SOA Governance Robert Vietmeyer NCES Chief Technologies January 2006
Net-Centric Evolution: Think Differently
Participating as a part of a continuously evolving ecosystem of people, devices, information and services interconnected by a communications network, to achieve optimal benefit of resources and better synchronization of events and their consequences.
What is SOA
• An architecture for distributed systems based on the following principles:
  • Communications and technical interoperability enable coupling
  • Standards and common practices enable loose coupling
  • Loose coupling enables flexibility for consumers to discover and consume previously unknown resources, and enables providers to readily and securely support unanticipated users
• When a provider performs a business or mission function enabling consumers to consume a requested resource, the provider is providing a service
• Decomposing tightly coupled systems and applications into discrete, loosely coupled, externally consumable services enables optimization of resources and agility
• Entrepreneurs will discover new possibilities and then provide new services that help others discover yet newer possibilities
• Consumers will marvel at the growth of what they are able to consume, and consequently what they are able to do
SOA is not a new concept
• Why might I want someone else to do something for me?
  • I don't like doing it
  • If I did it, it would take more of my time, money or space
  • If I did it, it wouldn't be done as well
  • If I did it, it would take longer for the results to be achieved
  • I can't do it
• Why might I do something for someone else?
  • I don't mind doing it
  • It's easy for me
  • I have the expertise
  • I have the required credentials
  • I'm already doing it anyway
  • I can realize economies of scale
Service Oriented Architecture
Convergence of networking technology, maturing IT standards and computing technology, enabling the elimination of technical, organizational, and geospatial boundaries.
Interface: here's what's offered, how to use it, and the terms of use.
Consumer:
• Can search for and find a service
• Has a need or want; determines the context of use
• Not concerned with how the need or want is fulfilled
Provider:
• Can be found in a registry
• Fulfills a need or want
• Abstracts technical details
• The service can be upgraded or replaced transparently
What is a service
• Service: the performance of a function by one entity for the benefit of another entity
• Web Services: a standards-based technology for providing and consuming XML-based services over a network
• Examples:
  • FraudLabs Credit Card Fraud Detection 1.1.0: The FraudLabs Credit Card Fraud Detection Web Service is a hosted, programmable XML Web Service that allows instant detection of fraudulent online credit card order transactions. Avoid lost revenue, wasted productivity, and increased operation costs in chargebacks and higher reserved funds as a result of online fraud. http://ws.strikeiron.com/FraudLabs/CreditCardFraudDetection?WSDL
  • Medicare Supplier Directory 2.5.0: A programmatic interface to the Medicare Supplier Directory, a one-stop resource that provides names, addresses, and contact information for suppliers that provide services or products under the U.S. Medicare program. http://ws.strikeiron.com/medicare_2_5?WSDL
  • Sales and Use Tax Basic 3.5.0: Retrieves the current city, state, and county tax rates in the United States based on a given ZIP code, and Canadian provinces based on a province name. http://ws.strikeiron.com/taxdatabasic?WSDL
  • Icelandic TV stations: Icelandic TV station listing of most major TV stations and current programming in Iceland. http://www.ingig.com/channels.asmx?WSDL
SOA: Observations
• A service is not a product
  • Products might be provided by service providers
• SOA is not …
  • A product
  • OO
  • Renaming APIs to services
  • Easy
• An SOA can't be …
  • Designed
  • Built
  • Bought
• Why do SOA
  • Agility
  • Resource optimization
  • New market opportunities
  • There's no other option
• Currently, the disincentives may be more obvious than the strategic advantages
Changing IT Governance
• Traditional: command and control of IT resources
  • Component management (hardware and software) and software reuse
  • Control of production, distribution and consumption
  • Vertically oriented
  • Assumes:
    • Systems are monolithic and static
    • A central authority manages system upgrades and modifications
    • A central authority manages the data flows among components within the environment
    • The system can be tested as a single, static entity
• SOA: create opportunities and prevent harm
  • Business management: focus on behavior, not the tools
  • Service utilization and opportunistic integration (mash-ups); use, not reuse
  • Market controls production and consumption
  • Inherent interoperability through open standards, automated compliance checking
  • Horizontally oriented: intra-enterprise, inter-enterprise, global
  • Assumes:
    • No single authority across the components and interactions
    • Constant change
Changing IT Governance
Changing value proposition of traditional IT governance mechanisms
• Enterprise Architecture
  • Commonly accepted standards enabling loose coupling (minimizing the impact of change)
  • Need to focus more on business operations than on technology
  • Speed of change
  • Increased use of COTS and outsourcing
• Component Reuse
  • Cross-platform challenges: .Net, J2EE, LAMP, etc. limiting reuse to a single platform
  • Ease of software development
  • Difficulty and cost (time) in creating modular, reusable components
  • Differences in testing, certification and acceptance criteria across potential consumers
  • Wrong incentives and disincentives
  • Difficulty in determining the value of reuse
  • Licensing and protection of intellectual property
  • Long term support requirements
  • Open source
SOA Adoption Challenges within the Government
• Concerns of dependability and risk of dependency
• Change of roles from system to service provider/service consumer
• Move from vertical, closed systems to open, horizontal services
• Prioritizing service development
  • Changing customer base, requirements prioritization and focus
  • What is the incentive for supporting more customers?
• Supporting service operations
  • Who funds improvements in dependability and performance to support an increasing customer base?
• Long term planning and acquisition cycles hampering speed and agility
• Existing governance mechanisms implemented along traditional organizational boundaries and vertical systems
• Changing market dynamics among vendors and integrators
• Need the ability to collaborate across the community of providers, consumers, IT departments and business/mission organizations
SOA: What's Needed
• Common practices
• Design patterns
• Standards
• Processes
• Governance
• Policies
• Authorities
• Incentives and disincentives
• Infrastructure
Evolving SOA Technology
• Web Services: SOAP, WSDL, UDDI
• Enterprise SOA
• NCES Core Standards
• "Web 2.0"
  • Internet, consumer-driven SOA through mash-ups and remixing
  • Standards: HTTP, RSS, REST
• GRID
• ebXML?
NCES Core Standards:
• SOAP v1.1: Simple Object Access Protocol
• WSDL v1.1: Web Services Description Language
• UDDI v3.0.2: Universal Description, Discovery and Integration
• W3C XML-Encryption
• W3C XML-Signature (XML Digital Signature [DSIG])
• SAML v1.1: Security Assertion Markup Language
• WS-Security v1.0
• WS-I.ORG Basic Profile v1.1 (SOAP, WSDL, UDDI, HTTP v1.1)
• RFC 2246 (TLS), SSL, PKI
• XACML v1.0: Extensible Access Control Markup Language
• XKMS v2.0: XML Key Management Specification
• XSLT v1.0: Extensible Stylesheet Language Transformations
• CSS Level 1: Cascading Style Sheets
• XHTML v1.1: Extensible Hypertext Markup Language
• WebDAV: Web Distributed Authoring and Versioning
Evolving Standards (WS-*)
• WS-Policy
  • WS-Policy Framework
  • WS-PolicyAssertions
  • WS-PolicyAttachments
• WS-Provisioning
• WS-Privacy
• WS-MetadataExchange
• WS-Topics
• WS-SecurityPolicy
• WS-Trust
• WS-SecureConversation
• WS-Federation
• WS-Transaction
  • WS-Coordination
  • WS-AtomicTransactions
  • WS-BusinessActivity
• WS-Composite Application Framework
  • WS-Context
  • WS-Service Coordination Framework
  • WS-Transaction Management
• WS-Choreography
• WS-Eventing
• WS-Reliability
• WS-ReliableMessaging
• iECM: Interoperable Content Management
• XACML v2.0*
• BPEL v1.1: Business Process Execution Language
• WSDM: Web Services Distributed Management
  • MUWS: Management Using Web Services
  • MOWS: Management of Web Services
• SOAP v1.2: Simple Object Access Protocol
• WSDL v2.0: Web Services Description Language
• WSRP: Web Services for Remote Portlets
• ID-WSF 1.0: Identity Web Services Framework
• SPML v1.0: Service Provisioning Markup Language
• XCBF v1.1: XML Common Biometric Format
• XPath v2.0: XML Path Language
• WS-Manageability: Concepts, Representation
• WS-BrokeredNotification
• WS-BaseNotification
• WS-Federation Language: Active Requestor Profile, Passive Requestor Profile
• WS-Addressing
• WS-Naming
• WS-Attachments
• WS-Inspection
SOA Concepts: what needs to be governed
• Service
• Service provider
• Service consumer
• Service offer
• Service specification
• Contract/SLA
• Service access point
• Service agent
• Service host
External visibility: SOA governance. Internal visibility: traditional IT governance.
NCES SOA Foundation Services
The SOA Foundation consists of services, software and guidance that enable DoD programs and systems to secure, publish, find, and manage GIG enterprise services.
Summary of Increment I Capabilities:
• DoD Web Services Profile
• Service Discovery
• Service Security
• Enterprise Service Management
• Machine-to-Machine Messaging
• Mediation
• Metadata Services
NCES Service Registry: DoD Services Yellow Pages
Registry structure (diagram): the Registry holds Service Providers; each Service Provider lists Service Offers (Service Offer #1 … Service Offer #n); each Service Offer lists its Service Access Points (Access Point #1, Access Point #2, …).
Service Visibility
• Provide a means to publish metadata for a service
  • What specification is this service adhering to?
  • What policies does this service meet?
  • What is the expected release schedule for the service?
  • What documentation is available for the service?
  • What is the availability and performance of the service?
  • Who is using the service?
  • How has the service changed over its lifecycle?
  • What contract terms or service levels are available?
  • Where do I go for support if there is a problem?
• Consumers need this information available in order to make decisions on which service to use
• Providers need this information available in order to make decisions to support backwards compatibility, hardware platforms, network bandwidth, etc.
SOA lifecycle control
Diagram: in the Development Environment, the Provider registers service offers, specs and access points in the Development Registry. Automated policies and standards compliance checks, together with an Approval Process involving human approvers, gate promotion to the Production Registry in the Production Environment, from which Consumers discover services.
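The two slides above (service visibility metadata and the development-to-production promotion gate) can be read as one mechanism: a provider publishes an offer with its metadata, automated rules check it against policy, and a human approval is still required before the offer reaches the production registry. The following is an added illustration, not NCES code; the `ServiceOffer` fields, the rule set, the `Registry` and `promote` names and the sample offers are all assumptions. The rules check the standards profile against the deck's NCES core standards, insist on TLS access points, require the WS-Security and XML-Signature policies to be declared, and refuse offers whose visibility metadata (documentation, release schedule, SLA, support contact) is incomplete.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Profiles the hypothetical production policy accepts (names taken from the
# deck's NCES core standards list; the rule itself is an assumption).
ALLOWED_PROFILES = {"WS-I Basic Profile 1.1", "WSDL 1.1", "SOAP 1.1"}
REQUIRED_SECURITY_POLICIES = {"WS-Security 1.0", "XML-Signature"}
VISIBILITY_FIELDS = ("documentation_url", "release_schedule", "sla", "support_contact")


@dataclass
class ServiceOffer:
    """Metadata a provider publishes for one offer; the fields mirror the
    'Service Visibility' questions, the field names are assumptions."""
    name: str
    provider: str
    specification: str            # which profile the service claims to follow
    access_points: list           # endpoint / WSDL URLs
    policies_met: set = field(default_factory=set)
    documentation_url: str = ""
    release_schedule: str = ""
    sla: str = ""
    support_contact: str = ""
    human_approved: bool = False  # set by the approval process, not by the provider


# Each automated rule returns None when satisfied, otherwise a finding string.
def rule_profile(offer):
    if offer.specification not in ALLOWED_PROFILES:
        return f"specification '{offer.specification}' is not an approved profile"

def rule_transport(offer):
    bad = [u for u in offer.access_points
           if urlparse(u).scheme != "https" or not urlparse(u).hostname]
    if bad:
        return f"access points must be https with a hostname: {bad}"

def rule_security_policy(offer):
    missing = REQUIRED_SECURITY_POLICIES - offer.policies_met
    if missing:
        return f"required security policies not declared: {sorted(missing)}"

def rule_visibility(offer):
    missing = [f for f in VISIBILITY_FIELDS if not getattr(offer, f)]
    if missing:
        return f"visibility metadata missing: {missing}"

RULES = (rule_profile, rule_transport, rule_security_policy, rule_visibility)


def check_compliance(offer):
    """Automated policy/standards compliance: list of findings, empty means pass."""
    return [finding for finding in (rule(offer) for rule in RULES) if finding]


class Registry:
    def __init__(self, name):
        self.name = name
        self.offers = {}

    def publish(self, offer):
        self.offers[offer.name] = offer


def promote(dev, prod, name):
    """Move an offer to production only if the automated checks pass and a
    human approver has signed off; returns (promoted, findings)."""
    offer = dev.offers[name]
    findings = check_compliance(offer)
    if findings:
        return False, findings
    if not offer.human_approved:
        return False, ["awaiting human approval"]
    prod.publish(offer)
    return True, []


def build_sample_offers():
    """Constructed sample offers, not real DoD services."""
    good = ServiceOffer(
        name="tax-rates", provider="example-provider",
        specification="WS-I Basic Profile 1.1",
        access_points=["https://svc.example.invalid/taxdatabasic?WSDL"],
        policies_met={"WS-Security 1.0", "XML-Signature", "XML-Encryption"},
        documentation_url="https://docs.example.invalid/tax-rates",
        release_schedule="quarterly", sla="99.5% monthly availability",
        support_contact="tax-rates-support@example.invalid", human_approved=True)
    bad = ServiceOffer(
        name="tv-listings", provider="example-provider",
        specification="WS-I Basic Profile 1.1",
        access_points=["http://svc.example.invalid/channels.asmx?WSDL"],  # plain http
        policies_met={"WS-Security 1.0"},                                  # no XML-Signature
        documentation_url="https://docs.example.invalid/tv", release_schedule="ad hoc",
        support_contact="tv-support@example.invalid", human_approved=True)  # no SLA
    return good, bad


if __name__ == "__main__":
    dev, prod = Registry("development"), Registry("production")
    for offer in build_sample_offers():
        dev.publish(offer)
        print(offer.name, promote(dev, prod, offer.name))
```

The design point is that the automated checks and the human approval are independent gates: a clean automated pass never bypasses the approver, and an approver cannot wave through an offer that still has findings. The second sample offer fails three rules at once (plain-HTTP endpoint, missing XML-Signature policy, no SLA), which is the kind of aggregated finding list a provider needs back in order to fix the offer in the development registry.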
SOA Security Challenges
On the Internet, nobody knows you're a dog!
Identity Management
• To build an SOA there must be:
  • Strong identity credentials for people (i.e. PKI certificates)
  • Strong identity credentials for service providers and service consumers
  • A place to verify these credentials
  • Globally meaningful credentials
  • A place to find other attributes about people (name, presence information, organization, role, etc.)
• Provide white pages services
  • To help control access
  • To determine what privileges a person should have
NCES Security Services
Diagram: a Service Consumer reaches a Service Provider through a Service Interaction (with authentication) that passes a Policy Enforcement Point. The enforcement point draws on the Web Service Discovery Service, the Credential Validity Service, the Principal Attribute Service, the Policy Decision Service and the Log/Audit Service. Supporting functions: Web Service Discovery and Management; Attribute Management; Identity Management (DMDC, GDS, AD); Privilege & Authorization Authorities; Other Attribute Authorities; Role Authorities; PKI.
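The identity-management slide and the security-services diagram together describe one request path: the consumer presents a strong credential, the enforcement point has it verified, looks up the principal's attributes from the white pages, asks a policy decision service whether those attributes permit the action, records the outcome, and only then invokes the provider. The following is an added example of that flow, not NCES code: the class names, the attribute-based policy, the principals and the provider are all assumptions, and an HMAC over `subject|expiry` stands in for the X.509 certificate and chain validation a real PKI-backed credential validity service would perform.

```python
import hashlib
import hmac
import time


class CredentialValidityService:
    """Checks that a presented credential is genuine, unexpired and unrevoked.
    An HMAC over 'subject|expiry' stands in for X.509 signature/chain checking."""

    def __init__(self, trust_anchor_key: bytes, revoked=()):
        self._key = trust_anchor_key          # stands in for the PKI trust anchor
        self._revoked = set(revoked)          # stands in for a revocation list

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str, ttl_s: int = 3600, now=None) -> str:
        """Issuer side of the stand-in credential: subject|expiry|mac."""
        now = time.time() if now is None else now
        body = f"{subject}|{int(now + ttl_s)}"
        return f"{body}|{self._mac(body)}"

    def validate(self, token: str, now=None) -> str:
        """Return the subject, or raise PermissionError with the reason."""
        now = time.time() if now is None else now
        parts = token.split("|")
        if len(parts) != 3:
            raise PermissionError("malformed credential")
        subject, exp, mac = parts
        if not hmac.compare_digest(mac, self._mac(f"{subject}|{exp}")):
            raise PermissionError("bad signature")
        if int(exp) < now:
            raise PermissionError("expired credential")
        if subject in self._revoked:
            raise PermissionError("revoked credential")
        return subject


class PrincipalAttributeService:
    """White-pages lookup: subject -> attributes fed by the attribute authorities."""
    def __init__(self, directory):
        self._dir = directory

    def attributes(self, subject):
        return self._dir.get(subject, {})


class PolicyDecisionService:
    """Attribute-based rules: (service, action) -> {attribute: allowed values}.
    Anything without a rule is denied (default deny)."""
    def __init__(self, policy):
        self._policy = policy

    def decide(self, service, action, attrs):
        required = self._policy.get((service, action))
        if required is None:
            return "Deny"
        return "Permit" if all(attrs.get(k) in ok for k, ok in required.items()) else "Deny"


class PolicyEnforcementPoint:
    """Sits on the service interaction: authenticate, fetch attributes, ask the
    PDP, write an audit record, and only then invoke the provider."""
    def __init__(self, cvs, pas, pds, audit, services):
        self.cvs, self.pas, self.pds, self.audit, self.services = cvs, pas, pds, audit, services

    def handle(self, token, service, action, payload, now=None):
        try:
            subject = self.cvs.validate(token, now)
        except PermissionError as err:
            self.audit.append({"subject": None, "service": service, "action": action,
                               "outcome": f"denied:{err}"})
            return None
        attrs = self.pas.attributes(subject)
        decision = self.pds.decide(service, action, attrs)
        self.audit.append({"subject": subject, "service": service, "action": action,
                           "outcome": decision})
        if decision != "Permit":
            return None
        return self.services[service](payload)   # the provider's business function


def build_demo():
    """Constructed principals, policy and provider; nothing here is real NCES data."""
    cvs = CredentialValidityService(b"constructed-trust-anchor-key", revoked={"cn=revoked.user"})
    pas = PrincipalAttributeService({
        "cn=analyst.one": {"organization": "DoD", "role": "analyst"},
        "cn=contractor.two": {"organization": "Vendor", "role": "developer"},
        "cn=revoked.user": {"organization": "DoD", "role": "analyst"},
    })
    pds = PolicyDecisionService({
        ("supplier-directory", "read"): {"organization": {"DoD", "HHS"}, "role": {"analyst", "admin"}},
    })
    services = {"supplier-directory": lambda zip_code: f"suppliers near {zip_code}"}
    return PolicyEnforcementPoint(cvs, pas, pds, [], services), cvs
```

Every outcome, including a rejected credential, lands in the audit list before the enforcement point returns, so the log/audit service sees failed authentications as well as policy denials. The policy decision is default-deny: an action with no rule is refused even for a fully authenticated principal with valid attributes.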
SOA Governance Challenges
• Governance needs to provide …
  • Ability for providers and consumers to establish and maintain dependencies and trust
  • Service discoverability and predictability of service performance
  • Interoperability: ensuring compliance with policies, standards, and common practices
  • Protection for both consumers and providers against rogue information and services
  • Support for autonomy and decentralized management
  • Ability to contain undesired emergent behavior
  • Ability to abstract the actions and concerns of different stakeholders so the actions of one do not unintentionally harm another
• New roles and authorities required
  • Who establishes service provider and service consumer identities, and how do they do it?
  • How do you hold producers, providers and consumers accountable? Do we need a judiciary function to support SLA processes and accountability?
  • What policies are applied against SOA components, and when are they applied in the life-cycle?
  • Who manages business processes that span traditional organizational boundaries? Ability to align service development and implementation with business requirements that cross existing boundaries
• Governance models:
  • Constitution, Federalist Papers
  • Capitalism, Stalinism, Communism, etc.
  • SEC, FDA, FCC, etc.
• Balance bureaucracy and command-driven resource allocation with needed support for market-driven innovation and evolution
SOA Interactions
Diagram of the three layers of a consumer/provider interaction:
• Service Consumer ↔ Service Provider: Business Transaction
• Service Consumer Agent ↔ Service Provider Agent: Request / Response Exchange
• Consumer Host ↔ Provider Host: Transport Communication