>ing of what the<br />
business processes are within an organisation will be valuable, whatever happens in the future.<br />
Adoption of Technical St<strong>and</strong>ards<br />
St<strong>and</strong>ards are often seen as an invention by vendors that can lag a number of years behind what the vendors<br />
themselves are offering – witness the number of vendors that add ‘extensions’ to st<strong>and</strong>ards in order to<br />
provide specific capabilities. What is probably as important as underst<strong>and</strong>ing the wider technical st<strong>and</strong>ards<br />
is at least picking what works for the organisation, <strong>and</strong> promoting the use of those within the organisation.<br />
De facto st<strong>and</strong>ards can be as relevant in the real world as those that are formally ratified by the various<br />
st<strong>and</strong>ards bodies, as this indicates widespread adoption. Participation on st<strong>and</strong>ards bodies may be a major<br />
commitment but will at least provide end-user perspectives directly to the st<strong>and</strong>ards process, <strong>and</strong> should<br />
be considered by organisations that can afford such commitment.<br />
Maximising the Level of Abstraction<br />
Whenever business-relevant information is buried within technology <strong>and</strong> tools, it becomes harder to change,<br />
requiring the relevant skills <strong>and</strong> knowledge to do so. Wherever possible, this needs to be abstracted to the<br />
highest level possible to make it much easier to change, <strong>and</strong> reduce the skills required to make that change.<br />
This approach is highly consistent with SOA.<br />
A Solid Architectural Framework<br />
There is a myriad of tools <strong>and</strong> technologies on the market for SOA-enablement, <strong>and</strong> organisations need to<br />
take care to underst<strong>and</strong> the underlying architectures within them to avoid lock-in wherever possible.<br />
Creating a solid architectural framework for the organisation, based on its own needs, skills, <strong>and</strong> future<br />
plans, will help to ensure that work done for SOA projects is relevant to these internal requirements.<br />
12 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
The Role of Business Rules<br />
Business rules is one of those phrases that is reasonably understood, even if not always well-defined.<br />
Separating out such business rules from the tangled web of code where they are usually buried, is a valid<br />
exercise that will repay efforts whatever architectural style is the current trend. Rules should be visible,<br />
manageable, <strong>and</strong> therefore under the control of business people rather than technologists.<br />
Creating Generic Interfaces<br />
The major problem with many older technologies is that the interfaces to applications were often hardcoded<br />
with those applications, making it necessary to amend significant amounts of code any time a change<br />
was needed. Separation of interface from application is already a feature of n-tier architectures that is still<br />
valid in a SOA approach, <strong>and</strong> will still be relevant in the future. Future-proofing SOA can be achieved by<br />
continuing to create generic interfaces to older applications.<br />
SOA MANAGEMENT AND GOVERNANCE<br />
CATALYST<br />
Once services start to be deployed, the joint issues of SOA management <strong>and</strong> governance will dem<strong>and</strong><br />
attention. It is wise to plan for this early on in a SOA project, otherwise there is a risk that SOA will not<br />
deliver its expected benefits.<br />
SUMMARY<br />
Left unmanaged, services can rapidly degenerate into a tangled mess.<br />
Run-time management <strong>and</strong> governance of SOA will converge with traditional<br />
systems management.<br />
A clear definition of SOA roles <strong>and</strong> responsibilities supports good governance.<br />
St<strong>and</strong>ards for SOA governance are beginning to emerge.<br />
ANALYSIS<br />
Governance can be regarded as the discipline of managing desired outcomes through structured<br />
relationships, policies, <strong>and</strong> procedures. Good SOA governance should make it easier for organisations to do<br />
the ‘right’ things <strong>and</strong> harder for them to do the wrong ones. Governance can be achieved by creating <strong>and</strong><br />
then enforcing machine enforceable policies across the service lifecycle, from design time through to run<br />
time, <strong>and</strong> especially when services need to be changed.<br />
Left unmanaged, services can rapidly degenerate into a tangled mess.<br />
The key difference that Butler Group has identified between successful SOA projects <strong>and</strong> ones that fail to<br />
deliver benefits is in the area of good management <strong>and</strong> governance. Without a good human management<br />
infrastructure, even the best technology solution is likely to allow services created on it to degenerate into<br />
a confused set of services that do not get well used.<br />
Thomas Erl, in his book “Service-Oriented Architecture: Concepts, Technology, <strong>and</strong> Design”, lists a number<br />
of common pitfalls in adopting SOA:<br />
<br />
Building SOA in the way that distributed architectures have been built – this can introduce problems<br />
such as a proliferation of Remote Procedure Call (RPC)-style service descriptions, the creation of services<br />
that cannot then be composed with others, <strong>and</strong> the creation of non-st<strong>and</strong>ardised services.<br />
December 2006 Section 1: SOA Deployment 13
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
<br />
<br />
Not st<strong>and</strong>ardising SOA – this is especially relevant for larger organisations, where a number of different<br />
projects running in parallel could result in very differently designed services that cannot then be<br />
integrated or composed in the future. A way to overcome this would be to have a single proof-of-concept<br />
project to establish good practices that can then be spread throughout the organisation on future<br />
projects. Similar services may be developed in different regions of the organisation because information<br />
is not being shared. This will occur for organisational <strong>and</strong> political reasons but should be minimised by<br />
good governance.<br />
Not underst<strong>and</strong>ing SOA performance requirements – SOA is likely to introduce multi-layered processing,<br />
<strong>and</strong> certainly when Web services are used, there is a deep dependence on XML data representation. This<br />
can cause performance issues unless hardware is scaled appropriately <strong>and</strong> performance is considered at<br />
design time.<br />
One of the first<br />
essentials will be to<br />
set up the<br />
organisational<br />
structures in people<br />
terms to ensure good<br />
management <strong>and</strong><br />
governance.<br />
Some of these issues can be overcome by good design, but a sound<br />
management <strong>and</strong> governance capability should be planned in from an early<br />
stage to avoid these issues.<br />
One of the first essentials will be to set up the organisational structures in<br />
people terms to ensure good management <strong>and</strong> governance. Who (as in ‘what<br />
department’, as well as ‘what role’) should be responsible for monitoring,<br />
defining, <strong>and</strong> authorising changes to existing services that will exist within an<br />
organisation? Some kind of internal governing body should be set up to take<br />
on this responsibility. However, there are alternative models – central <strong>and</strong><br />
distributed.<br />
With central governance, the body should have representation from each of<br />
the areas that are affected by services (both technical <strong>and</strong> business, including<br />
subject matter experts), <strong>and</strong> it will be wise to have an independent arbitration<br />
function as well to help resolve issues. This governing body will then review<br />
proposed new services, approve the removal of unused services, <strong>and</strong> where<br />
appropriate, changes to existing services.<br />
A distributed<br />
governance approach<br />
would involve each<br />
business unit having<br />
its own body to<br />
monitor services that<br />
are relevant to that<br />
business unit.<br />
A distributed governance approach would involve each business unit having<br />
its own body to monitor services that are relevant to that business unit. This<br />
is likely to be more appropriate for a highly distributed organisation that<br />
already has autonomous management. Whichever model is suitable (<strong>and</strong> a<br />
mixed model may be appropriate), the role of the governing body is to define good practices <strong>and</strong> st<strong>and</strong>ards<br />
for services, including the architectural <strong>and</strong> procedural guidelines for their use, <strong>and</strong> to oversee their<br />
deployment.<br />
Some of the key questions that arise around SOA management <strong>and</strong> governance include:<br />
Who has access to services?<br />
Who is allowed to create them?<br />
How do you write new versions of that same service?<br />
What happens when they are updated?<br />
What are the rules <strong>and</strong> polices around upgrades?<br />
Good metadata management is also a key part of successful SOA. Defining the st<strong>and</strong>ards to be used, for<br />
example for different data elements (such as in identifying a customer, which may have a customer ID for<br />
internal use to uniquely identify a customer, <strong>and</strong> a customer login ID which is used by the customer to<br />
access a service) is important. The data dictionary concept beloved by mainframe systems is actually a<br />
highly beneficial model – providing clear <strong>and</strong> accessible information about what data is, <strong>and</strong> how it should<br />
be used within the organisation. Where services cross organisational boundaries, it will be necessary to then<br />
use agreed st<strong>and</strong>ards (such as Electronic Data Interchange (EDI) st<strong>and</strong>ards, Interactive Financial Exchange<br />
(IFX) st<strong>and</strong>ards, <strong>and</strong> so on).<br />
14 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
The Role of the Registry<br />
One of the problems that arose with early Web services was around service identification, with frequent<br />
stories of services being ‘discovered’ through discussions around the coffee machine or in passing in the<br />
corridor. Services could rapidly become far more popular than anticipated <strong>and</strong> performance may become an<br />
issue. Equally, services could have been created that served no business need,<br />
<strong>and</strong> were therefore not used. It is vital to define a common central store for<br />
information about services – often called a registry. A registry can be used for<br />
much more than simply keeping basic information about services – it can be<br />
used both at design time <strong>and</strong> run-time so that policy-based information can<br />
be dynamically accessed at run-time for detailed control.<br />
The service registry<br />
can support<br />
sophisticated<br />
dependency <strong>and</strong><br />
impact analysis.<br />
The service registry can support sophisticated dependency <strong>and</strong> impact<br />
analysis. Even though a service should be self-contained, it may still impact<br />
another when used in a composite application. In addition, it will be valuable to identify which services<br />
interact with one another when the need to modify a service arises – if too many services might depend on<br />
