While SOA is not a new term, it has gained industry momentum as a new software category that encompasses collaborative and groupware applications; development, deployment and information access; and system infrastructure. SDA Asia spoke to Mark Greeff of Software AG to understand the company’s take on SOA governance. Greeff talks about how SOA governance makes it easier for developers and architects to collaborate, create and manage world-class business applications, while delivering the next generation of design-time SOA governance via a closed loop process. Read on.

Mark Greeff is Director Product Marketing for Software AG. In his current capacity, he is responsible for directing, managing and overseeing all aspects of Software AG’s business line, crossvision, in Japan, Asia, China and Australia (JACA). Prior to rising to his current position at Software AG, Greeff was General Manager for the company’s XMLi Business Integration line in Australia. Prior to joining Software AG, he was also Consulting Director and Manager Object Technology Group for two Australian consulting firms.
SDA: “SOA governance is about managing the quality, consistency, predictability, change and interdependencies of services.” Can you walk our readers through the need for SOA governance?
Mark Greeff (MG): The need for SOA governance is in being able to analyse and plan projects a lot better and being able to visualise all integration artifact dependencies. If you think about the whole concept of interoperability in different objects, or services available to you—if you take the top-down approach—you could start with a composite application, which can feed off a business process. This in turn acts as a connection of a service orchestration in a service bus, which further has a connection to a legacy Application Planning Interface (API) and integration to a legacy back-end system. From the top down, SOA needs to be able to manage those fine-grained services and provide visibility.
SOA governance is also about how you would describe the dependencies from an interoperability point of view to the consumers out there. SOA is all about giving visibility to all the consumers on the SOA platforms—that could be an enterprise architect, a developer, a business analyst, or a project manager. As all of them will have a different view of SOA governance, it is also about being able to have a flexible platform for them to see how an SOA governance platform integrates what they do and how it improves their job. So a developer would be able to find or discover a service a lot easier, a business analyst would be able to have a better understanding of all of the business processes or people associated with a particular process and so on. As comprehensive reports and data will be available, the decision-making process would invariably improve. This translates directly to better and informed decisions being made by senior management.
SDA: Few would argue that SOA is inevitable and has become a strategic imperative for organisations today. But it can also threaten to transform the enterprise network into a complex, sprawling unmanageable mesh, by encouraging widespread reuse of scattered software components. How can SOA governance prevent rogue services from springing up everywhere, passing themselves off as legitimate nodes and wreaking havoc on the delicate trust that underlies production SOA?
MG: There is a design time/development time aspect and then a run time aspect to the governance model. You might design some service in a particular manner, and there might be some rogue projects that you may not be aware of, that also go out and develop similar applications with similar services without registering them from a design time perspective. As an example, we work closely with CentraSite community members like Amberpoint, who focus on providing a run-time governance engine to discover these rogue services. Together we look at managing the end points, and have the ability to have an exchange service model between the run-time world and the design-time world. So we can detect any of those rogue services, register them back to the design-time platform, and then have the CentraSite notification platform notify certain consumers of the design time model about some rogue services that are affected by this particular service and so on.
SDA: According to Forrester’s Larry Fulton, SOA repository is essential for effective SOA governance. Can you explain the role played by SOA repository in a large-scale SOA program?
MG: Let me tell you, from a user perspective, the role played by an SOA repository. We recently got on board a brand new customer—the Scandinavian Airline. They are running a heterogeneous environment that includes J2EE as well as .NET technology and middleware solutions from a range of suppliers. There are several hundred (web-) services available within the organisation across different departments.
They plan to have a single management and governance umbrella supported by open standards that will give them the platform to be able to deal with all of the different complex platforms and provide real governance by documenting and managing services with their related artifacts and their relation to processes and other service consumers. So for me, citing real customer stories and then applying their feedback to governance is the driving force for us at the moment.
SDA: According to Ivo Totev, the main aim of SOA is to bring business and IT close together. How does SOA governance help achieve this aim? Can you explain the need to embrace efficient life-cycle mechanisms for services, policies and processes?
MG: This is an important aspect for us, as it is a lot about analysing the dependencies between different entities like organisations, people, processes, policies and services. One of the things that you see in the whole governance story is that there has been an organisational governance platform. People have talked about organisational governance for a while. What we are doing now is to bring together that corporate governance model and IT governance model into an SOA governance platform. So if you can think about all the corporate governance stuff—about processes of custom policy laws and such—and IT governance, which traditionally revolves around decision rights, accountability, and behaviour of IT—if we bring them together with SOA governance, it ensures you can define decision-making authority for developing different SOA artifacts. The traditional decision making group of people in an organisation is split from the very business-centric to the IT-centric business model. There are categories of different types of people who actually make a decision—whether they make decisions on IT principles or IT architecture or IT infrastructure or a business application or just significant infrastructure for IT. Different people make those decisions, and so for us the governance model is also about being able to support that decision matrix and linking it to the policies, projects, processes and eventually services that will be impacted.
