CBDI Service Oriented Architecture Practice Portal *Independent Guidance for Service Architecture and Engineering*
	Search:

CBDi Journal 2008 / April : SOA Best Practice Report

SOA Governance Framework

The following is an extract from a CBDI Journal Report - SOA Governance: Challenge or Opportunity

Introduction

At CBDI we have always advocated that governance needs to be rooted in clear policy definition and in fact devoted an article to this in June 2007 ¹. Since that time we have been busy assisting organizations improve SOA governance approaches based on an underlying foundation of clear policy definition. One thing that has emerged vividly from this work is that organizations must move forward at their own pace and in a way that is realistic in terms of their current SOA adoption level.

Moreover the approach taken to SOA governance must be in tune with the overall governance requirements and political climate. We have therefore distilled these experiences into an SOA Governance Framework - embracing policy, process, infrastructure and capability maturity - that can be tailored to each organization's specific needs. At the same time we are finding increasingly that SOA governance represents an opportunity to improve overall governance capabilities, which are all too often well short of the bar. Indeed successful SOA governance has to be seen as one component in organizational change management.

SOA Governance Defined

It is now clear that SOA provides huge potential for agility, both in response to technology and business change, and in terms of initiating change for organizational advantage. The problem is however a price tag, which includes difficult governance issues. For example:

if services are to be widely reused then this requires profound and difficult issues in ownership, funding and project management.
If services are widely reused this requires a significant increase in complexity of service specification - how do we make sure services can be specified clearly and consistently in a manner that satisfies multiple consumers with possibly varying requirements, timescales and change cycle times?
And in today's offshore, outsourced world, we need governance over the choice of service provider and critically the delegation of architecture, design and test.

SOA governance is essentially a response to these problems that we define thus:

The part of IT governance that refers to the organizational structures, policies and processes that ensure that an organization's SOA efforts sustain and extend the organization's business and IT strategies, and achieve the desired outcomes .

SOA Governance in Context

An understanding of the idea of business governance is necessary to provide organizational context for SOA governance. Business governance refers to the leadership and organizational structures and processes that ensure that an organization's resources (including its services and supporting IT resources) sustain and extend the organization's business processes and goals. Moreover, SOA governance does not sit in isolation, but is part of IT governance which in turn should be an enabler of business governance.

The Full Spectrum of Governance

An important part of SOA governance concerns technology. Frequently we see vendors promoting a fairly narrow view of governance that just so happens to reflect the capabilities of their products, often focused on the operational activites.

However if an IT organization focuses solely on how its services are deployed and managed without paying sufficient attention to the business architecture drivers and the development processes and practices used to build services in support of that architecture, that organization is very likely to have a set of well-managed "service spaghetti," not a true SOA. Implementing a series of point-to-point services masquerading as an SOA will simply revive the integration nightmare of a few years ago with just another layer of technology.

The Need for a Framework

What is needed is an SOA governance framework that is aligned to the desired business and IT outcomes of the organization and that is compatible with your organization's current approaches to both IT and business governance. At the same time as we argue strongly in this article the SOA Governance Framework should not only be seen as a tool for dealing with these challenges. It is also provides an opportunity to put IT's house in order. Many organizations are at a very immature level of overall IT governance. SOA really forces you to address governance issues if it is to work effectively beyond the state of toy projects. This in turn has a positive effect on improving overall IT governance; see figure 1.

Figure 1: SOA Governance in Context

The CBDI-SAE SOA Governance Framework

It is important that SOA governance is approached in a balanced and complete fashion that addresses the What, How, Who and When aspects of the topic; see figure 2.

Figure 2: The CBDI-SAE SOA Governance Framework

Policy View

The Policy View is shown in figure 3. The policy categories on the left hand side of the figure represented by the horizontal rectangles correspond to the overall sequence of the service lifecycle from Planning through to Operations. The three vertical policy categories depict the ongoing activities that run right through this lifecycle.