it, this could be an occasion when it is appropriate to create a new service that has some similar<br />
functionality, rather than create a new version.<br />
An area that will be interesting to watch over the coming months will be what happens in the area of<br />
CMDBs. Today, these are used in the IT service management arena to maintain <strong>and</strong> manage information<br />
about various IT-related assets – <strong>and</strong> services can equally be regarded as assets, just as applications <strong>and</strong><br />
systems are at the moment.<br />
The Service Contract<br />
When two parties agree to do business with one another, it is very wise to set up a contractual agreement<br />
that covers what the provider will deliver, <strong>and</strong> what the consumer expects. The same applies within a SOA;<br />
it is sound practice to define the contract <strong>and</strong> obligations between consumers <strong>and</strong> providers, <strong>and</strong> these will<br />
be interdependent. Often the service definition (as given in the Web Services Definition Language (WSDL)<br />
for a Web service) is regarded as sufficient, but in practice rather more will be necessary. There are a<br />
number of other things that need to be documented about a service’s agreement with its consumers, such<br />
as run-time performance expectations, who to call if the service breaks, charging models (if any), etc.<br />
SOA Lifecycle Management<br />
Within the applications area, we are seeing the emergence of the concept of Application Lifecycle<br />
Management (ALM), which covers the lifecycle of applications from origination through to deployment <strong>and</strong><br />
on to retirement. Services will need a similar degree of control throughout their lifecycle; something will<br />
trigger the creation of a service, <strong>and</strong> eventually it may need to be removed from service as it is no longer<br />
needed. Within ALM, change management is a particularly complex area.<br />
In SOA, version control is a highly contentious issue. Delegates at a recent Butler Group Masterclass on SOA<br />
had some robust discussions on whether a service should be able to have multiple versions or not. The<br />
conclusion of the debate was not unequivocal – most services are likely to change over time, <strong>and</strong> the change<br />
should be reflected by the creation of a new version. However, a service that could be used in a very longrunning<br />
business process might need to be kept stable. The important thing is that the service interface<br />
should not change unless the version changes – minor details of how the service operates could, in theory,<br />
be accommodated without a version change.<br />
Lifecycle management issues cover service development, testing, staging, <strong>and</strong> production. Moving from one<br />
phase to another can be a complicated challenge, <strong>and</strong> the move for mainstream application management<br />
vendors to acquire the more specialist SOA management vendors is likely to prove beneficial here.<br />
Design-time Management <strong>and</strong> Governance<br />
A building relies on having good foundations – no matter how good a quality the bricks, doors, windows,<br />
<strong>and</strong> the construction itself, if the foundation is not sound then there is a risk that the building will collapse<br />
if the strain becomes too great (for example, if there is an earth tremor). The same metaphor can be applied<br />
to services – if a really ‘cool’ service is developed <strong>and</strong> proves highly popular, overuse of that service could<br />
cause the whole infrastructure to grind to a halt. Some of this will be down to the platform but the majority<br />
comes down to good governance <strong>and</strong> management.<br />
December 2006 Section 1: SOA Deployment 15
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
Governance can be split into design-time governance <strong>and</strong> run-time. Design-time governance covers service<br />
assets within a registry <strong>and</strong>/or repository. Such assets can include the service description (WSDL),<br />
documentation, schemas, namespaces, taxonomies, Business Process<br />
Execution Language (BPEL), <strong>and</strong> so on.<br />
One of the key<br />
aspects of designtime<br />
governance is<br />
the need to control<br />
what is developed,<br />
which should always<br />
be driven by the<br />
business need.<br />
One of the key aspects of design-time governance is the need to control what<br />
is developed, which should always be driven by the business need. One<br />
organisation found that when it identified a particular business-relevant<br />
service, <strong>and</strong> then investigated what existed that could be mapped to that<br />
service, it found that there were already some 20-odd versions of that service<br />
in existence – requiring significant re-design to consolidate. However, good<br />
governance must not st<strong>and</strong> in the way of innovation; it should seek to de-risk<br />
it. This will be one of the greatest challenges to the IT function – how to<br />
manage SOA carefully without restricting the organisation.<br />
Run-time management <strong>and</strong> governance will converge with traditional<br />
systems management.<br />
St<strong>and</strong>ard IT systems management usually covers applications that operate on one platform, although of<br />
course there are already technologies that enable common management across several platforms. However,<br />
as an organisation starts to deploy SOA-based applications, management of an operational SOA will require<br />
additional thought <strong>and</strong> preparation.<br />
The major challenge for management of SOA is that the services may not all be within the same domain.<br />
Service management consoles are used to monitor <strong>and</strong> manage performance issues within an organisation’s<br />
infrastructure, but when a service could be running externally to the<br />
organisation, it is necessary to then establish performance metrics about that<br />
service in a st<strong>and</strong>ards-based manner.<br />
Run-time governance usually concerns the messages flowing across the<br />
message transport system, <strong>and</strong> usually relates to SOA policy <strong>and</strong> security<br />
management. However, run-time governance can also control elements such<br />
as routing <strong>and</strong> transformation – capabilities that can be performed by an ESB<br />
but could also be carried out by policy management.<br />
Run-time governance<br />
usually concerns the<br />
messages flowing<br />
across the message<br />
transport system, <strong>and</strong><br />
usually relates to SOA<br />
policy <strong>and</strong> security<br />
management.<br />
The run-time management aspects cover logging (auditing), performance<br />
management, monitoring, <strong>and</strong> alerts. Such run-time management may be<br />
particularly relevant if a service fails to run as expected, allowing a request to<br />
be routed to a back-up or alternative service that is available, but which may have a different cost. An<br />
example of this might be a credit-check service. Usually the organisation might use a low-cost service, but<br />
if this is not available for some reason then it may be appropriate to access a more expensive alternative,<br />
or it may be preferable to wait until the cheaper one is available. Policies may need to be accessed here to<br />
help make the decision.<br />
Routing of messages may be used to perform load-balancing functionality in order to improve performance.<br />
For example, if some services had a very high service level defined, then it may be necessary for the SOA<br />
management infrastructure to hold back services with a lower Service Level Agreement (SLA) to enable<br />
critical services to be performed first in order to meet the required SLA, <strong>and</strong> also to send alerts if the critical<br />
SLA is breached. Many organisations will require the ability to define quality of service requirements for<br />
individual services, creating a graded service structure.<br />
SOA governance tools usually include the ability to define <strong>and</strong> maintain policies for service management.<br />
Some products on the market allow different qualities of service to be made available; for example, IONA’s<br />
Artix Enterprise Service Bus can be extended to provide quality of service capability, but is also available<br />
without this if service level monitoring is not required.<br />
One issue that is particularly likely to arise where a service is used by many third parties is the potential<br />
for it to become over-used, <strong>and</strong> here the SOA management offering will need to have the ability to ‘throttle’<br />
services to restrict them in order to prevent it impacting others adversely.<br />
16 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
Management of SOA will need a console-style capability that crosses all the platforms that the services are<br />
operating on. Managing external services has to be included in this, <strong>and</strong> this is where st<strong>and</strong>ards for<br />
management will become necessary. We foresee that run-time service management <strong>and</strong> monitoring will<br />
become part of the whole IT Service Management area, but one that must be directly related to the<br />
business.<br />
Accountability within SOA must be driven by the presence of a sound audit trail indicating all interactions<br />
with a service. Service management tools need to be able to produce metrics which can then be analysed<br />
to provide feedback into the service lifecycle. This area is still in the early stages of development, but to<br />
enable a fully mature, service-oriented enterprise, the feedback loop provided by such analysis will illustrate<br />
where services can be improved <strong>and</strong> optimised.<br />
A clear definition of SOA roles <strong>and</strong> responsibilities supports good<br />
governance.<br />
Various roles will be needed within a successful SOA project. The governing body has already been<br />
discussed, but at a more detailed level, there will be a range of different roles that may be necessary, such<br />
as system administrator, operations, security officer, <strong>and</strong> business analyst.<br />
At a recent Webinar organised by the EbizQ Web site, participants were asked what formal governance roles<br />
were in use within their organisations. The results indicate that, whilst a number of organisations have not<br />
yet defined formal roles, many see that this is an increasingly important point.<br />
Role<br />
Percentage of respondents<br />
(multiple responses allowed)<br />
None 39.94%<br />
SOA Governance Officer 17.89%<br />
IT Governance Officer 31.31%<br />
Compliance Risk Officer 24.92%<br />
Security Policy Expert 40.58%<br />
Figure 8.3.1: SOA Governance Roles (Source: EbizQ)<br />
Security is currently seen as the most important formal role, with almost a third having an IT Governance<br />
Officer as well. The same survey then asked who was responsible for defining governance policies, with<br />
more conventional job titles as the selected options.<br />
Role<br />
Percentage of respondents<br />
(multiple responses allowed)<br />
Other 13.42%<br />
Policy Experts 52.08%<br />
Architects 63.90%<br />
Developers 14.38%<br />
Figure 8.3.2: Who Defines Governance Policies (Source: EbizQ)<br />
The role of the architect is clearly seen as an important one, with the majority of respondents seeing<br />
architects as having a significant role in the establishment of governance policies, with policy experts<br />
coming a significant second.<br />
December 2006 Section 1: SOA Deployment 17
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