SDA: Can you talk about the role of trust in SOA Governance?
MG: Trust is a critical aspect from the customer’s perspective. You might have different departments developing different projects. What is required in a governance model is to be able to say there is a service that has been developed around, let’s say, change of address. Change of address is actually a service that is re-usable across different projects. So the participants in the team of those given projects, at some point in time, will want to know if the service is a trusted service. Does it have some accreditation or something that says it’s gone through some approval inside the governance model, which shows that this is a trusted service that can be consumed by all of these different projects? So being able to manage that trust model for services and for all of its associations and also the governance model is a critical thing for us and we currently support that.
SDA: Tell us a bit more about Software AG’s Crossvision SOA suite. How does this meet the challenges of building an SOA to satisfy the unique needs of two separate groups of business analysts and system architects?
MG: Software AG’s Crossvision Suite is a solution, which offers you methods to create, optimise and govern business processes. Based on open standards, it supports legacy systems, enabling equal leverage of all your IT assets. Consisting of six fundamental components, namely Crossvision Application Composer, Crossvision Business Process Manager, Crossvision Service Orchestrator, Crossvision Information Integrator, Crossvision Legacy Integrator, and CentraSite, our Crossvision Suite provides you the ability to achieve your vision.
The main component in the Crossvision suite is CentraSite. It is built jointly by Software AG and Fujitsu on an open and standards-based SOA Registry/Repository as a full SOA Governance solution. With CentraSite you can achieve control and transparency across all IT assets within the organisation and monitor your SOA with reporting capabilities.
We have customers that run on all kinds of platforms. They run our technology in heterogeneous environments, so it’s kind of our responsibility to be able to integrate anything that the customer says is a legacy platform. For us, Crossvision Legacy Integrator is quite important, because the amount of customers and business that we get around the legacy integration suite today is colossal. The industry has changed from five years ago; people are saying that they can’t afford to have twenty million dollar projects now, and expecting value out of their legacy platforms and being able to expose that value to business logic or some such. So one of the things that we do once we expose something out of a legacy platform, is to register that, whether it be an object or a web service into the repository.
The next thing is our Crossvision Service Orchestrator layer. It is probably one of the most robust service bus platforms currently in the market—one of the main reasons being the way that we deal with the interoperability. Our service bus can orchestrate payloads of information from anything to anything. But what we also do is give SOA consumers and suppliers visibility of the service orchestration models, so that all of the orchestrations are made visible as part of our governance model.
Crossvision Application Composer is the building block that allows the user to build composite applications that bring the value of a SOA directly to users. Crossvision Business Process Manager (BPM) is a new class of software to model, optimise, automate, integrate and manage business processes. Lastly, Crossvision Information Integrator provides information on demand from across the organisation. It enables rapid and cost-effective implementation of business initiatives, such as single view of information based on semantic rules.
SDA: Can you talk about the consequences of ungoverned SOA? What about security breaches and things like non-compliance?
MG: There is no easy way of describing an ungoverned SOA. The closest analogy that I can think of is a bank that has been running for the last 15 years. Take for instance it has been running all of its credit card systems, its banking systems, its security on a mainframe. The way that people can talk to the bank is either by a web channel, ATM, customer-facing interface, and such. All the systems, objects or programs or databases will all be stored and managed on that mainframe. Now imagine chunks of that application and services being distributed onto platforms around the globe.
The security requirements across a heterogeneous design and runtime SOA environment require a SOA security framework and the infrastructure to be well protected with appropriate firewalls and multiple security layers. In addition, the operation of these distributed SOA services will also require contracts, SLAs and policies to govern them.
We make sure that we partner with major security players out there—from identity management systems all the way to XML Security Gateway players—there is a whole gamut of security layers that now become more critical to manage under a single governance platform. Security drives a big chunk of fear and uncertainty around SOA itself. Once the customer is assured of his end points, the policies around those end points, the processes around those policies, and the services attached to those policies etc., it is all about that dependency model. For us security is one piece to building a solid governance model moving forward.
SDA: Can you talk about companies in the APAC region? How long have they been managing SOA, and are there any challenges they face in the aforementioned space?
MG: The APAC region is highly fragmented. In Australia the interest level is extremely high, depending on the vertical that you are talking about. In Japan there is a lot of talk and discussion around it. The Japanese market by itself is highly complex, simply because of localisation of the solutions. But there is a decent amount of interest.
On the whole, in Asia it is safe to say that there is a lot of interest; there haven’t been massive projects around SOA yet, but it is definitely tending towards that goal.