Paul Butterworth Policy Based Approach


Published in: Technology, Business

  1. This Presentation Courtesy of the International SOA Symposium, October 7-8, 2008, Amsterdam Arena (www.soasymposium.com, info@soasymposium.com)

     SOA Runtime Governance: A Policy-Based Approach
     Paul Butterworth, Chief Technology Officer, AmberPoint, Inc.
     October 2008
  2. Agenda
     • SOA Characterization
     • Policy-based Runtime Governance
     • Some Examples
     Based on our experiences with ~200 customers
     © 2008 AmberPoint, Inc.

     Typical Service Network Topology
     • Services not applications
     • Shared
     • Dynamic
     • Federated
     [Diagram labels: Internal Services, Order Entry, Accounting, Partner, Credit, firewall, Shared Services, External Services]
  3. Typical Service Network Infrastructure
     [Diagram labels: Appliance, Web Service, Network, Java Service, Biz Application, Service Bus, DBMS, Biz Application, Mainframe Application]
     In all but the newest of environments, “SOA” ≠ “Just Web Services & XML”

     Keys to Successful Governance and Management of SOA Applications
     • Continuous SOA Discovery
     • Service Management & Security
  4. Keys to Successful Governance and Management of SOA Applications
     [Diagram labels: Business, Architects & Development, Operations]
     • Continuous SOA Discovery
     • Service Management & Security
     • Business Transaction Management
     • Business System Validation
     • Closed Loop Governance

     SOA Runtime Governance and Life Cycle
     SOA Runtime Governance automates real-time visibility and control at each stage of the SOA lifecycle
     [Diagram: lifecycle stages Development, Staging, Production; labels Business Logic, IDE’s, Process Tools, Policies, Diagnostics, More Policies, Validation, Performance, Service Levels, Capacity Planning, Discovery; policy types shown: Performance, Security, Availability, Logging, SLAs, Audit]
     • Automatically enforce governance
     • Automatically discover rogue services
  5. Agenda
     • SOA Characterization
     • Policy-based Runtime Governance
     • Some Examples

     Governance Constraints as Policy
     • Declarative specification of system characteristics as “Policies”
       – Configurations
       – Constraints
       – Desired states
     • Specify what must be accomplished as opposed to “how”
       – What are my service levels not how to measure them
       – What are my faults not how to detect them
       – What level of security do I require
  6. Policy Benefits in Runtime Governance
     • Improve Productivity and Increase Accuracy
       • Simpler constraint specification
       • Easier to understand
       • Easier to change
     • Eliminate Policy Obsolescence
       • Decouple policy description from policy enforcement
       • Remap and reassign policies as environment evolves
         – New intermediaries and system architecture
         – New phase of lifecycle – testing vs. production
         – Different department / division – architectural choices
     • Leverage intrinsic and increasing SOA capabilities of various “intermediaries” whenever possible
       • Platforms – Indigo, WebSphere, WebLogic, NetWeaver, IONA, etc.
       • ESBs – AquaLogic, WebSphere ESB, SAP XI
       • XML-aware Appliances – Cisco AON, Forum, Datapower, Reactivity, etc.

     Policy-based Runtime Governance Architecture
     • Business Operations - Track our contracted service levels
     • Systems Operations - Ensure reliability
     • Security Officer - Enforce authentication
     • Developer - Feedback on runtime errors
     [Diagram labels: Runtime Governance, Runtime Policy & Analysis Engine, Service Network, Enterprise Service Bus, Requests, policies, service contract, Collected Data]
     [Diagram: Runtime Policy Execution Point (PEP), with two columns headed Simple Policies and Complex Policies, listing: Instrumentation, Failover, Load balancing, Exception handling, Service level agreements, Content-based routing, Advanced security, Transformations, Validation, Encryption, Security checks; sub-diagrams labelled Load Balancing and Exception Management over services S1 to S4]
  7. Binding Policy to SOA
     One-at-a-Time Approach
     • Apply p1 to s1
     • Apply p2 to s2
     • Apply p1 to s2
     • …..
     100 svcs x 50 policies = 5,000 policy points
     Dynamic Approach
     • All production services
     • All orders > $10,000
     • All services in Accounting application
     • All services deployed in WebLogic containers
     [Diagram labels: p1 to p50, s1 to s100; Logging, Security, Encryption, Load-Bal, Weighted; “all services”, “where “Accounting””, “where deployed on .NET app servers”]

     Detailed Metadata of Your SOA Environment
     • Operational Info:
       • When service was discovered
       • Availability
       • Type of service
       • Type of container
       • Link to WSDL
     • Business Info:
       • Business owner
       • Division
       • Version
       • Etc.
     • Custom:
       • Chargeback info
       • Risk assessment
       • Links to URLs
       • Etc.
  8. Capability-based Delegation of Runtime Policies
     • Gathers existing application knowledge and policies
     • Assigns policies based on capabilities
     • Translates runtime policy into platform-specific interfaces
     • Monitors execution
     • Agents to round out capabilities and for other components
     [Diagram labels: AmberPoint Runtime Governance, Runtime Dependencies, Policy Repository, Security AuthN, Monitoring Logging, Load-Bal Round-Robin, Network]

     Agenda
     • SOA Characterization
     • Policy-based Runtime Governance
     • Some Examples
  9. Universal Policy Library
     Consistent enforcement regardless of SOA infrastructure
     • Library of commonly used runtime policies
       • Instrumentation
       • Content-based Policies
       • Versioning
       • Authentication – certificates, credentials, SAML, etc
       • Authorization
       • Censorship
       • Credential Mapping
       • Crypto – Signatures & Encryption
       • Validation
       • Throttling
       • Failover
       • Load Balancing
       • Quality of Service
         – Performance
         – Availability
         – Throughput
       • Service Level Agreements
       • Exception Handling
     • Based on standards
       • WS-Policy
       • WS-SecurityPolicy
       • WS-PolicyAttachment
     • User-extensible
     • Leverage the metadata
       • “Apply Encryption to All Services where Application_group = ‘Accounting’”
     • Synchronize with other governance processes

     Service Virtualization
     • Abstracts service changes and versions behind a published ‘façade’ (a ‘virtual’ service)
     • Enables endpoint routing, load-balancing, failover, transformations etc.
     [Diagram: Before and After. After: client sees simpler interface; service changes don’t show through. A Virtual Svc (PEP) in front of Service A and Service B performs Load balance, Route, Transform, Version. Operations shown: OrderLookup, ScheduleShip, ChangeDate, ChangePrior, ChangeQty, LookupETA]
  10. Service Level Management
      • Real-time visibility into service network performance and availability
      • Segmentation and prioritization based on business criteria
      • Trigger preventative and corrective actions
        • Redirect traffic
        • Make less critical requests wait
      • Reporting
        • Compliance
        • Historical trends for capacity planning
      [Diagram labels: Process Engine, Service Bus]

      Transaction Management
      • Visibility into technical and application-level errors
        • “rejected”, “unknown”, “Error code: UUUEX32AF”, SOAP faults, no response, transport-level errors
      • Monitoring of business-level anomalies
        • International travel ticket with price < $100
      • IT & Business Operations Non-Compliance
        • Order completed and shipped, but never invoiced
        • Regulatory non-compliance (Privacy Act, HIPAA conditions etc.)
  11. SOA Security
      XML Encryption/Decryption
      • Apply to parts of message, across multiple hops
      • Independent of transport, language or vendor

          <?xml version='1.0'?>
          <PaymentInfo xmlns='http://example.org/paymentv2'>
            <Name>John Smith</Name>
            <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                           xmlns='http://www.w3.org/2001/04/xmlenc#'>
              <CipherData>
                <CipherValue>A23B45C56</CipherValue>
              </CipherData>
            </EncryptedData>
          </PaymentInfo>

      XML Signatures/Validation
      • Apply to parts of message, across multiple hops
      • Transport, language & vendor independent
      Last-Mile Security for Distributed SOA
      • Local intermediaries enforce security for each end-point
      Integrate with Existing Security Solutions
      • Manage security events & exceptions across distributed environments
      [Diagram labels: Process Engine, Service Bus]

      Client Provisioning
      [Diagram labels: AmberPoint Management Svcs, Registry, Policy Manager, Data Collection, policies, data, service contract, switch]
      • Provisions client with service contract requirements
        • Looks up service endpoint and caches it for higher performance
        • Provisions required security policies
      • Automatically process request and response to match policy requirements
        • Insertion of security info, acquire security tokens, etc.
      • Collects client-side service level metrics
        • Provides visibility into “first mile” SLA metrics
        • Local logging of interactions, if requested
      Reduces costs by eliminating coding.
  12. Business System Validation
      • Acceptance testing of pending changes to SOA environment
        • New Versions of Services
        • Policy Changes
        • Bug Fixes
        • Infrastructure Patches, etc.
      • Uses knowledge of dependencies and observed interactions
      • Simulates services that can’t be replicated in pre-production environments
        • External services
        • Fee-based services
      • Gives Staging and Operations a final check before deploying changes
      Validation Checklist
      • Capacity Adequate
      • Security Policies Functioning
      • WS-I Compliant
      • Unexpected Deviation for B2B Partner Usage
      The “Preflight Check” for SOA Systems
      [Diagram labels: Development, Staging, Production; Process Engine, Service Bus]

      Q&A
      Paul Butterworth
      pbutterworth@amberpoint.com
      www.amberpoint.com
      510.663.6300
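
The "Binding Policy to SOA" and "Capability-based Delegation of Runtime Policies" slides describe binding policies to services through metadata selectors and then handing each policy to whichever intermediary can enforce it. The sketch below is an added example, not AmberPoint code: the service records, selector format and capability table are constructed for illustration, and the capability table makes no claim about what the named products actually support.

```python
# Added illustration: selector-based ("dynamic") policy binding plus
# capability-based delegation. All names and sample data are constructed.

# Service metadata as a discovery inventory might hold it (constructed sample).
SERVICES = [
    {"name": "OrderLookup", "application_group": "Orders", "container": "WebLogic", "stage": "production"},
    {"name": "PostLedger", "application_group": "Accounting", "container": ".NET", "stage": "production"},
    {"name": "CreditCheck", "application_group": "Accounting", "container": "WebLogic", "stage": "staging"},
]

# A policy states what is required and which services it covers, not how to enforce it.
POLICIES = [
    {"policy": "Logging", "where": {}},  # empty selector: all services
    {"policy": "Encryption", "where": {"application_group": "Accounting"}},
    {"policy": "Authentication", "where": {"stage": "production"}},
]

# What each kind of enforcement point can do natively (hypothetical table).
CAPABILITIES = {
    "WebLogic": {"Logging", "Authentication"},
    ".NET": {"Logging", "Authentication", "Encryption"},
}

def matches(service, where):
    """True when every selector key equals the service's metadata value."""
    return all(service.get(k) == v for k, v in where.items())

def bind(services, policies):
    """Return {service name: [policy, ...]} by evaluating each selector."""
    return {s["name"]: [p["policy"] for p in policies if matches(s, p["where"])]
            for s in services}

def delegate(services, policies, capabilities):
    """Split each binding into policies the container enforces natively
    and policies an agent must cover because the container cannot."""
    plan = {}
    for s in services:
        native = capabilities.get(s["container"], set())
        bound = bind([s], policies)[s["name"]]
        plan[s["name"]] = {
            "container": [p for p in bound if p in native],
            "agent": [p for p in bound if p not in native],
        }
    return plan

if __name__ == "__main__":
    for name, split in delegate(SERVICES, POLICIES, CAPABILITIES).items():
        print(name, split)
```

A newly discovered service picks up its policies from its metadata alone, and a service whose container has no entry in the capability table has every bound policy routed to an agent rather than silently left unenforced.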