It is clear that different organisations will have different needs, but Butler Group would recommend that<br />
governance roles are considered during the planning process for SOA projects, identifying what is the most<br />
relevant for the organisation, <strong>and</strong> then empowering (<strong>and</strong> skilling up) the relevant people.<br />
St<strong>and</strong>ards for SOA governance are beginning to emerge.<br />
One of the key areas that will support management <strong>and</strong> governance is the emergence of st<strong>and</strong>ards that will allow<br />
interoperability across heterogeneous platforms.<br />
Web Services Distributed Management (WSDM) is the main st<strong>and</strong>ard for management information for Web<br />
services. It is an Organisation for the Advancement of Structured Information St<strong>and</strong>ards (OASIS) st<strong>and</strong>ard, with<br />
version 1.0 approved in March 2005, <strong>and</strong> a revised version 1.1 delivered in August 2006. It incorporates two<br />
elements; Management Using Web Services (MUWS) – which covers the use of Web services as a means to<br />
manage distributed infrastructures, <strong>and</strong> Management Of Web Services (MOWS). As such, the st<strong>and</strong>ard is highly<br />
focused around Web services issues, <strong>and</strong> may well need to evolve with the growth of SOA embracing rather<br />
more than just Web services – although the use of Web services to provide interoperability is of value.<br />
Java Management Extensions (JMX) technology is a Sun-sponsored Application Program Interface (API) that<br />
provides the tools for building distributed, Web-based, modular solutions for managing <strong>and</strong> monitoring devices,<br />
applications, <strong>and</strong> service-driven networks. It is suitable for adapting legacy systems, as well as implementing<br />
new management <strong>and</strong> monitoring solutions, <strong>and</strong> has been designed to support future management issues as far<br />
as possible.<br />
The various registry st<strong>and</strong>ards to date include Universal Description, Discovery, <strong>and</strong> Integration (UDDI), ebXML<br />
Registry Repository interfaces for Repository (an OASIS st<strong>and</strong>ard again), <strong>and</strong> Java API for XML Registries (JAXR),<br />
which provides an API for reconciling UDDI <strong>and</strong> other XML registries. The latter can be used to allow registry<br />
client programs to be portable across different registry types.<br />
SOA Link (www.soalink.com) is a body working on end-to-end SOA governance, to ensure interoperability of<br />
different offerings on the market. Its members agree to use st<strong>and</strong>ards wherever possible (for example those from<br />
the World Wide Web Consortium (W3C), OASIS, International Organization for St<strong>and</strong>ardization (ISO), Internet<br />
Engineering Task Force (IETF), <strong>and</strong> ECMA), <strong>and</strong> by joining, the various technology vendors indicate a willingness<br />
to interoperate with one another. SOA Link members include AmberPoint, Composite Software, Forum Systems,<br />
HP, Infravio, Intalio, IONA, iTKO, JBoss, Layer 7 Technologies, LogicBlaze, Mindreef, NetIQ, Parasoft, Reactivity,<br />
SOA Software, Solstice Software, SymphonySoft, <strong>and</strong> webMethods. Butler Group<br />
Service Component<br />
Architecture aims to<br />
provide a model for<br />
the creation of service<br />
components in a wide<br />
range of languages,<br />
<strong>and</strong> a model for<br />
assembling service<br />
components into a<br />
business solution...<br />
applauds the setting up of such a body, but wonders whether the competitive<br />
nature of the industry (<strong>and</strong> ongoing consolidation) will allow it to remain active,<br />
especially since the initiator, Infravio, has since been acquired by webMethods.<br />
OpenSOA (www.osoa.org) is an informal alliance including vendors <strong>and</strong> end-user<br />
organisations. It does not regard itself as a st<strong>and</strong>ards body, but is looking to define<br />
a language-neutral programming model that meets the needs of developers of<br />
SOA-style software. It is working on two main projects, Service Component<br />
Architecture (SCA) <strong>and</strong> Service Data Objects (SDO).<br />
Service Component Architecture aims to provide a model for the creation of<br />
service components in a wide range of languages, <strong>and</strong> a model for assembling<br />
service components into a business solution – activities which are at the heart of<br />
building applications using a SOA.<br />
SDO aims to provide consistent means of h<strong>and</strong>ling data within applications, whatever its source or format may<br />
be. SDO provides a way of unifying data h<strong>and</strong>ling for databases <strong>and</strong> for services. SDO also has mechanisms for<br />
the h<strong>and</strong>ling of data while detached from its source.<br />
SCA <strong>and</strong> SDO can each be used on their own – there is no requirement to use both of them in the same<br />
application. SCA <strong>and</strong> SDO used together provide a powerful <strong>and</strong> flexible way of building applications around a<br />
SOA.<br />
As with many of these vendor groupings, it appears that the world is still divided into two camps – the Java<br />
world <strong>and</strong> Microsoft. Although Microsoft is actively involved in many of the interoperability issues, it still appears<br />
to have the objective of providing the most flexibility by using the .NET framework as the overarching governing<br />
infrastructure for its customers.<br />
18 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
POLICY AND SECURITY IN A SOA ENVIRONMENT<br />
CATALYST<br />
As the concept of services becomes more widely accepted, it will become increasingly important to<br />
consider some of the security requirements surrounding them – especially to gain wider acceptance of<br />
SOA. Simply restricting access to authorised personnel via st<strong>and</strong>ard access control mechanisms becomes<br />
impossible in a service-oriented environment, <strong>and</strong> new st<strong>and</strong>ards are starting to evolve here.<br />
SUMMARY<br />
The use of policies allows abstraction of concepts to a higher level, simplifying<br />
creation <strong>and</strong> maintenance.<br />
Security issues for SOA are more complex than in older architectures.<br />
St<strong>and</strong>ards for SOA security <strong>and</strong> policy are starting to mature, <strong>and</strong> interoperability is<br />
improving.<br />
ANALYSIS<br />
In static architectures <strong>and</strong> application development, one of the key aspects is that it is possible to hard-wire<br />
the security. In creating a SOA with loosely-coupled components, it will be necessary to look at how security<br />
needs to be defined <strong>and</strong> managed for that type of architecture. The same applies for other policies – in the<br />
older architectural styles, there is the ability to implement policy at the design level. That ability is not there<br />
within a SOA. Here it will be necessary to ensure that the message flows that pass through those<br />
architectures actually access <strong>and</strong> interact with the declared policies at the right points within the<br />
architecture. This is a far more complex management infrastructure, but one that is balanced by a far more<br />
usable <strong>and</strong> far more relevant application infrastructure.<br />
The use of policies allows abstraction of concepts such as security to a<br />
higher level, simplifying creation <strong>and</strong> maintenance.<br />
Policies help to ensure compliance with organisational objectives; at the highest level these are likely to be<br />
highly business-related, <strong>and</strong> tend to cover people-related issues such as “projects must comply with internal<br />
design <strong>and</strong> architecture guidelines”, or generically, that all IT projects are subject to reviews for security <strong>and</strong><br />
regulatory compliance.<br />
Today, policies are already there in most computing infrastructures, it is just<br />
that, where relevant, they tend to be hard coded <strong>and</strong> explicitly defined. An<br />
example of a security-related policy is ‘passwords must be eight characters<br />
long’ – this implies that there must be code embedded in each application to<br />
check that this is the case. This is not practical in SOA – policies must be<br />
specified <strong>and</strong> managed at the infrastructure level. Policies can relate to other<br />
areas including management <strong>and</strong> monitoring.<br />
Policies could represent more specific regulatory compliance issues; for<br />
example, in the healthcare industry patient’s personal identifiable information<br />
must be communicated <strong>and</strong> stored securely (in order to comply with the US<br />
Health Insurance Portability <strong>and</strong> Accountability Act (HIPAA) legislation). In the<br />
business sector, all financial transactions must provide traceability <strong>and</strong><br />
tamper-proof mechanisms for m<strong>and</strong>atory audit records (to meet with<br />
Sarbanes-Oxley <strong>and</strong> Basel II regulations).<br />
Policies could<br />
represent more<br />
specific regulatory<br />
compliance issues; for<br />
example, in the<br />
healthcare industry<br />
patient’s personal<br />
identifiable<br />
information must be<br />
communicated <strong>and</strong><br />
stored securely...<br />
December 2006 Section 1: SOA Deployment 19
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
Policies must be able to change, based on their usage over time. An example of this might be that a policy<br />
has been defined stating that e-mails to ‘Gold’ customers must always be checked by a manager, to ensure<br />
that they are polite, <strong>and</strong> follow guidelines for customer interactions. But how many times does the manager<br />
actually change the e-mail when it is checked? Can a customer service representative (or automated<br />
process) be regarded as sufficiently trusted to cut out this checking step altogether? The policy could be<br />
applied to untrusted or new people or services, but not once trust has been established.<br />
Policy is thus not always static. Some elements of policy are likely to be immutable (due to compliance<br />
requirements); others are more flexible, as illustrated by the e-mail checking example above. It will be<br />
necessary to report on policy usage <strong>and</strong> provide audit trails over time in order to provide the feedback into<br />
an iterative improvement process. The end result is that policy specification must be separable from policy<br />
implementation. SOA policy is an area that has seen a number of providers coming to market with products,<br />
<strong>and</strong> then establishing relationships with, or even being acquired by the bigger infrastructure players.<br />
When reviewing requirements for policy management <strong>and</strong> implementation, the following points should be<br />
considered:<br />
<br />
<br />
<br />
Policies should not be hard coded.<br />
Policies need to be enforced in a distributed manner.<br />
Actions <strong>and</strong> tasks should be checked against policies at run-time.<br />
St<strong>and</strong>ards in this area are still developing, but again there is a likely c<strong>and</strong>idate – the WS-Policy framework,<br />
which describes the rules, capabilities, <strong>and</strong> constraints of a Web service. The framework covers three<br />
A policy description<br />
can be made up of<br />
one or more policy<br />
assertions; examples<br />
include service<br />
requirements,<br />
preferences,<br />
