Get SOA Policy Management Right: A To-Do List for IT Leaders

IT leaders must understand the general characteristics of the SOA policy life cycle. This will help you to watch over critical control points and organizational relationships. Here's some practical advice from Forrester Research SOA expert Randy Heffner.

By Randy Heffner
Wed, May 06, 2009

CIO — IT leaders must understand the general characteristics of the SOA policy life cycle. This will help you to watch over critical control points and organizational relationships. Here's some practical advice from Forrester Research SOA expert Randy Heffner. SOA policy management is an advanced means of building flexibility and business value into service-oriented architecture (SOA) strategy. SOA policy is emerging as a feature in many types of SOA related products, and your architects should have it on their radar screens. If it sneaks into your SOA strategy without a clear plan, your organization may paint itself into a corner and miss important opportunities to achieve SOA policy benefits.

SOA policies are defined separately from the SOA-based services they control, which allows flexibility in different domains of service characteristics ranging from business operations (monetary limits, transaction routing, etc.), service-level management, deploy controls, security, and more. SOA policy management adds value in two ways: 1) it allows your SOA-based services to change more quickly in response to business changes, and 2) it extends and reinforces your SOA governance processes during both development and production operation, resulting in more reliable and efficient SOA operations.

From your perspective as the CIO or IT leader, it is important to understand the general characteristics of the policy life cycle, which will help you to watch over critical control points and organizational relationships. Key characteristics of getting the SOA policy life cycle right include:

Getting a clear connection with the original source of the policy. Every policy has at least one original source within the organization—a person or team that directly cares about, is responsible for, or is affected by the policy. Your policy management processes must have appropriate integration points and approval checkpoints with these varied original policy sources.

Elaborating policy from the general to the specific. In the early stages of the SOA service life cycle, a policy may be specified in a more general, abstract way, but your SOA platform can only enforce that policy when it is rendered in a concrete, executable form. The policy life cycle, including policy authoring and management tools, will control the transformation and/or translation from abstract to concrete policy—and ensure traceability between the source and the final implementation.

Managing groups of related policies. For some policy domains and policy types, it is useful to manage a group of related policies as a set. For example, to streamline service-level agreements for your SOA services, the service user might choose the appropriate entry in an operations policy group (perhaps with higher chargebacks for higher QoS). Policy groups help to curb growth in the number of policies the organization must manage. They also simplify the model for executives, who can refer simply to the policy group without knowing the details of all the policies in the group.

Ensuring appropriate policy change control. Runtime policy changes, by definition, change the operation of production systems, which affects IT and business operations. SOA governance specifies that there should be appropriate controls over policy changes, but the specific levels of and mechanisms for control will vary by both policy domain and type of policy. Your policy management processes must support a variety of flexible control mechanisms for approving and activating policy changes across the various policy domains and types.

Building an appropriate "air gap" between development and production. Auditors examining your IT processes, applications, and infrastructure, driven by both good industry practice and regulations such as Sarbanes-Oxley, will want to find a clear and definitive separation (i.e., an "air gap") between development and production. The key requirement is that only those responsible for production operation should be able to activate anything (policy or otherwise) within the systems running the business. Conversely, those responsible for activating production changes should have no ability to materially alter the content of the production changes. Policy management blurs this line by externalizing aspects of a service that were previously contained in the program code of an application. Thus, your processes and infrastructure must provide for the service policies authored at development time the same type of controlled, staged migration that all other production application assets go through.

The industry's infrastructure and best practices for SOA policy management have much room to grow before they will be robust and mature. Thus, only very early adopter organizations are typically ready for full-on pursuit of SOA policy management. More conservative firms should take small steps, going only so far as using the out-of-box capabilities of their SOA security and management infrastructure and their SOA repository. But even with these first steps, it is important for architects to understand the scope of the SOA policy management life cycle and its key touch points with SOA governance and the SOA service life cycle. CIOs should hold architects accountable for ensuring that early steps with SOA policy have a path forward to a broader and deeper use of SOA policy.