Figure 3: SOA Policy Categories

We have been busy cataloging and defining SOA policy types within the CBDI SAE Knowledgebase with respect to typically associated outcomes and risks; table 1 shows an analysis for a small portion of this hierarchy, which is too big to publish in its entirety in a report of this nature.

Business/IT Outcomes	Interpreted SOA Outcomes	SOA Risks
Easy exchange of well organized, accurate and timely information with customers.	Reuse and orchestration of services across different business processes in different channels and consumer contexts that a) resolve existing process and data quality, currency and completeness issues and b) improve customer satisfaction.	Well intentioned but misinformed integration of customer processes and data that support genuinely separate businesses within a single enterprise. Uncontrolled service usage that leads to data integrity issues or unsupportable scalability demands from consumers.
Data protection must not be compromised.	Common authentication and authorization services provide greater assurance of compliance with business security policies.	Conflict between SOA security and existing application level security. Trust boundaries necessary to avoid performance overhead of continual authorization and authentication reduce achievement of service autonomy.
ROI is ensured. Profitability is maximized.	Service architecture applied to business/IT projects delivers productivity, reduced cost, faster time to market.	Business value of SOA is properly articulated to include life cycle costs including future rationalization opportunities, shorter business change cycle time etc.
Widespread beneficial usage of services.	Solutions adopt and appropriately comply with an enterprise reference architecture and can demonstrate business value from architectural principles such as loose coupling, autonomy, composability and virtualization. Lowered dependence upon specific technologies and separation of concerns enables component based approach to business/IT - enabling ROI AND control from outsourcing, offshoring and commodity solution projects.	Narrow accessibility constrains usage reducing ROI.
Policy Strategy Area	Policy Type	Leaf Node Policy Type
Usage Permissions	Constituency	Constituency Type
		Approved Consumer Organization
		Approved Consumer Software
	Usage Security	Authentication
	Usage Security	Authorization
Usage Commercial Basis	Usage Alignment
	Usage Pricing
	Unit of Usage
	SLA for Usage

Table 1 - Policy Hierarchy Examples: Usage Policy Category

Process View

The process view focuses on the discipline of SOA Governance, its constituent process units, tasks and deliverables. Too often the complexity of SOA governance processes is exacerbated by mixing management with operational concerns. The discipline therefore separates these concerns, which are reflected in two different sets of process units.

The management level, which should be centrally controlled, ensures the SOA Governance Framework - in terms of policy, organization, process and infrastructure requirements - is aligned to the requirements of the organization before embarking on detailed policy definition and enforcement.

The day to day activity of SOA governance is spread across different disciplines according to the type of policy being dealt with. For example policies of the architectural policy type are set up as part of the SOA Architecture and Design discipline, specifically in Service Portfolio Planning.

Organization View

The organization view sets out the roles necessary for SOA governance with guidelines on organizational structure. Some of these roles are specifically focused on governance matters; for example, the SOA Governance Board and the SOA Governance Lead. Others such as the SOA Review Board may have a �leaning� toward governance. And yet others, such as the SOA CoE, Enterprise Service Architect and Service Level Manager, may well be charged with significant governance responsibilities, but as part of a much wider brief.

Certain roles, such as the SOA CoE are group roles that may map to new organizational units or may be subsumed within existing units. In contrast, other roles such as the SOA Governance Lead are likely to be assigned to one (or more) individuals.

It is also important to define policy that states which roles are accountable for which SOA artifacts in terms of responsibility (R), authority (A), expertise (E) and work (W); RAEW analysis is used to assist here ².

Infrastructure View

The infrastructure view sets out the infrastructure capabilities necessary for SOA governance. There is a wide variety of implementation types, both automated and manual, the purpose of which often extends beyond governance alone to areas such as SOA modeling and service execution. The rationale of the infrastructure view is to focus on the governance capabilities in terms of:

Policy Management: how is policy defined and maintained, what level of support is available for assertion languages? For example, using a service catalog and repository with links to modeling tools using a standardized SOA meta model
Enforcement Mechanisms: what is the actual means of achieving different types of compliance, how often is it checked and to what degree of precision? For example, using an ESB to provide run time policy rule checking and routing.
Communication: how can governance be communicated and demonstrated? For example using a service level management dashboard to demonstrate compliance with Quality of Service thresholds.
Change Management: how can governance changes be audited? For example, using a service catalog to enforce service life cycle state change policies (e.g. publish and discovery) with support for system of record via a repository.