characteristics,<br />
capabilities, <strong>and</strong> rules.<br />
specifications; WS-Policy, WS-Policy Assertions (which covers the service<br />
properties expressed by a policy description), <strong>and</strong> WS-Policy Attachments. It<br />
is a part of the WS-Security framework. A policy description can be made up<br />
of one or more policy assertions; examples include service requirements,<br />
preferences, characteristics, capabilities, <strong>and</strong> rules. Each assertion may be<br />
required or optional – for example, a preference is likely to be optional,<br />
whereas a rule will be compulsory. It is possible that a different policy should<br />
apply to a service depending on where <strong>and</strong> when that service is deployed –<br />
an example of this might be in the Financial Services sector, particularly in<br />
securities trading, where depending on where the trade request is placed,<br />
different legislation may apply to commissions <strong>and</strong> payment terms etc.<br />
When assembling services into a composite application, it is necessary to<br />
protect the whole extended ‘application’ via a policy managed solution, without altering the existing<br />
services. Policy <strong>and</strong> security therefore need to be separately managed outside the ‘application’ layer.<br />
Security issues for SOA are more complex than in older architectures.<br />
When developing any application, the issue of security is one that must be carefully considered. In an<br />
application-centric world, developers must consider security carefully, <strong>and</strong> may well need to spend a<br />
significant part of development time within each application on this. Security within a SOA world is different<br />
from the tightly coupled world in that security information needs to be shared, passed around, <strong>and</strong><br />
understood across multiple services.<br />
A service provider does not know who or what will be accessing the service – this is the essence of decoupling.<br />
Securing the perimeter of an organisation with firewalls, Virtual Private Networks (VPNs), or<br />
security appliances will not work in a service-oriented environment that needs to set up new external<br />
relationships quickly <strong>and</strong> flexibly. Even internally, a service-oriented approach still needs security issues to<br />
be extrapolated out of the service <strong>and</strong> into the infrastructure. For this to then work across a heterogeneous<br />
architecture, st<strong>and</strong>ards will be vital.<br />
Secure access to business applications <strong>and</strong> to support integration between different applications is vital.<br />
There are five common security requirements – identification, authentication, authorisation, confidentiality,<br />
<strong>and</strong> integrity. On top of this there must always be an audit trail to prove conformance.<br />
20 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
Identification<br />
Identification covers the means by which a service requester proves its origin, <strong>and</strong> this is referred to as<br />
making a claim or assertion. Such information in the Web services world is represented in the identification<br />
information stored within the service’s SOAP header. The WS-Security specification (which will be covered<br />
in more depth later) provides a st<strong>and</strong>ard header block, or token, which stores this information. There are a<br />
range of different tokens available.<br />
Authentication<br />
Authentication means that the user of an application or service is recognised <strong>and</strong> can prove that the service<br />
request message has, in fact, come from the sender that it claims to have.<br />
Authorisation<br />
Once an authenticated message has been received, the recipient service might need to establish what the<br />
requester is allowed to do, referred to as authorisation.<br />
Confidentiality<br />
Confidentiality, or privacy, covers the need for information being passed from one service to another to be<br />
inaccessible to unauthorised parties. This can apply to all or part of a message, <strong>and</strong> will be especially<br />
relevant if messages are likely to be transmitted outside the firewall, but even internally it may be important<br />
to ensure that personal information is kept private.<br />
Integrity<br />
The final aspect of security is integrity. This means ensuring that a message has not been modified in any<br />
way in transit. Security issues that can arise from a lack of integrity include SQL injection (where malicious<br />
code could access data that it is not authorised to) <strong>and</strong> buffer overflows.<br />
As soon as we move outside the organisation, issues of identity, authentication, <strong>and</strong> authorisation become<br />
significantly more complex because it will be necessary to share information between parties (whilst<br />
maintaining privacy <strong>and</strong> confidentiality) – <strong>and</strong> the element of trust comes in. The core requirement here is<br />
that trust needs to be built dynamically, with the security context being transported so that authentication<br />
<strong>and</strong> authorisation can be distributed <strong>and</strong>/or federated.<br />
Federated authorisation is a process by which multiple parties agree that a specified set of users can be<br />
authenticated by a given set of criteria. This approach sets up a Federated Identity Management System,<br />
or a pool of authenticated users. The SOA security solution can verify a user by checking with the Federated<br />
Identity Management System. A federated system is basically Single Sign-On (SSO) between different<br />
security domains, <strong>and</strong> currently is likely to require specialist third-party infrastructure, as support for this<br />
concept within application servers is currently limited.<br />
Validation of identity is usually covered by authorisation <strong>and</strong> access<br />
mechanisms, which can already be deployed across a wide range of<br />
architectural styles. At the entry point, most organisations moving to SOA will<br />
have at least two alternatives – Internet browser <strong>and</strong> portal-based for people,<br />
<strong>and</strong> Web services. The same set of identity information, such as SSO or<br />
federated identity attributes <strong>and</strong> access control mechanisms need to be<br />
applied in a consistent manner across both methods. It will be important to<br />
use Identity <strong>and</strong> Access Management technologies, including directories for<br />
Web services.<br />
Validation of identity<br />
is usually covered by<br />
authorisation <strong>and</strong><br />
access mechanisms,<br />
which can already be<br />
deployed across a<br />
wide range of<br />
architectural styles.<br />
In many architectures, the way that the presentation <strong>and</strong> user interface layers<br />
are h<strong>and</strong>led (including challenge <strong>and</strong> response protocols for authentication <strong>and</strong> SSO) is via a portal or<br />
portlet. A range of different user credential schemes have been deployed over the years including<br />
passwords, tokens, smart cards, <strong>and</strong> X.509 certificates. Within a Web services or SOA framework, it will<br />
be desirable to reduce the number of types of credentials used, <strong>and</strong> we are seeing Security Assertion Markup<br />
Language (SAML) <strong>and</strong> Kerberos tokens as the emerging leaders here. SAML has advantages in that its<br />
flexibility <strong>and</strong> extensibility allows support for secondary authentication credentials that might be needed to<br />
interact with legacy applications.<br />
December 2006 Section 1: SOA Deployment 21
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
Ideally, security should not even be part of many of the infrastructure elements, such as the ESB; it should<br />
be a capability that can be used as required by whatever infrastructure pieces are in use.<br />
Solving SOA security issues is likely to require the implementation of specialist security tools or<br />
infrastructure – examples come from SOA Software, Layer 7, <strong>and</strong> Amberpoint, as well as the main SOA<br />
infrastructure players. An interesting extension to this argument comes from the networking layer, with Cisco<br />
starting to provide some elements of security.<br />
During the summer of 2006, Cisco announced its Service Oriented Network Architecture (SONA) strategy.<br />
Currently, this is a mixture of its AON product combined with services, which sees the network as rather<br />
more than a transport layer – it is becoming a platform. SONA allows specific services to be provided as<br />
part of the network, such as identity, VPN services, <strong>and</strong> presence services from mobility, so that they can<br />
then be used within applications <strong>and</strong> composite applications.<br />
St<strong>and</strong>ards for SOA security <strong>and</strong> policy are starting to mature, <strong>and</strong><br />
interoperability is improving.<br />
As with many st<strong>and</strong>ards, the issue in the SOA arena is the sheer volume of them, which many organisations<br />
find confusing, <strong>and</strong> tends to muddy the water around SOA rather than provide clarity. A glance at Figure<br />
8.4.1 will give an indication of the scale here. One of the key positive elements is the formation of the Web<br />
Services Interoperability Organisation, WS-I.org, which is working to at least ensure that different models,<br />
products, <strong>and</strong> platforms can work together.<br />
Web Services – *<br />
XML<br />
Identity<br />
WS-Security<br />
WS-SecurityPolicy<br />
WS-Trust<br />
WS-Secure Conversation<br />
WS-Federation<br />
WS-Federation Active Requester Profile<br />
WS-Federation Passive Requester Profile<br />
WS-Policy<br />
WS-PolicyAssertions<br />
WS-PolicyAttachment<br />
eXtensible Access Control Markup Language (XACML)<br />
XML Key Management (XKMS)<br />
eXtensible Rights Markup Language (XrML)<br />
XML-Signature<br />
XML-Encryption<br />
.NET Passport<br />
Liberty Alliance<br />
Security Assertion Markup Language (SAML)<br />
Figure 8.4.1: SOA Security Specifications<br />
The WS-I is made up of a number of software vendors, both from technology <strong>and</strong> applications backgrounds,<br />
including BEA Systems, Fujitsu, HP, IBM, Intel, Microsoft, Oracle, SAP, Sun, <strong>and</strong> webMethods. Its objective<br />
is to promote interoperability across platforms, operating systems, <strong>and</strong> programming languages. The WS-I<br />
is not a st<strong>and</strong>ards body as such, but incorporates st<strong>and</strong>ards from a number of bodies such as the IETF,<br />
OASIS, <strong>and</strong> W3C.<br />
22 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
The most important consideration currently is the existence of the Web Services Interoperability Basic<br />
Profile. This defines a mechanism for interoperability for the core st<strong>and</strong>ards used in Web services<br />
implementations, <strong>and</strong> covers SOAP, WSDL, <strong>and</strong> UDDI as well as some lower-level st<strong>and</strong>ards <strong>and</strong> protocols.<br />
The Basic Profile version 1.0 is not fully compatible with version 1.1 – guidance here is that usage of the<br />
st<strong>and</strong>ard should be at the same level to ensure interoperability.<br />
The Web services security (WS-Security) specification that has been developed <strong>and</strong> ratified by OASIS<br />
provides security for SOAP messages in transit, <strong>and</strong> can be regarded as an extension to SOAP. Originally<br />
developed by IBM, Microsoft, <strong>and</strong> Verisign, where messages need to pass across an untrusted intermediary<br />
