3 steps for successful SOA

By Rick Parry, MD Progress Software South Africa

Johannesburg, 11 Apr 2008

Imagine asking a CEO if he knew where all his enterprise applications were, how secure they were, and if they were being properly managed.

He'd probably treat you as if you were loony, and he'd be right to do so. Amazingly, then, many salespeople are trying to sell service-oriented architecture (SOA) without being able to answer precisely these three questions.

The fact is that, for all its promised benefits, SOA as an environment is inherently more difficult to control than its predecessors:

* Host-based computing, by centralising all logic and data, was easy to manage, secure and monitor.
* Client-server computing, by separating the logic, data and user interface, created a level of chaos and runaway costs that has never really been brought under control. The key factor here was the loss of control from the centre, and it has defined computing for the last 15 years.
* Now we have SOA, which offers us the promise of agility, flexibility, legacy extension, return on investment and much more. The downside is that SOA can be infinitely distributed, making it hardest of all to control, unless the appropriate infrastructure is in place.

As companies increasingly make use of widely distributed architectures, accessing third-party services on the one hand and exposing their own applications as Web services on the other, they need to be able to answer with total clarity the questions: Do I know what I have? Do I know where it is, and how it is performing? Am I managing it correctly? And is it secure? The harsh truth is that many companies are going down the SOA road without the ability to answer these questions. Yet they would never have done such a thing with legacy computing paradigms.

Without the ability to secure, manage and monitor services, no company should consider tackling SOA:

* Security: IT needs to address "man in the middle" and "last mile" vulnerabilities. Unless properly governed, SOA could allow anyone, anywhere, to invoke, deploy or orchestrate a Web service at any time. This service would potentially reside alongside thousands of others, exponentially increasing the security risk. In addition, such a scenario would open the risk of rogue services passing themselves off as legitimate nodes and undermining the trust equation that makes SOA possible. By implementing runtime governance, IT can reduce risk through service discovery and automatic policy enforcement.
* Monitoring: Unless you can see in real time what is happening with and around your services, you cannot say you have discharged your obligation in terms of SOA governance. The ideal is business process visibility, enabling you to manage your SOA from a business process perspective.
* Enterprise-class management: As with all forms of systems management, the ability to view, manage and control all services in a heterogeneous SOA environment, in real time, from one centralised dashboard is fundamental. SOA governance demands a management and tools capability that runs the gamut from planning to design, development to deployment, operation to optimisation. Finally, such a capability allows users to define, sort and prioritise by business or IT metrics, and to manage service level agreements.

SOA promises to bring great benefits to business but, as with most previous IT paradigms, it has been oversold, even hyped to a point where expectations exceed reality.

To align the hype with the truth, and prevent disappointment, early SOA adopters need to ensure they lay a solid foundation, one which allows them the same control as they enjoyed decades ago. Anything else will lead to SOA being viewed as yet another IT fad.
