SOA 2007: The March to Governance

By Julie Craig


2006 was a turning point for Service Oriented Architecture (SOA), the year when the hype became reality. Multiple companies brought SOA to production, but they faced challenges in doing so.

They found that SOA was hard, and that the difficulties went beyond technology. Governance presents a major challenge, and for many this was the top challenge. This article is a condensed version of Enterprise Management Associates (EMA) research published in July 2007 that explores the reasons why governance is a key success factor in SOA rollouts.


Throughout 2006, EMA published a series of research papers documenting the progress of SOA in the real world of IT. The final paper in the series, SOA: A View from the Trenches, featured in-depth case studies of companies that had reaped significant benefits from deploying business services over an SOA. When asked what advice they had for other companies, all cited planning and governance as a key challenge, and four out of five cited governance as the top challenge.

This finding was unexpected, as most of the press on SOA to date has focused on SOA's technical challenges. However, after talking with these early adopters, it became clear that SOA's success or failure may actually have more to do with cross-organizational and business-related factors, both of which are elements of governance.

Governance Drivers

Governance has taken center stage over the past few years, and this is not a coincidence. Industry awareness of governance and best practices has grown, with most organizations familiar with disciplines such as the IT Infrastructure Library (ITIL) and the Control Objectives for Information and Related Technology (COBIT). This familiarity has been driven by an industry seeking answers.

It isn't any secret that 70-to-80 percent of most IT budgets go toward maintenance and administration, leaving only 20-to-30 percent for growth and innovation. One of the primary reasons is complexity. As the industry migrates from mainframes and thin-clients to tiered, Web-centric applications, the number of applications, devices, and platforms managed by the average IT organization is skyrocketing. These days, it is not uncommon to find IT organizations supporting 1000 or more different business applications.

This shift has taken its toll on IT personnel and budgets. In many cases, it has also taken a toll on the relationship between IT and the business. With business often blissfully unaware of the net effect of this technology shift, IT is often viewed as a money pit.

As a result, IT organizations are finding themselves on the losing end of a no-win proposition. As the business evolves, it requires new business applications. Development provides them, then hands deployment and support over to IT. IT is the last stop on the application railroad, with one route in and no route out.

As this scenario plays out, IT has turned to governance in desperation. With very little control over the volume and complexity of the applications they support, IT is investing in best practices to improve efficiency.

SOA Governance

SOA governance applies best practices and SOA-specific management technologies to the same problem: the need to control and manage complexity. Good governance is an antidote for complexity.

It includes support processes based on best practices, visibility into technology relationships via good configuration management, and specialized application management products. Each contributes visibility to SOA deployments, helping to transform them from a "black box" to an ordered hierarchy viewed through a clear pane of glass.

Some of the specific challenges discussed by early adopters include the following:

How do we fund software for reuse across the company? One of the big payoffs for companies deploying SOA is reuse. Most view production SOA services as organizational "assets" that increase in value over time as they are used by multiple business services.

However, most companies fund software development projects by department. When one department funds SOA services with its own budget, how do other departments "pay" for use of the service once it is deployed? Although reuse can yield enormous cost benefits for the business, it requires changes in cost allocation for development and use of software assets.

Once a SOA business service is in production, how do we control access to it? SOA services are designed to be loosely coupled, meaning they publish their interfaces and can then be used by other services that require their functionality. In the real world, this means that, once SOA services are deployed, they are sitting on the network and available for use.

Many companies report a "free for all" as rogue users and rogue services find and bind to production services. This can wreak havoc with performance and create significant security problems. Without controls in place, for example, an unauthorized user might be able to access sensitive personnel or payroll data. SOA-specific management products help eliminate this problem by providing visibility into which services are being used and by whom, and by limiting access to approved users and/or services.

How do we monitor, manage and measure service levels? This is a significant issue, as the IT industry at large is still grappling with the requirement to manage heterogeneous, distributed and composite non-SOA applications. Managing availability and measuring service levels for loosely-coupled services adds additional complexity. Although a few application management vendors are starting to address this problem, most are behind the curve in terms of delivering products that truly solve it.

How do we apply security, and how much is enough? In addition to the access control issues discussed above, SOA deployments also face security-related challenges similar to those encountered in managing distributed, tiered applications.

An additional problem, however, is that SOA's sweet spot is integration. With SOA applications executing both within organizational boundaries and across the extranet, security concerns become paramount. Even error messages generated during execution can contain sensitive information that must be shielded from outside entities.
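The access-control and error-shielding points above can be made concrete with a small policy check. This is an added example, not part of the EMA research or any vendor product: the service names, consumer names, registry layout and call records are all constructed for illustration.

```python
from collections import Counter

# Hypothetical registry of approved consumers per service (assumption).
APPROVED = {
    "payroll-svc": {"hr-portal", "finance-batch"},
    "catalog-svc": {"web-store", "partner-gw"},
}
# Consumers that sit outside the organizational boundary (assumption).
EXTERNAL = {"partner-gw"}

# Constructed sample call records: (consumer, service, fault text or None).
CALLS = [
    ("hr-portal", "payroll-svc", None),
    ("web-store", "catalog-svc", None),
    ("test-script-7", "payroll-svc", None),   # never registered
    ("partner-gw", "catalog-svc", "SQLException at db01.corp.internal: column ssn"),
    ("partner-gw", "payroll-svc", None),      # approved elsewhere, not here
    ("hr-portal", "payroll-svc", "Timeout calling 10.2.3.4:1521"),
]

def authorize(consumer, service):
    """Deny by default: unknown services and unlisted consumers are refused."""
    return consumer in APPROVED.get(service, set())

def shield_fault(consumer, fault, ref):
    """External callers get a generic message plus a reference; internal keep detail."""
    if consumer in EXTERNAL:
        return f"Service error (ref {ref})"
    return fault

def audit(calls):
    """Return per-pair usage counts, rogue bindings, responses and the internal log."""
    usage, rogue, responses, internal_log = Counter(), [], [], []
    for i, (consumer, service, fault) in enumerate(calls):
        usage[(service, consumer)] += 1       # visibility: who uses what
        if not authorize(consumer, service):
            rogue.append((consumer, service))
            responses.append("denied")
            continue
        if fault is None:
            responses.append("ok")
            continue
        ref = f"E{i:04d}"
        internal_log.append((ref, service, fault))  # full detail stays inside
        responses.append(shield_fault(consumer, fault, ref))
    return usage, rogue, responses, internal_log

if __name__ == "__main__":
    usage, rogue, responses, _ = audit(CALLS)
    print("rogue bindings:", rogue)
    print("responses:", responses)
```

The reference returned to the external caller lets support staff find the full fault in the internal log without exposing host names or schema details across the extranet.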

Talking with SOA early adopters was fascinating. After reading multiple stories of deployment failures, it was refreshing to speak with companies that had leveraged SOA to reap big business gains.

In many cases, these companies had become leaders in their industries by bringing new products to market much faster than competitors. Others reported cost-avoidance by speeding integration projects, enabling them to do more work in less time. All reported challenges, but it appears that companies that are most successful leverage governance to manage technology and to drive the cross-business changes that successful SOA requires.

Julie Craig is a senior analyst with Boulder, Colo.-based Enterprise Management Associates, an industry research firm focused on IT management. Julie can be reached at jcraig@enterprisemanagement.com.