structure, st<strong>and</strong>ards such as WS-Security provide a degree of trust, covering authenticity, integrity, <strong>and</strong><br />
confidentiality of messages. Security can be applied at transport level (for example Secure Sockets Layer<br />
(SSL) secures the HTTP layer on which various requests <strong>and</strong> responses are transmitted). However, where<br />
a message is sent via an intermediary, the transport layer no longer has control over the message when it<br />
is at the intermediary, <strong>and</strong> therefore it may also be necessary to implement message-level security – like<br />
keeping a message within a sealed, tamper-evident envelope.<br />
The WS-Security st<strong>and</strong>ard is already reasonably mature – version 1.0 was approved by OASIS in April<br />
2004, <strong>and</strong> version 1.1 was approved in February 2006.<br />
The WS-Security family specifications cover the use of various different tokens, such as Kerberos, X.509,<br />
<strong>and</strong> SAML. An example of a signed security token is an X.509 certificate; this asserts a binding between<br />
the requester’s identity <strong>and</strong> a public key. Security tokens like this can be carried in a message, or expressed<br />
by a reference so that the receiving service can ‘pull’ the claim from the relevant authority. To ensure<br />
interoperability, adapters <strong>and</strong> common algorithms for signatures <strong>and</strong> encryption will need to be agreed<br />
upon.<br />
The WS-Security model is extensible, <strong>and</strong> allows a service to specify the type <strong>and</strong> degree of security<br />
required. The WS-Interoperability Basic Profile includes Security.<br />
Web services gateways, message brokers, <strong>and</strong> ESBs may provide the trust required themselves, <strong>and</strong><br />
services that interrelate only within an ESB may not need to consider security. However, if they are to be<br />
exposed beyond this, then security will be needed.<br />
RUN-TIME OPTIONS FOR SOA<br />
CATALYST<br />
When most people think of SOA they automatically assume that Web services will be the way that services<br />
interact, <strong>and</strong> have concerns about the efficiency of such deployments. However, a SOA can have a number<br />
of deployment alternatives which can help get around some, but not all, of the performance issues.<br />
SUMMARY<br />
There is a trade-off possible between performance <strong>and</strong> long-term agility, <strong>and</strong> this<br />
needs consideration before committing to a course of action.<br />
Network appliance alternatives to traditional server/software implementation can<br />
offer cost/performance benefits.<br />
Run-time deployment of SOA-based applications does not always mean using Web<br />
services.<br />
High-performance SOA need not be an oxymoron, but good underst<strong>and</strong>ing of issues<br />
is needed.<br />
December 2006 Section 1: SOA Deployment 23
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
ANALYSIS<br />
There is a trade-off possible between performance <strong>and</strong> long-term<br />
agility, <strong>and</strong> this needs consideration before committing to a course<br />
of action.<br />
We need to be quite clear about the purpose of SOA: it is to provide improved utilisation of business<br />
functionality as delivered by application programs. This improved utilisation may take the form of better<br />
integration, creation of composite applications, automation of business processes, <strong>and</strong> the ability to allow<br />
The purpose of SOA is<br />
not to improve<br />
performance, <strong>and</strong><br />
adding extra layers of<br />
software will<br />
inevitably have a<br />
performance impact.<br />
each of these to evolve over time as the business model changes. Because<br />
SOA is layered on top of application resources, it is never going to increase<br />
performance above the capabilities of the underlying systems. (Note, though,<br />
that end-to-end times could be reduced through the ability to execute multiple<br />
tasks in parallel instead of sequentially.)<br />
The purpose of SOA is not to improve performance, <strong>and</strong> adding extra layers of<br />
software will inevitably have a performance impact. However, everything has<br />
its price, <strong>and</strong> IT must continue to meet the processing workload <strong>and</strong><br />
performance expectations of the organisation, SOA or not.<br />
Much of the performance overhead of SOA stems from the use of Web services. The role that Web services<br />
plays is to isolate the SOA control <strong>and</strong> run-time environment from the physical properties of the underlying<br />
services. With Web services, the ESB neither knows nor cares what physical platform a service executes<br />
on, what operating platform is used, or which language has been used to create the application. This<br />
virtualisation is the source of the overhead with which we must contend.<br />
Web services itself is built on top of XML, this being the commonly-accepted st<strong>and</strong>ard for technology-neutral<br />
messages. The message body itself may become quite large, since a common way of exploiting SOA is for<br />
the same basic message to be passed to each service in turn, with each enriching the message with the<br />
results of its own activity. (In this way the message itself retains the context<br />
required for subsequent operations.) Hence, in a complex multi-step process<br />
the body gets larger <strong>and</strong> larger. Additionally, the SOAP envelope contains<br />
information necessary for the routing of the message plus optional extensions<br />
such as the style of messaging needed (e.g. guaranteed once-only delivery),<br />
privacy requirements, public <strong>and</strong> private key tokens for encryption, <strong>and</strong><br />
potentially many more.<br />
Thus the Web services message load can add significantly to the network<br />
traffic, <strong>and</strong> particularly where encryption is needed, to the server overhead for<br />
processing the message. For any but trivial use of SOA, encryption is likely to<br />
be m<strong>and</strong>atory, even inside the firewall. Web services st<strong>and</strong>ards provide for<br />
encryption of just sensitive parts of the message, <strong>and</strong> this option should<br />
always be used to reduce the processing overhead.<br />
We need to consider whether to compromise the logical design to accommodate the performance needed by<br />
the business – but first there is a general rule in IT (which is re-learned in every new generation of technology):<br />
The golden rule: Do not optimise unless you have to!<br />
Thus the Web services<br />
message load can add<br />
significantly to the<br />
network traffic, <strong>and</strong><br />
particularly where<br />
encryption is needed,<br />
to the server<br />
overhead for<br />
processing the<br />
message.<br />
In this case, Web services plays a major role in delivering the adaptability we seek from SOA. By abstracting<br />
away the physical details of an application we gain great freedom to replace applications piecemeal,<br />
outsource to a hosted service provider, provide hot-st<strong>and</strong>by facilities for critical services, <strong>and</strong> many other<br />
important capabilities. If we discard Web services in favour of more compact technology-specific messaging,<br />
we lose these capabilities. Therefore, the best advice is to carry out performance modelling for the projected<br />
system capacity <strong>and</strong> decide if it is truly necessary to optimise.<br />
24 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
Network appliance alternatives to traditional server/software<br />
implementation can offer cost/performance benefits.<br />
As described earlier, the ESB is really a suite of functionality that provides the means of moving the right<br />
message, in the right format, to the right recipient, in the right sequence. Commercial ESB suites are themselves<br />
built on SOA principles so that functionality can be added without a major reconstruction of the environment.<br />
This is important for the ability to add governance features <strong>and</strong> other ‘optional’ properties to a live SOA<br />
environment. The architecture also means that services provided by the ESB can be removed or replaced by<br />
functionally-equivalent alternatives. This has enabled a sub-market of ESB<br />
features deployed as network appliances rather than as software on a server.<br />
This idea is a logical extension of several mainstream security features commonly<br />
implemented as appliances. In particular, firewalls were originally implemented as<br />
software on conventional servers. but have been implemented as network<br />
appliances as the mainstream deployment mechanism for many years. It is<br />
simply more cost-effective to deploy firewalls in this way.<br />
By the same logic, several services provided by an ESB might be more costeffective<br />
if removed from a general-purpose server <strong>and</strong> implemented instead as<br />
network appliances. Potential c<strong>and</strong>idates for this treatment are XML firewall, XML<br />
schema parsing, XML encryption/decryption, content-based message routing, <strong>and</strong><br />
possibly other functionality also. This approach offloads tasks from the server to<br />
free its resources for business-related work, <strong>and</strong> moves the network-centric logic<br />
down into the network itself. Several vendors provide products that are well-worth evaluating as part of an overall<br />
strategy for dealing with SOA performance. Again, because of the adaptability that SOA offers, these appliances<br />
can be retrofitted to an established SOA environment.<br />
Although the use of network appliances implies an additional expenditure, their use can defer the need for extra<br />
server capacity. The main advantage, however, is that they can make a significant difference to performance <strong>and</strong><br />
throughput without having to compromise the SOA agility.<br />
Run-time deployment of SOA-based applications does not always mean<br />
using Web services.<br />
Any discussion of SOA tends to start out with the assumption of the use of Web services throughout. Wherever<br />
services are to be integrated that are outside of the corporate environment. it is still advisable to use Web services<br />
as the underlying mechanism. This is because security concerns can be dealt with more directly through the<br />
common st<strong>and</strong>ards provided by Web services, <strong>and</strong> because any use of proprietary interfaces will leave the parties<br />
unable to change their services without impacting their partners. An exception to this would be where a particular<br />
industry has already established st<strong>and</strong>ards that pre-date Web services (<strong>and</strong><br />
preferably use a private network for communication rather than the public Internet).<br />
At the outset, it is<br />
worth pointing out<br />
that both .NET <strong>and</strong><br />
J2EE are suitable<br />
deployment<br />
infrastructures for SOA.<br />
...several services<br />
provided by an ESB<br />
might be more costeffective<br />
if removed<br />
from a generalpurpose<br />
server <strong>and</strong><br />
implemented instead<br />
as network<br />
appliances.<br />
For internal deployment, there are several alternatives to the Web services paradigm.<br />
At the outset, it is worth pointing out that both .NET <strong>and</strong> J2EE are suitable<br />
deployment infrastructures for SOA. Within a .NET only or J2EE only environment,<br />
there are few adaptability compromises to be made, in return for which significantly<br />
