Service-Oriented Architecture

  • GET TECHNOLOGY RIGHT. IT Strategy Guide: Service-Oriented Architecture. Inside: Introduction; Real-World SOA: Applications as Services; Debating SOA Deployment Challenges; Five Missing Pieces of SOA; SOA Planning and Design: It’s Still the Wild West.
  • Introduction (InfoWorld IT Strategy Guide: Service-Oriented Architecture)

    To understand and apply the principles of SOA, you’d think we would have to agree first on what we mean by a “service.” To a surprising degree, we haven’t, but this is hardly the first time a powerful idea has been tricky to nail down. Definitions of “objects” and “components” — the ideas that powered earlier phases of software’s evolution — were just as elusive.

    Writing for ACM Queue, ObjectWatch CEO Roger Sessions offered one useful way to think about these successive waves of technology. All three models are ways of packaging code for reuse, he suggests. They differ in terms of where and how the code runs. Objects share a common operating system process and execution environment — for example, Linux, Windows, Java, or .Net. Components live in different processes but share an environment. Services cross both process and environment boundaries.

    The environment for Web services and SOA is the global Internet. Of course, that’s been true for quite a while. A decade ago programmers began using the Web’s Common Gateway Interface to publish and consume services. When we build and deploy services today — using REST (Representational State Transfer) and XML-over-HTTP on the one hand, or SOAP, WSDL, and the WS-* specs promoted by Microsoft and IBM on the other — we build on that common heritage. SOA extends the tradition along two axes: data representation and data communication.

    Everyone agrees XML is the lingua franca of data representation, but there’s lively debate about how to use it. XML Schema, for example, is an optional feature that sharply divides communities of practice. Do interoperable services require strict formal data definition or do they require fuzziness? The perplexing answer is both — at different times, in different ways, for different purposes.

    In the world of SOAP and WS-*, XML Schema typically governs the contracts between services. If the XML document that represents a purchase order isn’t a valid instance of the relevant schema, it’s time to throw down the warning flag. And with XML Schema, any process, running anywhere — even offline — can perform that validity check. Let’s say that while flying to Chicago you use an InfoPath form to create a purchase order and then e-mail it to the approver when you land. The approver can focus on the business aspects of the order, secure in the knowledge that he or she has received and will relay to the order processing service a document that will be acceptable to that service.

    What about the stuff that won’t fit into the schema? Today this contextual data travels in e-mail, where we can’t do much with it. Defining parts of schemas that can carry arbitrary XML content, so people can “scribble in the margins,” is a key strategy. At the same time, don’t ignore the growing amounts of XML data flowing through your enterprise that is not, and may never be, schematized. The prime example is RSS. All kinds of useful services, done in the REST and XML-over-HTTP style, are coming up from the grassroots. We think of RSS mainly in terms of blogging, but it also affords us a lightweight and incredibly versatile way to exchange, route, and recombine all kinds of stuff. Nearly every application that today uses e-mail to connect people and processes can be recast as an RSS-oriented
  • service. Easier and more robust integration, no spam — what’s not to like?

    In fact, this low-tech approach is so appealing that many people are now discounting the WS-* stack. That’s understandable and in many cases valid. While we argue about which WS-* standards will stick to the wall, a set of key capabilities is emerging. Broadly speaking, WS-* pushes aspects of data communication — security, asynchrony, reliability, routing, and proxying — up into the application layer where we can reason about these things as businesspeople rather than wrestle with them as network plumbers.

    That’s a lofty statement, but here’s a concrete example to nail it down. Let’s say your order processing service is used by a dozen applications and by hundreds of people. Suddenly, one morning, it’s triple-witching time: You add a new application, you implement a mandated auditing rule, and then you have to reroute traffic because a server fails. On days like that it won’t ever be easy to get home by dinnertime. The set of principles embodied in an SOA, however, may at least make it possible.

    Cynics will note that we’ve been enumerating those principles for a couple of years now. You’ve heard the litany: coarse-grained messages, loosely coupled processes, data-driven integration, self-describing data, programming-language and platform neutrality, pervasive intermediation. We call this cluster of ideas by different names — grid, enterprise service bus, service-oriented architecture. It’s quite possible that next year’s favorite acronym won’t be SOA. But many if not most of the ideas will survive — and will define the dominant style of enterprise software for years to come.

    — Jon Udell

    Copyright © 2005 InfoWorld Media Group. All rights reserved. See the full selection of InfoWorld “IT Strategy Guide” reports at http://www.infoworld.com/store/.
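The schema-as-contract check described in the introduction, as an added example that is not part of the original guide: a purchase-order schema with strictly typed fields and one wildcard element for margin notes, validated with the JDK's own `javax.xml.validation` API. The namespaces (`urn:example:po`, `urn:example:margin`), element names and sample orders are constructed for illustration; external DTD and schema access is switched off so the check stays offline, as the text requires.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

// Added illustration (needs Java 15+ for text blocks). All names and sample
// documents below are constructed for this example.
public class PurchaseOrderContract {

    // The contract: strictly typed fields, plus an optional <notes> element
    // whose content is an xs:any wildcard for foreign-namespace annotations.
    static final String XSD = """
        <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
                   targetNamespace="urn:example:po"
                   elementFormDefault="qualified">
          <xs:element name="purchaseOrder">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="orderId" type="xs:positiveInteger"/>
                <xs:element name="requester" type="xs:string"/>
                <xs:element name="amount">
                  <xs:simpleType>
                    <xs:restriction base="xs:decimal">
                      <xs:minExclusive value="0"/>
                      <xs:fractionDigits value="2"/>
                    </xs:restriction>
                  </xs:simpleType>
                </xs:element>
                <xs:element name="notes" minOccurs="0">
                  <xs:complexType>
                    <xs:sequence>
                      <xs:any namespace="##other" processContents="lax"
                              minOccurs="0" maxOccurs="unbounded"/>
                    </xs:sequence>
                  </xs:complexType>
                </xs:element>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:schema>
        """;

    // Constructed sample: a valid order carrying unschematized context in <notes>.
    static final String WITH_MARGIN_NOTES = """
        <po:purchaseOrder xmlns:po="urn:example:po" xmlns:m="urn:example:margin">
          <po:orderId>1042</po:orderId>
          <po:requester>j.doe</po:requester>
          <po:amount>1299.00</po:amount>
          <po:notes><m:context>Vendor holds this price until Friday.</m:context></po:notes>
        </po:purchaseOrder>
        """;

    // Constructed variants: a field that breaks its type, and margin content
    // placed outside the one element where the contract allows it.
    static final String BAD_AMOUNT =
        WITH_MARGIN_NOTES.replace("1299.00", "twelve hundred");
    static final String STRAY_MARGIN = WITH_MARGIN_NOTES.replace(
        "<po:amount>", "<m:context>misplaced</m:context><po:amount>");

    static Schema compileContract() throws SAXException {
        SchemaFactory factory =
            SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means nothing external is ever fetched.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newSchema(new StreamSource(new StringReader(XSD)));
    }

    static String check(Schema contract, String document) {
        try {
            Validator validator = contract.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(document)));
            return "ACCEPT";
        } catch (SAXException | IOException e) {
            return "REJECT: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws SAXException {
        Schema contract = compileContract();
        System.out.println("order with margin notes -> " + check(contract, WITH_MARGIN_NOTES));
        System.out.println("non-numeric amount      -> " + check(contract, BAD_AMOUNT));
        System.out.println("notes outside <notes>   -> " + check(contract, STRAY_MARGIN));
    }
}
```

The same compiled `Schema` can be used by the form that creates the order, by the approver's client, and by the order processing service, so all three agree on what is acceptable while free-form context is confined to `notes`.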
  • Real-World SOA: Applications as Services

    Service-oriented architecture is an idea, not a technology. Boundless in scope, it promises both unlimited software reuse and the interconnection of everything, as long as IT is willing to wrap legacy applications in standard interfaces and construct new apps as services, the capabilities of which other software can tap into.

    The idea is simple, but the execution isn’t, because SOA turns the conventional model of enterprise software development on its head. Normally, programmers write software based on a set of well-defined requirements. SOA demands that organizations create an ecosystem of services that may ultimately have an army of stakeholders inside and outside the firewall. The initial challenge of SOA is knowing where and how to start — where to draw a box around a fixed set of requirements and how to build services that will yield tangible ROI while keeping an SOA fully extensible.

    We evaluated dozens of SOA implementations to find a few that had a major impact on an enterprise and/or its partners. These projects are largely works in progress; some are only in their initial phases of implementation. But all can help light the way for enterprises in search of their own strategies to make a simple, powerful idea come to life.

    — Eric Knorr

    SOA Ensures Guardian Gets It Right

    Five years ago, Guardian Life Insurance decided to rethink the basic structure of its application silos, which had been developed with little attention to business goals, says Jaime Sguerra, chief architect at Guardian. “There was no standard way to build or connect applications, or any habit of reusing code,” he recalls.

    A new IT management team decided to change that, mainly to make application development faster, more nimble, and better aligned with business priorities. “We wanted to stay away from the one-off application and instead provide a single, common service wherever possible to reduce overall complexity. A service architecture is the way to make disparate technologies work together,” Sguerra says, adding that, with an SOA in place, IT can focus on developing new applications, not reworking old ones. “Our philosophy is reuse. There’s a ton of money invested in the legacy technology, and we wouldn’t be able to justify a business case just for modernization.”

    Sguerra estimates that the SOA approach has saved approximately 30 percent of the application-development budget. After 28 months, about 60 services used by three key systems — benefits plan administration, claims processing, and policyholder administration — are now in place, as is the basic communications infrastructure. Of those services, about 50 are used by all three systems. And the work continues: Guardian plans to create 22 more services for those systems and then bring its other systems into the SOA model, Sguerra says.

    At the heart of Guardian’s SOA is its enterprise service manager, a collection of J2EE workflow and connector middleware tools and an IBM CICS/MQSeries message bus for managing requests. Requests come from one of three client systems — a Web portal used by customers and independent agents, a CRM system, and an interactive phone system used by customers — or from applications themselves. The enterprise service manager decides what services to invoke, in what order, and what
  • data resources are needed. It then queues up the services and manages their interaction. At the end of the transaction, the client receives the requested result or an error message. Before the SOA was implemented, “users needed a checklist of all the system to run” for each task; “now, that workflow is built into the enterprise service manager,” Sguerra says.

    “We chose a central enterprise service manager because it was the best way to gain reuse,” Sguerra says. Although it may make sense to have a decentralized architecture where service logic resides in multiple locations so that services communicate directly, that approach increases the risk of ending up with multiple versions of the same service as development gets out of sync across the systems, he adds.

    Because independent agents use the claims, policyholder, and benefits systems as well, Guardian chose to implement its SOA through Web services. “It’s harder to deploy applications to someone else’s computer,” Sguerra says. Developing a Web-based interface proved crucial in serving internal and external users with a single communication system.

    The SOA uses Web-based intermediaries in an IBM WebSphere server environment as the framework for translating and massaging data and procedure calls as needed between applications and data sources, as well as SOAP for messaging. Although services reside in a variety of physical locations — within mainframe applications, as discrete component services on other application servers, as part of a modern application, or as an external service — the Guardian SOA groups them logically by system or as a shared service.

    [Figure: Custom Policies Built From Services. Guardian Life Insurance built services based on existing applications in its benefits, policyholder, and claims systems. The company is adopting Web services standards inside and outside its enterprise to simplify service management. Diagram labels: benefits plans systems, policyholder systems, claims systems, common systems, enterprise service manager, secure Web services server, Web portal, CRM system, phone system.]

    Because Guardian uses a large number of mainframe applications, its IT team faced a challenge in exposing all those applications so they could be used as services, Sguerra notes. Guardian uses WSTL (Web Service Transaction Language) in most cases to translate service requests among services, but in some cases, mainframe applications don’t support that. Rather than rewrite the mainframe apps to accommodate WSTL, Guardian uses EJBs to perform the translation outside the application. In the application itself, “we just open a door to see the EJB,” he says.

    Sguerra emphasizes that developing applications as part of an SOA requires a new way of thinking about application development. “You need to know up front that it is a cultural change. You can’t go into it pretending it’s not going to be a challenge. It takes a lot of coordination,” he says, adding that business units and application developers oftentimes resist sacrificing custom interfaces that prevent services from supporting multiple applications.
  • Such objections usually disappear when the efficiency benefits have been proved, Sguerra adds. When a custom interface or function is truly needed, developers can usually supply a separate service that relies on a common service for the remaining functionality. There’s always a trade-off, but Guardian is discovering its happy medium.

    Massachusetts Takes a Spoonful of SOA

    Many organizations are looking to SOA to tie together systems within the enterprise or among partners. But few face the diversity and complexity that the state of Massachusetts did when it tried to connect independent insurer, hospital, and physician systems with one another — and with the state’s own systems for care, reimbursement, and billing.

    “How do you craft enterpriselike functionality across hundreds of moving parts that don’t interoperate with each other?” was the question the state faced in 1997, recalls Harvard Medical School CIO Dr. John Halamka, who spearheaded the effort. Because the Health Insurance Portability and Accountability Act (HIPAA) of 1998 required that every doctor, hospital, and insurer be able to exchange data for transactions, doing nothing was not an option.

    [Figure: Connecting Health Care. In Massachusetts’ New England Healthcare EDI Network, hospitals, insurers, physicians, and the state government provide secure services interfaces to billing and patient information. Examples of Internet-accessible Web services include patient identification, coverage verification, physician referral, and claims approval status. Diagram labels: insurer patient records system, insurer provider records system, hospital patient records system, individual physicians, secure Web server, insurer billing system, state disability system.]

    The state’s major hospitals and insurers examined three options. The first was to deploy a common platform and to require insurers, hospitals, and physicians who had business with the state to implement and use it. This option, however, was too complex to pursue seriously, Halamka says.

    The second option was to create a unified database for patient medical, billing, and insurance data that participants could access using their own systems. That solution would have cost $50 million, Halamka recalls. But the third option — to implement an SOA that would provide the data and application translation necessary for various services to interoperate without changing their code or data structures — was viable and ended up costing just $1 million.

    What Halamka calls a “Napster for health care” has also reduced the cost per transaction from $5 to 25 cents. The system now handles approximately 9 million transactions per month. To manage this network, a group of medical associations and insurers set up a nonprofit organization called the New England Healthcare EDI Network (NEHEN). Funded by the hospitals and insurers, it has one common program management officer and an annual budget of $3 million.

    The result is a “closed-loop system” that ensures accurate data and validates procedures, coverage, and billing up front, thereby reducing management costs for all participants across the state. For example, “insurance companies save money by not having [to hire as much] staff to deny claims,” Halamka says.

    Architecturally, the NEHEN system leaves data structures and applications alone, even if they are fragmented in different locations or in different systems. “The big win is not having to rewrite old code,” Halamka says, noting that some systems date from the 1970s. The system does, however, provide a central exchange that translates data structures from one system’s format and standards to another’s, and it maps specific transaction services from one system to another, aggregating multiple service requests and using multiple databases when necessary.

    “The data and the services are very disassociated,” Halamka notes. “But it doesn’t matter whether they all sit in one place, as long as the doctor gets it all in a timely fashion.” From a tactical perspective, as long as the system providing the data or service can communicate through TCP/IP, “that’s all I need,” Halamka says, adding that most of the Web services in the network were developed using Microsoft .Net, with the gateways written in Visual C++ and deployed on IIS.

    Strategically, the keys have been to define the business processes along with the architecture, to understand what the data means in its various repositories, and to know what applications provide what services so that middleware can be configured to make the appropriate calls and translations. “I have the ability to control the business logic without having to modify the underlying application,” Halamka says. “The middleware approach is very nonintrusive to the [individual organization’s] IT agenda.”

    For example, patient IDs vary widely from institution to institution. Rather than require a common identifier for each patient, the NEHEN system uses a probabilistic service to check a variety of attributes — name, nicknames (such as Johnny and Jack for John), ZIP code, gender, Social Security number, insurer, and physician — and then maps patients’ identities across systems. In the event that a new identifier class, such as employer ID, is used in identifying patients, the service can easily be modified to account for that, Halamka says. None of the other systems is affected or even aware of the change to the middleware, although system owners can decide whether they want their systems to use this new identifier class.

    Because SOAP had not yet been developed and XML was not widely deployed, the NEHEN system initially used HTML as the common vehicle for data exchange. “In the pre-XML era, we had to use the Web for content rather than the semantic Web [XML] for data. So we used simple server-side COM components to fetch HTML pages from various hospitals and display them in a unified clinical viewer that we built,” recalls Halamka, who wrote the code for this system. “It was not elegant since we had little control over the look and feel for the HTML content returned from each hospital system, but it worked. Today, with XML and XSLT [XSL Transformation] we can treat the content as data and format it as we like.”

    To ease adoption, NEHEN provides a Windows XP and Windows Server 2003 Web services suite that organizations can deploy to gain the required connectivity. For individual doctors, NEHEN provides a Web application that they can access either directly or through standard medical management applications, which vendors have modified to support the NEHEN system. In both cases, the underlying SOAP layer handles the communication to billing systems, medical records systems, and so forth. NEHEN may not be the answer to health care’s ills, but it’s eliminating lots of wasted motion in the Massachusetts system.

    Countrywide Financial Simplifies Lending

    For half a decade, Countrywide Financial has seen its loan, insurance, and banking services businesses grow dramatically — and its IT systems increase in complexity — as customers, products, and markets have multiplied. To meet this increase in demand, Countrywide decided to embrace a flexible SOA approach, the
  • long-range goals for which are a familiar refrain in enterprise IT: decrease complexity, improve scalability, and reduce overhead.

    Countrywide is divided into separate business units, each of which employs an IT staff that operates fairly autonomously. One unit, Countrywide Servicing Systems Development (CSSD), which primarily supports the company’s loan division, began its SOA effort in 2002.

    According to Peter Presland-Byrne, senior vice president of application development at CSSD, the unit chose the SOA approach because “applications support a business problem and so follow certain patterns” that lend themselves to two key attributes of an SOA: functional abstraction based on services and an emphasis on reusable components to provide those basic services. “We’re trying to look at the construct of the business model from a services perspective,” he says.

    As it began implementing an SOA, CSSD quickly discovered that many applications had embedded within them services that duplicated functions in other applications. “We needed to abstract the services, which is an ongoing process,” and to decide which ones to choose when there were duplicates, Presland-Byrne says. He anticipates the need to abstract services further in order to support Web services because such support “doesn’t come naturally” in an IBM iSeries midrange server environment, which is what CSSD uses.

    Deriving core services and having applications access common ones rather than implement their own is a key part of the SOA approach and requires a development culture that focuses on reuse, Presland-Byrne notes. To encourage adherence to the SOA, Countrywide reviews new software development to ensure it fits the SOA, provides consistent interoperability, and reuses existing services where possible.

    Countrywide originally looked at SOA as its central goal but later realized the real central goal was reuse, which an SOA promotes. “If you truly support reuse, then you make SOA possible,” Presland-Byrne says.

    [Figure: The Building Blocks of Loan Processing. Countrywide Financial’s SOA abstracts services from frequently used applications, the data and functionality of which are accessible to new Web applications via messaging and service layers. Diagram labels: generate bill, calculate payments, single sign-on, check credit score, get borrower information, get last payment information, get account data; IBM DB2/400 data stores, SQL Server, Web portal for independent agents, application, service layer, messaging bus.]

    Countrywide also decided to use a messaging system
  • as the connectivity mechanism between applications and data sources. Because Countrywide’s enterprise uses several technologies, including Java and Microsoft .Net, “messaging had to be agnostic” to ensure no proprietary dependencies were introduced into the system, Presland-Byrne says. Countrywide relies heavily on IBM’s MQSeries and WebSphere MQ Integrator middleware for messaging and service handling, as well as Flashline’s development environment for managing services and software components.

    Although the messaging system is standardized across CSSD’s applications, Countrywide does not require consistent data models. Instead, it uses middleware to ensure a consistent information flow, mapping and translating data formats as needed. For CSSD, imposing a consistent data model was believed to be unrealistic given that “the minute you bring in a third-party tool you lose the consistent data model anyway,” Presland-Byrne says. “The middleware we brought in could translate these different standards. That’s what integration tools are for.”

    More importantly, your “buffer” middleware — which contains the translation of business logic and data formats between services — must be kept separate from the service logic, Presland-Byrne says. Doing so allows separate applications to access the same service concurrently, without requiring you to touch the service code as the applications or data change. Plus, it allows you to run old and new versions of services simultaneously, either during a transition period or for different application needs. In both cases, IT can leave the services untouched.

    Given that most of Countrywide’s services are internal, the company does not rely heavily on Web services or associated technologies such as SOAP, although it does use Web services for a few applications accessed by customers and field agents. Countrywide has, however, tended to use XML as the semantic data standard for services and middleware because of its easy fit and wide popularity, Presland-Byrne notes.

    As its lines of business deploy SOAs, Countrywide is now examining how it can extend the approach to communication among units. That will require re-examining services and eliminating duplication, Presland-Byrne acknowledges. The company has already begun consolidating identity into one service that can be accessed via SSO (single sign-on) across the enterprise.

    Because each business unit was faced with different growth patterns and technology lifecycles, implementing a companywide SOA in one big bang was not possible in 2002. Now that each line of business has adopted the concept and has achieved similar levels of technology maturity, extending the architecture more broadly is something “we can now tackle,” Presland-Byrne says.

    — Galen Gruman

    British Telecom Dials Into SOA

    Telecom providers are competing tooth and nail to provide consumer and business customers with the latest and greatest value-added services. This smorgasbord of offerings includes everything from ring-tone downloads to hosted messaging, accounting, and other business services. An SOA makes perfect sense in this have-it-your-way environment because it enables providers to cobble together new offerings with those of third parties and integrate them quickly with their internal, mainframe-based billing, provisioning, and other support systems.

    That’s exactly the approach British Telecom (BT) wanted to take in serving its SMB broadband customers.

    “SMB customers come to us for broadband access first,” says Norman Street, head of Internet applications and technology at BT Retail. “But the scenario is that as they become more savvy and the Internet becomes more integral to their business they’ll eventually start moving business processes online in an ASP model.”

    The hosted scenario is especially appropriate for businesses with fewer than 100 employees because oftentimes these organizations lack sufficient support services or suffer from understaffed IT departments. “We were
  • looking to develop some of these service offerings in-house but also bundle them with third-party applications and mobile products,” Street says.

    To compete effectively, BT needed to be able to quickly test new services in the market. If a service proved profitable, it would have to scale quickly. If it didn’t, BT had to be able to decommission the service and replace it with another without a lot of integration effort. BT was also looking to allow customers to manage their own subscribed services online through a Web-based interface.

    It was clear that BT’s current integration model couldn’t support such a fast-paced scenario. “We were using a typical spoke model for integrating services with our back-end systems. We really needed to reduce the time and cost of integration and become a lot more agile,” Street says.

    After looking into several alternatives, BT quickly concluded that it needed an SOA. BEA Systems had supplied BT with integration technologies in the past, but for this project, BT decided to go with Microsoft’s CSF (Connected Services Framework), an SOA-based service-delivery platform that functions as an extension of Microsoft BizTalk Server, SQL Server, and Windows Server 2003.

    [Figure: A Framework for Telecom Services. BT’s SOA uses Microsoft’s Connected Services Framework to expose its back-end billing and operational support systems as Web services, while BizTalk Server handles the message flows. Diagram labels: small-business users, third-party service, secure Web server, Microsoft Connected Services Framework (session management, service catalog, service logic orchestration, identity management, resource management, user profile management), legacy BSS application, legacy OSS application, Microsoft solution for hosted messaging.]

    CSF provides tools and components geared specifically to the needs of service providers looking to bundle services for a variety of devices, such as PCs, PDAs, and mobile phones, and to quickly plug them in to their back-end business and operational support systems. These include a number of adapters that hook into existing BSS (business support system) and OSS (operation support system) applications and expose them as Web services. It also includes a UDDI/WSDL service directory and tools and standards for defining quality of service, managing identities using Active Directory and Microsoft Identity Integration Server 2003, and managing other service deployment and delivery functions.

    “BizTalk Server provides a workflow engine and templates to configure the business logic,” Street says. It also handles message flows and other integration functions. SQL Server holds the user and product data. And of course, it all runs on Windows 2003 server.

    Although BEA provided a versatile set of tools, Street and others at BT liked the idea that Microsoft had a platform specifically targeted to service providers. “Microsoft was very conscious of the advantages of a complete platform approach,” Street says. “With CSF we got much more out of the box, which would take away some integration steps.”

    BT was also aware that Microsoft had the kind of applications SMB users would be interested in. “If we were going to be selling those applications, it made sense to get the integration technology from the same source,”
  • Street says. “At the same time, CSF had well-defined Web service interfaces and the open standards to integrate with any application.” And Street was aware that Microsoft was providing tools for and encouraging .Net developers to develop to CSF. “We felt that there would be applications from third-party .Net developers that would undoubtedly be useful for our small and medium-sized business customers,” he says.

    CSF’s standard Web service interfaces would make it easy to plug in third-party applications, build composite applications, and tie it all into their back-end systems. Introducing and retiring services would mean simple changes to the CSF interface as opposed to building or unraveling multiple layers of custom integration.

    Next summer BT plans to introduce its first set of hosted messaging services based on Microsoft’s Solution for Hosted Messaging and Collaboration, which provides an adapter for CSF. Future plans include bundling third-party applications, possibly migrating some of BT’s existing applications off its legacy platforms to integrate with CSF, and making BT Retail’s CSF-based services available to other parts of BT’s business.

    “CSF would make it relatively simple to, for example, provision a mailbox and then bundle it with a mobile service,” Street says. As usual, when an SOA is operational, there’s no shortage of ideas to expand it.

    — Leon Erlanger

    Transamerica Turns Silos Into Services

    One of the real promises of SOA is enabling companies to leverage existing legacy systems as a set of core, reusable Web service building blocks that can be assembled to create new processes and applications quickly and inexpensively. That’s just what Transamerica Life Insurance was looking for when it sought to provide its business partners with self-service access in real time.

    [Figure: Self-Service Apps for Insurance Agents. Transamerica’s SOA exposes legacy system functionality and data as a set of core Web services, which provide the building blocks for self-service apps that can be tailored to the needs of insurance agents. Diagram labels: remote agent with phone, internal IVR system, legacy policy admin systems, agent hub, secure Web server, internal application, agent apps, legacy distributor support systems.]

    “We exchange a lot of data with our different distributors outside the firewall,” says Jeff Gleason, director of IT strategies at Transamerica’s annuity products and services division. “A lot of that was being done via flat-file batch data exchanges.”

    Gleason realized that to stay competitive, Transamerica would have to provide its business partners with real-time access to its numerous legacy back-end systems. That’s a complex undertaking, however, for several reasons.

    “We live in a very challenging legislative environment, with Sarbanes-Oxley, the Patriot Act, anti-laundering laws, tax laws, and other types of controls,” Gleason says. “As legislation and the competitive environment change, we need to be able to make changes to our internal systems quickly, including changing rules, the ways taxes are calculated, or the way a product functions given specific criteria. At
the same time, we often have to customize products and services for each of our different distribution channels. And sometimes we get requests from specific banks or broker dealers to create products for their particular niche markets or new areas they want to compete in. These things often impact our internal business processes.”

To provide real-time access, Transamerica also needed ways to validate agents as licensed and appointed to sell specific products in specific states. “Validating an agent is not as simple as looking something up in a system,” Gleason says. “Depending on the commission structure there might be many different rules about how the commission hierarchy, which has up to 10 levels, is set up internally.”

With all this complexity, Web services and SOA were natural choices for Transamerica. “We needed a solution that was both tightly integrated and loosely coupled,” Gleason said. A lot of business logic exists within Transamerica’s current back-office legacy systems. “Instead of continually recreating that logic, it made sense to create a set of core services to expose that logic so that it could be accessed by different applications, processes, and channels, whether they were batch processes, real-time processes over the Web, internal fat-client applications, or even IVR [Interactive Voice Response] systems.”

To support all these methods of access, each Web service would have to be capable of accommodating not only straight SOAP Web services calls but also MQSeries and JMS (Java Messaging Service). These core services could then be mixed and matched as part of a larger group of composite services that could accommodate the needs of various channels and individual business partners.

SeeBeyond’s ICAN (Integration Composite Application Network) provides the tools for exposing as Web services the back-end mainframe transactions that provided much of Transamerica’s existing functionality. One such tool, eGate Integrator, is used to provide the integration broker and message transformation from one data format to another.

Other SeeBeyond tools leverage BPM capabilities to create the “agent hub” that handles the complex message routing required. So, for example, in response to a request from a user application, one of Transamerica’s three or four legacy policy administration systems might return a cryptic product descriptor. That product descriptor could then be passed to a separate distributor support system that would return a more user-friendly product name. That or another distributor support system might also handle commissions and manage the information on which agents are appointed in which states to which products.

The end-user applications use an insurance industry XML schema developed by the nonprofit Association for Cooperative Operations Research and Development (ACORD) standards organization. The XML data is then transformed into the proprietary format required by each legacy back-end application. Basically, this ensures the loose coupling essential to an SOA. “If we acquire another company and we need to validate agents against their distributor support system, it’s simply a matter of creating an adapter from ACORD to the proprietary format required by that system. Everything on top speaks ACORD and doesn’t care what the implementation of the service is behind the scenes,” Gleason says.

SeeBeyond also provides the tool for creating portals and graphical portlets. The ultimate dream is to provide each business partner with a single custom application and interface to all the back-end systems necessary to fulfill each partner’s specific needs.

Gleason advises those getting involved with SOA to do as much planning and preparation as possible. “If we had it to do over again, we’d spend a lot more time up front prototyping, testing, and setting up the architecture and standards. After all, you’re creating one object and one service that will be used by lots of different processes. You have to make sure you don’t make changes to the service that help one project but break others,” he says.

— L.E.
Debating SOA Deployment Challenges

The benefits of SOA are out there — more flexibility, faster development of business apps, for example — but getting everything up and running means planning for the long term, especially when security is still something of a question mark.

Motorola’s three-year-old campaign to build an SOA has yielded deployment of 180 services so far, and is expected to expand to 1,000 by early 2006. The company anticipates that the number of services will ultimately top out at 1,500, said Toby Redshaw, Motorola corporate vice president for IT architecture, emerging technology, and e-business. He cited the competitive edge afforded by an SOA while also noting deployment issues.

“One-hundred-eighty doesn’t sound like a lot, but that clearly puts us in the top 5 percent globally, maybe a little better than that,” Redshaw explained.

Motorola’s SOA, as would be expected, relies heavily on Web services. “We think we’re in a competitively advantageous [position] because we’ve been playing this for three years,” Redshaw said. He also emphasized the benefits of “small agile” over “big slow” in business automation.

Brought into Motorola to turn around the company’s IT systems, SOA was to be the basis of the company’s strategy. “Back then, we called it a service-based architecture,” Redshaw said. “We believe this will let us add business services [at a] two- to three-times rate of speed,” he added. SOA also allows Motorola to do more with less, he added.

Citing the need for SOA, Redshaw said companies these days cannot afford to be less efficient with their computers than their competitors can. “Today, your company will get killed in four to five quarters,” he said. Motorola also expects its IT suppliers to be supporting SOA.

“It sounds like a light beer commercial, but [an SOA is] faster, it’s cheaper, it’s better,” at providing a more coherent IT strategy, Redshaw added.

Motorola’s SOA features business activity monitoring for Siebel and Oracle applications as well as a supply chain management system. Building an SOA allows IT staff to “drill down into the legacy spaghetti and harvest the gold,” by expressing legacy systems as Web services used in a component layer, Redshaw said.

Deploying an SOA, however, requires critical components such as a UDDI directory and Web services security, management, and governance. Although UDDI has been considered disappointing in enabling provision of Internet-based Web services directories, Redshaw is a believer. “If you don’t have a good directory to go find these things in, it’s ‘game over.’ I don’t care how good the other parts are,” he said.

The Good, Bad, and Ugly

Web services security and management are important, given corporate priorities on security and the potential of destructive payloads in a Web services message, according to Redshaw. “[The] fastest path to get fired in IT today is a big security problem,” he said. A governance layer, meanwhile, enables optimization in an SOA, Redshaw explained.

An SOA allows for team-based development, building of business projects based on existing processes and reuse of components. It also lets IT staff deliver exactly what business teams asked for, according to Redshaw.

SOA has had its drawbacks, Redshaw acknowledged,
including immature standards in early years, the security challenges of loosely coupled architectures, and performance concerns caused by loose coupling of software components and bandwidth-intensive XML. “The security issues are not small. You need some serious pros on your team to address this,” Redshaw said.

An SOA can solve problems pertaining to information exchange among disparate business systems as well as address the need to provide services to multiple parts of an organization, said Lou Absher, data manager at the University of California, Santa Barbara.

“I do think the key … is you have to have the rules of implementation and you have to refer back to them as you are going through this process,” Absher said.

BEA Systems CTO Mark Carges also emphasizes the transformational nature of an SOA. “This is not something that happens overnight,” he said.

SOA is intended to address technology “pain points,” including providing more flexible architecture, application and data integration, and business process implementation. Other goals include boosting enterprise portal initiatives and enabling customized application development and composite applications, according to Carges — not to mention streamlining of supply chains, more effective integration with business partners, and allowing employee self-service.

Challenges in SOA deployments include platform heterogeneity, message brokering, data silos, security, and lifecycle management, Carges said, noting that security and the issue of data silos can be addressed through security and data services layers respectively. Metadata and service-level agreements also are critical in an SOA.

The true measure of an SOA is its ability to enable service reuse, Carges said. “At some point, someone has to stop writing code,” he commented.

Improving SOA Security Handshakes

Despite the benefits, SOA users and those in the planning stages don’t hold back their criticism of what Web services and SOAs need to scale beyond the four walls of a single enterprise.

Miko Matsumura, vice president of marketing at Infravio, said the issue of provisioning services is a major hurdle and more work is needed to automate a process that in some cases is now handled by users filling out a form in a Word document.

Rick Gaccia, senior director of product management at Oracle, agreed, adding that companies are struggling with how to put details of the Web service into a directory.

“You need to know what the schema is and how the lifecycle is managed,” said Wendell Lansford, a senior vice president at Systinet Software. He added that companies start out without a game plan, when what is really needed is a series of deployment best practices. “They need check points and control procedures to go from a pilot project to a production model,” Lansford said.

In order to scale out an SOA, users need to figure out how services will be assimilated into different environments, added David Linthicum, CTO of Grand Central.

“How do you mediate different protocols, semantics, and security?” Linthicum asked. He added that there is no directory standard, which is another problem. “We need a standard directory everyone can agree on to make provisioning against all the SOA platforms out there easy.”

As far as automating SLAs between producers and consumers of Web services, all agreed it is likely to remain a manual or person-to-person procedure that is done offline and then incorporated into the Web service.

Linthicum said the process is laboriously slow, involving legal departments and many business meetings between providers and customers.

“As services become more standard we need automated agreements, but nothing like that exists today,” he explained.

Matsumura added that people still like to do business on a personal level and this becomes the gating factor in deploying an SOA with partners. He pointed out that the biggest barrier to linking portals, for
example, is not technology but the legal agreements.

Yet another point of contention with SOAs is the inability to monitor SLAs in an SOA as compared to monitoring a service on the Web.

“There’s no visual way to monitor an SOA,” said Linthicum, explaining that SOAs have hundreds or thousands of touch points where it might be failing as one application is bound to another.

One Grand Central customer, Linthicum noted, came up with a unique solution. Instead of monitoring the service it offers to its customers, this company monitors the services they consume.

“They know what they promised and so they make sure their partners meet their agreements,” Linthicum said.

Regardless, the biggest shortcoming in SOAs is security, authentication, and authorization. For example, there is no easy approach to token exchange if one company uses SAML and another company uses a different security protocol.

Going a step further, “two SAML versions don’t even communicate. You need a middleware layer to deal with it,” Linthicum added, calling it a huge mess that needs to be solved. “This is the biggest exposure in SOAs.”

— Paul Krill and Ephraim Schwartz
Five Missing Pieces of SOA

The high concept of SOA (service-oriented architecture) continues to enthrall IT. Yet SOA’s promise of universal application integration is vague at best, confounding anyone who takes a closer look. Such scrutiny reveals major gaps — in reliability, security, orchestration, legacy support, and semantics.

Peter Underwood, vice president of software development at brokerage firm Wall Street Access, says his team has had to do some serious thinking up front before planning SOA integration.

“You begin with the idea that [SOA] is bigger than a bread box. In other words, it’s just a framework,” Underwood says. Although SOA “has taken on a life of its own because of Web services” standards, Underwood believes a significant gap remains between Web services’ potential and its current capabilities.

Execs are happy to use Web services for simple needs, such as feeding information to Web-based portals. But complex, mission-critical jobs are another story — and may demand Web services standards that are still under development. So when is a Web services SOA strategy advisable, and when is good old EAI better? It all depends on what you are trying to do and which gap in Web services’ capabilities you encounter.

Reliability

The need for highly reliable, asynchronous messaging may be the most difficult to meet, at least in the short term. Aiaz Kazi, general manager of business integration at EAI stalwart Tibco, calls this kind of messaging “critical to enterprise-quality integration.”

Sam Boonin, vice president of marketing at Web services infrastructure vendor Blue Titan, says the need for reliability is similar to that which “we’re used to discussing in other computing paradigms. SOA is not quite ready for the utmost transactional reliability — nonrepudiation, once-and-only-once delivery, and rollback — but it’s only a matter of time until the standards and implementations mature to meet that requirement.”

In fact, several draft Web services specifications already address issues in mission-critical and lengthy processes. WS-ReliableMessaging, for example, is designed to guarantee that a SOAP message arrives at its destination. WS-AtomicTransaction, WS-Eventing, and several other proposed specifications would define ways of handling complex, stateful, and long-running business transactions. But unlike many security-related protocols (see below), widespread use of reliability standards such as these has yet to be realized.

Until then, says Chris Crowhurst, vice president of enterprise architecture at Thomson Prometric, a provider of computer-based testing and assessment services, “Reliable messaging [for Web services] is quite a burden. But at the end of the day, applications just need to build around it” because of the benefits of the interoperability Web services provides.

For now, “building around it” means coding applications to anticipate and to accommodate error conditions. It also means buttressing point-to-point SOAP interactions with an intermediary — such as a Web services management broker — that provides a standardized layer of abstraction. Available from independent players such as Actional, AmberPoint, and Blue Titan, these products enable managers to provide
fail-overs and upgrades to software endpoints with minimal interruption to the production systems. (Useful Web services management must work across a range of platforms, which explains the absence of similar solutions from such major vendors as BEA, IBM, and Microsoft.)

On the other hand, as Dan Foody, CTO of Web services management vendor Actional, notes, “Not every problem requires the same kind of reliability.” Those that must be ironclad tend to be asynchronous, long-running transactions with many interdependencies such as complex financial transactions. For less demanding jobs, SOAP over HTTP works fairly reliably — particularly with simple, synchronous interactions.

Rajan Jena, an enterprise architect at Bristol-Myers Squibb subsidiary Oncology Therapeutics Network, uses both conventional messaging-oriented middleware and Web services in his company’s integration infrastructure. He says that messaging solutions are appropriate when transaction volume is high and is transmitted in batches. On the other hand, Web services are best “when volume is low — but it has to be totally real-time.”

Gaps in SOA — and What Will Fill Them

The missing pieces of Web services-based SOAs will require mature Web services standards, many of which are years away from fruition. Meanwhile, more conventional technologies can get the job done.

| Gap | Description | Key software | Standard to watch | Year mainstream |
|---|---|---|---|---|
| Reliability | Guaranteed delivery of messages, including support for complex message models | Messaging-oriented middleware and enterprise service bus | WS-ReliableMessaging | 2006 |
| Security | Federated, policy-based authorization and authentication | Distributed identity management | WS-Policy | 2006 |
| Orchestration | Design and execution of composite Web services | Web services-savvy BPM tools | BPEL | 2007 |
| Legacy support | Incorporation of legacy systems and packaged applications into SOA | XML application adapters | N/A | 2006 |
| Semantics | Mapping specific business meaning to data and services | Cross-functional Web services | Industry-specific schemas | 2007 |

Security

Authorization, authentication, and encryption raise a serious red flag for IT managers contemplating Web services-based integration. Traditionally, access control has been a matter of requiring a log-in and authentication. In the distributed Web services world, where components of one application might easily go off and talk to components that live in different domains, keeping disparate but interconnected systems secure is a far more complicated problem.

As with reliable messaging, a bevy of standards for Web services-style interactions have been proposed. Two are particularly important and are being implemented widely: WS-Security and SAML. The former describes a highly extensible framework for itemizing various facets of a system’s security capabilities, whereas the latter defines a standard process of transmitting assertions to facilitate SSO (single sign-on) models of authentication.

For enterprise SOAs, analyst Phil Wainewright of the lively Loosely Coupled discussion site (infoworld.com/1859) singles out a third, though not yet mature, proposal. WS-Policy would provide a means for different
systems to declare what sorts of security mechanisms they require before accepting connections. “Without it, your ability to loosely couple across domains [would be] severely limited,” Wainewright says.

Although no proposed standard meets the Web services security challenge by itself, as a group they provide a foundation on which to plan an ongoing strategy. Indeed, the Web Services Interoperability (WS-I) vendor and user group (infoworld.com/1860) ratified portions of WS-Security for its Basic Security Profile, a collection of best practices designed to ensure interoperability. The organization is expected to add support for SAML and other standards as well.

In the short term, a relatively practical way to secure Web services is to employ the techniques used to secure standard Web-based applications: transport-level mechanisms such as SSL.

One advantage of SSL is its support for two-way authentication in the form of client/server certificates, but the ongoing maintenance of a certificate infrastructure for a large number of clients can be a challenge. A complementary option that is available today is to employ generalized XML-savvy firewalls — such as those from DataPower, Forum Systems, Reactivity, and Westbridge Technology — and XML digital signatures to provide an additional measure of prevention for Web services network traffic.

After a distributed security architecture is in place, IT managers should find a silver lining in the security cloud. Ongoing maintenance of application security has often fallen on the shoulders of programmers — a poor use of their skills and a potential security hazard. With Web services-based security, it becomes much more feasible to restrict that responsibility to authorized operations staff alone.

Oncology Therapeutics Network’s Jena describes this security approach as critical in his company’s transition to an SOA for its CRM and order management systems. “That means we can implement [security] from a policy perspective, as opposed to developers actually coding it” into the applications, he says. “We see that as a major advantage. It actually makes the applications more secure.”

Orchestration

The coordination of distributed software components for the purpose of creating meaningful business processes is at once the most complex and the best-suited to service-oriented styles of integration. The reason is clear: In the simplest of terms, applications built on SOAs are designed to be pulled apart and reassembled as needed. As the backbone of today’s BPM solutions, “orchestration,” as it is called, enables IT managers to string together new meta-applications from the functionality of packaged or homegrown applications already in place (infoworld.com/1664).

Blue Titan’s Boonin says this capability is important to many adopters of SOA integration strategies. “[They] are building composite applications on top of [SOA infrastructure] and orchestrating services into reusable business processes,” Boonin says. On the surface, assembling these pieces to guide the flow of a business transaction is a straightforward task. After all, the primary stumbling block for BPM solutions has been the monolithic nature of software. Web services, on the other hand, break software into components, each of which relates to a single business function.

The biggest challenge isn’t to create the modular applications but to change the way those systems represent the data they process. Thomson Prometric’s Crowhurst counsels “identifying a schema at the heart of the business,” rather than designing process flows around individual systems and their data records in isolation. In other words, it’s best to think about the output of business processes as documents that contain answers to each major question along the way. XML, the foundational element of Web services, enables this conception and makes it happen. “Thomson Corporation is XML-obsessed,” Crowhurst says.
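As an added example (not code from the article or from any vendor it names), the following Python shows an intermediary admitting or refusing calls by evaluating a per-service policy, so that the transport, signature and token requirements named in the Security section live in a policy table rather than in application code. The policy model, service names, token labels and issuer hostnames are constructed for illustration and are not WS-Policy syntax; the request facts are assumed to have been verified already by the TLS and signature layers.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ServicePolicy:
    """What one service requires before it accepts a call (simplified model)."""
    require_tls: bool = True
    require_client_cert: bool = False   # two-way SSL authentication
    require_signed_body: bool = False   # XML digital signature over the message
    accepted_token_types: FrozenSet[str] = frozenset()  # empty: no token needed
    trusted_issuers: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class RequestFacts:
    """Facts about one inbound call, assumed verified by lower layers."""
    service: str
    tls: bool = False
    client_cert_subject: Optional[str] = None
    body_signature_valid: bool = False
    token_type: Optional[str] = None
    token_issuer: Optional[str] = None


# Constructed policy table: operations staff edit this, not the applications.
POLICIES: Dict[str, ServicePolicy] = {
    "order-management": ServicePolicy(
        require_client_cert=True,
        require_signed_body=True,
        accepted_token_types=frozenset({"saml-assertion"}),
        trusted_issuers=frozenset({"idp.partner-a.example"}),
    ),
    "product-catalog": ServicePolicy(),  # transport security only
}


def violations(req: RequestFacts,
               policies: Dict[str, ServicePolicy] = POLICIES) -> List[str]:
    """Return every reason the call fails policy; an empty list means admit."""
    policy = policies.get(req.service)
    if policy is None:
        # Fail closed: a service nobody wrote a policy for is not reachable.
        return ["no policy registered for service (default deny)"]
    found: List[str] = []
    if policy.require_tls and not req.tls:
        found.append("transport is not TLS")
    if policy.require_client_cert and not req.client_cert_subject:
        found.append("client certificate missing")
    if policy.require_signed_body and not req.body_signature_valid:
        found.append("message body signature missing or invalid")
    if policy.accepted_token_types:
        if req.token_type not in policy.accepted_token_types:
            found.append("token type not accepted: %r" % req.token_type)
        elif req.token_issuer not in policy.trusted_issuers:
            found.append("token issuer not trusted: %r" % req.token_issuer)
    return found


def admit(req: RequestFacts,
          policies: Dict[str, ServicePolicy] = POLICIES) -> bool:
    return not violations(req, policies)


def audit(requests: List[RequestFacts]) -> List[Tuple[str, bool, List[str]]]:
    """One audit row per call: service, decision, and the reasons for a refusal."""
    return [(r.service, admit(r), violations(r)) for r in requests]


# Constructed sample calls (not captured traffic).
SAMPLE_REQUESTS = [
    RequestFacts("order-management", tls=True,
                 client_cert_subject="CN=partner-a-gateway",
                 body_signature_valid=True, token_type="saml-assertion",
                 token_issuer="idp.partner-a.example"),
    # A partner presenting a different token protocol than the service accepts.
    RequestFacts("order-management", tls=True,
                 client_cert_subject="CN=partner-b-gateway",
                 body_signature_valid=True, token_type="kerberos-ticket",
                 token_issuer="kdc.partner-b.example"),
    RequestFacts("product-catalog", tls=False),
    RequestFacts("billing-export", tls=True),
]

if __name__ == "__main__":
    for service, ok, reasons in audit(SAMPLE_REQUESTS):
        print(service, "ADMIT" if ok else "REFUSE", reasons)
```

The second sample call is the token mismatch between partners that the deployment article describes: the refusal is recorded with its reason at the intermediary instead of surfacing as an application error.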
Several standards for orchestration and BPM have been proposed. One of these, BPEL (Business Process Execution Language), has broad industry support and even appears in a number of BPM products — although everyone concedes that the robust version, BPEL 2.0, is still months from completion. Complementing BPEL, WS-AtomicTransaction and WS-CAF (Composite Application Framework) are designed to facilitate the complex transactions that make up long-running and stateful business processes.

BPM pure-plays, traditional EAI companies, and the major platform vendors all see promise in the ability to visualize, execute, and monitor processes using this new, standards-based form of BPM. Enterprise application vendors such as SAP and Oracle, which bought the BPM pure-play Collaxa in 2004, are also on board. SAP is taking a radical approach, actually redesigning its software to incorporate its own version of BPM-focused middleware, dubbed NetWeaver. Finally, XML-centric data stores specifically designed for SOAs, such as Blue Titan’s Data Director and Software AG’s Tamino, will represent an increasingly important aspect of addressing business process schema.

But What About Performance?

The five challenges highlighted in this article reflect trade-offs intrinsic to the distributed, loosely coupled nature of Web services-based SOAs. But skeptics frequently cite another issue — performance — as a particular weakness of the model. This criticism generally has two parts: the distributed nature of SOAs and the overhead of Web services protocols.

Any distributed system performs slower than a self-contained one, simply because the network becomes the limiting factor. And of course, some applications can’t tolerate network-incurred delays. But that axiom isn’t unique to Web services or SOA. The benefits of flexibility and access gained by keeping systems close to the units of work they represent — and connecting those systems to others across an organization or across the Internet — far outweigh the performance hit introduced by the network.

More germane is the relative weight of XML transactions when compared with binary ones. The effort it takes for a system such as a Java application server to serialize and deserialize SOAP calls into internal objects is estimated to be 10 times higher than that required for native approaches such as Remote Method Invocation. This sounds meaningful until you consider the lessons learned from the Web itself. Like HTML, XML is a very wordy approach to describing information. Yet it is precisely that readability and extensibility that compensates for the performance impact, while Moore’s Law — along with specialized devices such as XML accelerators — moves ever closer to canceling out the performance implications across time.

In the end, neither Web services advocates nor critics hold every card. It’s a question of using the right tool for the right job. High-volume transactions will continue to be addressed by proprietary, binary middleware solutions for some time. But applications that require less frequent but much more flexible interactions will be served, increasingly, by Web services.

— B.S.

Legacy Support

The software solutions used to connect applications with legacy systems are not unlike the kits that world travelers carry in their briefcases. Just as the right sort of dongle allows an American visitor in Greece to plug a laptop power cord into the wall, a specialized application adapter allows one system to pull data from another.

And just as each country seems to have its own standard for power outlets, each legacy system requires its
own adapter. For years, EAI vendors emphasized their portfolios of legacy application adapters as key differentiators — and as sources of revenue.

Fortunately, as standards such as Web services increasingly dominate interoperability, the cost of simple connectivity has fallen. And third-party application adapter specialists such as Attunity and iWay have increased competition and have vastly expanded the number of connectivity options available today.

A sometimes overlooked benefit of legacy application adapters is that they mask the complexity and obtuseness of many proprietary APIs. The role of a good adapter is not unlike that of a well-composed Web service: It provides a layer of abstraction that insulates the rest of the application infrastructure from all sorts of messiness. Some vendors, such as Software AG, have specialized in the “semantic integration” of legacy applications to XML-based integration backbones.

Packaged applications from companies such as Oracle and SAP already provide some degree of support for standards-based connectivity, typically by wrapping a proprietary API, such as SAP’s Business API, with a SOAP interface. As application vendors make use of Web services and add middlewarelike functions to their own products, the standard method of integrating packaged applications will come to reflect the best practices of SOA.

Even so, dealing with expensive, proprietary application adapters will continue to be the only option for connecting many truly archaic systems to a common integration framework.

There is one silver lining for IT shops with mainframes from companies — such as IBM — that have aggressively ported basic Web services stacks to their antique equipment. Ironically, their rigid APIs can be far simpler to expose through SOAP than untangling the mess of APIs found in many client/server systems.

Semantics

Defining the business meaning of transactions and data is the most intractable issue that IT managers face. Although the semantics challenge predates Web services — vertical industries have been developing their own XML schema for years, for example — SOAs bring semantics to the fore. In fact, semantic interaction is a central part of well-designed SOAs.

No technology or software product can truly solve the semantic problem. Business and IT managers must ultimately shoulder the hard, painful work of defining and implementing functions and data models for industry- and function-specific processes. Nonetheless, prebuilt components and battle-tested consulting expertise can simplify many of the challenges.

EAI vendors see their greater experience building integration solutions as a hedge against the commodification that Web services standards portend. Tibco’s Kazi puts it bluntly: Software integration “is a party we went to many, many years ago — we almost started this party.” A cursory look at his company’s Web site reveals specific solutions for industries ranging from telecommunications to health care to transportation.

As they move to support SOA, packaged application vendors are also touting their experience with specific industries and business processes as an asset. In particular, SAP emphasizes its xApps initiative, which represents a Web services-based implementation of business processes that cross the traditional “silos” of vertical and functional systems.

Increasingly, companies are recognizing the value of XML-based standards for their own industries. For example, the financial services industry has developed FIXML (Financial Information Exchange Markup Language), an interchange protocol for bank transactions; and the accounting industry has proposed XBRL (Extensible Business Reporting Language) for describing and auditing general ledger-style records. High-tech manufacturers continue to use the granddaddy of XML vocabularies, RosettaNet, to exchange product and component information in their supply chains.

In fact, many observers say that the dynamics of a company’s industry may be one of the most important drivers as to when and how a move toward SOA will happen. Bob Sutor, director of WebSphere infrastructure at IBM, notes that industries such as financial services are particularly active adopters of SOA. In addition to technology catalysts such as vertical industry standards, he points to a high number of mergers and acquisitions as a major contributor to this trend. Rather than slowly sorting out and replicating information from one company’s systems to another, he says smart adopters should use SOA-style efforts to “actually integrate business units onto the network” quickly and with less disruption than they would otherwise.

Identity’s Role in SOA

“Identity and Web services are closely related,” says Jamie Lewis, Burton Group’s CEO and research chair. “It’s almost a yin and yang.”

As to whether SOA (service-oriented architecture) leads to identity or whether enterprise adoption of identity fosters greater acceptance of SOA, Lewis sees it as a chicken-and-egg problem: Each encourages the other. Although much discussion has addressed the potential security problems of Web services, Lewis believes that SOA will ultimately lead to better security across the enterprise.

application design or technology. Any number of tools could be used to authenticate a user to a given identity, for example, ranging from simple passwords, to digital certificates, to Kerberos, to biometrics. Individual services need not know anything about the underlying authentication system so long as they are satisfied with the validity of the user’s digital identity.

As SOAs evolve, Lewis says, the role of identity will continue to expand, moving beyond its current associations with user
accounts and permissions to include the identities of the The problem, Lewis says, is that when it comes to se- services themselves. Particularly, as services begin to con- curity, developers have historically been forced to re- nect to one another without direct human intervention, the peatedly reinvent the wheel. Whereas modern need to validate the source of service requests will become programming languages such as C#, Java, and Python in- ever more pressing. corporate levels of abstraction that free developers from According to Chris O’Connor, director of security strategy thinking about low-level tasks such as memory manage- at IBM, Big Blue’s Tivoli division is working to establish the ment, there are no such standard facilities for the basic same standards for the identities of machines as for the iden- functions of user authentication and authorization. tities of individuals. Picture a server, for example, capable of By building standard security mechanisms and expos- testing its current operating status against a set of well- ing them as Web services, network administrators not known, static properties to determine whether its OS has only enforce more consistent security policies, but appli- changed or a hard drive has been removed — in a sense, cation developers are freed from the low-level drudgery of validating its own identity. Such a system would go a long way building explicit security controls into their software. toward establishing levels of trust among automated, dis- “It’s an opportunity to begin the process of getting ap- tributed Web services. plication architecture to understand infrastructure ar- “Most of the work that has been done has been on the chitecture,” Lewis explains. identity of people,” Lewis says. 
“But in the long run, the iden- Identity-based security controls are the natural choice tity of things will be more important.” for SOA because they are not dependent on any single — Neil McAllister I N F O W O R L D I T S T R AT E G Y G U I D E 21
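The sidebar makes two points: a service can rely on a validated digital identity without knowing how the user authenticated, and services will need identities of their own. The Python sketch below is an added example, not code from the guide. All names, the token layout and the shared HMAC key are assumptions for illustration; a production design would use asymmetric signatures.

```python
import base64, hashlib, hmac, json, time

# Assumption: one shared key between the identity service and relying
# services; real deployments would sign with a private key instead.
ASSERTION_KEY = b"constructed-demo-key"
# Hypothetical policy: service identities allowed to call the order service.
ALLOWED_CALLERS = {"order-portal"}

def _sign(body: bytes) -> bytes:
    return hmac.new(ASSERTION_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_assertion(subject, kind, method, audience, ttl=300, now=None):
    """Identity service: called once authentication (by any method) succeeded."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "kind": kind, "method": method,
              "aud": audience, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()

def verify_assertion(token, audience, now=None):
    """Relying service: return the claims, or None if the assertion is invalid."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(body.encode()), sig.encode()):
        return None                      # forged or altered assertion
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != audience or claims["exp"] < now:
        return None                      # meant for another service, or expired
    return claims

def approve_purchase_order(user_token, caller_token, now=None):
    """Order service: checks who the user is and which service is calling.
    It never inspects how either party authenticated."""
    user = verify_assertion(user_token, "order-service", now)
    caller = verify_assertion(caller_token, "order-service", now)
    if not user or user["kind"] != "person":
        return "rejected: no valid user identity"
    if (not caller or caller["kind"] != "service"
            or caller["sub"] not in ALLOWED_CALLERS):
        return "rejected: unknown calling service"
    return f"approved for {user['sub']} via {caller['sub']}"
```

The order service reaches the same decision whether the user assertion records a password or a Kerberos login, and it rejects a correctly signed request from a service identity that is not on its caller list.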
  • In spite of these challenges, most IT managers agree that adopting a service-oriented integration infrastructure is more a question of “when,” not “if.”

Even so, the old adage, “measure twice, cut once,” applies in spades. Without clear business analysis and principles guiding the development, “you wind up recreating interfaces, which is a real nightmare,” Wall Street Access’ Underwood says.

David Sprott, CEO and principal analyst of research company CBDi, agrees but cautions that the transition to a service-oriented strategy shouldn’t be technology-driven. “Using services thinking [helps] to get business and IT on an equal footing. In other words, don’t just do services because it’s cool. Drive activity on the business requirement and ROI criteria,” he says.

Thomson Prometric’s Crowhurst echoes that learning how to represent essential business processes as services is critical. “It takes a cultural shift to change how development happens,” he says. “Compared to that, the technical challenges are just an intellectual exercise.”

Brent Sleeper is a principal at The Stencil Group, a business consulting and advisory services company.
  • Service-Oriented Architecture SOA Planning and Design: It’s Still the Wild West

Remember methodologies and CASE tools? They were procedures and approaches for designing and building information systems, typically using structured and object-oriented design techniques. This was huge back in the day, but ultimately methods and CASE technology retreated back into the world of development.

Today, we are all doing things differently when it comes to architecture and design (or doing no architecture and design, based on what I’m seeing out there). You can trace a lack of planning back to architecture failures almost every time.

Along comes SOA. What SOA is, at its essence, is really good architecture in a standards-oriented wrapper. It’s also complex distributed systems architecture that requires a ton of forethought and planning for architects and developers to get it right.

Moreover, SOA is more of an ideal than a simple architecture and development project. You’re really never done, but you are heading in a unified direction — the ability to create an architecture that provides an infrastructure of agility for business, allowing them to respond to change in a timely and efficient manner. That’s the reason we’re investing here.

So, what’s a SOA architect to do? How does one design and build a SOA? Where do you start? How do you know you’re done?

Truth be told, we’re not good at building SOAs yet, although you can point to some early project-level successes. SOA is more of a strategic notion, one that transcends projects, and a single instance in an enterprise does not do much good until the rest of the enterprise comes on board.

SOA planning and design has received almost no press when you consider the amount of articles out there about the technology. I’ve taken a run at a planning methodology with my “12 Steps to SOA,” (www.infoworld.com/3247) written four years ago now, and there are others out there as well including approaches from ZapThink, and even vendors such as PolarLake. However, typically these types of publications take a back seat to the ESB vs. Fabric debate, or even arguments over who invented a buzzword. Not productive.

With the development of the SOA Reference Model and the SOA Blueprints from OASIS, we are beginning to focus more on planning and design than before. However, there is much more to be done to arm those moving towards SOA with the right procedures, checklists, repeatable patterns, and approaches to insure success. We need to get real about leveraging SOAs, and that takes a lot of planning and consideration.

Are We Willing to Share?

One of the things that I’ve been thinking about as we create standards like SOA Blueprints is whether or not enterprises are actually willing to share their solutions. SOA Blueprints, as you may recall, is a standard for sharing SOA solution patterns, based on your SOA requirements. In other words, you match up your needs with common solutions that are known to work with those needs.
  • Can’t argue that it’s a good idea to see what else is working before you try it yourself. That’s why we purchase how-to books at the hardware store.

One of my questions concerns how the Blueprints folks plan on gathering solution patterns. I’m not sure many enterprises will be willing to give them up, and I’m not sure the vendor community is an authority on what works and what does not.

Indeed, many enterprises I’m dealing with consider their SOA a strategic technology and won’t reveal what’s in their recipe for fear that their competition will discover their technical secret sauce. I found this out when attempting to gather case studies for conferences, articles, and books: You get the doors slammed in your face most of the time, and when you do get to see case studies, they are simplistic and uninteresting.

So, how do we learn from the work of others, and leverage a knowledgebase such as Blueprints? I think the answer is in common patterns gathered by those implementing SOAs, this includes consultants and other service organizations. Without naming names, determine and gather general solution patterns and document the requirements. Perhaps pay a fee for each solution entered that adds value to the knowledgebase.

Then again, perhaps the lack of willingness to share our secrets will make standards such as Blueprints unviable going forward. We don’t want to kiss-and-tell, even when it comes to technology.

— Dave Linthicum