SOA Maturity View

We have developed a rich SOA Governance Framework that identifies expected SOA governance capabilities at each of five stages of SOA maturity as defined in the CBDI SOA Maturity model ³ to provide overall consistency. The maturity view includes capability maturity tables for policy, process, organization and infrastructure; table 2 provides some overall examples together with outcomes and risks.

The SOA governance capabilities indicated in the cells are mapped to the organization's �as is� state of SOA governance and to the �to be� state in terms of projected SOA outcomes. An SOA Governance Roadmap is then constructed forming a foundation for transition plans.

While the SOA Governance Maturity Model is rich, in order to provide comprehensive coverage, the intention is that it should be workable in small manageable chunks within its target context. This is where outcome and risk analysis, together with a good understanding of organizational context, come into play as described in the second part of this article.

Governance Area	Early Learning	Applied	Integrated	Enterprise	Ecosystem
Desired Outcomes	Successful Proof of Concept (PoC)	Assurance of QoS for project level services Adoption of common reference architecture is enabling reuse and flexibility within individual business solutions	Assurance of QoS for shared services Coordination of scope between selected projects is delivering cross-project consistency	Implementation of Service Portfolio Plan delivering consistent business processes and data for enterprise Compliance with common reference architecture ensuring enterprise-wide sharing/reuse, agility Delivery of agreed Service levels Cross life cycle management of Service assets delivering portfolio rationalization and component delivery approach	Industry compliance delivering business benefits through shared information and processes
Exposure to external risks Failure of external services	SOA is applied to inappropriate projects that are doomed to fail. SOA never gets past the first post	Solution meets immediate requirements, but is no better able to respond to future changes. SOA applied for wrong reasons	Uncoordinated SOA activity results in duplication and inconsistency in service delivery and usage misalignment across projects in classification and granularity of services resulting in incorrect usage, lack of usage	Service anarchy Inconsistency between assets at different SLC states Uncontroled offshoring and outsourcing	Suboptimal partnerships, relationships with customers, suppliers and third parties
Policy	PoC goal definition.	Basic Service Concepts Architecture Layering Default standards and QoS levels Project Service Portfolio Plan (SPP) Basic Service Description Service Life Cycle	SOA ref arch Compliance Usage by constituency Runtime standards QoS levels Publishing/Discovery of Design time reuse assets Service Specification Provider/Consumer Service Lifecycle	Sourcing and Usage with SLA Service Level Management Multi-participant Service lifecycle Enterprise Service Portfolio Plan (SPP) Publishing /Discovery of runtime reuse assets	Certification Business QoS levels Common global Service Specification
Process	Existing SDLC process checkpoints	Solution designs reviewed with respect to Project Service Architecture	Service Specification forms contractual interface between solution projects and provisioning projects	Service specification forms contractual interface between solution projects and provisioning projects	Clear traceability between business programs and IT (solution and provisioning) projects
Organization	Establish SOA Community of Interest Initiate SOA Steering Board to start managing SOA adoption	Establish SOA CoE EA perform SOA Governance Lead role	SOA Program Office Service Integration Office Dedicated SOA Governance Lead Service Architecture Review Board	Twin-Track - separation of provide/consume activities Sourcing and usage manager Service Ownership/Sponsorship SOA Governance Board	Vertical industry bodies set service standards
Infrastructure		Simple Service Catalog. Design time only. Monitor/log service run-time, alert to problems	Service Catalog - with governance over publish/discovery activities	Service Asset Management with SLC governance tools - Integrated with Service Catalog Service Management - Policy driven, SLA support	Service Asset Management with SLC Automation Policy Store/Management, Policy Enforcement Automation