reduced overheads can be expected. The objects natively exposed by Java <strong>and</strong> .NET<br />
may still take part in an orchestrated sequence of events as part of composite<br />
applications or automated business processes. However, security issues must be<br />
managed in the traditional way rather than letting ESB products be guided by the Web services policy statements.<br />
Greater constraints will be experienced if it is subsequently required to replace a native .NET or J2EE service with<br />
hosted software as a service. Common Object Request Broker Architecture (CORBA)-based applications have<br />
similar properties to J2EE <strong>and</strong> .NET in terms of their use within SOA. However, there are few substantial IT<br />
environments where it would be possible to implement a wide-reaching SOA solution within a single technology. In<br />
a mixed environment, without the use of Web services, the ESB has to be made aware of the physical properties<br />
of the services. This may be of little consequence in the initial deployment, but will be a constraint of future<br />
adaptability when the time comes to replace legacy applications.<br />
December 2006 Section 1: SOA Deployment 25
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
There are also successful SOA deployments using Z/OS IBM mainframes (albeit using a Web services<br />
mechanism), ‘green-screen’ UNIX applications that pre-date client/server, <strong>and</strong> even very elderly proprietary<br />
operating environments. However, we should differentiate between enabling these legacy platforms for use in a<br />
SOA, <strong>and</strong> deploying a non-st<strong>and</strong>ards-based approach. Using adapters to expose the underlying service<br />
functionality of legacy applications is part <strong>and</strong> parcel of the SOA model, provided that the adapters offer a Web<br />
services messaging interface. Adapters might be Commercial Off-The-Shelf (COTS), customised COTS, or entirely<br />
custom-built. Technology that bears a striking resemblance to the screen-scraping used by early client/server<br />
deployments can be used to obtain access to applications for which no other mechanism is available.<br />
Many vendors that support legacy products are very happy to provide Web services adapters to their<br />
applications, or connectors to the underlying platform. For example:<br />
<br />
<br />
<br />
IBM’s CICS transaction server can operate in a SOA environment in a number of different ways. First of<br />
all CICS directly supports Web services interactions, but can also work with WebSphere application<br />
server clients via Java Connector Architecture (JCA). It can also operate with an ESB, as well as a Web<br />
services gateway, providing considerable flexibility to those organisations that need to continue to use<br />
their legacy CICS systems, but want to enable reuse within SOA projects.<br />
During 2006, BEA Systems announced that it was enhancing its legacy Tuxedo infrastructure with SALT<br />
– Service Architecture Leveraging Tuxedo. BEA’s SALT is a way of service-enabling its Tuxedo platform<br />
by providing a native Web services layer on top of Tuxedo. Tuxedo is built on BEA’s Application-to-<br />
Transaction Monitor Interface (ATMI) architecture, allowing both C <strong>and</strong> COBOL programming. It is a<br />
transaction server built on UNIX, comparable to the IBM mainframe CICS transaction server, suitable for<br />
complex, transaction-based applications such as billing. What SALT brings is like an ‘ESB for<br />
transactions’ – it implements an XA st<strong>and</strong>ard, so that transactions either happen or not – there is no grey<br />
area (in other words one part of a transaction is automatically undone if the overall transaction fails to<br />
complete). It offers two-phase commit capability.<br />
Oracle is introducing the idea of Service Beans in its next version of the Oracle E-Business Suite. These<br />
will allow the underlying services within the suite to be deployed in a range of different ways – as EJB<br />
Session Beans; as Web services; or as co-located Java API. The service bean encapsulates the<br />
implementation details, <strong>and</strong> provides a consistent <strong>and</strong> easy-to-use interface, allowing them to be used<br />
as building blocks within a SOA. Such services are then available for BPEL process management, <strong>and</strong><br />
they can consume <strong>and</strong> output Service Data Objects (to the JSR 235 specification).<br />
High-performance SOA need not be an oxymoron, but good<br />
underst<strong>and</strong>ing of issues is needed.<br />
This Section has outlined some of the performance challenges <strong>and</strong> some of the potential solutions. The<br />
question now is how to achieve the best compromise between agility <strong>and</strong> performance. The natural<br />
inclination within IT (charged for many years with squeezing a growing workload into a diminishing<br />
technology budget) is to look for the high performance solution. However, this<br />
is not the best approach in these new circumstances.<br />
The challenge here is<br />
to model the services<br />
that are meaningful<br />
to the business <strong>and</strong><br />
then map these to the<br />
underlying<br />
application(s) that can<br />
support the service.<br />
Since SOA is architecture, we should be able to separate the logical design<br />
from the physical. The logical service architecture should be designed only<br />
considering the business requirements to ensure the maximum reuse of<br />
services. The challenge here is to model the services that are meaningful to<br />
the business <strong>and</strong> then map these to the underlying application(s) that can<br />
support the service. This may not be a one-to-one mapping – in order to<br />
satisfy the requirements of a business service it might be necessary to<br />
integrate several applications. Equally, each application is likely to provide a<br />
range of functionality that is best divided between logical services.<br />
The scope of this analysis should be constrained to the project in question, but using the business analyst’s<br />
experience <strong>and</strong> insight to determine where reuse will be possible in subsequent projects.<br />
The next step is to form a model for the likely performance characteristics of each service, <strong>and</strong> to use<br />
capacity planning tools to determine the infrastructure requirements to support the anticipated workload.<br />
The market for SOA capacity planning is maturing well, with a variety of competent products now available.<br />
26 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
The capacity planning exercise will show where there is a need to apply optimisation. The minimum<br />
optimisation to meet targets is a more appropriate target than reducing the run-time overhead to the<br />
absolute minimum. The first targets for optimisation should be the situation where a number of small, lowlevel<br />
services are aggregated to create a widely-used service, <strong>and</strong> where there is little or no requirement for<br />
direct use of the low-level services. In this instance, direct native calls to the low-level services can be made<br />
with little adverse impact. In fact, this interchange could bypass the ESB entirely, with the high-level service<br />
making direct RPC calls to the required applications.<br />
The important step in this optimisation is that the original logical model should be retained, <strong>and</strong> the nature<br />
of the optimisation, together with the reasons for the decision to optimise should be recorded. The Chief<br />
Architect should review all such cases to ensure the best compromise has been reached.<br />
Other optimisation considerations include:<br />
Ensuring that encryption is truly necessary, <strong>and</strong> only applying encryption to the sensitive portions of a<br />
large message.<br />
<br />
<br />
<br />
Consider breaking multi-function services down into several simpler single-function services (as the<br />
simpler service will have simpler <strong>and</strong> smaller message requirements).<br />
Consider using alternative messaging protocols to HTTP for inside-the-firewall deployment.<br />
Consider the use of Binary XML or compression to reduce the size of XML messages.<br />
Consider physically relocating services to minimise network overheads.<br />
Whatever trade-offs are made for the sake of performance, it is important that it is not treated as a one-person<br />
decision that is the responsibility of a technical architect. The impact on agility <strong>and</strong> the ability to meet the<br />
forward plans of the business must be considered, alongside each compromise of the ideal architecture.<br />
SERVICE-ORIENTED DEVELOPMENT<br />
CATALYST<br />
A key challenge to organisations when getting to grips with SOA is in the development area. It is no longer<br />
about application development, it is about service development, yet underst<strong>and</strong>ing the impact on the<br />
development function can be complex.<br />
SUMMARY<br />
There is a SOA lifecycle in the same way as there is an application development lifecycle.<br />
<strong>Planning</strong> the infrastructure for SOA will require careful thought.<br />
Services within a SOA may be combined in unforeseen ways.<br />
SOA <strong>and</strong> Agile can be complementary.<br />
ANALYSIS<br />
There is a SOA lifecycle in the same way as there is an application<br />
development lifecycle.<br />
Development pressures in the past have always meant that applications are developed with little thought<br />
for reuse, change, or integration. This mindset will need to change in a SOA environment. However, it is<br />
clear that there is a lifecycle for SOA just as there is for earlier types of application development.<br />
December 2006 Section 1: SOA Deployment 27
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
Requirements analysis needs to establish what the service needs to do, its scope, <strong>and</strong> potential usage<br />
patterns. Given the much closer alignment of business needs that SOA dem<strong>and</strong>s, services will usually be<br />
business-relevant – however, there may also be infrastructure services needed to support a SOA.<br />
Infrastructure vendors in particular are identifying this need – for example, BEA Systems has coined the<br />
Requirements analysis<br />
needs to establish<br />
what the service<br />
needs to do, its scope,<br />
<strong>and</strong> potential usage<br />
patterns.<br />
phrase Micro Services Architecture to cover the way it sees the need break up<br />
its infrastructure tools into smaller pieces that can then be assembled to meet<br />
the diverse requirements of its customers in the future.<br />
The design <strong>and</strong> development phases may require platform-specific issues to be<br />
taken into account, such as the choice of programming language, <strong>and</strong> the<br />
development environment to be used. A number of the platform vendors provide<br />
SOA development tools (such as JDeveloper from Oracle), <strong>and</strong> there are<br />
additional vendors such as Skyway Software that offer specialist tools here.<br />
Developing composite applications in a SOA should, of course, focus heavily<br />
on reuse of existing services wherever possible, <strong>and</strong> this mindset must be<br />
encouraged from the outset. Sometimes it may not be possible to serviceenable<br />
an existing application, <strong>and</strong> it will need to be re-written in a new way.<br />
In addition, there will always be the need to create some completely new<br />
services. The mantra should always be to reuse first, then potentially recycle…<br />
<strong>and</strong> only finally develop new services from scratch.<br />