To evolve and build policy management into your SOA governance and life-cycle processes:

1. Start by identifying the policy domains you will first use. Policy domains will drive the highest priority requirements for your policy management processes; therefore, identifying these domains will do the most to scope and prioritize your policy management implementation tasks. This provides a focused starting point, from which your architects should understand how additional policy domains will be added in the future.

2. Identify and implement policy approval points. As you expand policy management to each new policy domain, identify where and how approval for policy changes will take place as well as who will give approval. Starting with policy authoring tools, design either manual or automated approval processes according to the capabilities of your infrastructure and tooling (and, potentially, the affordability of customizing the tooling to implement automated or workflow-based approvals). Effective approval processes provide a strong foundation for effective, controlled policy management.

3. Plan for and implement policy assessment. Do not assume that the job ends with simply enforcing policy. Downstream auditing and compliance is an important sometimes mandatory part of the process. Even if it were not, policy management is most effective when the loop closes with assessment and ongoing improvement of policy operations.

Randy Heffner is a Vice President at Forrester Research, serving Enterprise Architecture professionals. He is a leading expert on architectures and design approaches for building enterprise applications that are secure and resilient in the face of continuous business and technology change. Randy will be speaking on how to take SOA governance to the next level at Forrester's IT Forum 2009.

Follow everything from CIO.com on Twitter @CIOonline

Print

You are here: Applications » Service-Oriented Architecture (SOA) » Expert View

Most Recent Service-Oriented Architecture (SOA) Stories

Open Group Publishes Standards to Align Cloud Strategies

University Medical Center Virtualizes, Cuts Storage Needs By 65%

How to Use a Business-Focused Approach in SOA Design and Governance

How Enterprise Architects Can Be a Business Person First

Cloud Computing: Advice for Application Control Freaks

White Papers »

IDC MarketScape: Worldwide Business Process Platforms 2011 Vendor Analysis

This IDC study uses the IDC MarketScape model to assess the capabilities of vendors to support midrange to complex process improvement scenarios using business process management software.

Oracle SOA vs. IBM SOA - Customer Perspectives on Evaluating Complexity and Business Value

With this white paper, Oracle SOA vs. IBM SOA, you'll get a healthy perspective on SOA and figure out which one is best for your organization.

Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives

Download this white paper, Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives, for a guide to governance that will set you on the right path.

Get Serious About SOA Governance: A Five-Step Action Plan for Executives

Download this whitepaper, Get Serious About SOA Governance: A Five-Step Action Plan for Executives to see why many organizations are reaping the rewards of successful SOA transformations and what you need to do to make yours one of them.

Accelerate time to application value

For your IT organization to keep pace with the business, you need a new, faster approach to infrastructure deployment-an approach that increases agility and accelerates time to application value. That's HP Converged Systems. Built on Converged Infrastructure, these systems deliver the industry's first portfolio of pre-integrated, tested, and optimized infrastructure solutions for applications running in virtual, cloud, dedicated, or hybrid environments.

Top 10 Myths About Virtualizing Business-Critical Applications

Even though virtualization has brought positive change to enterprise IT over the last decade, some skepticism remains about how valuable virtualization can be in the way companies deliver and run business applications. Uncover the truth about how you can run your business critical applications with confi dence without sacrifi cing
availability or service quality-and at lower costs.

Webcasts »

Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere

Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as support considerations

Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere

Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and disaster recovery and support considerations.

Virtualize Business-Critical Applications with Confidence

Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere® 5, VMware is helping customers accelerate the deployment of business-critical applications, including Exchange, SQL, SAP and Oracle.

Discover the Benefits of Virtualization for Federal Applications

Want to say goodbye to missed SLAs? VMware can help you virtualize mission-critical applications such as Oracle, MS Exchange and SharePoint to achieve dramatic improvements in uptime, performance and responsiveness. In this webcast, we'll discuss the key benefits of virtualizing your agency's most critical applications and Oracle databases as a necessary first step in fulfilling OMB's mandate to move IT services to the cloud. With VMware, you'll be on the way to quick, effective and full compliance.