At the service deployment phase, a number of considerations come into play<br />
such as installing <strong>and</strong> configuring distributed components, service interfaces,<br />
<strong>and</strong> the necessary middleware products; <strong>and</strong> all of this from development to<br />
test to staging to production environments.<br />
Once services are<br />
deployed, ongoing<br />
administration will be<br />
required to include<br />
service monitoring<br />
<strong>and</strong> auditing, <strong>and</strong> to<br />
control the whole<br />
change management<br />
process.<br />
Packaging of all the artefacts required is unlikely<br />
to be fully present, given that the full breadth of<br />
the SOA paradigm is still evolving.<br />
The design <strong>and</strong><br />
development phases<br />
may require platformspecific<br />
issues to be<br />
taken into account,<br />
such as the choice of<br />
programming<br />
language, <strong>and</strong> the<br />
development<br />
environment to be<br />
used.<br />
Once services are deployed, ongoing administration will be required to include<br />
service monitoring <strong>and</strong> auditing, <strong>and</strong> to control the whole change<br />
management process. Whilst it may not be highly desirable to allow a service<br />
to change over time, in practice it may be impossible to avoid this. The OASIS<br />
SOA Reference Model allows for versioning of services. Doing this helps to<br />
manage any interface changes. Clients of a service then have to be able to<br />
make a decision about which version of the service (with the older or the<br />
newer interface) they need.<br />
An iterative process to the development lifecycle will be necessary – it is unlikely that any organisation will<br />
get it all right the first time, even if they use the services of the most experienced vendors <strong>and</strong> services<br />
providers. It will be valuable to get a widespread underst<strong>and</strong>ing up-front so that not too much time is wasted<br />
doing things the wrong way.<br />
Not all services will be created in-house – in fact, it may be that the skills required at first are not available<br />
in-house. All the major Systems Integrators are investing heavily in SOA training <strong>and</strong> development, <strong>and</strong><br />
many have already assisted in successful pilot projects.<br />
The optimal way to proceed with service-oriented development is to combine a top-down <strong>and</strong> bottom-up<br />
approach together. An imbalanced approach could risk ‘paralysis by analysis’ if too top down, <strong>and</strong> service<br />
creation for the sake of it can be too far the other way.<br />
Roles<br />
A complex SOA project is likely to entail a wide range of different skills that will require an underst<strong>and</strong>ing<br />
of the different roles needed when developing services within a SOA. A lot of this comes down to basic<br />
people issues – to ensure that there is an underst<strong>and</strong>ing of services at the right level. Service-oriented<br />
development can be a major challenge if developers do not underst<strong>and</strong> the concept, <strong>and</strong> reuse will be<br />
minimal unless the services are designed in the right way.<br />
28 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
IBM recommends that the development phase of a SOA project will require a number of roles, such as<br />
Software Architect, Developer (this may include application developer, component developer, <strong>and</strong><br />
integration developer), Test Engineer, Test Architect, <strong>and</strong> Test <strong>Impleme</strong>nter. Whilst this may appear overkill,<br />
<strong>and</strong> sometimes these roles could be filled by one or two people, the identification of the different roles<br />
needed may help assemble the best project team.<br />
<strong>Planning</strong> the infrastructure for SOA will require careful thought.<br />
<strong>Planning</strong> for a SOA deployment will require capacity planning <strong>and</strong> hardware planning where estimates of<br />
service volumes need to be considered, as well as usage patterns. Such planning will not be straightforward;<br />
a SOA infrastructure is made up of many components, such as middleware, mediation <strong>and</strong> orchestration<br />
brokers (which may be part of an ESB), infrastructure integration services (such as for security, monitoring,<br />
<strong>and</strong> exception management), as well as BPM engines, <strong>and</strong> of course, the underlying network infrastructure.<br />
This may itself have many components that impact performance <strong>and</strong> capacity<br />
including routers, switches, traffic load balancers, <strong>and</strong> encryption (such as<br />
SSL) <strong>and</strong> transformation XML Stylesheet Language Transformation (XSLT)<br />
accelerators.<br />
When carrying out capacity planning for SOA, performance is probably one of the<br />
easier aspects to measure, yet even that can be a challenge given the distributed<br />
nature of SOA. Estimating the number of transactions that are likely to occur, the<br />
number of users accessing a service is also quite measurable.<br />
Composite applications may be made up from a number of services, <strong>and</strong> these<br />
may not all have the same SLA (especially over time), which may of itself lead<br />
to interesting decisions as to how to scale up the required infrastructure.<br />
A common approach would be to over-engineer the infrastructure – <strong>and</strong> certainly it would be wise to allocate<br />
budget to hardware at the outset of a SOA project. But some of the infrastructure elements can be very<br />
expensive if under-utilised (BPM engines are a particular example here). A pattern-based approach to<br />
capacity planning is one good option, taking into account a range of access patterns to the services that<br />
encompass simple <strong>and</strong> complex scenarios.<br />
A simple pattern might cover a validation service (using a schema, for example), a transformation from one<br />
format to another, <strong>and</strong> then publishing a message onto a queue. A more complex pattern might add in lookups<br />
<strong>and</strong> process management capabilities. The capacity planning process should then test the various<br />
scenarios <strong>and</strong> record results in order to then extrapolate based on peak load estimates. This peak should<br />
then be projected forward over time to forecast where additional capacity might be required in the future.<br />
Another part of infrastructure planning is to consider failover <strong>and</strong> disaster recovery – establishing how<br />
alternative infrastructure can be utilised <strong>and</strong> what the service failover options should be. In any serious<br />
project, failover should be designed in, <strong>and</strong> then tested to ensure that it works.<br />
Services within a SOA may be combined in unforeseen ways.<br />
When carrying out<br />
capacity planning for<br />
SOA, performance is<br />
probably one of the<br />
easier aspects to<br />
measure, yet even that<br />
can be a challenge<br />
given the distributed<br />
nature of SOA.<br />
A key issue in testing within a SOA is that it is not always clear, when designing a service, how it is going<br />
to be used. A service could be reused <strong>and</strong> combined with other services in ways that are not foreseen at<br />
the development phase, so services will therefore need rigorous testing to ensure that when the<br />
unpredictable happens, they cope. Testing in a SOA will encompass the ability to test Web services but also<br />
other types of service.<br />
As with any type of application or service, one of the first tests should be whether the service does what it<br />
is intended to do, in terms of the capabilities that it is intended to deliver. Such functional testing will also<br />
need to be carried out but issues such as unit testing, system testing, load testing, <strong>and</strong> overall performance<br />
all need to be addressed when testing is carried out, <strong>and</strong> where a service may have multiple bindings, each<br />
will need to be tested.<br />
December 2006 Section 1: SOA Deployment 29
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
From a functional perspective, where a service has a user interface, then usability testing may also be<br />
appropriate. Testing may also involve using the same types of communication infrastructure (for example an<br />
ESB) as would then be used in production, <strong>and</strong> here there may be issues with licensing, where development<br />
<strong>and</strong> testing can be carried out within the terms of a licence, but it may require additional payment for<br />
production.<br />
Performance testing will be another area that should have careful attention paid to it – especially where<br />
significant use is made of XML messaging. Although performance is improving over time, <strong>and</strong> various<br />
technologies exist to speed up XML parsing, XML is still highly verbose. One method might be to enable the<br />
message to be parsed in phases, so that the first part of the message can be acted upon whilst the rest of<br />
it is still being processed. However, recent benchmarks indicate that performance may be less of a major<br />
issue than it used to be.<br />
A number of test tools are starting to emerge, <strong>and</strong> the well-known testing vendors are all starting to work<br />
on testing for SOA, including Parasoft <strong>and</strong> Mercury. Another aspect for testing within a SOA will be<br />
simulation, which will be especially relevant for services that have not yet been created or are not currently<br />
available. The automatic generation of tests will also be valuable within a SOA project.<br />
SOA <strong>and</strong> Agile can be complementary.<br />
Agile software development first started to take off during the late 1990s, when Kent Beck promoted<br />
Extreme Programming (XP); a set of values, principles, <strong>and</strong> practices for planning, coding, designing, <strong>and</strong><br />
testing software. Agile software development approaches tend to have a number of common values, such<br />
as frequent inspection <strong>and</strong> adaptation, frequent delivery (with some proponents advocating nightly build<br />
programs), collaboration <strong>and</strong> close communication with business users, <strong>and</strong> the emergence of requirements<br />
(incremental), technology, <strong>and</strong> team capabilities rather than defining these up-front.<br />
Developing SOA applications might appear to be an area where design all needs to be conducted up-front,<br />
<strong>and</strong> therefore more compatible with a traditional ‘waterfall’ methodology rather than a more agile, iterative<br />
approach.<br />
However, in practice the two approaches are quite complementary. In a SOA the interfaces of a service will<br />
need to be carefully planned <strong>and</strong> designed – <strong>and</strong> should then remain relatively stable. However, Agile<br />
methodologies <strong>and</strong> software engineering practices can still be applied to the development of applications<br />
that expose external service interfaces. It will be necessary to think very carefully about interfaces that are<br />
being exposed at the end of any particular iteration. If, after a few iterations, a client needs one of these<br />
interfaces to be changed, then it may well have to be changed, ensuring that the change has minimal<br />
impact through techniques such as mediation <strong>and</strong> versioning.<br />
IBM’s Developerworks Web site has some valuable articles illustrating how Agile can complement Web<br />
services development in particular, <strong>and</strong> SOA on the whole.<br />
A guiding principle of SOA is that services should ideally follow the same design philosophy, <strong>and</strong> once<br />
created, assembling them should require less skill than other development models – assembly is often seen<br />
as within the capabilities of a business analyst. Hence, service-oriented development will facilitate a much<br />
more agile business in the future.<br />
30 Section 1: SOA Deployment<br />
December 2006
www.butlergroup.com<br />
Technology Management <strong>and</strong> Strategy Report<br />
SECTION 2:<br />
SOA in Action<br />
Butler Group<br />
a Datamonitor Company
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
www.butlergroup.com<br />
SOA CASE STUDIES<br />
CATALYST<br />
Studying the practical experiences of organisations that have embarked upon a Service Oriented<br />
Architecture (SOA) strategy is a useful way to gain information about the methods employed, the<br />
outcomes achieved, <strong>and</strong> the lessons learnt.<br />
SUMMARY<br />
IBM – St<strong>and</strong>ard Life.<br />
ANALYSIS<br />
IBM – St<strong>and</strong>ard Life<br />
St<strong>and</strong>ard Life is an assurance company headquartered in Edinburgh, Scotl<strong>and</strong>. It employs over 12,000 people<br />
<strong>and</strong> manages more than UK£105 billion in assets for over seven million customers worldwide. Its portfolio has<br />
exp<strong>and</strong>ed to include investments, banking, <strong>and</strong> healthcare offerings that are delivered through four<br />
independently operated organisations within the UK: St<strong>and</strong>ard Life UK, St<strong>and</strong>ard Life Investments, St<strong>and</strong>ard<br />
Life Bank, <strong>and</strong> St<strong>and</strong>ard Life Healthcare. St<strong>and</strong>ard Life also has international operations in Canada, Germany,<br />
Irel<strong>and</strong>, India, <strong>and</strong> China that contribute approximately 30% to the company’s worldwide new business.<br />
Business Challenges<br />
St<strong>and</strong>ard Life has seen the speed <strong>and</strong> complexity of operating its business increase. The majority of its revenue<br />
is now delivered from Independent Financial Advisors (IFAs), many of whom use industry-sponsored portals to<br />
obtain product <strong>and</strong> price comparisons from multiple providers on behalf of their customers. Pressure from<br />
competitive aggregators, which can provide IFAs with a comprehensive, single view of customer holdings, is<br />
on the rise, as are customer expectations for faster service <strong>and</strong> on-line access to personal financial information.<br />
Whilst St<strong>and</strong>ard Life has always enjoyed a good reputation for customer service, it recognised the growing need<br />
to be even more responsive to its customers <strong>and</strong> to drive loyalty within its many business channels.<br />
St<strong>and</strong>ard Life was looking for ways to make working with its business channels simpler <strong>and</strong> to improve<br />
customer service, but reducing costs was also a priority. For St<strong>and</strong>ard Life, cost reduction had implications that<br />
went beyond contributing to its own bottom line, with cost-cutting also potentially improving its st<strong>and</strong>ing with<br />
IFAs. If St<strong>and</strong>ard Life could lower its cost of doing business, IFAs would have an opportunity to lower theirs,<br />
helping IFAs improve their margins, which could foster IFA loyalty <strong>and</strong> gain a competitive edge.<br />
SOA Strategy<br />
To address these challenges, St<strong>and</strong>ard Life looked to establish a new, more flexible architecture that would<br />
enable it to leverage its existing business process <strong>and</strong> technology assets. In 1995, St<strong>and</strong>ard Life had<br />
st<strong>and</strong>ardised its data access <strong>and</strong> catalogued its reusable data services. Then, between 1999 <strong>and</strong> 2001,<br />
St<strong>and</strong>ard Life defined its application development architecture <strong>and</strong> the framework that would support it.<br />
This became the blueprint for what is now the company’s SOA approach, which provides the foundation for<br />
St<strong>and</strong>ard Life’s implementation of Web services.<br />
The technology framework componentises business processes <strong>and</strong> the IT functions that support them in order<br />
to extend those processes to constituents, both internally <strong>and</strong> externally. Web services are used to provide selfcontained,<br />
modular applications that are designed to work together without relying on custom-coded<br />
connections. They can be combined <strong>and</strong> recombined to meet the changing needs of the business. This<br />
flexibility <strong>and</strong> reuse leads to shorter development cycles with less effort expended, resulting in substantially<br />
lower costs. The list of St<strong>and</strong>ard Life’s reusable business services includes verify identity, provide life cover<br />
information, <strong>and</strong> create an outgoing document.<br />
32 Section 2: SOA in Action<br />
December 2006
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
In 1999, Web services st<strong>and</strong>ards were just emerging. Therefore, to best meet its internal needs, St<strong>and</strong>ard<br />
Life developed internal XML st<strong>and</strong>ards that are analogous to today’s Web services st<strong>and</strong>ards. St<strong>and</strong>ard Life<br />
continually evaluated Web services st<strong>and</strong>ards as they matured, <strong>and</strong> is now beginning to implement these<br />
new st<strong>and</strong>ards as XML-enabled reusable services that are available over a messaging layer to agents <strong>and</strong><br />
business partners.<br />
St<strong>and</strong>ard Life’s service-oriented approach has allowed the company to exploit its existing IT assets <strong>and</strong><br />
applications, <strong>and</strong> to align technology with its key business objectives. Today, St<strong>and</strong>ard Life’s SOA has been<br />
implemented across all of the major UK operations in the St<strong>and</strong>ard Life Group. At the core of the SOA is<br />
IBM WebSphere Message Broker, a st<strong>and</strong>ardised messaging technology that allows St<strong>and</strong>ard Life to<br />
integrate its various hardware, software, <strong>and</strong> platform systems. Web services are enabled by IBM Rational<br />
Application Developer for WebSphere <strong>and</strong> IBM WebSphere Application Server.<br />
Outcomes<br />
St<strong>and</strong>ard Life has seen significant benefits as a result of implementing SOA <strong>and</strong> reusing business services.<br />
Over 300 business services, such as the ability to provide agent details, produce statements, <strong>and</strong> maintain<br />
addresses, are available for reuse by IFAs, agents, <strong>and</strong> customers. The company can easily deploy new<br />
combinations of services, thereby simplifying the process of working across its various business channels,<br />
<strong>and</strong> as Web services employ common st<strong>and</strong>ards, anyone, regardless of technology environment, can make<br />
use of the services available.<br />
St<strong>and</strong>ard Life has also seen a significant decrease in client application development times. To date, the<br />
company has been able to reuse nearly 51% of its services, contributing to savings in excess of UK£10.4<br />
million in development costs. With so many services available for reuse, St<strong>and</strong>ard Life’s IT department can<br />
combine services to develop <strong>and</strong> deploy composite applications more quickly, <strong>and</strong> as the business needs<br />
them. This makes St<strong>and</strong>ard Life more agile <strong>and</strong> able to respond to new business opportunities with greater<br />
speed.<br />
By exploiting its catalogue of reusable services <strong>and</strong> making them available to business partners, St<strong>and</strong>ard<br />
Life has been able to improve customer service. This, in turn, differentiates St<strong>and</strong>ard Life from its<br />
competitors in the eyes of IFAs <strong>and</strong> customers using aggregate sites to evaluate <strong>and</strong> select providers. As a<br />
result St<strong>and</strong>ard Life has been voted ‘company of the year’ by UK IFAs for the past five years.<br />
Since St<strong>and</strong>ard Life has implemented a SOA using Web services, its transaction rates have increased<br />
without the need to increase operations staff, <strong>and</strong> by sharing business functions with key constituents, the<br />
company can ensure the consistency of information that its customers receive, whether that information<br />
comes from an IFA portal, St<strong>and</strong>ard Life’s Web site, or from a conversation with one of the company’s<br />
customer service representatives. This consistency strengthens the St<strong>and</strong>ard Life br<strong>and</strong> across multiple<br />
products <strong>and</strong> channels.<br />
St<strong>and</strong>ard Life’s SOA has evolved over a 10-year period. During that time, the company has learned an<br />
important lesson – an effective SOA combines technology with business processes <strong>and</strong> people. St<strong>and</strong>ard<br />
Life made the important shift from having a technology-centric culture to having a service-oriented one, <strong>and</strong><br />
enhanced the skill sets of its employees, for example, by training them in XML, to support this culture shift.<br />
It also exploited <strong>and</strong> revitalised its existing IT <strong>and</strong> application assets to support its business processes,<br />
enabling St<strong>and</strong>ard Life’s IT function to both support the organisation <strong>and</strong> contribute to the bottom line.<br />
Key outcomes included:<br />
Reuse of nearly 51% of existing services, resulting in savings of more than UK£10.4 million in<br />
development costs.<br />
<br />
<br />
<br />
<br />
Increased transaction rate by 900% without increasing operations staff.<br />
Improved responsiveness to market change <strong>and</strong> customer needs.<br />
Better customer service.<br />
Ensures consistency of information that customers receive, strengthening company br<strong>and</strong>.<br />
December 2006 Section 2: SOA in Action 33
Technology Management <strong>and</strong> Strategy Report<br />
www.butlergroup.com<br />
This Report reveals:<br />
The essential considerations when planning <strong>and</strong> implementing<br />
SOA.<br />
How to use SOA to transform the way the organisation operates.<br />
The pitfalls to avoid when deploying SOA.<br />
Why becoming a process-centric enterprise complements SOA.<br />
How to separate the hype from the reality of SOA.<br />
A roadmap for the deployment of SOA.<br />
The importance of taking into account the impact of SOA on the<br />
wider IT environment.<br />
The challenges of developing data architecture to support SOA.<br />
How early adopters are gaining advantage from SOA.<br />
Butler Group<br />
a Datamonitor Company<br />
Analysis without compromise<br />
Headquarters:<br />
Europa House,<br />
184 Ferensway,<br />
Hull, East Yorkshire,<br />
HU1 3UT, UK<br />
Tel: +44 (0)1482 586149<br />
Fax: +44 (0)1482 323577<br />
Australian Sales Office:<br />
Butler Direct Pty Ltd., Level 46,<br />
Citigroup Building, 2 Park Street,<br />
Sydney, NSW, 2000,<br />
Australia<br />
Tel: +61 (02) 8705 6960<br />
Fax: +61 (02) 8705 6961<br />
End-user Sales Office (USA):<br />
Butler Group,<br />
245 Fifth Avenue, 4th Floor,<br />
New York, NY 10016<br />
USA<br />
Tel: +1 212 652 5302<br />
Fax: +1 212 202 4684