When Java EE Is Overkill: Lightweight Application Server Benefits

The complexity, cost and technological bloat of traditional Java EE application servers are often barriers to running a lean and efficient IT organization. Increased need for scalability and rapid application delivery are driving businesses to reconsider the platform they use for application deployment. By combining the portability and agility of the Spring framework with a lightweight application server, your organization can meet business demands while staying within budget constraints. VMware vFabric™ tc Server is a modern, lightweight Java application server based on Apache Tomcat. It improves developer productivity, control and manageability-and is the most flexible platform for virtualizing Java applications and workloads for the cloud. View this webcast to learn about real-world examples of companies that have adopted VMware vFabric tc Server and how to plan for future cloud deployments.

Introduction to VMware vCenter Site Recovery Manager 5

Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to expand disaster protection beyond their most critical applications, largely because they are uncertain whether the quality of the protection is really worth its cost. VMware vCenter™ Site Recovery Manager 5 is the market-leading disaster recovery product that addresses this situation for organizations of all kinds. It complements VMware vSphere to ensure the simplest and most reliable disaster protection for all virtualized applications.

Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter

CIO Insider

CIO Enterprise

CIO Enterprise Applications

CIO ERP

View all Newsletters | Privacy Policy

IT Jobs »

See All Jobs » Post a job for $295 »

Jobs powered by SimplyHired

White Papers » All White Papers

IDC MarketScape: Worldwide Business Process Platforms 2011 Vendor Analysis

Oracle SOA vs. IBM SOA - Customer Perspectives on Evaluating Complexity and Business Value

Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives

Get Serious About SOA Governance: A Five-Step Action Plan for Executives

Accelerate time to application value

Top 10 Myths About Virtualizing Business-Critical Applications

The Hidden Truth About Virtualizing Business-Critical Applications

Enterprise Java Applications on VMware: Unix to Linux Migration Guide

Virtualizing Tier 1 Applications: A Critical Step on the Journey Toward the Private Cloud

Best Practices Guide: Microsoft Exchange 2010 on VMware

Google: Security for Google Apps Messaging & Collaboration

Forrester: Economic Impact of Switching to Google Apps

ESG Analyst White Paper - VMware's vSphere Storage Appliance: High Availability for Small IT Operations

Lightweight Application Development Systems Ride the Cloud: IDG Report

Modernizing Application Platforms for Cost-Effective Cloud Readiness

VMware View Optimization Guide for Windows 7

VMware View Optimization Guide for Windows 7

A Guide for Enterprise VMware ThinApp Deployments

NetApp, VMware, Cisco, Wyse, Fujitsu 50,000 Seat VMware View deployment

Licensing for SaaS Applications: ISVs Take to the Cloud

Sponsored Links

Customized information views & Twitter events at New Fulcrum Point

ShoreTel UC cuts costs like no other. Mobilize your business today.

E-book: Discover Business-Ready Storage Systems For Oracle Environments

Managed Hosting Buyer's Guide - Benefits to key considerations

Discover how integration of operations mgmt and service mgmt enhances productivity.

Converge your infrastructure with HP. Access white papers, case studies, videos and more.

High performance. Delivered. Click to see Accenture's client successes

See how Accenture helps clients perform at the highest levels

Compare risk and TCO in single and multivendor networks on Feb 23.

Connect with global CIOs now at Enterprise CIO Forum

Upcoming Webinar: Managing Cost in the Cloud

Splunk translates machine data into "aha" moments for IT and the business.

Evolving Your Data Center for the Cloud

Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class

Gain cutting-edge insights at MIT in 2-5 day executive programs.

Converge your infrastructure with HP. Access a valuable case study in the CI Resource Center now.

Redefine Software support with HP

Click to see how Accenture has delivered high performance to clients

Learn how Accenture helps clients become high-performing businesses.

Join the Conversation. Follow Oracle EPM & BI on Twitter Today.

Check Point Trusted by the Global 100

Resource Center

buy a link »

Skip to top